Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Guy Harris 

On Jan 12, 2007, at 2:02 PM, Sebastien Tandel wrote:

> As I was not totally satisfied by my solution, I'm not totally with  
> your
> neither. With VALS and TFS (and, in fact, also NULL :)), as you said,
> this field 'display' is usually defined to know which base to use  
> (dec,
> hex, dec_hex, ...) to display a value. If you want a range_string
> displayed with base dec, hex, ... you have to duplicate
> BASE_RANGE_STRING values as for example BASE_RANGE_STRING_DEC,
> BASE_RANGE_STRING_HEX, ...

...or have a BASE_RANGE_STRING flag that you OR with BASE_xxx.

That means that the value in the structure isn't one of the enum  
values, so the debugger won't be able to prettyprint it, though.


> VALS and TFS are independent from the base
> chosen (or in general display field) and RVALS won't be.
>
> What do you think of an hybrid solution between mine and your defining
> an additional field (i.e. convertfield_type) in head_register_info  
> which
> identifies which type of structure is in CONVERTFIELD (strings)?
> - It would bring the independence  from the base avoiding us to
> duplicate the fields (BASE_RANGE_STRING_DEC,  
> BASE_RANGE_STRING_HEX, ...)
> - this field could be hidden by the HFILL macro when you don't have to
> use it (and use another, HFILL2(?), when you have to use this field)

We might want to define macros to expand to definitions of fields of  
particular types, with particular options; that'd also handle the  
HFILL stuff, without having to have multiple HFILL macros.  Keep the  
old HFILL and have it initialize that additional field to a default  
value, and use the macros to create definitions that set it (and  
convert existing definitions to use the new macros over time as  
desired).

> - it would be scalable for the current and future implementation if  
> you
> create another structure à la range_string without changing anything  
> in
> the code of the existing dissectors.

...which means preserving binary compatibility as well.

> - would be possible to use FT_BOOLEAN as well
> - it's clean (from the syntax point of view and from the semantic as
> well) :)

Adding an additional field *does* make the structure a bit bigger,  
which might worsen the memory and cache footprint of Wireshark;  
whether it'd make a significant difference is another matter.

Note also that other display options might be useful to attach to  
fields, e.g. units, so you could define something such as

HF_UINT_WITH_UNITS(hf_xxx_data_rate, "Data rate", "xxx.data_rate",  
FT_UINT64, BASE_DEC, NULL, 0x0, "", "bytes/s")

(as an example of the new type of macro I mentioned), which might  
expand to something such as

{ &hf_xxx_data_rate,
{ "Data rate", "xxx.data_rate", FT_UINT64, BASE_DEC, NULL, 0x0, "Data  
rate, in bytes/s", "bytes/s", HFILL }},

so that the field would be displayed as "Data rate: %u bytes/s" rather  
than just "Data rate: %u".  That might let us get rid of a number of  
proto_tree_add_xxx_format() calls.  (Arguably, every time somebody  
calls proto_tree_add_xxx_format(), it means we failed to anticipate a  
need, although some might be sufficiently infrequently used that it's  
not worth adding another display feature for it.)

I'm not sure whether there's a way to, for example, bundle all the  
display information in a single structure, e.g. one with an optional  
value_string or true_false_string or range_string table *and* a units  
string and possibly even the base.

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] compile problem with gtk1.2

2007-01-12 Thread Sebastien Tandel 
errors while trying to compile wireshark with gtk1.2

epan/.libs/libwireshark.so: undefined reference to `uri_str_to_bytes'
epan/.libs/libwireshark.so: undefined reference to `byte_array_dup'
collect2: ld returned 1 exit status


both are defined in strutil.c (only for GTK2) and used, at least, by
airdpcap.c and airpcap_loader.c


Regards,

Sebastien Tandel
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] [The Wireshark Wiki] Update of "FrontPage" by nickvlas

2007-01-12 Thread Gerald Combs 
Ulf Lamping wrote:
> Wireshark Wiki - Do not reply wrote:
>> Dear Wiki user,
>>
>> You have subscribed to a wiki page or wiki category on "The Wireshark Wiki" 
>> for change notification.
>>
>> The following page has been changed by nickvlas:
>> http://wiki.wireshark.org/FrontPage
>>
>> --
>>* ["Preferences"]: Preference settings controlling the behaviour of 
>> Wireshark and TShark
>>* ["Statistics"]: Statistics range from general capture file information 
>> to protocol specific statistics
>>* ["Security"]: how to use Wireshark as securely as possible
>> +  * [http://freeclips.adrenalinbet.com free porn clips] Preference settings 
>> controlling the behaviour of Wireshark 
>>* ["Performance"]: how to "fine tune" Wireshark's performance
>>* ["Timestamps"]: Accuracy, precision, and resolution
>>* ["Tools"]: tools and scripts that relate to the use of Wireshark and 
>> TShark
>>
>>   
> Hi Gerald!
> 
> Someones spamming the frontpage repeatedly :-(
> 
> Maybe it's time to lock write access to a few known developers?

Done.  Editing is now restricted to the users listed on the
AdministratorGroup page.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Microsoft Visual C Version 6support isa bitoutdated ...

2007-01-12 Thread Gerald Combs 
This should be fixed in r20397.

Douglas Pratley wrote:
> Looks like this is related to revision 20388 - changing decryption keys
> to use GByteArray rather than GString for SSID in
> epan\crypt\airpdcap_user.h. Not sure why it only affects Windows.
> Nothing to do with MSVC version (as stated already).
>  
> As I'm not using airpdcap I "fixed" this for my build by changing
> gtk\airpcap_gui_utils.c line 338 to
>  
> s2 = g_strndup(curr_key->ssid->data, curr_key->ssid->len)
>  
> which should be safe, but possibly not what the patcher intended, so I'm
> not going to call it a real fix.
>  
> Cheers
>  
> Doug
>  
> 
> 
> *From:* [EMAIL PROTECTED] [mail 
>  
>  to:[EMAIL PROTECTED]   *On Behalf Of *Anders
> Broman (AL/EAB)
> *Sent:* 11 January 2007 10:13
> *To:* Developer support list for Wireshark
> *Subject:* SV: [Wireshark-dev] Microsoft Visual C Version 6support
> isa bitoutdated ...
> 
> Hi,
> The buildbot has the same problem so it's not related to MSVC...
> BR
> Anders
> 
> 
> *Från:* [EMAIL PROTECTED] genom Alfred Alinazar
> *Skickat:* to 2007-01-11 09:43
> *Till:* Developer support list for Wireshark
> *Ämne:* Re: [Wireshark-dev] Microsoft Visual C Version 6support isa
> bitoutdated ...
> 
> Ulf Lamping wrote:
> > Should be fixed now, I simply messed up the line copying the file "if
> > exist copy zlib1.dll.manifest ..." :-(
> >
> > I've done some more, all MSVC variants shouldn't give a NSIS warnings
> > now :-)
> >
> > Regards, ULFL
> Ulf,
> I managed to build my wireshark yesterday.
> But it failed again today after I update the source with the latest SVN.
> 
> Here is the error:
> ---
> Microsoft (R) Program Maintenance Utility   Version 7.00.8882
> Copyright (C) Microsoft Corp 1988-2000. All rights reserved.
> 
> cl -DWIN32 -DNULL=0 -D_MT -D_DLL -DHAVE_CONFIG_H /I..
> /I../wiretap /IC:\
> wireshark-win32-libs\glib\include\glib-2.0 
> /IC:\wireshark-win32-libs\glib\lib\g
> lib-2.0\include /IC:\wireshark-win32-libs\gtk+\include
> /IC:\wireshark-win32-libs
> \gtk+\include\gdk  /IC:\wireshark-win32-libs\gtk+\lib\gtk+\include
> /IC:\wireshar
> k-win32-libs\gnutls-1.6.1-1\include /DNOCRYPT 
> /IC:\wireshark-win32-libs\WPdpack
> \WPCAP\LIBPCAP /IC:\wireshark-win32-libs\WPdpack\WPCAP\LIBPCAP\bpf 
> /IC:\wiresha
> rk-win32-libs\WPdpack\WPCAP\LIBPCAP\lbl 
> /IC:\wireshark-win32-libs\WPdpack\inclu
> de /IC:\wireshark-win32-libs\net-snmp-5.4\include
> /IC:\wireshark-win32-libs\net-
> snmp-5.4\win32  /Zm800 -D_U_="" -D_NEED_VAR_IMPORT_ /Zi /W3 /MD
> /D_CRT_SECURE_NO
> _DEPRECATE /D_CRT_NONSTDC_NO_DEPRECATE 
> /IC:\wireshark-win32-libs\portaudio_v19\
> include /IC:\wireshark-win32-libs\portaudio_v19\src\common-Fd.\ -c
> airpcap_g
> ui_utils.c
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42
> for 80x86
> Copyright (C) Microsoft Corporation.  All rights reserved.
> 
> airpcap_gui_utils.c
> airpcap_gui_utils.c(338) : error C2039: 'str' : is not a member of
> '_GByteArray'
> 
> C:\wireshark-win32-libs\glib\include\glib-2.0\glib/garray.h(45)
> : see de
> claration of '_GByteArray'
> airpcap_gui_utils.c(338) : error C2198: 'g_strdup' : too few arguments
> for call
> airpcap_gui_utils.c(837) : warning C4133: '=' : incompatible types -
> from 'GStri
> ng *' to 'GByteArray *'
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Platform SDK for
> Windows
>  Server 2003 R2\Bin\nmake.exe"' : return code '0x2'
> Stop.
> -
> 
> 
> regards,
> 
> -Alfred-
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 
> 
> 
> 
> This message should be regarded as confidential. If you have received
> this email in error please notify the sender and destroy it immediately.
> Statements of intent shall only become binding when confirmed in hard
> copy by an authorised signatory. The contents of this email may relate
> to dealings with other companies within the Detica Group plc group of
> companies.
> 
> Detica Limited is registered in England under No: 1337451.
> 
> Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP,
> England.
> 
> 
> 
> 
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://ww

Re: [Wireshark-dev] autogen.sh: configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'

2007-01-12 Thread Stephen Fisher 
On Fri, Jan 12, 2007 at 01:05:45PM -0800, Guy Harris wrote:

> Changing SHAREDLIB_LDFLAGS to LDFLAGS_SHAREDLIB seems to work in the 
> test I did on OS X, at least, so I checked it in. 

Looks good here on FreeBSD.  Thanks!


