Commit Graph

458 Commits

Author SHA1 Message Date
Gerald Combs be9bdfda02 Add dissection recursion checks.
Enforce a maximum layer limit in call_dissector_work and
dissector_try_heuristic.

Bug: 15778
Change-Id: I691868e980384b76a64f88de4db5bb7340a7c4aa
Reviewed-on: https://code.wireshark.org/review/33301
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2019-05-22 15:49:59 +00:00
Peter Wu 5076e53ffb packet: ensure pinfo->curr_layer_num does not depend on tree
The TLS dissector relies on a stable value for pinfo->curr_layer_num
between passes to enable handshake reassembly and decryption. A mismatch
could occur if the subdissector accepted the data (len is non-zero), but
did not add any tree items (tree->tree_data->count remains unchanged).

The original change added the check for tree->tree_data->count in order
to remove protocol names that are not visible in the tree. This could
for example occur when the HTTP dissector accepts the data but requests
more data for reassembly.

This desire to hide protocols is understandable, so simply reverting the
change would not be ok. Checking pinfo->desegment_offset is also not
stable. So that leaves the current approach.

Change-Id: I247adafbaa6d23ab9397eadacabaed9e1bfde997
Ping-Bug: 15625
Fixes: v2.5.0rc0-1206-gcd90f732a1 ("Improve frame.protocols accuracy.")
Reviewed-on: https://code.wireshark.org/review/32919
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-04-22 16:32:32 +00:00
Gerald Combs 98bcda594e Make call_dissector assertions non-fatal.
Replace g_assert in our call_dissector* routines with DISSECTOR_ASSERT.

Change-Id: I76104ba09e272ff34e3eaa958c7f711e27e4a3b5
Reviewed-on: https://code.wireshark.org/review/32741
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2019-04-06 06:04:27 +00:00
Guy Harris 7eb3e47fa4 Try to squeeze some bytes out of the frame_data structure.
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits.  That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.

Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.

It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.

Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-12-27 04:34:29 +00:00
Gerald Combs 8f08a4e74e Try to discourage the use of APIs via counting.
Add the ability to specify maximum function counts for each group to
checkAPIs. Add maximum counts for the "termoutput" and "abort" groups
where needed. Show summaries in various checkAPI targets.

Switch uses of ws_g_warning back to plain g_warning.

Change-Id: I5cbddc8c671729e424eed8551f69116d16491976
Reviewed-on: https://code.wireshark.org/review/29721
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2018-09-19 16:07:03 +00:00
Gerald Combs 7cc130ff1f Fix a checkAPIs warning.
Switch a g_warning to ws_g_warning in packet.c.

Change-Id: I3191bc7d66e1de782b45bfaac1173dbd27a346e4
Reviewed-on: https://code.wireshark.org/review/29718
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2018-09-18 17:24:51 +00:00
Gerald Combs 5dbc202063 Add support for aliases to dissector tables.
Add register_dissector_table_alias, similar to proto_register_alias. Add
aliases for ssl.port, and ssl.handshake.extensions_alpn_str, and
dtls.handshake.extensions_alpn_str.

Change-Id: I87c3215e2872883ed0f581557e08c84f2dba12a0
Reviewed-on: https://code.wireshark.org/review/29652
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2018-09-15 08:54:14 +00:00
Martin Kaiser 8681e1deba make IPv4 and IPv6 name resolution usable at all times
IPv4 and v6 name resolution are bound to a capture file. Using a lua
script, it is possible to trigger a name resolution when no capture file
is open. This crashes Wireshark as the hash tables for name resolution
are not initialized at this time.

martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ip(\"1.1.1.1\"))" > bla.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla.lua
Segmentation fault

martin@reykholt:~/src/wireshark.git/build$ echo "print(Address.ipv6(\"::1\"))" > bla6.lua
martin@reykholt:~/src/wireshark.git/build$ ./run/tshark -Xlua_script:bla6.lua
Segmentation fault

Make sure that the hash tables are available as long as the epan library
is initialized. Add a new function host_name_lookup_reset(), call this
function every time we set up dissection for a new capture file. This
way, we keep the name resolution results separate per capture file.

Reorder the steps in init_dissection(). Host name lookup is now
available at all times, there's no need to be in file scope when it's
initialized.

Change-Id: I9599100d5f378b6a0f73dc630e4c8af3b3ffb2cc
Reviewed-on: https://code.wireshark.org/review/29398
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-09-03 04:08:21 +00:00
Guy Harris 0a130c5756 Handle subset tvbuffs where the length goes past the end of the parent.
Add a "contained length" to tvbuffs.  For non-subset tvbuffs, that's the
same as the reported length.  For a subset tvbuff, that's the amount of
the reported data that was actually present in the "contained data" of
the parent tvbuff.

This is unaffected by the *captured* length of any tvbuff; that differs
from the contained length only if the capture was cut short by a
snapshot length.

If a reference is within the reported data, but not within the contained
data, a ContainedBoundsError exception is thrown.  This exception
represents a protocol error, rather than a reference past the captured
data in the packet; we treat it as such.

