Field infos have a length property that was not stored with the
field value so when using a negative index the end was computed
from the captured length of the frame tvbuff, leading to incorrect
results. The documentation in wireshark-filter(5) describes how
this was supposed to work but as far as I can tell it never worked
properly.
We now store the length and use that (when it is different from -1)
to locate the end of the protocol data in the tvbuff. An extra wrinkle
is that sometimes the length is set after the field value is created.
This is the most common case as the majority of protocols have a
variable length and dissection generally proceeds with a TVB subset from
the current layer (with offset zero) through all remaining layers to the
end of the captured length. For that reason we must use an expedient to allow
changing the protocol length of an existing protocol fvalue, whenever
proto_item_set_len() is called.
Fixes#17772.
Add support for display filter binary addition and subtraction.
The grammar is intentionally kept simple for now. The use case
is to add a constant to a protocol field, or (maybe) add two
fields in an expression.
We use signed arithmetic with unsigned numbers, checking for
overflow and casting where necessary to do the conversion.
We could legitimately opt to use traditional modular arithmetic
instead (like C) and if it turns out that that is more useful for
some reason we may want to in the future.
Fixes#15504.
This adds a _ws.ftypes namespace with protocol fields with all
the existing field types.
Currently this is only useful to debug the display filter compiler,
without having to find a real protocol field with the desired type.
Later it may find other uses.
This change implements a unary minus operator.
Filter: tcp.window_size_scalefactor == -tcp.dstport
Instructions:
00000 READ_TREE tcp.window_size_scalefactor -> reg#0
00001 IF_FALSE_GOTO 6
00002 READ_TREE tcp.dstport -> reg#1
00003 IF_FALSE_GOTO 6
00004 MK_MINUS -reg#1 -> reg#2
00005 ANY_EQ reg#0 == reg#2
00006 RETURN
It is supported for integer types, floats and relative time values.
The unsigned integer types are promoted to a 32 bit signed integer.
Unary plus is implemented as a no-op. The plus sign is simply ignored.
Constant arithmetic expressions are computed during compilation.
Overflow with constants is a compile time error. Overflow with
variables is a run time error and silently ignored. Only a debug
message will be printed to the console.
Related to #15504.
Add support for masking of bits. Before the bitwise operator
could only test bits, it did not support clearing bits.
This allows testing if any combination of bits are set/unset
more naturally with a single test. Previously this was only
possible by combining several bitwise predicates.
Bitwise is implemented as a test node, even though it is not.
Maybe the test node should be renamed to something else.
Fixes#17246.
This shared variable hidden behind a macro does not provide any
efficiency gains and just obscures the code. Move the boolean to
the fvalue protocol struct, where it belongs.
A literal value is a value that cannot be interpreted as a
registered protocol. An unparsed value can be a literal or
an identifier (protocol/field) according to context and the
current disambiguation rules.
Strictly literal here is to be understood to mean "numeric
literal, including numeric arrays, but not strings or character
constants".
Split ws_regex_matches() into two functions with better semantics
and remove the WS_REGEX_ZERO_TERMINATED symbol.
ws_regex_matches() matches zero terminated strings.
ws_regex_matches_length() matches a string length in code units.
The type ssize_t is not available on Windows. Because this is
used in the public API we must provide a definition for it.
To avoid having to add a header to fix this use a size_t in
the API instead, and assign SIZE_MAX to represent a null
terminated string.
Invalid character constants should be handled in the lexical scanner.
Todo: See if some code could be shared to parse double quoted strings.
It also fixes some unintuitive type coercions to string. Character
constants should be treated as characters, or maybe integers, or
maybe even throw an invalid comparison error, but coverting to a
literal string or byte array is surprising and not particularly
useful:
'\xFF' -> "'\xFF'" (equals)
'\xFF' -> "FF" (contains)
Before:
Filter: http.request.method contains "\x63"
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method contains '\x63'
Constants:
00000 PUT_FVALUE "63" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == "\x63"
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == '\x63'
Constants:
00000 PUT_FVALUE "'\\x63'" <FT_STRING> -> reg#1
(...)
After:
Filter: http.request.method contains '\x63'
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
Filter: http.request.method == '\x63'
Constants:
00000 PUT_FVALUE "c" <FT_STRING> -> reg#1
(...)
The implementation is pre-computing the length and using that
to allocate a buffer. This doesn't have any practical advantage
and is inefficient because the code is mostly doing the same work
twice. Remove the unnecessary length pre-computation step.
FT_PROTOCOL and FT_BYTES are the same semantic type, but one is
backed by a GByteArray and the other by a TVBuff. Use the same
semantic rules to parse both. In particular unparsed strings
are not converted to literal strings for protocols.
Before:
Filter: frame contains 0x0000
Constants:
00000 PUT_FVALUE 30:78:30:30:30:30 <FT_PROTOCOL> -> reg#1
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_CONTAINS reg#0 contains reg#1
00003 RETURN
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
After:
Filter: frame contains 0x0000
dftest: "0x0000" is not a valid byte string.
Filter: frame[5:] contains 0x0000
dftest: "0x0000" is not a valid byte string.
Related to #17634.