Steve

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] roofnet v1

2007-01-12 Thread Sebastien Tandel 
Hi,

I will try to do it this WE.


Regards,

Sebastien Tandel

Nicola Arnoldi wrote:
> Hi all.
> I noticed that the version 1 of the roofnet header has got additional
> fields, as one might understand from the srpacket.hh file i posted
> some email ago.
>
> In particular, there are 6 and a half more lines in the header than in
> version 2.
>
> Can you modify the dissector in order to make it able to decode both
> v1 and v2 packets?
>
> Thanks
>
> Nicola
>
> Il giorno 10/gen/07, alle ore 16:48, Nicola Arnoldi ha scritto:
>
>> Was the pcap file enough?
>>
>> Bye
>>
>> Nicola
>>
>> Il giorno mar, 09/01/2007 alle 12.34 +0100, Sebastien Tandel ha scritto:
>>> Hi,
>>>
>>>Can you send a pcap file for testing purpose, please?
>>>
>>>
>>> Regards,
>>>
>>> Sebastien Tandel
>>>
>>> Nicola Arnoldi wrote:
 Hi everybody.
 The great work Sebastien did about Roofnet dissectors was related to
 Version 2, which is still far from stable.
 It should be implemented the V 1 as well, which has some differences
 between V2.
 I attach the c++ header, hoping it would be sufficient for you to
 modify
 the dissector accordingly.

 Note that ETHTYPES, which in V2 all started with a 6 (6xx) now start
 with number 9. (9xx)

 The message I receive when I try to decode V1 datagrams with the old
 dissector is something like.
 Bogus IP header, more payload than told by roofnet...and others.

 Bye.

 Nicola

 


 #ifndef CLICK_SRPAKCET_HH
 #define CLICK_SRPAKCET_HH
 #include 
 #include 
 CLICK_DECLS

 #define max(a, b) ((a) > (b) ? (a) : (b))
 #define min(a, b) ((a) < (b) ? (a) : (b))


 enum SRCRPacketType { PT_QUERY = 0x01,
   PT_REPLY = 0x02,
   PT_TOP5_RESULT = 0x03,
   PT_DATA  = 0x04,
   PT_GATEWAY = 0x08
 };



 enum SRCRPacketFlags {
   FLAG_ERROR = (1<<0),
   FLAG_UPDATE = (1<<1),
   FLAG_TOP5_REQUEST_RESULT = (1<<2),
   FLAG_TOP5_BEST_ROUTE = (1<<3),
   FLAG_SCHEDULE = (1<<4),
   FLAG_SCHEDULE_TOKEN = (1<<5),
   FLAG_SCHEDULE_FAKE = (1<<6),
   FLAG_ECN = (1<<7)
 };

 static const uint8_t _sr_version = 0x0b;


 // Packet format.
 CLICK_SIZE_PACKED_STRUCTURE(
 struct srpacket {,
   uint8_t _version; /* see _srcr_version */
   uint8_t _type;  /* see enum SRCRPacketType */
   uint8_t _nlinks;
   uint8_t _next;   // Index of next node who should process this
 packet.


   uint16_t _ttl;
   uint16_t _cksum;
   uint16_t _flags;
   uint16_t _dlen;

   /* PT_QUERY
* _qdst is used for the query destination in control packets
* and a extra 32 bit seq number in data packets
*/
   uint32_t _qdst;


   uint32_t _seq;   // seq number
   uint32_t _seq2;  // another seq number


   /* uin32_t ip[_nlinks] */
   /* uin32_t metrics[_nlinks] */


   /* ip */
   /* fwd */
   /* rev */
   /* seq */
   /* ip */

   uint32_t _random_from;
   uint32_t _random_fwd_metric;
   uint32_t _random_rev_metric;
   uint32_t _random_seq;
   uint16_t _random_age;
   uint32_t _random_to;


   void set_random_from(IPAddress ip) {
 _random_from = ip;
   }
   void set_random_to(IPAddress ip) {
 _random_to = ip;
   }
   void set_random_fwd_metric(uint32_t m) {
 _random_fwd_metric = m;
   }

   void set_random_rev_metric(uint32_t m) {
 _random_rev_metric = m;
   }
   void set_random_seq(uint32_t s) {
 _random_seq = s;
   }
   void set_random_age(uint32_t s) {
 _random_age = s;
   }

   IPAddress get_random_from() {
 return _random_from;
   }
   IPAddress get_random_to() {
 return _random_to;
   }
   uint32_t get_random_fwd_metric() {
 return _random_fwd_metric;
   }
   uint32_t get_random_rev_metric() {
 return _random_rev_metric;
   }

   uint32_t get_random_seq() {
 return _random_seq;
   }

   uint32_t get_random_age() {
 return _random_age;
   }


   void set_link(int link,
 IPAddress a, IPAddress b,
 uint32_t fwd, uint32_t rev,
 uint32_t seq,
 uint32_t age) {

 uint32_t *ndx = (uint32_t *) (this+1);
 ndx += link * 5;

 ndx[0] = a;
 ndx[1] = fwd;
 ndx[2] = rev;
 ndx[3] = seq;
 ndx[4] = age;
 ndx[5] = b;
   }

   uint32_t get_link_fwd(int link) {
 uint32_t *ndx = (uint32_t *) (this+1);
 ndx += link * 5;
 return ndx[1];
   }
   uint32_t get_link_rev(int

Re: [Wireshark-dev] roofnet v1

2007-01-12 Thread Nicola Arnoldi 

Hi all.
I noticed that the version 1 of the roofnet header has got additional  
fields, as one might understand from the srpacket.hh file i posted  
some email ago.


In particular, there are 6 and a half more lines in the header than  
in version 2.


Can you modify the dissector in order to make it able to decode both  
v1 and v2 packets?


Thanks

Nicola

Il giorno 10/gen/07, alle ore 16:48, Nicola Arnoldi ha scritto:


Was the pcap file enough?

Bye

Nicola

Il giorno mar, 09/01/2007 alle 12.34 +0100, Sebastien Tandel ha  
scritto:

Hi,

   Can you send a pcap file for testing purpose, please?


Regards,

Sebastien Tandel

Nicola Arnoldi wrote:

Hi everybody.
The great work Sebastien did about Roofnet dissectors was related to
Version 2, which is still far from stable.
It should be implemented the V 1 as well, which has some differences
between V2.
I attach the c++ header, hoping it would be sufficient for you to  
modify

the dissector accordingly.

Note that ETHTYPES, which in V2 all started with a 6 (6xx) now start
with number 9. (9xx)

The message I receive when I try to decode V1 datagrams with the old
dissector is something like.
Bogus IP header, more payload than told by roofnet...and others.

Bye.

Nicola

 



#ifndef CLICK_SRPAKCET_HH
#define CLICK_SRPAKCET_HH
#include 
#include 
CLICK_DECLS

#define max(a, b) ((a) > (b) ? (a) : (b))
#define min(a, b) ((a) < (b) ? (a) : (b))


enum SRCRPacketType { PT_QUERY = 0x01,
  PT_REPLY = 0x02,
  PT_TOP5_RESULT = 0x03,
  PT_DATA  = 0x04,
  PT_GATEWAY = 0x08
};



enum SRCRPacketFlags {
  FLAG_ERROR = (1<<0),
  FLAG_UPDATE = (1<<1),
  FLAG_TOP5_REQUEST_RESULT = (1<<2),
  FLAG_TOP5_BEST_ROUTE = (1<<3),
  FLAG_SCHEDULE = (1<<4),
  FLAG_SCHEDULE_TOKEN = (1<<5),
  FLAG_SCHEDULE_FAKE = (1<<6),
  FLAG_ECN = (1<<7)
};

static const uint8_t _sr_version = 0x0b;


// Packet format.
CLICK_SIZE_PACKED_STRUCTURE(
struct srpacket {,
  uint8_t _version; /* see _srcr_version */
  uint8_t _type;  /* see enum SRCRPacketType */
  uint8_t _nlinks;
  uint8_t _next;   // Index of next node who should process this  
packet.



  uint16_t _ttl;
  uint16_t _cksum;
  uint16_t _flags;
  uint16_t _dlen;

  /* PT_QUERY
   * _qdst is used for the query destination in control packets
   * and a extra 32 bit seq number in data packets
   */
  uint32_t _qdst;


  uint32_t _seq;   // seq number
  uint32_t _seq2;  // another seq number


  /* uin32_t ip[_nlinks] */
  /* uin32_t metrics[_nlinks] */


  /* ip */
  /* fwd */
  /* rev */
  /* seq */
  /* ip */

  uint32_t _random_from;
  uint32_t _random_fwd_metric;
  uint32_t _random_rev_metric;
  uint32_t _random_seq;
  uint16_t _random_age;
  uint32_t _random_to;


  void set_random_from(IPAddress ip) {
_random_from = ip;
  }
  void set_random_to(IPAddress ip) {
_random_to = ip;
  }
  void set_random_fwd_metric(uint32_t m) {
_random_fwd_metric = m;
  }

  void set_random_rev_metric(uint32_t m) {
_random_rev_metric = m;
  }
  void set_random_seq(uint32_t s) {
_random_seq = s;
  }
  void set_random_age(uint32_t s) {
_random_age = s;
  }

  IPAddress get_random_from() {
return _random_from;
  }
  IPAddress get_random_to() {
return _random_to;
  }
  uint32_t get_random_fwd_metric() {
return _random_fwd_metric;
  }
  uint32_t get_random_rev_metric() {
return _random_rev_metric;
  }

  uint32_t get_random_seq() {
return _random_seq;
  }

  uint32_t get_random_age() {
return _random_age;
  }


  void set_link(int link,
IPAddress a, IPAddress b,
uint32_t fwd, uint32_t rev,
uint32_t seq,
uint32_t age) {

uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;

ndx[0] = a;
ndx[1] = fwd;
ndx[2] = rev;
ndx[3] = seq;
ndx[4] = age;
ndx[5] = b;
  }

  uint32_t get_link_fwd(int link) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
return ndx[1];
  }
  uint32_t get_link_rev(int link) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
return ndx[2];
  }

  uint32_t get_link_seq(int link) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
return ndx[3];
  }

  uint32_t get_link_age(int link) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
return ndx[4];
  }

  IPAddress get_link_node(int link) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
return ndx[0];
  }


  void set_link_node(int link, IPAddress ip) {
uint32_t *ndx = (uint32_t *) (this+1);
ndx += link * 5;
ndx[0] = ip;
  }




  // How long should the packet be?
  size_t hlen_wo_data() const { return len_wo_data(_nlinks); }
  size_t hlen_with_data() const { return len_with_data(_nlinks,  
ntohs(_dlen)); }


  static size_t len_wo_data(int nlinks) {
return sizeof(struct srpacket) +
  sizeof

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Sebastien Tandel 
Hi,

thx for the advice, I indeed didn't notice it. Modification done and
patch attached (FT_BOOLEAN not working) but ...