Change-Id: Ide87f81238eaeb89b3093f54a87bf7f715485af5
Reviewed-on: https://code.wireshark.org/review/27039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-04-20 03:18:47 +00:00
Anders 25a337cdb0 glib: Use g_slist_free_full() in a couple of places.
Change-Id: Iff833bf5c197959c8decb62d6ce794c6d0415fb7
Reviewed-on: https://code.wireshark.org/review/26978
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-04-17 15:01:24 +00:00
Guy Harris e5cc633ee4 Constify an argument that doesn't need to be non-const.
Change-Id: I59317862f57a41d1770c1cf6f8ec23662ae1c355
Reviewed-on: https://code.wireshark.org/review/26350
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-03-08 02:55:10 +00:00
Guy Harris 1f5f63f8ef Generalize wtap_pkthdr into a structure for packet and non-packet records.
Separate the stuff that any record could have from the stuff that only
particular record types have; put the latter into a union, and put all
that into a wtap_rec structure.

Add some record-type checks as necessary.

Change-Id: Id6b3486858f826fce4b096c59231f463e44bfaa2
Reviewed-on: https://code.wireshark.org/review/25696
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-09 00:29:51 +00:00
Dario Lombardo 8cd389e161 replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later.
The first is deprecated, as per https://spdx.org/licenses/.

Change-Id: I8e21e1d32d09b8b94b93a2dc9fbdde5ffeba6bed
Reviewed-on: https://code.wireshark.org/review/25661
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-02-08 14:57:36 +00:00
Stig Bjørlykke a2265f73b5 packet: Whitespace cleanup
Change-Id: I47d7994b5670ec6b954444b53aa9572f3ba5a047
Reviewed-on: https://code.wireshark.org/review/25682
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2018-02-08 09:54:16 +00:00
Guy Harris cb1a6528f9 Get rid of the pkt_encap field in struct packet_info.
pinfo->pkt_encap is just a copy of pinfo->phdr->pkt_encap; no need for
the copy.

Expand a comment while we're at it.

Change-Id: I5fcfe694ecba42507f1d629d01440da0a0989501
Reviewed-on: https://code.wireshark.org/review/25643
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-02-06 20:35:47 +00:00
Gerald Combs d0d15ef5df Avoid ASN.1 frame.protocols duplication.
Some of the ASN.1 dissectors process their data indirectly through
dissector tables. Add dissector_try_string_new so that they can do so
without appending duplicate entries to frame.protocols.

Change-Id: If9e12d81f9d0cc5b3bf19816e675a0fb79d904a6
Reviewed-on: https://code.wireshark.org/review/24886
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-12-19 21:03:04 +00:00
João Valverde db140dd500 Add new dissector callback signature with data pointer
This is useful to implement language bindings (Lua, Python, etc) and
good practice in general.

Non-breaking change to the API.

Change-Id: I8d16c14880e5aa53212af8418c468a6ec3aa8954
Reviewed-on: https://code.wireshark.org/review/24814
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
2017-12-14 22:12:47 +00:00
Peter Wu 9ac02f18c9 packet: ensure consistent layer number for heuristics dissector
DTLS decryption works for single-pass dissection, but breaks in the
second pass. Turns out that "curr_layer_num" has decremented in the
second pass, resulting in a failure to lookup the decrypted data.
This decryption issue was triggered by v2.3.0rc0-3740-ge1f84f985e
("Fix Decode As for protocols that may use tunneling.").

The first time the UDP dissector invokes "dissector_try_heuristic", the
second time "call_heur_dissector_direct". The first one increments
"curr_layer_num", so do the same in the second case.

Change-Id: I62679b817b02f42d073cfc07b88ec36d5bec5f04
Bug: 14243
Fixes: v1.11.4-rc1-468-g2cfda31ff0 ("Change the signature of dissector_try_heuristic() to return hdtbl_entry")
Reviewed-on: https://code.wireshark.org/review/24565
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-11-24 05:20:49 +00:00
Michael Mann 800b26edbe Remove circuit API
Replace with conversation API that limits the "endpoint" to a single
uint32 value.

The intention is to eventually have "layered" endpoints, because circuit_id
was used in cases where src/dest port have already been populated (and
are used for layers above).  Those src/dest ports should just be treated
as just another endpoint, but we currently only have support for one.

Change-Id: Ic6aa7ef0241275aa4dfde9459194369b48c72960
Reviewed-on: https://code.wireshark.org/review/24369
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-11-13 05:21:36 +00:00
João Valverde ba6dd97081 Remove epan win32 x86 assembly
Not used. Remove also weird pre-hash hash optimization in proto.c.

Change-Id: Ibebc12dbe90ac1d05fb1ba601d32fe98797fbd56
Reviewed-on: https://code.wireshark.org/review/24254
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-11-05 23:20:20 +00:00
Michael Mann e00162301b Ensure endpoint members of packet_info structure are initialized in packet.c
Change-Id: I4c7a4f9888c8bdc87ded88fa997aa2aad9530fd7
Reviewed-on: https://code.wireshark.org/review/24218
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-11-03 13:59:29 +00:00
Guy Harris 2b615cf322 Also display the protocol with -G dissector-tables.
Change-Id: If5c61195ad6bfb86c8e047428abaa6b0d48e7d74
Reviewed-on: https://code.wireshark.org/review/24142
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-10-28 04:26:19 +00:00
Guy Harris 985c0594a5 Indicate Decode As support in the -G dissector-tables output.
Change-Id: I95535ba11fdcac37057d1441e850ddf5455d32cf
Reviewed-on: https://code.wireshark.org/review/24141
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-10-28 04:18:22 +00:00
Guy Harris 7c9ec1d13c Don't add for "Decode As" if the dissector table doesn't support it.
While we're at it, consistently use "name" as the name of the argument
giving the dissector table name.