For efficiency do the comparison in a single function call
instead of trying to preserving exactly the previous semantics.
Still I tried not to deviate much.
All the order operators can be defined in terms of 'lt'
and 'eq' so use that to reduce the number of required
methods from 6 to 2.
Further reduce to one by combining those two into a single
function that has memcmp semantics: negative return is
"less than", positive is "greater than" and zero is equal.
This utility function is useful outside of epan. Move it to wsutil
and export the interface.
The move isn't completely clean as it requires duplicating two small
inline functions but that was necessary to avoiding moving too much at
once.
The ftype-protocol has two components to its value - a tvb, which is
allowed to be be NULL (most notably in _ws.expert), and a string
description. They can also be created from string literals, such as
in display filters. It's possible to compare protocols with a NULL
tvb with protocol terms created from literals, e.g. entering the
display filter "_ws_expert < 1".
Partially revert 69e2603c48 so that
this doesn't crash, by assigning proto_string to the empty string
instead of null when creating from a literal. Fixes#17316
It's not a valid field type, it's only a hack to support regular
expression matching in packet-matching expressions.
Instead, in the packet-matching code, have a separate syntax tree type
for Perl-compatible regular expressions, and a separate instruction to
load one into a register, and have the "matching" operator for field
types take a GRegex * as the second argument.
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
TRY/CATCH are macros, before returning the ENDTRY block must be executed
or the weirdest crashes can occur.
Change-Id: Ic56871322f8567263e2b8a81cce5a3c7042301b7
Fixes: v2.1.0rc0-2939-g5493fe0167 ("Convert ftype-tvbuff.c to ftype-protocol.c")
Reviewed-on: https://code.wireshark.org/review/30095
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When converting byte array strings to a FT_PROTOCOL value (for example,
when using a display filter such as `eth contains aa:bb`), the converted
memory in GByteArray was not freed. If an error occurred (the value
cannot be parsed as hex string), then an error message was leaked.
Fix the above issues and avoid an unnecessary g_memdup.
Change-Id: I3a076b3a2384b1a0e15ea8518f2e0f66a7b6ea49
Reviewed-on: https://code.wireshark.org/review/27130
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Delete get_value_ptr from struct _ftype_t, make it
part of the get_value union.
Change-Id: I947331069662a7043bd838e622d286629cc7be9a
Reviewed-on: https://code.wireshark.org/review/20647
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_uinteger from struct _ftype_t, make it
part of the get_value union.
Change-Id: I4a6c8341676c442e2bf8ae3b8f771b72161d133c
Reviewed-on: https://code.wireshark.org/review/20640
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_sinteger from struct _ftype_t, make it
part of the get_value union.
Change-Id: I3127252cafc62389ce426639992f1d59f7ac9731
Reviewed-on: https://code.wireshark.org/review/20637
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_uinteger64 from struct _ftype_t, make it
part of the get_value union.
Change-Id: I2b06efb7691c1bd4089994849373ab8b5ff0bcc7
Reviewed-on: https://code.wireshark.org/review/20618
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete get_value_sinteger64 from struct _ftype_t, make it
part of the get_value union.
Change-Id: I0113f70ab0aadd1aa655466e896e3acce6c8faeb
Reviewed-on: https://code.wireshark.org/review/20617
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I6bbaf6a7c8a3124e5eab7a7b97c6be082fe8beff
Reviewed-on: https://code.wireshark.org/review/20611
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This is in preparation for introducing a get_value union, similar to
set_value.
Change-Id: Id0cf913a616e0314638f1531836c3136ed02631d
Reviewed-on: https://code.wireshark.org/review/20610
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Delete set_value_floating from struct _ftype_t, make it
part of the set_value union.
Change-Id: Ic00e1c70488ddc4422c34657c62af7dc07db02d9
Reviewed-on: https://code.wireshark.org/review/20556
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_sinteger64 from struct _ftype_t, make it
part of the set_value union.
Change-Id: I76668f0a6455c5d75c703cd4f440757601246bdb
Reviewed-on: https://code.wireshark.org/review/20551
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_uinteger64 from struct _ftype_t, make it
part of the set_value union.
Change-Id: I12407b7336282daa60fe6e0e742d65e205dc84fd
Reviewed-on: https://code.wireshark.org/review/20539
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_sinteger from struct _ftype_t, make it part of the
set_value union.
Change-Id: I084c4c9beba9978b538d359ebaac21391ebd7f82
Reviewed-on: https://code.wireshark.org/review/20523
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_uinteger from struct _ftype_t, make it part of the
set_value union.
Change-Id: I26de15be8ea0ede76236a8f8a4958bfd97ad9d52
Reviewed-on: https://code.wireshark.org/review/20521
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_protocol from struct _ftype_t, make it part of the
set_value union.
Change-Id: Iae55388b8a2c965944028499619282c3232c31f3
Reviewed-on: https://code.wireshark.org/review/20475
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Delete set_value_string from struct _ftype_t, make it part of the
set_value union.
Change-Id: Ia3a57245330ed0d158c8c3e4552ec5d80752fe0f
Reviewed-on: https://code.wireshark.org/review/20474
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>