As I was not totally satisfied by my solution, I'm not totally with your
neither. With VALS and TFS (and, in fact, also NULL :)), as you said,
this field 'display' is usually defined to know which base to use (dec,
hex, dec_hex, ...) to display a value. If you want a range_string
displayed with base dec, hex, ... you have to duplicate
BASE_RANGE_STRING values as for example BASE_RANGE_STRING_DEC,
BASE_RANGE_STRING_HEX, ... VALS and TFS are independent from the base
chosen (or in general display field) and RVALS won't be.

What do you think of an hybrid solution between mine and your defining
an additional field (i.e. convertfield_type) in head_register_info which
identifies which type of structure is in CONVERTFIELD (strings)?
- It would bring the independence  from the base avoiding us to
duplicate the fields (BASE_RANGE_STRING_DEC, BASE_RANGE_STRING_HEX, ...)
- this field could be hidden by the HFILL macro when you don't have to
use it (and use another, HFILL2(?), when you have to use this field)
- it would be scalable for the current and future implementation if you
create another structure à la range_string without changing anything in
the code of the existing dissectors.
- would be possible to use FT_BOOLEAN as well
- it's clean (from the syntax point of view and from the semantic as
well) :)


Regards,

Sebastien Tandel

Guy Harris wrote:
> Sebastien Tandel wrote:
>
>   
>> If you want something cleaner ... one of the solution may be a
>> intermediate structure which is mandatory with well-defined values to
>> determine which structure it encapsulates. => need changes then in the
>> macros VALS, TFS and even in the dissectors using VALS, TFS
>> 
>
> That's one way to do it.
>
> Another is to note that there's a field "display" in the 
> header_field_info structure.  It currently just holds a base indication 
> for numbers, but it could be treated as a general "how to display this 
> field" indicator, with additional information such as, for numbers, 
> "display this as a numerical value"/"display this as a numerical value 
> and a symbolic interpretation using a value_string table"/"display this 
> as a numerical value with a range-based description"/etc..
>
> Unfortunately, that won't work for FT_BOOLEAN, as, for Boolean 
> bitfields, "display" holds the value of the bigger item in which the 
> bitfield is packed.
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>   

Index: epan/proto.c
===
--- epan/proto.c(révision 20350)
+++ epan/proto.c(copie de travail)
@@ -4028,9 +4028,15 @@
value = fvalue_get_integer(&fi->value);
 
/* Fill in the textual info */
-   ret = g_snprintf(label_str, ITEM_LABEL_LENGTH,
+   if (hfinfo->display == BASE_RANGE_STRING) {
+ ret = g_snprintf(label_str, ITEM_LABEL_LENGTH, 
format,  hfinfo->name,
+   rval_to_str(value, hfinfo->strings, "Unknown"), value);
+   } else {
+ ret = g_snprintf(label_str, ITEM_LABEL_LENGTH,
+   format,  hfinfo->name,
val_to_str(value, cVALS(hfinfo->strings), "Unknown"), 
value);
+   }
if ((ret == -1) || (ret >= ITEM_LABEL_LENGTH))
label_str[ITEM_LABEL_LENGTH - 1] = '\0';
 }
@@ -4096,9 +4102,15 @@
value = fvalue_get_integer(&fi->value);
 
/* Fill in the textual info */
-   ret = g_snprintf(label_str, ITEM_LABEL_LENGTH,
+   if (hfinfo->display == BASE_RANGE_STRING) {
+ ret = g_snprintf(label_str, ITEM_LABEL_LENGTH, 
format,  hfinfo->name,
+   rval_to_str(value, hfinfo->strings, "Unknown"), value);
+   } else {
+ ret = g_snprintf(label_str, ITEM_LABEL_LENGTH,
+   format,  hfinfo->name,
val_to_str(value, cVALS(hfinfo->strings), "Unknown"), 
value);
+   }
if ((ret == -1) || (ret >= ITEM_LABEL_LENGTH))
label_str[ITEM_LABEL_LENGTH - 1] = '\0';
 }
@@ -4195,6 +4207,7 @@
switch(hfinfo->display) {
case BASE_DEC:
case BASE_DEC_HEX:
+   case BASE_RANGE_STRING:
format = "%s: %s (%u)";
break;
case BASE_OCT: /* I'm lazy */
@@ -4319,6 +4332,7 @@
switch(hfinfo->display) {
case BASE_DEC:
case BASE_DEC_HEX:
+   case BASE_RANGE_STRING:
format = "%s: %s (%d)";
break;
case BASE_OCT: /* I'm lazy */
Index: epan/proto.h
===
--- epan/proto.h(rév

Re: [Wireshark-dev] autogen.sh: configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'

2007-01-12 Thread Guy Harris 
Guy Harris wrote:

> Or perhaps it should be changed to LDFLAGS_SHAREDLIB or, if necessary, 
> SHAREDLIB_LOADER_FLAGS; it appears from
> 
>   http://sources.redhat.com/ml/automake/2001-08/msg00046.html
> 
> that variable names shouldn't end with LDFLAGS.  I'll try 
> LDFLAGS_SHAREDLIB - I forget whether I tried that, found that auto* 
> didn't like it, and tried SHAREDLIB_LDFLAGS, or not.

Changing SHAREDLIB_LDFLAGS to LDFLAGS_SHAREDLIB seems to work in the 
test I did on OS X, at least, so I checked it in.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] autogen.sh: configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'

2007-01-12 Thread Guy Harris 
Stephen Fisher wrote:
> I keep running into a gmake problem on FreeBSD after I svn up for the 
> last week or so.  It gives an error about SHAREDLIB_LDFLAGS.  I then 
> have to run autogen.sh and configure again before gmake before it will 
> work again.  When I run autogen.sh, I get this error:
> 
> configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'
> 
> It seems related to Guy's recent addition of:
> 
>   SHAREDLIB_LDFLAGS="-Wl,-single_module"
> 
> Perhaps the AC_SUBST(SHAREDLIB_LDFLAGS) should be within the case/esac 
> block so it only takes effect if the OS is Darwin?  I'm not that good 
> with autotools yet to know for sure.

Or perhaps it should be changed to LDFLAGS_SHAREDLIB or, if necessary, 
SHAREDLIB_LOADER_FLAGS; it appears from

http://sources.redhat.com/ml/automake/2001-08/msg00046.html

that variable names shouldn't end with LDFLAGS.  I'll try 
LDFLAGS_SHAREDLIB - I forget whether I tried that, found that auto* 
didn't like it, and tried SHAREDLIB_LDFLAGS, or not.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] autogen.sh: configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'

2007-01-12 Thread Stephen Fisher 

I keep running into a gmake problem on FreeBSD after I svn up for the 
last week or so.  It gives an error about SHAREDLIB_LDFLAGS.  I then 
have to run autogen.sh and configure again before gmake before it will 
work again.  When I run autogen.sh, I get this error:

configure.in:269: invalid unused variable name: `SHAREDLIB_LDFLAGS'

It seems related to Guy's recent addition of:

SHAREDLIB_LDFLAGS="-Wl,-single_module"

Perhaps the AC_SUBST(SHAREDLIB_LDFLAGS) should be within the case/esac 
block so it only takes effect if the OS is Darwin?  I'm not that good 
with autotools yet to know for sure.


Steve
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Guy Harris 
Sebastien Tandel wrote:

> If you want something cleaner ... one of the solution may be a
> intermediate structure which is mandatory with well-defined values to
> determine which structure it encapsulates. => need changes then in the
> macros VALS, TFS and even in the dissectors using VALS, TFS

That's one way to do it.

Another is to note that there's a field "display" in the 
header_field_info structure.  It currently just holds a base indication 
for numbers, but it could be treated as a general "how to display this 
field" indicator, with additional information such as, for numbers, 
"display this as a numerical value"/"display this as a numerical value 
and a symbolic interpretation using a value_string table"/"display this 
as a numerical value with a range-based description"/etc..

Unfortunately, that won't work for FT_BOOLEAN, as, for Boolean 
bitfields, "display" holds the value of the bigger item in which the 
bitfield is packed.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Gianluca Varenni 

- Original Message - 
From: "Guy Harris" <[EMAIL PROTECTED]>
To: "Developer support list for Wireshark" 
Sent: Friday, January 12, 2007 11:59 AM
Subject: Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?


> Gianluca Varenni wrote:
>
>> I would prefer to have a separate API set (being it NTAR or anything 
>> else)
>> to deal with capture files.
>>
>> One of the things I like less about libpcap is that the API to read/write
>> files is too much tied to the capture one without any specific reason.
>
> That somewhat collides with WinPcap's pcap_open(), which can either open
> a capture device or a capture file.

Right. And strictly speaking I never liked that API too much (as much as I 
love pcap_next_ex, instead). The problem is always the same. If you have a 
single API to open files and capture devices, you are somewhat limited to 
the operations you can do on files. And worse, the problem in the pcap API 
is that you use a pcap_t handle to read a file, and a pcap_dumper_t handle 
to write a file. Why?

GV


> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev 

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Martin Warnes 

Stephen Fisher wrote the following on 12/01/2007 19:34:
> On Fri, Jan 12, 2007 at 07:19:59PM +, Martin Warnes wrote:
>
>   
>> The Connect:Direct protocol in this case is just a header record:
>>
>>  54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
>> 0050   80 00 00 00 38 00 00 00
>>
>> and the SSL payload:
>>
>>  16 03 01 00 04 0e 00 00  8...
>> 0060   00 
>> 
>
> In this case, your dissector should call the SSL dissector once its done 
> processing its own data.  See epan/dissector/packet-eap.c for an example 
> of calling SSL as a sub-dissector (look for each instance of "ssl_handle" 
> and how it builds next_tvb before calling it).
>
>
> Steve
>   
That's what I thought I was doing, from my code:

  if (isSSL)
{
  if (cdirect_ssldissection)
{
  next_tvb =
tvb_new_subset (tvb, tvb_get_ntohs (tvb, 6) + rhlen,
tvb_get_ntohs (tvb, 10), -1);
   
}
  call_dissector (ssl_handle, next_tvb, pinfo, cdirect_tree);

}
}
}

The actual dissection of the SSL data works fine, it's just that when I 
select "Follow SSL stream" I always get a empty panel. I always assumed 
it was because the SSL was not atop TCP, I'll take a closer look when I 
get a spare moment.