Change-Id: Ied54c88d0d3dd467fe9067b008b49ead754c31a2
Reviewed-on: https://code.wireshark.org/review/24131
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-10-28 02:44:19 +00:00
Pascal Quantin c6a0e2a791 packet.c: fix a control flow issue reported by Coverity (CID 1418671)
Let's perform the check before potentially breaking the loop.

While we are at it, let's update the test to remove the last layer so as to
match the one used to add it.

Change-Id: I5807219de75c4e2c23b9435d6271ad60aec45783
Reviewed-on: https://code.wireshark.org/review/23844
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-10-09 04:35:28 +00:00
Gerald Combs cd90f732a1 Improve frame.protocols accuracy.
During single-pass tshark dissection we can end up adding "Protocols in
frame: ...:tcp:http" to the tree even though we haven't dissected HTTP.
This may be true of other protocols as well.

Remove our last layer when we haven't added any items to the tree.
Decrement curr_layer_num as well. Update the layer logic in
dissector_try_heuristic to match call_dissector_work.

Change-Id: Ibc0591e774761e9496d056080c980243a0447066
Reviewed-on: https://code.wireshark.org/review/23508
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2017-09-27 21:58:36 +00:00
Michael Mann 69250aa51e Add support for dissector tables of type FT_NONE.
This is for dissectors that have "payloads" that don't have
a unique identifier to determine a sub dissector.

For the command line parameter -d, specifying a selector is no longer
required for dissector tables of type FT_NONE.

Change-Id: I3370d9e0dc147deeca4f26b842fe35dc3bda876e
Reviewed-on: https://code.wireshark.org/review/22574
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-09-16 11:12:52 +00:00
Michael Mann c729027731 epan: Properly cleanup registered postdissectors
wanted_hfids member was never properly freed. Fix indentation too.

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2198
Bug: 13996
Change-Id: I8297df2158fd0ae8123223f4622ae952a218a07a
Reviewed-on: https://code.wireshark.org/review/23167
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-08-29 03:53:04 +00:00
Martin Kaiser 55f98f6aff Simplify dissector_try_uint_new().
Exit straight away if there's no entry for our value in the dissector
table.

Change-Id: I2637b4f03cb852dca0a6993b9f63fdc15e8edc58
Reviewed-on: https://code.wireshark.org/review/21165
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-04-17 20:47:21 +00:00
Martin Kaiser 07e2f65b96 Fix the description of dissector_try_uint_new().
We return the number of bytes consumed by the dissector.

Change-Id: Icc22c9e033dfb11f230fb59cfb79932bc8c80548
Reviewed-on: https://code.wireshark.org/review/21164
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
2017-04-17 17:55:49 +00:00
Guy Harris 407a2b07e5 Rename some routines and structure members.
They deal with sets of hfids, which can belong to protocols as well as
fields (I guess you could argue that a protocol is a field, but...).

Change-Id: Ibd103cfa26427ead4ef54be89f1251908004cfae
Reviewed-on: https://code.wireshark.org/review/21154
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-04-17 01:49:01 +00:00
Guy Harris 847c25c5a7 Prime the epan_dissect_t with postdissector wanted fields if necessary.
This makes sure that postdissectors that indicate that they need certain
fields in the first pass will get them.

While we're at it:

Fix the field-fetching code in TRANSUM not to assume it got any
instances of the field being fetched.

Rename process_packet_first_pass() in sharkd to process_packet(), as
it's the only routine in sharkd that processes packets.

Rename process_packet() in tshark and tfshark to
process_packet_single_pass(), as it's what's used if we're only doing
one-pass analysis.

Clean up comments and whitespace.

Change-Id: I3769af952c66f5ca4b68002ad6213858ab9cab9b
Reviewed-on: https://code.wireshark.org/review/21063
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-04-12 23:33:37 +00:00
Guy Harris c079255539 Add an API to let a postdissector specify fields whose values it needs.
Currently, this is only used to determine whether a protocol tree needs
to be built on the first pass or not - if there are postdissectors that
need fields, it does - but eventually we should be able to use it to
prime the dissection to deliver those fields in cases where we don't
need the *entire* protocol tree (rather than using a hack such as
cooking up a fake tap with a fake filter to do that).

Update MATE and TRANSUM to use it.

Clean up code to check whether we need a protocol tree, and add comments
before that code indicating, in each case, what the criteria are.

The array of postdissectors includes a length, so we don't need to
separately keep track of the number of postdissectors.

Clean up indentation while we're at it.

Change-Id: I71d4025848206d144bc54cc82941089a50e80ab7
Reviewed-on: https://code.wireshark.org/review/21029
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-04-12 04:31:19 +00:00
Michael Mann b54c438011 Convert conversation hash tables to use wmem.
Simplifies cleanup because wmem can handle the memory cleanup.

