[Wireshark-dev] Display Filters

2016-01-10 Thread David Morsberger
I need some help and advice on display filters because I'm new to the codebase.
I'm trying to add the capability where an 'http contains blah' filter searches
uncompressed HTTP content. I'm adding this because we use 'frame contains' and 'http
contains' in our workflow to find items of interest in the traffic. There are
items in the compressed data that we would like to find using the contains
operator.

I see how the 'http contains' filter works and how HTTP decompression works;
however, I cannot figure out how to add the decompressed data to the linked list
used for display filtering.

I believe it will work if the decompressed buffer were added to the list_a linked
list in dfvm.c. The list_a linked list only has the raw HTTP packet data, and the
next pointer is NULL when the protocol ID is http. It would seem to work if the
uncompressed data pointer were added to the end of the list_a linked list in the
read_tree method.

Thoughts/guidance?

/* From dfvm.c: TRUE if ANY fvalue in register reg1 compares true against
 * ANY fvalue in register reg2 (each register is a GList of fvalue_t *). */
static gboolean
any_test(dfilter_t *df, FvalueCmpFunc cmp, int reg1, int reg2)
{
    GList   *list_a, *list_b;

    list_a = df->registers[reg1];

    while (list_a) {
        /* Restart the inner walk for every value in list_a. */
        list_b = df->registers[reg2];
        while (list_b) {
            if (cmp((fvalue_t *)list_a->data, (fvalue_t *)list_b->data)) {
                return TRUE;
            }
            list_b = g_list_next(list_b);
        }
        list_a = g_list_next(list_a);
    }
    return FALSE;
}
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
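To make the any_test() semantics and the proposal above concrete, here is an added stand-alone model in C. It is example code written for this page, not Wireshark's dfvm.c: the names fvalue_t, any_test and node_t are toy stand-ins for Wireshark's fvalue_t, any_test and GList, the comparator is a byte-string "contains", and the sample data is constructed (the bytes after the blank line are a placeholder, not a real gzip stream; the "decompressed" buffer is simply appended to the first register list to show what changes once a decompressed body is in the list). Whether Wireshark itself should be changed this way is the open question in the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for Wireshark's fvalue_t: a byte string with explicit length. */
typedef struct {
    const unsigned char *data;
    size_t len;
} fvalue_t;

/* Toy stand-in for GList: a singly linked list of field values. */
typedef struct node {
    fvalue_t value;
    struct node *next;
} node_t;

typedef bool (*cmp_fn)(const fvalue_t *, const fvalue_t *);

/* Byte-wise substring search, the comparison behind the "contains" operator.
 * Works on arbitrary bytes, so embedded NULs in the haystack are fine. */
static bool bytes_contains(const fvalue_t *haystack, const fvalue_t *needle)
{
    if (needle->len == 0)
        return true;
    if (needle->len > haystack->len)
        return false;
    for (size_t i = 0; i + needle->len <= haystack->len; i++) {
        if (memcmp(haystack->data + i, needle->data, needle->len) == 0)
            return true;
    }
    return false;
}

/* Same shape as any_test() in dfvm.c: true if ANY value in register A
 * compares true against ANY value in register B. */
static bool any_test(const node_t *list_a, const node_t *list_b, cmp_fn cmp)
{
    for (const node_t *a = list_a; a != NULL; a = a->next)
        for (const node_t *b = list_b; b != NULL; b = b->next)
            if (cmp(&a->value, &b->value))
                return true;
    return false;
}

/* Constructed sample data, not a real capture. The body bytes after the blank
 * line stand in for a gzip stream; DECOMPRESSED_BODY is what the HTTP
 * dissector's decompression would have produced for it. */
static const unsigned char RAW_HTTP[] =
    "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00";
static const unsigned char DECOMPRESSED_BODY[] = "<html>blah</html>";
static const unsigned char NEEDLE[] = "blah";

#define FV(arr) { (arr), sizeof(arr) - 1 }   /* drop the string-literal NUL */

/* 'http contains "blah"' when register A holds only the raw packet bytes. */
bool match_raw_only(void)
{
    node_t a = { FV(RAW_HTTP), NULL };
    node_t b = { FV(NEEDLE), NULL };
    return any_test(&a, &b, bytes_contains);
}

/* Same filter once the decompressed body is appended to register A. */
bool match_with_decompressed(void)
{
    node_t body = { FV(DECOMPRESSED_BODY), NULL };
    node_t a    = { FV(RAW_HTTP), &body };
    node_t b    = { FV(NEEDLE), NULL };
    return any_test(&a, &b, bytes_contains);
}

int main(void)
{
    printf("raw only:          %s\n", match_raw_only() ? "match" : "no match");
    printf("with decompressed: %s\n", match_with_decompressed() ? "match" : "no match");
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c && ./a.out`. The point the model makes is that "contains" only ever sees the byte buffers that were placed in the register's value list; with the raw (still compressed) bytes alone the filter cannot match plaintext, and it matches as soon as a buffer holding the decompressed bytes is in the list, regardless of its position.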

Re: [Wireshark-dev] Compiling Wireshark with gcc-6: Lots of new warnings

2016-01-10 Thread Michael Mann


Did you have plans to fix them?
 
I quickly scanned the list and found a few "true" bugs (packet-csm-encaps.c 
being the worst)
 
A lot of them fall under constants/defines not used (tango_colors.h being the 
biggest offender).  The tango_colors.h seems to be a C/C++ difference (we could 
make all of those #defines, but then lose type safety).  
-Original Message-
From: Joerg Mayer 
To: wireshark-dev 
Sent: Sun, Jan 10, 2016 7:41 pm
Subject: [Wireshark-dev] Compiling Wireshark with gcc-6: Lots of new warnings

Hello,

I just compiled current source with gcc-6 and warnings as errors. Attached
is the error log with the 351 files that error out.

Ciao
Jörg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.


Re: [Wireshark-dev] Wireshark 2.01 packages in Ubuntu ppa

2016-01-10 Thread Bálint Réczey
Hi,

2016-01-09 16:40 GMT+01:00 Peter Wu :
> Hi Bernard,
>
> On Thu, Jan 07, 2016 at 12:31:12PM -0500, bernard ck Wong wrote:
>> I have installed wireshark2.01 from the wireshark stable ppa on Wily (64
>> bit) and wireshark-gtk crashes immediately. The errors are in attachment.
>> The  package for vivid 64 bit works without issue though.
>>
>> I just compiled 2.01 from source and it didn't crash.
>
> Can you please post the output of:
>
> tshark -G currentprefs | grep gui.layout_type
>
> If it is "#gui.layout_type: 1" (or something in the range 1-6) and still
> crashes, then maybe some memory is scribbled. Can you try to reproduce
> the issue with a clean configuration? Example:
>
> HOME=/tmp/wshome wireshark
I have reproduced the issue in a clean Wily VM.
And did short triaging:

#4  0x5653770ef3e3 in main_widgets_rearrange () at
/home/vagrant/wireshark-2.0.1+g59ea380/ui/gtk/main.c:3491
3491            g_assert_not_reached();
(gdb) p prefs.gui_layout_type
$1 = layout_unused

Recompilation does not help and the preferences file is not created.

The Qt version and tshark start fine.

Cheers,
Balint


Re: [Wireshark-dev] [Wireshark-bugs] [Bug 11980] The filtering speed is impacted by commit b344107d757466e0768a3ef8927852479e926cf6 (Make color filters part of dissection)

2016-01-10 Thread Anders Broman
On 10 Jan 2016 14:50, wrote:
>
> Comment # 6 on bug 11980 from Peter Wu
>
> You are right, coloring always needs to happen (whenever color rules exist).
> (What about tshark? Colors are normally not shown, but if the two
> frame.coloring_rule fields are shown in the frame tree/columns, should the
> color calculation also be done?)

Do we know if it's a tshark run? If so skip the fields?

>
> For a start, to calculate on the first pass (pinfo->fd->flags.visited == 0).
> This did not work because the fields from the color filter are not primed yet.
> Possible fix: always invoke dfilter_prime_proto_tree before
> epan_dissect_run{,_with_taps} (similar to epan_dissect_prime_dfilter).
>
> The next problem is that the applicable color may change during subsequent
> redissections.

Do the opposite, only run on second pass? Is it only needed for visible
frames?

> Possible fix: introduce a new fd->flags.need_colorize which must be set before
> the initial dissection in GUI and again after changing color rules. Clear flag
> after recalculation.
> Alternative fix: introduce a new global flag (eww), that behaves similarly to the
> previous fix, but outside frame_data.
>
> Those fixes will then bring the coloring rules to the same level as display
> filter rules, allowing filtering as well.
>

[Wireshark-dev] Compiling Wireshark with gcc-6: Lots of new warnings

2016-01-10 Thread Joerg Mayer
Hello,

I just compiled current source with gcc-6 and warnings as errors. Attached
is the error log with the 351 files that error out.

Ciao
Jörg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.


[Attachment: errors.log.bz2 (BZip2 compressed data)]

[Wireshark-dev] Removing echld/ directory

2016-01-10 Thread Joerg Mayer
Hello,

the echld/ directory is not compiled by default, has, IMO, lousy code quality,
no users in the current code base, and will most likely not build with MSVC
anyway (variable-length array).
I intend to remove it soon-ish if there are no convincing reasons to keep it
(convincing likely to mean an intention to clean it up and compile it by default on
all platforms ;-)

Ciao
 Jörg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.