Thanks .. Martin

--
Scanned by ClamAV antivirus system - http://www.clamav.net
Virus signatures last updated: Fri Jan 12 18:33:21 2007
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Guy Harris 
Gianluca Varenni wrote:

> I would prefer to have a separate API set (being it NTAR or anything else) 
> to deal with capture files.
> 
> One of the things I like less about libpcap is that the API to read/write 
> files is too much tied to the capture one without any specific reason.

That somewhat collides with WinPcap's pcap_open(), which can either open 
a capture device or a capture file.
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Guy Harris 
Gianluca Varenni wrote:

>> 1) the existing libpcap API, which will handle as much of pcap-ng as it
>> can (ignoring some records, discarding some data in others, failing as
>> soon as it sees a link-layer type other than the first one it saw);
> 
> I think the main problem here is how to deal with multiple capture 
> interfaces within a section and multiple sections.

The alternatives I see are

1) fail as soon as a second capture interface or a second section 
header is seen;

2) fail as soon as a capture interface with a link-layer type or 
snapshot length different from the first interface's link-layer type is 
seen, and don't worry about section headers.

>> 2) a newer API, which exposes the full capabilities of pcap-ng, and
>> also transparently supports reading old-style libpcap files.
> 
> I would prefer to have a separate API set (being it NTAR or anything else) 
> to deal with capture files.
> 
> One of the things I like less about libpcap is that the API to read/write 
> files is too much tied to the capture one without any specific reason.

Requiring the loop that reads a saved file to be different from the loop 
that captures live packets wouldn't bother me too much.

However, there are capture APIs that should be tied to the file format; 
for example, the APIs that return interface properties (there should be 
"enumerate all interfaces" and "get interface property" APIs) should 
return something very much like an Interface Description Block, and the 
API to get capture statistics should return something very much like an 
Interface Statistics Block.  (The current APIs for both suck because 
they're not extensible, which is an issue for both - we'd have to change 
a data structure to add properties such as link-layer addresses to the 
interface properties returned by pcap_findalldevs(), and not only is 
there no way to add new statistics to what you get from pcap_stats() 
without changing the data structure, there's no way to indicate that 
some statistics are unavailable without changing the data structure.)
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Sebastien Tandel 

Here is the patch to have a more precise idea of what has changed (and
if you want to try it :))  ... and the example of Jaap modified to work
with the patch provided :

static const range_string rs_value[] = {
{  0, 49, "Little" },
{ 50, 99, "Some" },
{100,199, "Considerable" },
{200,255, "High" },
{  0,  0, NULL }
  };
RVALS_INT(rs_value, rs_value_int)

  proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);

  static hf_register_info hf[] = {
{ &hf_proto_value,
  { "Value", "proto.value",
FT_UINT8, BASE_DEC,
RVALS(rs_value_int), 0x0,
"How much is it worth", HFILL }}
  };


+ Frame
+ Ethernet II
+ IP
+ TCP
+ Proto
  Value: High (220)


ChangeLog :
- RVALS_INT(rs_value, rs_value_int) is added to encapsulate the
range_string structure
- and the macro RVALS take another input, to know rs_value_int


Regards,

Sebastien Tandel

Jaap Keuter wrote:
> Hi,
>
> My first impression is that the RS() macro (refer to code sample below)
> needs to be implemented to work with the range_string type. I've got
> really no idea what is involved with that.
>
> Thanx,
> Jaap
>
> On Fri, 12 Jan 2007, Anders Broman wrote:
>
>   
>> Hi,
>> I had a brief look some time ago and it looked
>> To me like it would require new FT_x:s or
>> That the macros VAL and TFS would have to be changed to supply
>> the needed functions. Is there a better way to do it?
>>
>> BR
>> Anders
>>
>> -Ursprungligt meddelande-
>> Från: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] För Jaap Keuter
>> Skickat: den 12 januari 2007 15:48
>> Till: Developer support list for Wireshark
>> Ämne: Re: [Wireshark-dev] proto_tree_add_item() with range_string
>>
>> Hi,
>>
>> Yeah, that would be nice, having stuff like this:
>>
>>   static const range_string rs_value[] = {
>> {  0, 49, "Little" },
>> { 50, 99, "Some" },
>> {100,199, "Considerable" },
>> {200,255, "High" },
>> {  0,  0, NULL }
>>   };
>>
>>   proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);
>>
>>   static hf_register_info hf[] = {
>> { &hf_proto_value,
>>   { "Value", "proto.value",
>> FT_UINT8, BASE_DEC,
>> RS(rs_value), 0x0,
>> "How much is it worth", HFILL }}
>>   };
>>
>> + Frame
>> + Ethernet II
>> + IP
>> + TCP
>> + Proto
>>   Value: High (220)
>>
>> That would require weaving in the range string handling along the types
>> where VALS() and TFS() handling applies (FT_*INT*, and FT_BOOLEAN).
>> epan/proto.c comes to mind.
>>
>> Thanx,
>> Jaap
>>
>> On Fri, 12 Jan 2007, Anders Broman wrote:
>>
>> 
>>> Hi,
>>> Does some have an idea on how to implement proto_tree_add_item() with a
>>> range_string?
>>> That would be really useful.
>>> BR
>>> Anders
>>>
>>>
>>>   
>> ___
>> Wireshark-dev mailing list
>> Wireshark-dev@wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>> ___
>> Wireshark-dev mailing list
>> Wireshark-dev@wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>>
>> 
>
>   
> 
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>   

Index: gtk/isis_analysis.c
===
Index: gtk/isis_analysis.h
===
Index: epan/value_string.h
===
--- epan/value_string.h (révision 20409)
+++ epan/value_string.h (copie de travail)
@@ -41,6 +41,15 @@
   const gchar   *strptr;
 } range_string;
 
+/* Structure used to encapsulate a range_string (maybe other in the future?)
+ * and able to be used inside a hf_register_info with RVALS macro. */
+typedef struct _int_rval_val {
+  guint32 value;
+  gchar * strptr;
+  const range_string * rstr;
+}int_rval_val;
+
+
 /* #define VS_DEF(x) { x, #x } */
 /* #define VS_END{ 0, NULL } */
 
Index: epan/proto.c
===
--- epan/proto.c(révision 20409)
+++ epan/proto.c(copie de travail)
@@ -4009,6 +4009,9 @@
 
 }
 
+#define INT_RVAL_GET_STR(x) ((const int_rval_val*)(x))->strptr
+#define RVAL_GET(x) ((const int_rval_val*)(x))->rstr
+
 static void
 fill_label_enumerated_uint(field_info *fi, gchar *label_str)
 {
@@ -4023,9 +4026,15 @@
value = fvalue_get_integer(&fi->value);
 
/* Fill in the textual info */
-   ret = g_snprintf(label_str, ITEM_LABEL_LENGTH,
+   if (INT_RVAL_GET_STR(hfinfo->strings) == NULL) {
+ ret = g_snprintf(label_str, ITEM_LABEL_LENGTH, 
format,  hfinfo->name,
+   rval_to_str(value, RVAL_GET(hfinfo->strings), 
"Unknown"), value);
+   } else {
+

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Gianluca Varenni 

- Original Message - 
From: "Guy Harris" <[EMAIL PROTECTED]>
To: "Developer support list for Wireshark" 
Sent: Friday, January 12, 2007 10:21 AM
Subject: Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?


> Benn Bollay wrote:
>
>> How difficult will the integration into the std tools (tcpdump,
>> Wireshark, et al) be once a consistent API is implemented?  One wonders
>> if it would be possible to provide a pcap interface to a pcap-ng file,
>> and circumvent a lot of the immediate compatibility issues.
>
> That's certainly my intent for libpcap in the future.
>
> I want to provide two interfaces:
>
> 1) the existing libpcap API, which will handle as much of pcap-ng as it
> can (ignoring some records, discarding some data in others, failing as
> soon as it sees a link-layer type other than the first one it saw);

I think the main problem here is how to deal with multiple capture 
interfaces within a section and multiple sections.

>
> 2) a newer API, which exposes the full capabilities of pcap-ng, and
> also transparently supports reading old-style libpcap files.

I would prefer to have a separate API set (being it NTAR or anything else) 
to deal with capture files.

One of the things I like less about libpcap is that the API to read/write 
files is too much tied to the capture one without any specific reason.

Have a nice day
GV



>
> That would give applications using libpcap to read captures (such as
> tcpdump) transparent pcap-ng support (I'd convert tcpdump to use the
> newer API if available, with the configure script checking for it).
> Libpcap-based applications would be able to handle "typical" pcap-ng
> files without change; if they changed to support the new API's, they'd
> be able to handle all pcap-ng files (assuming they support all the
> possible link-layer types) and still support old-style libpcap files.
>
> Wireshark has its own code to read libpcap files; its Wiretap library's
> API, etc. is a bit different, as it's oriented towards random access and
> support for non-libpcap-style file formats.  The API would be changed to
> handle pcap-ng's capabilities (which might also allow support to be
> added for other capture file formats' capabilities).
>
> (If the Wiretap API were ever stable enough that we'd have good reason
> to think we wouldn't have to change it to support new capture file
> formats or new capabilities or link-layer types in existing file
> formats, we could perhaps consider merging it with libpcap - but the
> different licenses, BSD vs. GPL, would be a problem with that.  Given
> that Wireshark's release cycles are faster than libpcap's, we wouldn't
> be ready to consider that until we have something we don't think we'd
> need to change faster than libpcap.  I.e., I think we'll probably
> continue to have Wiretap around for a while.)
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev 

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Gianluca Varenni 

- Original Message - 
From: "Benn Bollay" <[EMAIL PROTECTED]>
To: "Developer support list for Wireshark" 
Sent: Friday, January 12, 2007 9:43 AM
Subject: Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?