Change-Id: Idc6a9bfe5f23c83b59a5278a64b9fb706862342d
Reviewed-on: https://code.wireshark.org/review/20042
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-02-10 13:26:14 +00:00
Stig Bjørlykke 07c1832e85 Remove unused variable initialization.
Change-Id: I674afef24938f3b860171d87640a6228ee042e82
Reviewed-on: https://code.wireshark.org/review/19862
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2017-01-30 10:10:35 +00:00
Martin Mathieson 1bfa581529 Snort: add a preference to show alert in reassembled frame
Change-Id: Ia29d451857995b186c88193c9722ae156eb3f66d
Reviewed-on: https://code.wireshark.org/review/19729
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-01-28 03:53:09 +00:00
Dario Lombardo d6b19f59b7 packet: add post_dissectors cleanup.
Change-Id: I9924425f1754c151552f41e23d20c7d4e6f1bf29
Reviewed-on: https://code.wireshark.org/review/19696
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-20 21:03:18 +00:00
Dario Lombardo 5df8d09cdc packet: clean shutdown routines.
Change-Id: I620c683d77c724181a506e10f9d06a3944878690
Reviewed-on: https://code.wireshark.org/review/19679
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-19 23:57:46 +00:00
Dario Lombardo 07541f1f68 epan: add shutdown function for dissectors.
Dissectors can register shutdown functions, that will be called
just before program exit. Those functions will free the memory
allocated during the init function.

Change-Id: Id88228af2cc916bfb316fe7b36d46499f6e4f8d4
Reviewed-on: https://code.wireshark.org/review/19282
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-19 21:40:46 +00:00
Martin Kaiser b3432de4cf packet.c: use call_routine() for all lists
For running through the postseq cleanup and final registration lists, we
can use the same dummy function call_routine() that is used for the init
and the cleanup lists. We don't need our own copies.

Change-Id: Ia1ea647d5831adda26dab86eceba8fcf704ce122
Reviewed-on: https://code.wireshark.org/review/19668
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-19 04:39:32 +00:00
Dario Lombardo 37f4e42e98 packet: free postseq_cleanup_routines list.
Change-Id: Ic1972399b706407ce8f15a3e554f1304a36d1009
Reviewed-on: https://code.wireshark.org/review/19663
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
2017-01-18 20:55:11 +00:00
Dario Lombardo 57f530a7fe packet: free init/cleanup functions lists.
Change-Id: Ia28ceef189f8fe16105da88c01e1a159d5029c0a
Reviewed-on: https://code.wireshark.org/review/19655
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-17 15:40:15 +00:00
Peter Wu 4dc983d648 packet: fix memleak of "short_name" for heuristics dissectors
Change-Id: I3b954e3623473899b6039f0ff572eb56defe14cc
Fixes: v2.3.0rc0-1841-ga8b68205a4 ("packet: duplicate short_name to fix UAF in wslua")
Reviewed-on: https://code.wireshark.org/review/19571
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-07 00:46:29 +00:00
Michael Mann 6a6d7ea34f Convert range API to always use wmem memory.
This is mostly to address memory leaks in range preferences (the biggest
user of range functionality) on shutdown.
Now range preferences must use epan scoped memory when referencing
internal preference structures to keep consistency.

Change-Id: Idc644f59b5b42fa1d46891542b53ff13ea754157
Reviewed-on: https://code.wireshark.org/review/19387
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-07 00:44:10 +00:00
Michael Mann ab075d3563 Use g_slist_find_custom instead of g_slist_nth when just looking for item in list.
Change-Id: Ida3c5d5826f0ca01a25052a67f1460ff4686008f
Reviewed-on: https://code.wireshark.org/review/19513
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-01-02 23:16:34 +00:00
Michael Mann a0be5ad6f1 Add interface for "pinos" (Protocols in name only)
This is for dissectors that need distinguishing names either for registering
multiple dissection functions in a single dissector table or for "internal"
dissectors that just need a name associated with the dissection function.
Features like enable/disable are handled by the "parent" protocol.
This avoids clutter in the "official" protocol list.

Change-Id: I69e7d27d332ae85286f254e95e8d79920da7a9e2
Reviewed-on: https://code.wireshark.org/review/19464
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-12-31 13:08:41 +00:00
Peter Wu a8b68205a4 packet: duplicate short_name to fix UAF in wslua
The "short_name" parameter of heur_dissector_add is defined as const
(and was assumed to be a string literal). This was no longer the case
though since a change in Lua where "short_name" is a dynamically
allocated string.

This "simple" fix clones the memory for internal use to avoid a
heap-use-after-free when heur_dissector_delete tries to access
"short_name".

An alternative option is to make Proto_register_heuristic track the
memory, but since there are multiple possible heuristics lists for a
protocol, the Proto (struct _wslua_field_t) structure is not
appropriate. A possible working alternative is to store the string into
lua_heur_dissectors_table_ref (replacing the value (function) by a tuple
{function,short_name}).

Change-Id: I6c6b393f4d304dd847e864da6ad17b54c8cd80e2
Fixes: v2.3.0rc0-1474-g7f2a838922 ("lua: Allow proto:register_heuristic to be used on multiple list names")
Reviewed-on: https://code.wireshark.org/review/19365
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Franklin Mathieu <snaipe@diacritic.io>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2016-12-21 09:58:03 +00:00
Dario Lombardo e7ba5d78ea packet.c: add initializer.
As per glib manual, GSLists need to be NULL initialized.

Change-Id: If78904b900f6ddd7a0afaf3a1c480ec7626f2027
Reviewed-on: https://code.wireshark.org/review/19281
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-12-15 13:52:51 +00:00
João Valverde 79de3f5e29 packet.c: split register_dissector into two separate functions
Allows for better code reuse.

Change-Id: I0f929e2548cf60905285d62c1095f85565a1c147
Reviewed-on: https://code.wireshark.org/review/18439
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
2016-10-24 19:11:14 +00:00
João Valverde 749ffd94d4 Remove some code duplication in packet.c
Change-Id: I60d71e0e4e7f3c35bec33910ecf4230569a1718c
Reviewed-on: https://code.wireshark.org/review/18438
Reviewed-by: João Valverde <j@v6e.pt>
2016-10-24 19:08:06 +00:00
Michael Mann 31a35aa9e6 Cleanup from adding Decode As TCP preferences.
1. Fix bug caught by scan build (module not read)
2. Remove range preference call that should have been part of original patch.

Change-Id: I24b1fb253548bffddc4c8ebfc3ede666d8fd9dcd
Reviewed-on: https://code.wireshark.org/review/18143
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-10-12 00:56:15 +00:00
Michael Mann 268841f3e0 Combine Decode As and port preferences for tcp.port dissector table.
This patch introduces new APIs to allow dissectors to have a preference for
a (TCP) port, but the underlying data is actually part of Decode As functionality.
For now the APIs are intentionally separate from the regular APIs that register a
dissector within a dissector table.  It may be possible to eventually combine the
two so that all dissectors that register with a dissector table have an opportunity
to "automatically" have a preference to adjust the "table value" through the
preferences dialog.

The tcp.port dissector table was used as the guinea pig.  This will eventually be
expanded to other dissector tables as well (most notably UDP ports).  Some
dissectors that "shared" a TCP/UDP port preference were also converted. It also
removed the need for some preference callback functions (mostly when the callback
function was the proto_reg_handoff function) so there is cleanup around that.

Dissectors that have a port preference whose default was 0 were switched to using
the dissector_add_for_decode_as_with_preference API rather than dissector_add_uint_with_preference

Also added comments for TCP ports used that aren't IANA registered.

Change-Id: I99604f95d426ad345f4b494598d94178b886eb67
Reviewed-on: https://code.wireshark.org/review/17724
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-10-08 02:44:53 +00:00
Guy Harris a4c8ebc18b Don't do any Decode As stuff for dissector tables not used with Decode As.
Have all dissector tables have a "supports Decode As" flag, which
defaults to FALSE, and which is set to TRUE if a register_decode_as()
refers to it.

When adding a dissector to a dissector table with a given key, only add
it for Decode As if the dissector table supports it.

For non-FT_STRING dissector tables, always check for multiple entries
for the same protocol with different dissectors, and report an error if
we found them.

This means there's no need for the creator of a dissector table to
specify whether duplicates of that sort should be allowed - we always do
the check when registering something for "Decode As" (in a non-FT_STRING
dissector table), and just don't bother registering anything for "Decode
As" if the dissector table doesn't support "Decode As", so there's no
check done for those dissector tables.

Change-Id: I4a1fdea3bddc2af27a65cfbca23edc99b26c0eed
Reviewed-on: https://code.wireshark.org/review/17402
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-08-31 00:08:01 +00:00
Pascal Quantin 2095b32599 call_heur_dissector_direct: do not trigger an assert if heuristic dissector rejects packet
This can happen for example if the heuristics changed between the Wireshark
version used to export PDUs, and the one used to open the file.
Instead, call data dissector.

Change-Id: I29f7754f883fd710c3557a610583ef988ca13e43
Reviewed-on: https://code.wireshark.org/review/17280
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-08-24 07:26:40 +00:00
Michael Mann 1da1f945e2 Fix checkAPI.pl warnings about printf
Many of the complaints from checkAPI.pl for use of printf are when it's embedded
in an #ifdef and checkAPI isn't smart enough to figure that out.
The other (non-ifdef) use is dumping internal structures (which is a type of
debug functionality)
Add a "ws_debug_printf" macro for printf to pacify the warnings.

Change-Id: I63610e1adbbaf2feffb4ec9d4f817247d833f7fd
Reviewed-on: https://code.wireshark.org/review/16623
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-07-25 04:26:50 +00:00
Gerald Combs adec7c424e Allocate data sources using wmem.
Use wmem_strdup + the pinfo pool instead of g_strdup.

Change-Id: I11fbb5ce31b7139421c558ee65ca43c8d8e85900
Reviewed-on: https://code.wireshark.org/review/16445
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-07-16 06:47:32 +00:00
Guy Harris fea50cc4d6 Handle dissectors that don't have names.
Dissector handles created with create_dissector_handle() don't have a
name; report them as "(anonymous)" (there's no guarantee that the printf
family of routines don't crash when a null pointer is provided to %s -
the printf routines in at least some versions of Solaris *do* crash in
that case).

Change-Id: I561ff855a46eeb442299011d567f20751c5c6869
Reviewed-on: https://code.wireshark.org/review/16399
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-07-12 18:26:24 +00:00
Guy Harris 6cc90dde53 As with dissector_add_uint(), so with dissector_add_{string,guid}.
Improve the error message for a null dissector handle.

Fix indentation while we're at it.

Change-Id: I1cb2f8ac52e56fc98f6b3ad981018f571e5a7bf0
Reviewed-on: https://code.wireshark.org/review/16060
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-06-21 18:21:42 +00:00
Joerg Mayer d970da4025 Slightly improve error message in case of initialization errors.
Change-Id: Icb5d4f0f3bc60970737abbf62044f4550e8d3ca3
Reviewed-on: https://code.wireshark.org/review/16059
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
2016-06-21 18:00:03 +00:00
Gerald Combs d25a60c1c1 More Sysdig / system event support.
Add REC_TYPE_SYSCALL to wiretap and use it for Sysdig events. Call the
Sysdig event dissector from the frame dissector. Create a "syscall"
protocol for system calls, but add "frame" items to it for now.