> Hello GV -
>
> Thanks for the reply!
>
> It's interesting to see how people work around the limitations in the
> current pcap format.  One I'm is thinking of doing is utilizing the
> Ethernet Trailer (which you almost /never/ see anymore) to associate a
> lot of the data that pcap-ng would provide in a more elegent fashion.
> With a custom dissector, that should give us a lot of the features we're
> looking for.
>
> Is the seeking problem a mechanics issue, or an API issue?  I'd be

It's an API problem, in the sense that I haven't found a set of APIs that 
satisfies me 100%. I don't know if you ever looked at the NTAR APIs, however 
there are basically three handle types: file handles, section handles and 
block handles.
When you have an open block handle, you also have a corresponding section 
and file handle.
When you perform a seek between blocks, if the block is within the same 
section, everything works ok. What happens to the section handle block when 
you jump to a block in a different section?
Also, should it be possible to have a section seek pointer as well (so jump 
from a section to another, instead of block-to-block).

Regarding the implementation, it's not 100% trivial, and actually depends on 
how the new APIs are designed. At the moment i'm trying to create some 
samples with different API designs and see if they make sense or not...

> interest in talking about it more with you, or perhaps contributing a
> bit if that makes sense.

It would be definitely useful.

>
> How difficult will the integration into the std tools (tcpdump,
> Wireshark, et al) be once a consistent API is implemented?  One wonders
> if it would be possible to provide a pcap interface to a pcap-ng file,
> and circumvent a lot of the immediate compatibility issues.

Modifying libpcap to write pcap-ng files is quite easy, as pcap-ng is a 
superset of the pcap format. Reading is much more tricky. The problem is 
that the current libpcap API to read pcap files doesn't support all the 
features of pcap-ng (the most important one is probably the fact that a 
capture file can contain packets coming from multiple interfaces and link 
layers at the same time). In this case an idea is to modify the internals of 
libpcap to support a minimal set of the pcap-ng features without changing 
the current API (e.g. files with only one section and packets from one 
interface).

IMHO the best thing to do would be better decouple packet capture from 
packet logging to file. libpcap is the capture library, NTAR (or any other 
library) is the library used to read/write capture files.

Just my two cents.
GV

>
> Cheers!
> --Benn
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:wireshark-dev-
>> [EMAIL PROTECTED] On Behalf Of Gianluca Varenni
>> Sent: Thursday, January 11, 2007 4:39 PM
>> To: Developer support list for Wireshark
>> Subject: Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?
>>
>> Benn,
>>
>> regarding the NTAR project (i.e. the only implementation of the
> pcap-ng
>> "wannabe" spec so far) that I "maintain", I've been pretty busy in the
>> last
>> year or so, thus not being able to work on it. The project is not dead
> at
>> all, I'm simply giving priority to other tasks...
>>
>> As far as the integration with wireshark is concerned, technically
>> speaking
>> there is one big feature missing from NTAR that is needed by
> wireshark,
>> that
>> is seeking within a file.
>> I started working on it during the xmas holidays, but I haven't come
> out
>> with a definitive API for it. The main problem I'm having is the
> hierarchy
>> of the file (packets are embedded in blocks which are grouped into
>> sections)
>> that make everything much more complicated. I plan to work on it in
> the
>> upcoming weeks and post something on the NTAR website as soon as
> possible.
>>
>> I think that the wireshark devs have a great interest in moving to
> pcap-ng
>> as the standard trace format (being it through NTAR or reimplementing
> the
>> spec), I have no idea where this task sits within the Wireshark
> roadmap,
>> and
>> if this task would fit before or after the 1.0 milestone.
>>
>> Have a nice day
>> GV
>>
>>
>>
>> - Original Message -
>> From: "Benn Bollay" <[EMAIL PROTECTED]>
>> To: "Developer support list for Wireshark"
> 
>> Sent: Wednesday, January 10, 2007 2:27 PM
>> Subject: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?
>>
>>
>> > Hello all -
>> >
>> > Is the next-gen pcap format still in the roadmap at all?  I've heard
>> > nothing about it for ages; there doesn't seem to be any discussions,
> nor
>> > any implemention details for well over a year now.
>> >
>> > I'm trying to decide whether I should hack-up the libpcap format or
>> > spend more development effort and move entirely to

Re: [Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Stephen Fisher 
On Fri, Jan 12, 2007 at 07:19:59PM +, Martin Warnes wrote:

> The Connect:Direct protocol in this case is just a header record:
> 
>   54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
> 0050   80 00 00 00 38 00 00 00
> 
> and the SSL payload:
> 
>   16 03 01 00 04 0e 00 00  8...
> 0060   00 

In this case, your dissector should call the SSL dissector once its done 
processing its own data.  See epan/dissector/packet-eap.c for an example 
of calling SSL as a sub-dissector (look for each instance of "ssl_handle" 
and how it builds next_tvb before calling it).


Steve

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Martin Warnes 
We carry SSL within the Connect:Direct file transfer protocol:

   00 00 03 04 00 00 00 50 ba da b4 6c 00 00 08 00  ...P...l
0010   45 00 00 51 0e 48 40 00 40 06 aa be c0 a8 00 28  [EMAIL 
PROTECTED]@..(
0020   c0 a8 00 28 05 54 86 0b 35 13 e0 4d 35 3a 86 3d  ...(.T..5..M5:.=
0030   80 18 20 00 81 e4 00 00 01 01 08 0a 09 53 d3 f3  .. ..S..
0040   09 53 d3 f3 54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
0050   80 00 00 00 38 00 00 00 16 03 01 00 04 0e 00 00  8...
0060   00 

The Connect:Direct protocol in this case is just a header record:

54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
0050   80 00 00 00 38 00 00 00

and the SSL payload:

16 03 01 00 04 0e 00 00  8...
0060   00 

Regards .. Martin

Stephen Fisher wrote the following on 12/01/2007 19:10:
> On Fri, Jan 12, 2007 at 06:50:31PM +, Martin Warnes wrote:
>
>   
>> Checking the SSL preferences I had an entry for RSA keys list; 
>> 127.0.0.1,1364,tls,c:\ssltest.key which specified this port so it was 
>> correctly attempting to dissect this packet as SSL after all.
>> 
>
> It sounds like you are trying to dissect SSL/TLS within SSL/TLS.  The 
> dissector is called "ssl" instead of "tls" used above.
>
>   
>> My follow-up question would be; Is it possible to follow the SSL 
>> stream when the SSL data is embedded in another protocol? This would 
>> be a very useful feature for what I'm working on.
>> 
>
> What other protocol would SSL be embedded in?
>
>
> Steve
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> jy�u�U2�צ�m
> �rV�j��z�b��,�   ڶ�޲V���]jם�Z�%���_����m4
>   


--
Scanned by ClamAV antivirus system - http://www.clamav.net
Virus signatures last updated: Fri Jan 12 18:33:21 2007
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Stephen Fisher 
On Fri, Jan 12, 2007 at 06:50:31PM +, Martin Warnes wrote:

> Checking the SSL preferences I had an entry for RSA keys list; 
> 127.0.0.1,1364,tls,c:\ssltest.key which specified this port so it was 
> correctly attempting to dissect this packet as SSL after all.

It sounds like you are trying to dissect SSL/TLS within SSL/TLS.  The 
dissector is called "ssl" instead of "tls" used above.

> My follow-up question would be; Is it possible to follow the SSL 
> stream when the SSL data is embedded in another protocol? This would 
> be a very useful feature for what I'm working on.

What other protocol would SSL be embedded in?


Steve
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Martin Warnes 
Ok I found the problem, in the SSL debug log I saw;

association_add TCP port 1364 protocol tls handle 
association_add could not find handle for protocol 'tls', try to find 
'data' dissector

Checking the SSL preferences I had an entry for RSA keys list; 
127.0.0.1,1364,tls,c:\ssltest.key which specified this port so it was 
correctly attempting to dissect this packet as SSL after all.

My follow-up question would be; Is it possible to follow the SSL stream 
when the SSL data is embedded in another protocol? This would be a very 
useful feature for what I'm working on.

Regards .. Martin


Martin Warnes wrote the following on 12/01/2007 16:27:
> Hi,
>
> I'm developing a dissector plugin for the Connect:Direct file transfer 
> protocol, the protocol itself can contain a SSL payload. Until recently 
> i didn't have too many problems with my dissector identifying it's own 
> data, adding some information to the tree and then passing the SSL 
> payload off to the SSL dissector for subdissection.
>
> I updated the source today and now all the Connect:Direct protocol 
> packets are being identified as SSL continuation data, this occurs with 
> or without my dissector plugin loaded.
>
> Example for the packet below:
>
>
>    00 00 03 04 00 00 00 50 ba da b4 6c 00 00 08 00  ...P...l
> 0010   45 00 00 51 0e 48 40 00 40 06 aa be c0 a8 00 28  [EMAIL 
> PROTECTED]@..(
> 0020   c0 a8 00 28 05 54 86 0b 35 13 e0 4d 35 3a 86 3d  ...(.T..5..M5:.=
> 0030   80 18 20 00 81 e4 00 00 01 01 08 0a 09 53 d3 f3  .. ..S..
> 0040   09 53 d3 f3 54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
> 0050   80 00 00 00 38 00 00 00 16 03 01 00 04 0e 00 00  8...
> 0060   00 
>
>  The Connect:Direct protocol contains a header that starts with "TCP2" 
> the length of the header is offset +6 (x10), there are 4 bytes of flag 
> data and then the payload data starts.   
>
>54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
> 0050   80 00 00 00 38 00 00 00 16 03 01 00 04 0e 00 00  8...
> 0060   00  .
>
> In this case the payload is SSL data starting x'16 x'03 x'01
>
> Has something changed in the SSL dissector that may caue this behaviour? 
> I looked at the SVN history and can't see anything obvious, but a quick 
> look through the SSL dissector code and I saw some routines called 
> "ssl_looks_like_". This seems to suggest that the SSL code does a 
> heuristic attempt to determine whether the packet contains SSL data, 
> which this does although it is not the only protocol in the packet.
>
> Is there a way to prevent this?
>
> I can work around the problem by using "decode as..", but that's not a 
> desirable solution.
>
> Regards .. Martin
>
>
>
> --
> Scanned by ClamAV antivirus system - http://www.clamav.net
> Virus signatures last updated: Fri Jan 12 15:33:21 2007
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> jy�u�U2�צ�m
> �rV�j��z�b��,�   ڶ�޲V���]jם�Z�%���^����m4
>   


--
Scanned by ClamAV antivirus system - http://www.clamav.net
Virus signatures last updated: Fri Jan 12 15:33:21 2007
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Guy Harris 
Benn Bollay wrote:

> How difficult will the integration into the std tools (tcpdump,
> Wireshark, et al) be once a consistent API is implemented?  One wonders
> if it would be possible to provide a pcap interface to a pcap-ng file,
> and circumvent a lot of the immediate compatibility issues.

That's certainly my intent for libpcap in the future.

I want to provide two interfaces:

1) the existing libpcap API, which will handle as much of pcap-ng as it 
can (ignoring some records, discarding some data in others, failing as 
soon as it sees a link-layer type other than the first one it saw);

2) a newer API, which exposes the full capabilities of pcap-ng, and 
also transparently supports reading old-style libpcap files.

That would give applications using libpcap to read captures (such as 
tcpdump) transparent pcap-ng support (I'd convert tcpdump to use the 
newer API if available, with the configure script checking for it). 
Libpcap-based applications would be able to handle "typical" pcap-ng 
files without change; if they changed to support the new API's, they'd 
be able to handle all pcap-ng files (assuming they support all the 
possible link-layer types) and still support old-style libpcap files.

Wireshark has its own code to read libpcap files; its Wiretap library's 
API, etc. is a bit different, as it's oriented towards random access and 
support for non-libpcap-style file formats.  The API would be changed to 
handle pcap-ng's capabilities (which might also allow support to be 
added for other capture file formats' capabilities).

(If the Wiretap API were ever stable enough that we'd have good reason 
to think we wouldn't have to change it to support new capture file 
formats or new capabilities or link-layer types in existing file 
formats, we could perhaps consider merging it with libpcap - but the 
different licenses, BSD vs. GPL, would be a problem with that.  Given 
that Wireshark's release cycles are faster than libpcap's, we wouldn't 
be ready to consider that until we have something we don't think we'd 
need to change faster than libpcap.  I.e., I think we'll probably 
continue to have Wiretap around for a while.)
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?

2007-01-12 Thread Benn Bollay 
Hello GV -

Thanks for the reply!

It's interesting to see how people work around the limitations in the
current pcap format.  One I'm is thinking of doing is utilizing the
Ethernet Trailer (which you almost /never/ see anymore) to associate a
lot of the data that pcap-ng would provide in a more elegent fashion.
With a custom dissector, that should give us a lot of the features we're
looking for.

Is the seeking problem a mechanics issue, or an API issue?  I'd be
interest in talking about it more with you, or perhaps contributing a
bit if that makes sense.

How difficult will the integration into the std tools (tcpdump,
Wireshark, et al) be once a consistent API is implemented?  One wonders
if it would be possible to provide a pcap interface to a pcap-ng file,
and circumvent a lot of the immediate compatibility issues.

Cheers!
--Benn

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:wireshark-dev-
> [EMAIL PROTECTED] On Behalf Of Gianluca Varenni
> Sent: Thursday, January 11, 2007 4:39 PM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?
> 
> Benn,
> 
> regarding the NTAR project (i.e. the only implementation of the
pcap-ng
> "wannabe" spec so far) that I "maintain", I've been pretty busy in the
> last
> year or so, thus not being able to work on it. The project is not dead
at
> all, I'm simply giving priority to other tasks...
> 
> As far as the integration with wireshark is concerned, technically
> speaking
> there is one big feature missing from NTAR that is needed by
wireshark,
> that
> is seeking within a file.
> I started working on it during the xmas holidays, but I haven't come
out
> with a definitive API for it. The main problem I'm having is the
hierarchy
> of the file (packets are embedded in blocks which are grouped into
> sections)
> that make everything much more complicated. I plan to work on it in
the
> upcoming weeks and post something on the NTAR website as soon as
possible.
> 
> I think that the wireshark devs have a great interest in moving to
pcap-ng
> as the standard trace format (being it through NTAR or reimplementing
the
> spec), I have no idea where this task sits within the Wireshark
roadmap,
> and
> if this task would fit before or after the 1.0 milestone.
> 
> Have a nice day
> GV
> 
> 
> 
> - Original Message -
> From: "Benn Bollay" <[EMAIL PROTECTED]>
> To: "Developer support list for Wireshark"

> Sent: Wednesday, January 10, 2007 2:27 PM
> Subject: [Wireshark-dev] Is pcap-ng/ntar still in roadmap?
> 
> 
> > Hello all -
> >
> > Is the next-gen pcap format still in the roadmap at all?  I've heard
> > nothing about it for ages; there doesn't seem to be any discussions,
nor
> > any implemention details for well over a year now.
> >
> > I'm trying to decide whether I should hack-up the libpcap format or
> > spend more development effort and move entirely to something else.
> >
> > Cheers,
> > --Benn
> > ___
> > Wireshark-dev mailing list
> > Wireshark-dev@wireshark.org
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Sebastien Tandel 
Hi,

   If I'm not wrong, the VALS(x), TFS(x) are affected to a const void *
in hf_register_info which in fact are enumerated types. range_string is
not an enumerated type. You then have to decide in proto_tree_add_item,
in fact, a little bit later in fill_label_enumerated_(u)int which is the
type of the structure you have. In the current code of proto.c you can't
decide if it's a range_string or value_string structure at this point.

You then have to implement a mechanism which can decide which type it is
before thinking about a specific treatment in proto.c
You may operate like the following by creating an intermediate structure
which will be used to determine which is the structure we're using  :
(little bit tricky but it's working (I already have a patch for))

*** in value_string.h

typedef struct _rval_val_int {
  guint32 value;
  gchar * strptr;
  const range_string * rstr;
}rval_val_int;

*** in proto.h

#define RVALS(x) (const _value_string*)(x)


*** in your dissector
const range_string rstr[] = {
{ 0, 10, "test" },
{ 0, 0, NULL }
};

const rval_val_int rval_interm[] = {
  { 0, NULL, rstr }
};


After having done this work, you can now change the code of
fill_label_enumerate_(u)int by doing a test on the first string element
of the structure you have if it's NULL => you have a range_string
structure. (you may imagine having more different types of structures,
and then doing a test on string names?)


refinement :
you may define a macro to hide a little bit more the intermediate structure
#define RVAL_INT(rvalstring, int_rvalstring) const rval_val_int
(int_rvalstring_name)[]= { { 0, NULL, rvalstring } };


If you want something cleaner ... one of the solution may be a
intermediate structure which is mandatory with well-defined values to
determine which structure it encapsulates. => need changes then in the
macros VALS, TFS and even in the dissectors using VALS, TFS


Regards,

Sebastien Tandel

Jaap Keuter wrote:
> Hi,
>
> My first impression is that the RS() macro (refer to code sample below)
> needs to be implemented to work with the range_string type. I've got
> really no idea what is involved with that.
>
> Thanx,
> Jaap
>
> On Fri, 12 Jan 2007, Anders Broman wrote:
>
>   
>> Hi,
>> I had a brief look some time ago and it looked
>> To me like it would require new FT_x:s or
>> That the macros VAL and TFS would have to be changed to supply
>> the needed functions. Is there a better way to do it?
>>
>> BR
>> Anders
>>
>> -Ursprungligt meddelande-
>> Från: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] För Jaap Keuter
>> Skickat: den 12 januari 2007 15:48
>> Till: Developer support list for Wireshark
>> Ämne: Re: [Wireshark-dev] proto_tree_add_item() with range_string
>>
>> Hi,
>>
>> Yeah, that would be nice, having stuff like this:
>>
>>   static const range_string rs_value[] = {
>> {  0, 49, "Little" },
>> { 50, 99, "Some" },
>> {100,199, "Considerable" },
>> {200,255, "High" },
>> {  0,  0, NULL }
>>   };
>>
>>   proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);
>>
>>   static hf_register_info hf[] = {
>> { &hf_proto_value,
>>   { "Value", "proto.value",
>> FT_UINT8, BASE_DEC,
>> RS(rs_value), 0x0,
>> "How much is it worth", HFILL }}
>>   };
>>
>> + Frame
>> + Ethernet II
>> + IP
>> + TCP
>> + Proto
>>   Value: High (220)
>>
>> That would require weaving in the range string handling along the types
>> where VALS() and TFS() handling applies (FT_*INT*, and FT_BOOLEAN).
>> epan/proto.c comes to mind.
>>
>> Thanx,
>> Jaap
>>
>> On Fri, 12 Jan 2007, Anders Broman wrote:
>>
>> 
>>> Hi,
>>> Does some have an idea on how to implement proto_tree_add_item() with a
>>> range_string?
>>> That would be really useful.
>>> BR
>>> Anders
>>>
>>>
>>>   
>> ___
>> Wireshark-dev mailing list
>> Wireshark-dev@wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>> ___
>> Wireshark-dev mailing list
>> Wireshark-dev@wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>>
>> 
>
>   
> 
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>   

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] SSL dissector conflicting with dissector plugin

2007-01-12 Thread Martin Warnes 
Hi,

I'm developing a dissector plugin for the Connect:Direct file transfer 
protocol, the protocol itself can contain a SSL payload. Until recently 
i didn't have too many problems with my dissector identifying it's own 
data, adding some information to the tree and then passing the SSL 
payload off to the SSL dissector for subdissection.

I updated the source today and now all the Connect:Direct protocol 
packets are being identified as SSL continuation data, this occurs with 
or without my dissector plugin loaded.

Example for the packet below:


   00 00 03 04 00 00 00 50 ba da b4 6c 00 00 08 00  ...P...l
0010   45 00 00 51 0e 48 40 00 40 06 aa be c0 a8 00 28  [EMAIL 
PROTECTED]@..(
0020   c0 a8 00 28 05 54 86 0b 35 13 e0 4d 35 3a 86 3d  ...(.T..5..M5:.=
0030   80 18 20 00 81 e4 00 00 01 01 08 0a 09 53 d3 f3  .. ..S..
0040   09 53 d3 f3 54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
0050   80 00 00 00 38 00 00 00 16 03 01 00 04 0e 00 00  8...
0060   00 

 The Connect:Direct protocol contains a header that starts with "TCP2" 
the length of the header is offset +6 (x10), there are 4 bytes of flag 
data and then the payload data starts.   

   54 43 50 32 00 02 00 10 00 00 00 09  .S..TCP2
0050   80 00 00 00 38 00 00 00 16 03 01 00 04 0e 00 00  8...
0060   00  .