Add the ability to write Sysdig events. This lets us merge packet
capture and syscall capture files.

Change-Id: I12774ec69c89d8e329b6130c67f29aade4e3d778
Reviewed-on: https://code.wireshark.org/review/15078
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-06-15 13:39:29 +00:00
Michael Mann 0ef1d941ea Allow control of individual columns to be (un)writable.
Most protocols just want to limit COL_INFO or COL_PROTOCOL
so give that level of granularity.

Bug: 12144
Bug: 5117
Bug: 11144
Change-Id: I8de9b7d2c69e90d3fbfc0a52c2bd78c3de58e2f8
Reviewed-on: https://code.wireshark.org/review/15894
Reviewed-by: Jeff Morriss <jeff.morriss.ws@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-06-15 06:03:57 +00:00
Dario Lombardo 9bb4edfeec packet.c: remove const compiler warning.
Change-Id: Ida9384dccb0e8bacbc9aad39515c3dae9c5ce563
Reviewed-on: https://code.wireshark.org/review/14768
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-06-14 21:42:28 +00:00
AndersBroman 2a08bd75b6 Enhance error printout if register_dissector_table() is called with wrong
type.

Change-Id: I7af0d89441b9ab87e9ed8dd0d52ca7f6ad82b896
Reviewed-on: https://code.wireshark.org/review/15458
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-05-16 20:44:02 +00:00
Martin Kaiser 9a8a454b0a CID 1215245, 1215247: NULL check for the param of proto_get_id()
Change-Id: Ie1bcbffdc0040bf25e32c763185befb0231f4173
Reviewed-on: https://code.wireshark.org/review/15320
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-05-09 23:40:50 +00:00
Guy Harris 450c0d518b Improve the message for duplicate dissectors for a protocol.
Report the names for the dissectors as well as the protocol and
dissector table name.

Change-Id: I901b396a1310f0d98b68c9499038fe2f38498ee1
Reviewed-on: https://code.wireshark.org/review/14948
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-04-17 06:45:44 +00:00
Peter Wu a14e7a7ce1 Avoid UAF after deregister_dissector
When deregister_dissector is called by Lua, the protocol was not
properly removed from the dependent dissectors list. Fix this and also
duplicate the memory for keys and values since these strings might be
dynamically allocated.

Fixes a use-after-free after reloading Lua dissectors that use
DissectorTable:add() and opening a new/closing an existing capture file.

Change-Id: If2ae02f155e7ab8fc653c08003755897471f9be0
Reviewed-on: https://code.wireshark.org/review/14735
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-04-02 23:00:00 +00:00
Michael Mann 1e60d63c8c Create call_data_dissector() to call data dissector.
This saves many dissectors the need to find the data dissector and store a handle to it.

There were also some that were finding it, but not using it.
For others this was the only reason for their handoff function, so it could be eliminated.

Change-Id: I5d3f951ee1daa3d30c060d21bd12bbc881a8027b
Reviewed-on: https://code.wireshark.org/review/14530
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-20 17:38:03 +00:00
Michael Mann 6da50e2fde Start work on API to generate protocol dependency tree.
Dissector and heuristic tables now setup protocol dependencies.
"Manual" dependencies in separate patch.

Ping-Bug: 1402
Change-Id: I8da1239306de8676dcb05f8807914376816fc44f
Reviewed-on: https://code.wireshark.org/review/14447
Petri-Dish: Roland Knall <rknall@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-20 12:48:31 +00:00
Michael Mann e37275bfde Associate dissector tables and heuristic subdissector lists with a protocol.
This will make it easier to determine protocol dependencies.

Some LLC OUI dissector tables didn't have an associated protocol, so they were left without one (-1 used)

Change-Id: I6339f16476510ef3f393d6fb5d8946419bfb4b7d
Reviewed-on: https://code.wireshark.org/review/14446
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-17 00:05:17 +00:00
Stig Bjørlykke 6f220a343e Lua: Remove heur dissectors when reload Lua plugins
When reloading Lua plugins all registered heuristic dissectors
must be removed.

Bug: 12251
Change-Id: Ib7da6df347fb9294f5394ae531b582bf6d2730bb
Reviewed-on: https://code.wireshark.org/review/14429
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2016-03-13 10:51:44 +00:00
João Valverde e4c059f67f Add free_address_wmem(), fix warnings [-Wcast-qual]
Try to improve address API and also fix some constness warnings
by not overloading the 'data' pointer to store malloc'ed buffers
(use private pointer for that instead).

Second try, now passing test suite.

Change-Id: Idc101cd866b6d4f13500c9d59da5c7a38847fb7f
Reviewed-on: https://code.wireshark.org/review/13946
Petri-Dish: João Valverde <j@v6e.pt>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
2016-02-26 23:09:43 +00:00
João Valverde 95dee44a77 const gpointer -> gconstpointer
'const gpointer' is the same as 'void *const'. Replace with gconstpointer
where straightforward (assuming that was the intent) and use gpointer everywhere
else for clarity (that does not change *API* constness contract; it just means
a variable is not declared immutable inside the called function).

Change-Id: Iad2ef13205bfb4ff0056b2bce056353b58942267
Reviewed-on: https://code.wireshark.org/review/13945
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-02-16 05:10:49 +00:00
João Valverde ef929dc8eb Revert "Add free_address_wmem() and other extensions to address API"
This reverts commit 13ec77a9fc.