In this case the payload is SSL data starting x'16 x'03 x'01

Has something changed in the SSL dissector that may caue this behaviour? 
I looked at the SVN history and can't see anything obvious, but a quick 
look through the SSL dissector code and I saw some routines called 
"ssl_looks_like_". This seems to suggest that the SSL code does a 
heuristic attempt to determine whether the packet contains SSL data, 
which this does although it is not the only protocol in the packet.

Is there a way to prevent this?

I can work around the problem by using "decode as..", but that's not a 
desirable solution.

Regards .. Martin



--
Scanned by ClamAV antivirus system - http://www.clamav.net
Virus signatures last updated: Fri Jan 12 15:33:21 2007
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Jaap Keuter 
Hi,

My first impression is that the RS() macro (refer to code sample below)
needs to be implemented to work with the range_string type. I've got
really no idea what is involved with that.

Thanx,
Jaap

On Fri, 12 Jan 2007, Anders Broman wrote:

> Hi,
> I had a brief look some time ago and it looked
> To me like it would require new FT_x:s or
> That the macros VAL and TFS would have to be changed to supply
> the needed functions. Is there a better way to do it?
>
> BR
> Anders
>
> -Ursprungligt meddelande-
> Fr??n: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] F??r Jaap Keuter
> Skickat: den 12 januari 2007 15:48
> Till: Developer support list for Wireshark
> ??mne: Re: [Wireshark-dev] proto_tree_add_item() with range_string
>
> Hi,
>
> Yeah, that would be nice, having stuff like this:
>
>   static const range_string rs_value[] = {
> {  0, 49, "Little" },
> { 50, 99, "Some" },
> {100,199, "Considerable" },
> {200,255, "High" },
> {  0,  0, NULL }
>   };
>
>   proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);
>
>   static hf_register_info hf[] = {
> { &hf_proto_value,
>   { "Value", "proto.value",
> FT_UINT8, BASE_DEC,
> RS(rs_value), 0x0,
> "How much is it worth", HFILL }}
>   };
>
> + Frame
> + Ethernet II
> + IP
> + TCP
> + Proto
>   Value: High (220)
>
> That would require weaving in the range string handling along the types
> where VALS() and TFS() handling applies (FT_*INT*, and FT_BOOLEAN).
> epan/proto.c comes to mind.
>
> Thanx,
> Jaap
>
> On Fri, 12 Jan 2007, Anders Broman wrote:
>
> > Hi,
> > Does some have an idea on how to implement proto_tree_add_item() with a
> > range_string?
> > That would be really useful.
> > BR
> > Anders
> >
> >
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Anders Broman 
Hi,
I had a brief look some time ago and it looked
To me like it would require new FT_x:s or
That the macros VAL and TFS would have to be changed to supply
the needed functions. Is there a better way to do it?

BR
Anders

-Ursprungligt meddelande-
Från: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] För Jaap Keuter
Skickat: den 12 januari 2007 15:48
Till: Developer support list for Wireshark
Ämne: Re: [Wireshark-dev] proto_tree_add_item() with range_string

Hi,

Yeah, that would be nice, having stuff like this:

  static const range_string rs_value[] = {
{  0, 49, "Little" },
{ 50, 99, "Some" },
{100,199, "Considerable" },
{200,255, "High" },
{  0,  0, NULL }
  };

  proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);

  static hf_register_info hf[] = {
{ &hf_proto_value,
  { "Value", "proto.value",
FT_UINT8, BASE_DEC,
RS(rs_value), 0x0,
"How much is it worth", HFILL }}
  };

+ Frame
+ Ethernet II
+ IP
+ TCP
+ Proto
  Value: High (220)

That would require weaving in the range string handling along the types
where VALS() and TFS() handling applies (FT_*INT*, and FT_BOOLEAN).
epan/proto.c comes to mind.

Thanx,
Jaap

On Fri, 12 Jan 2007, Anders Broman wrote:

> Hi,
> Does some have an idea on how to implement proto_tree_add_item() with a
> range_string?
> That would be really useful.
> BR
> Anders
>
>

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] write plugin following README.plugins

2007-01-12 Thread Jaap Keuter 
Hi,

I think you missed some steps in chapter 3. These are for pointing
configure and make to your new plugin directory.

Thanx,
Jaap

On Fri, 12 Jan 2007, Armin Wasicek wrote:

>
> Hello!
>
> I just tried to migrate an old (working) etherreal plugin following the
> guide in doc/README.plugins to the wireshark-0.99.4 source.
>
> I followed all steps, but unfortunately the ./configure tool generates
> no Makefile (and no "config.status: creating plugins/xxx/Makefile" line).
>
> Is the guide up to date and what could I have possibly missed?
>
> Cheers
> Armin
>

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Jaap Keuter 
Hi,

Yeah, that would be nice, having stuff like this:

  static const range_string rs_value[] = {
{  0, 49, "Little" },
{ 50, 99, "Some" },
{100,199, "Considerable" },
{200,255, "High" },
{  0,  0, NULL }
  };

  proto_tree_add_item(tree, hf_proto_value, tvb, offset, 1, FALSE);

  static hf_register_info hf[] = {
{ &hf_proto_value,
  { "Value", "proto.value",
FT_UINT8, BASE_DEC,
RS(rs_value), 0x0,
"How much is it worth", HFILL }}
  };

+ Frame
+ Ethernet II
+ IP
+ TCP
+ Proto
  Value: High (220)

That would require weaving in the range string handling along the types
where VALS() and TFS() handling applies (FT_*INT*, and FT_BOOLEAN).
epan/proto.c comes to mind.

Thanx,
Jaap

On Fri, 12 Jan 2007, Anders Broman wrote:

> Hi,
> Does some have an idea on how to implement proto_tree_add_item() with a
> range_string?
> That would be really useful.
> BR
> Anders
>
>

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Win32 build broken?

2007-01-12 Thread Giorgio Tino 
Tomas,

thanks, now it compiles!

Giorgio!

- Original Message - 
From: "Kukosa, Tomas" <[EMAIL PROTECTED]>
To: "Developer support list for Wireshark" 
Sent: Friday, January 12, 2007 1:40 PM
Subject: Re: [Wireshark-dev] Win32 build broken?


> Hi,
> 
> it is caused by my changes in SSL.
> Unfortunately ssl-dlg.c was not recompiled on my PC and did not catch
> this error.
> I will fix it.
> 
> Tomas 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Giorgio Tino
> Sent: Friday, January 12, 2007 1:28 PM
> To: Developer support list for Wireshark
> Subject: [Wireshark-dev] Win32 build broken?
> 
> Hi,
> 
> I've just updated Wireshark for Win32 to build 20405 and I get this
> error:
> 
> ssl-dlg.c(155) : error C2039: 'app_data' : is not a member of 
> 'SslPacketInfo'
>..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
> 'SslPacketInfo'
> ssl-dlg.c(173) : error C2039: 'app_data' : is not a member of 
> 'SslPacketInfo'
>..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
> 'SslPacketInfo'
> ssl-dlg.c(176) : error C2039: 'app_data' : is not a member of 
> 'SslPacketInfo'
>..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
> 'SslPacketInfo'
> 
> Any idea?
> 
> Thanks,
> Giorgio
> 
> 
> - Original Message - 
> From: "Ulf Lamping" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, January 12, 2007 12:43 PM
> Subject: Re: [Wireshark-dev] [The Wireshark Wiki] Update of "FrontPage" 
> bynickvlas
> 
> 
>> Wireshark Wiki - Do not reply wrote:
>>> Dear Wiki user,
>>>
>>> You have subscribed to a wiki page or wiki category on "The Wireshark
> 
>>> Wiki" for change notification.
>>>
>>> The following page has been changed by nickvlas:
>>> http://wiki.wireshark.org/FrontPage
>>>
>>>
> 
> --
>>>* ["Preferences"]: Preference settings controlling the behaviour
> of 
>>> Wireshark and TShark
>>>* ["Statistics"]: Statistics range from general capture file 
>>> information to protocol specific statistics
>>>* ["Security"]: how to use Wireshark as securely as possible
>>> +  * [http://freeclips.adrenalinbet.com free porn clips] Preference 
>>> settings controlling the behaviour of Wireshark
>>>* ["Performance"]: how to "fine tune" Wireshark's performance
>>>* ["Timestamps"]: Accuracy, precision, and resolution
>>>* ["Tools"]: tools and scripts that relate to the use of Wireshark
> and 
>>> TShark
>>>
>>>
>> Hi Gerald!
>>
>> Someones spamming the frontpage repeatedly :-(
>>
>> Maybe it's time to lock write access to a few known developers?
>>
>> Regards, ULFL
>> ___
>> Wireshark-dev mailing list
>> Wireshark-dev@wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev 
> 
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] write plugin following README.plugins

2007-01-12 Thread Armin Wasicek 

Hello!

I just tried to migrate an old (working) etherreal plugin following the 
guide in doc/README.plugins to the wireshark-0.99.4 source.

I followed all steps, but unfortunately the ./configure tool generates 
no Makefile (and no "config.status: creating plugins/xxx/Makefile" line).

Is the guide up to date and what could I have possibly missed?

Cheers
Armin




___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Build Error in 0.99.4 LNK1181/U1073

2007-01-12 Thread Andrew Hood 
Jan Kokott wrote:
> Hi,
> 
> I found out that much. 
> The -i option I got from 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/U1077.asp
> maybe that wasn´t a good idea.

It depends. -k or -i can get as much as possible compiled in one run.
You then run (n)make again without the option to fix the ones that
didn't compile the first time.

> I found out, that the problem started with the libui.lib (in GTK) which 
> couldn´t be build.
> There seems to be another declaration of somehting in VS 2005 (V.8) that 
> tries to overwrite one of the definitions in the wireshark sources.
> 
> After commenting out the IFNDEF line in the source of VS, it worked further 
> on to the next problem with the openssl.h which was called in the GTK Package 
> and a new error.
> 
> It just looked like my environment isn´t suitable for that task.(VS 2005 V8, 
> cygwin and nmake.exe)
> Switching to linux (ubuntu) should help me at least compiling wireshark and 
> starting with my 802.15.4 plugin project.
> 
> If you want to have more Information about my problem, I could switch back to 
> Windows, but for now I will use Linux instead.
> Thank you anyway.

Upgrade to the latest SVN. It compiles with MSCV2005 with almost no
fiddling. There has been an ongoing discussion in wireshark-dev between
Ulf, Anders, Laurent and me (with a few others thrown in for good
measure) over the last couple of weeks to get it working.

-- 
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Win32 build broken?