This commit introduces a segmentation fault for Lua code (uncovered by the test suite).

Change-Id: Ibc273d1915cda9632697b9f138f0ae104d3fb65e
Reviewed-on: https://code.wireshark.org/review/13813
Reviewed-by: João Valverde <j@v6e.pt>
2016-02-08 00:44:22 +00:00
João Valverde 13ec77a9fc Add free_address_wmem() and other extensions to address API
Try to improve 'address' API (to be easier/safer) and also avoid
some constness warnings by not overloading the 'data' pointer to
store malloc'ed buffers (use private pointer for that instead).

Change-Id: I7456516b12c67620ceadac447907c12f5905bd49
Reviewed-on: https://code.wireshark.org/review/13463
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
2016-02-07 23:22:30 +00:00
Guy Harris bc5a0374bf Add the packet number to the packet_info structure, and use it.
That removes most of the uses of the frame number field in the
frame_data structure.

Change-Id: Ie22e4533e87f8360d7c0a61ca6ffb796cc233f22
Reviewed-on: https://code.wireshark.org/review/13509
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-24 03:41:28 +00:00
Guy Harris e119532e11 Set the pinfo time stamps based on the frame_data time stamps.
That takes into account any time-shifting that's been done.

Change-Id: Ib4c01e7b055f5ac2f1111bcbe946c6094dcb70ae
Reviewed-on: https://code.wireshark.org/review/13502
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 04:10:20 +00:00
Guy Harris 9141bd9700 Add more fields to packet_info structure and use them.
Add fields for the absolute time stamp (and another field for a presence
flag for the absolute time stamp) and the packet encapsulation for the
packet.

This lets us remove the field for the packet encapsulation in the
frame_data structure; do so.

Change-Id: Ifb910a9a192414e2a53086f3f7b97f39ed36aa39
Reviewed-on: https://code.wireshark.org/review/13499
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-23 03:50:58 +00:00
Guy Harris ab784d60b3 Rename new_dissector_t to dissector_t.
There are no longer any "old" dissectors, so "new_" is redundant.

Change-Id: I5fee51228c2a8562166f5991e1f30c2c697e45c8
Reviewed-on: https://code.wireshark.org/review/13273
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-01-14 01:03:10 +00:00
Peter Wu a5a2c3c04f Fix infinite loop for when port max range is -1
Due to integer overflow (unsigned -1 + 1 = 0), a call to
dissector_add_uint_range would be stuck in an infinite loop, eventually
crashing due to out of memory.

Found when setting radius.alternate_port:-1, but could happen with any
dissector using similar ports_range constructs.

Change-Id: Ia234e94516446250e959e0f51d552bef704cddff
Reviewed-on: https://code.wireshark.org/review/13153
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-01-12 08:25:38 +00:00
moshekaplan cd7026951b Fix a lot of typos and misspellings
Change-Id: I8512cfa1d424f82a873a0e0e1d22c7b075fdd7f3
Reviewed-on: https://code.wireshark.org/review/13069
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-01-08 20:04:56 +00:00
Michael Mann b344107d75 Make color filters part of dissection
Color filters can be seen as a function that takes a tree and display
filters as input and a (possibly empty) coloring rule as output.
This coloring rule is then added to the frame tree and used by the GUI
for coloring the packets list.

From an architectural POV, "coloring" is part of the UI component, but
since it influences the tree, it is something for the dissection
component.

Bug: 5703
Bug: 6099
Change-Id: I73d132ec1dca7262bcb1b55c8481ca564c6161d1
Reviewed-on: https://code.wireshark.org/review/12507
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-01-01 17:36:11 +00:00
Guy Harris bc13e834cc Don't cast away constness for the key in g_hash_table_lookup().
Change-Id: Ibd5cf8947028d90a734de629e3c4202af9d0514b
Reviewed-on: https://code.wireshark.org/review/12887
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-12-28 22:24:56 +00:00
Stig Bjørlykke 2fd168c134 epan: Don't export deregister functions
Most of the deregister functions are used internally from Lua
while reloading plugins.  Don't export them for others to use.

Change-Id: I919dbfa807f696c38d409ca7206104a0fba1ae65
Reviewed-on: https://code.wireshark.org/review/12508
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2015-12-11 08:35:11 +00:00
Michael Mann 99028789cb Completely remove new_create_dissector_handle and new_register_dissector.
The macros are no longer needed because the conversion is complete.

Change-Id: I42c4b937986d9707eff9225c444cbcab73f8e86a
Reviewed-on: https://code.wireshark.org/review/12517
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-11 03:43:03 +00:00
Michael Mann 55fa72224a new_create_dissector_handle_with_name -> create_dissector_handle_with_name
Change-Id: I32d30ada66ee68782194905a8aa669c07f0dc204
Reviewed-on: https://code.wireshark.org/review/12482
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-12-09 03:13:04 +00:00
Michael Mann 3cb5d94018 Completely remove "old style" dissector support.
The typedef for the "old style" has been removed as well as any old vs new style checks.

The release notes have been updated to reflect the API change, even though the search/replace of the "new style" function names hasn't happened yet. But it will be coming shortly...

Change-Id: I6d1eeb51d30e3b2b27f0eafd85fe0ddc0ca25b14
Reviewed-on: https://code.wireshark.org/review/12153
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-11-26 12:34:50 +00:00
Michael Mann 486dd13af3 Remove create_dissector_handle
Change-Id: I1ad7c112eda45a41c3f94b04348e328d44d8f585
Reviewed-on: https://code.wireshark.org/review/12152
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-26 03:18:30 +00:00
Michael Mann 5088030826 Remove register_dissector.
new_register_dissector will eventually take its place, but that search/replace should be done when all "old style" APIs have been removed.

Change-Id: Ic3fdec67d5761fd72beeca7355f9de617562bb77
Reviewed-on: https://code.wireshark.org/review/12095
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-24 14:52:50 +00:00
Michael Mann 74541a9596 Don't allow multiple registrations of a protocol in dissector tables.
The target here is the Decode As dialog where protocols have multiple registrations into a dissector table and that shows up as multiple entries in the Decode As dialog list with the same name so users are unsure which "dissector" they are choosing.

The "default" behavior (done in this commit) is to not allow duplicates for a dissector table, whether it's part of Decode As or not. It's just ENFORCED for Decode As.

Bug: 3949
Change-Id: Ibe14fa61aaeca0881f9cc39b78799e314b5e8127
Reviewed-on: https://code.wireshark.org/review/11405
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-04 12:39:40 +00:00
Guy Harris ff9f9fc431 Don't include "file.h" if you don't need it.
It ends up dragging in libwireshark headers, which programs not linking
with libwireshark shouldn't do.  In particular, including
<epan/address.h> causes some functions that refer to libwireshark
functions to be defined if the compiler doesn't handle "static inline"
the way GCC does, and you end up requiring libwireshark even though you
shouldn't require it.

Move plurality() to wsutil/str_util.h, so that non-libwireshark code can
get it without including epan/packet.h. Fix includes as necessary.

Change-Id: Ie4819719da4c2b349f61445112aa419e99b977d3
Reviewed-on: https://code.wireshark.org/review/11545
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-11-04 08:46:30 +00:00
Michael Mann 89c96d2772 Add GUID dissector table support.
It seems like DCE/RPC could benefit from a GUID dissector table, where a dissector can register its GUID with a dissector handle. So here is a basic start.

Change-Id: Id407117687a1a648d87f6f99c2ecbf858d8c0911
Reviewed-on: https://code.wireshark.org/review/4718
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-11-01 11:50:46 +00:00
Michael Mann 42f5d862b0 Remove heur_dissector_set_enabled.
With the adjustment to heur_dissector_add passing an enable/disable flag and "global" control of heuristic dissectors just like regular ones, this is no longer needed.

Change-Id: I2d433c7bff8353421eca31f8813992e38b716911
Reviewed-on: https://code.wireshark.org/review/10848
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 03:42:04 +00:00
Gerald Combs 6d10efc6dd Qt: Add the Dissector Tables dialog.
Add the "Internals" menu under the View menu instead of at the top level
for now at least. Add the Dissector Tables dialog there.

Change-Id: Ieb23b0015591bac196e4ef94e3443832288333f9
Reviewed-on: https://code.wireshark.org/review/10654
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2015-09-27 16:19:05 +00:00
Guy Harris 741ee8cce5 Arguably, some sort of assert belongs there.
Passing a null pointer probably means there's really something else
wrong at a higher level.  If we could arrange that the DISSECTOR_ASSERT
macros do something useful when *not* executed during a dissection, that
would work.

Change-Id: I2605d1e1f97d35370736852aaf29eeaf2c560279
Reviewed-on: https://code.wireshark.org/review/10592
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-09-20 19:13:16 +00:00
Guy Harris 1d6710f1dd Return NULL from routines that return pointers, for stylistic consistency.
Change-Id: Idfc236f712e288662bab618e72cd68263950fff4
Reviewed-on: https://code.wireshark.org/review/10591
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-09-20 19:09:07 +00:00
Stig Bjørlykke 88f334bc39 Fixed a comment in cleanup_dissection
Change-Id: I445e09803023d1a22a663ba0501c013f113b5bfe
Reviewed-on: https://code.wireshark.org/review/10045
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2015-08-15 17:33:08 +00:00
Stig Bjørlykke ecc4f756bd Added Reload Lua plugins.
This is initial support for reloading Lua plugins without
restarting the application.

Still todo:
- Deregister FileHandlers
- Support deregister ProtoField with existing abbrev (same_name_hfinfo)
- Add a progress dialog when reloading many plugins
- Search for memory leakages in wslua functions

Change-Id: I48870d8741251705ca15ffe1068613fcb0cb18c1
Reviewed-on: https://code.wireshark.org/review/5028
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2015-08-11 12:09:07 +00:00
Michael Mann 2c534a93ac Add Enabled Protocols dialog for Qt
This dialog combines the "protocols" and heuristic dissectors (from GTK) into a single tree view where heuristic dissectors are children of their protocol.

Change-Id: I107656afd079c1d1c8a98161b736e4b4ad84f813
Reviewed-on: https://code.wireshark.org/review/9739
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-07-23 09:15:36 +00:00
Pascal Quantin eb1ccbdccd Protect dissector_get_(default_)string_handle() against NULL input string
Bug: 11381
Change-Id: Ib102a23b3d840144757ce692312ff13009c5c95e
Reviewed-on: https://code.wireshark.org/review/9717
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-07-20 19:25:38 +00:00
Pascal Quantin 21b99e3ece Remove functions that got reintroduced by error in g21e5a95
Change-Id: I5e5956727641be3e377109dd032da76f6b21c481
Reviewed-on: https://code.wireshark.org/review/9707
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-07-19 20:26:46 +00:00