2007-01-12 Thread Kukosa, Tomas 
Hi,

it is caused by my changes in SSL.
Unfortunately ssl-dlg.c was not recompiled on my PC and did not catch
this error.
I will fix it.

Tomas 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Giorgio Tino
Sent: Friday, January 12, 2007 1:28 PM
To: Developer support list for Wireshark
Subject: [Wireshark-dev] Win32 build broken?

Hi,

I've just updated Wireshark for Win32 to build 20405 and I get this
error:

ssl-dlg.c(155) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'
ssl-dlg.c(173) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'
ssl-dlg.c(176) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'

Any idea?

Thanks,
Giorgio


- Original Message - 
From: "Ulf Lamping" <[EMAIL PROTECTED]>
To: 
Sent: Friday, January 12, 2007 12:43 PM
Subject: Re: [Wireshark-dev] [The Wireshark Wiki] Update of "FrontPage" 
bynickvlas


> Wireshark Wiki - Do not reply wrote:
>> Dear Wiki user,
>>
>> You have subscribed to a wiki page or wiki category on "The Wireshark

>> Wiki" for change notification.
>>
>> The following page has been changed by nickvlas:
>> http://wiki.wireshark.org/FrontPage
>>
>>

--
>>* ["Preferences"]: Preference settings controlling the behaviour
of 
>> Wireshark and TShark
>>* ["Statistics"]: Statistics range from general capture file 
>> information to protocol specific statistics
>>* ["Security"]: how to use Wireshark as securely as possible
>> +  * [http://freeclips.adrenalinbet.com free porn clips] Preference 
>> settings controlling the behaviour of Wireshark
>>* ["Performance"]: how to "fine tune" Wireshark's performance
>>* ["Timestamps"]: Accuracy, precision, and resolution
>>* ["Tools"]: tools and scripts that relate to the use of Wireshark
and 
>> TShark
>>
>>
> Hi Gerald!
>
> Someones spamming the frontpage repeatedly :-(
>
> Maybe it's time to lock write access to a few known developers?
>
> Regards, ULFL
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev 

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Build Error in 0.99.4 LNK1181/U1073

2007-01-12 Thread Jan Kokott 
Hi,

I found out that much. 
The -i option I got from 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/U1077.asp
maybe that wasn´t a good idea.

I found out, that the problem started with the libui.lib (in GTK) which 
couldn´t be build.
There seems to be another declaration of somehting in VS 2005 (V.8) that tries 
to overwrite one of the definitions in the wireshark sources.

After commenting out the IFNDEF line in the source of VS, it worked further on 
to the next problem with the openssl.h which was called in the GTK Package and 
a new error.

It just looked like my environment isn´t suitable for that task.(VS 2005 V8, 
cygwin and nmake.exe)
Switching to linux (ubuntu) should help me at least compiling wireshark and 
starting with my 802.15.4 plugin project.

If you want to have more Information about my problem, I could switch back to 
Windows, but for now I will use Linux instead.
Thank you anyway.

With kind Regards   Jan


 Original-Nachricht 
Datum: Fri, 12 Jan 2007 10:40:48 +0100 (CET)
Von: Jaap Keuter <[EMAIL PROTECTED]>
An: Developer support list for Wireshark 
Betreff: Re: [Wireshark-dev] Build Error in 0.99.4 LNK1181/U1073

> Hi,
> 
> Where do you get the "-i" from in "nmake -i Makefile.nmake". Doesn't that
> cover up build problems earlier on? My guess is that the build of
> capture_if_details_dlg.c failed but it scrolled off screen. The linker
> then couldn't find the object to build the libui.lib, which by itself is a
> target that nmake now doesn't know how to build.
> 
> Debugger rule of thumb: Always start with the first problem, then work
> your way down. Ignoring them won't make them go away.
> 
> Thanx,
> Jaap
> 
> On Fri, 12 Jan 2007, Jan Kokott wrote:
> 
> > Hi,
> >
> > I tried to build the 0.99.4 (latest Version
> http://www.wireshark.org/download.html)from source in my win XP.
> > After using
> > nmake -i Makefile.nmake
> > It does a lot of stuff and seems to work for a long time but then
> suddenly stops with
> >
> > LINK : fatal error LNK1181: cannot open input file
> 'capture_if_details_dlg.obj'
> > NMAKE : fatal error U1073: don't know how to make 'gtk\libui.lib'
> > Stop.
> >
> > The second fatal error was found some time ago :
> > http://www.ethereal.com/lists/ethereal-dev/200606/msg00228.html
> > but no one answered to the problem.
> >
> > I tried to do it again with a distclean and another cmd Window with
> clean Path as suggested here
> http://www.wireshark.org/lists/wireshark-dev/200611/msg00590.html
> > but that didn´t work.
> >
> > Anyone got a solution to this problem ?
> >
> > So longJan
> >
> 
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Win32 build broken?

2007-01-12 Thread Giorgio Tino 
Hi,

I've just updated Wireshark for Win32 to build 20405 and I get this error:

ssl-dlg.c(155) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'
ssl-dlg.c(173) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'
ssl-dlg.c(176) : error C2039: 'app_data' : is not a member of 
'SslPacketInfo'
..\epan/dissectors/packet-ssl-utils.h(640) : see declaration of 
'SslPacketInfo'

Any idea?

Thanks,
Giorgio


- Original Message - 
From: "Ulf Lamping" <[EMAIL PROTECTED]>
To: 
Sent: Friday, January 12, 2007 12:43 PM
Subject: Re: [Wireshark-dev] [The Wireshark Wiki] Update of "FrontPage" 
bynickvlas


> Wireshark Wiki - Do not reply wrote:
>> Dear Wiki user,
>>
>> You have subscribed to a wiki page or wiki category on "The Wireshark 
>> Wiki" for change notification.
>>
>> The following page has been changed by nickvlas:
>> http://wiki.wireshark.org/FrontPage
>>
>> --
>>* ["Preferences"]: Preference settings controlling the behaviour of 
>> Wireshark and TShark
>>* ["Statistics"]: Statistics range from general capture file 
>> information to protocol specific statistics
>>* ["Security"]: how to use Wireshark as securely as possible
>> +  * [http://freeclips.adrenalinbet.com free porn clips] Preference 
>> settings controlling the behaviour of Wireshark
>>* ["Performance"]: how to "fine tune" Wireshark's performance
>>* ["Timestamps"]: Accuracy, precision, and resolution
>>* ["Tools"]: tools and scripts that relate to the use of Wireshark and 
>> TShark
>>
>>
> Hi Gerald!
>
> Someones spamming the frontpage repeatedly :-(
>
> Maybe it's time to lock write access to a few known developers?
>
> Regards, ULFL
> ___
> Wireshark-dev mailing list
> Wireshark-dev@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-dev 

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] [The Wireshark Wiki] Update of "FrontPage" by nickvlas

2007-01-12 Thread Ulf Lamping 
Wireshark Wiki - Do not reply wrote:
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "The Wireshark Wiki" 
> for change notification.
>
> The following page has been changed by nickvlas:
> http://wiki.wireshark.org/FrontPage
>
> --
>* ["Preferences"]: Preference settings controlling the behaviour of 
> Wireshark and TShark
>* ["Statistics"]: Statistics range from general capture file information 
> to protocol specific statistics
>* ["Security"]: how to use Wireshark as securely as possible
> +  * [http://freeclips.adrenalinbet.com free porn clips] Preference settings 
> controlling the behaviour of Wireshark 
>* ["Performance"]: how to "fine tune" Wireshark's performance
>* ["Timestamps"]: Accuracy, precision, and resolution
>* ["Tools"]: tools and scripts that relate to the use of Wireshark and 
> TShark
>
>   
Hi Gerald!

Someones spamming the frontpage repeatedly :-(

Maybe it's time to lock write access to a few known developers?

Regards, ULFL
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] proto_tree_add_item() with range_string

2007-01-12 Thread Anders Broman 
Hi,
Does some have an idea on how to implement proto_tree_add_item() with a
range_string?
That would be really useful.
BR
Anders

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

Re: [Wireshark-dev] Build Error in 0.99.4 LNK1181/U1073

2007-01-12 Thread Jaap Keuter 
Hi,

Where do you get the "-i" from in "nmake -i Makefile.nmake". Doesn't that
cover up build problems earlier on? My guess is that the build of
capture_if_details_dlg.c failed but it scrolled off screen. The linker
then couldn't find the object to build the libui.lib, which by itself is a
target that nmake now doesn't know how to build.

Debugger rule of thumb: Always start with the first problem, then work
your way down. Ignoring them won't make them go away.

Thanx,
Jaap

On Fri, 12 Jan 2007, Jan Kokott wrote:

> Hi,
>
> I tried to build the 0.99.4 (latest Version 
> http://www.wireshark.org/download.html)from source in my win XP.
> After using
> nmake -i Makefile.nmake
> It does a lot of stuff and seems to work for a long time but then suddenly 
> stops with
>
> LINK : fatal error LNK1181: cannot open input file 
> 'capture_if_details_dlg.obj'
> NMAKE : fatal error U1073: don't know how to make 'gtk\libui.lib'
> Stop.
>
> The second fatal error was found some time ago :
> http://www.ethereal.com/lists/ethereal-dev/200606/msg00228.html
> but no one answered to the problem.
>
> I tried to do it again with a distclean and another cmd Window with clean 
> Path as suggested here 
> http://www.wireshark.org/lists/wireshark-dev/200611/msg00590.html
> but that didn??t work.
>
> Anyone got a solution to this problem ?
>
> So longJan
>

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev

[Wireshark-dev] Build Error in 0.99.4 LNK1181/U1073

2007-01-12 Thread Jan Kokott 
Hi,

I tried to build the 0.99.4 (latest Version 
http://www.wireshark.org/download.html)from source in my win XP.
After using 
nmake -i Makefile.nmake 
It does a lot of stuff and seems to work for a long time but then suddenly 
stops with 

LINK : fatal error LNK1181: cannot open input file 'capture_if_details_dlg.obj'
NMAKE : fatal error U1073: don't know how to make 'gtk\libui.lib'
Stop.

The second fatal error was found some time ago : 
http://www.ethereal.com/lists/ethereal-dev/200606/msg00228.html
but no one answered to the problem.

I tried to do it again with a distclean and another cmd Window with clean Path 
as suggested here 
http://www.wireshark.org/lists/wireshark-dev/200611/msg00590.html
but that didn´t work.

Anyone got a solution to this problem ?

So longJan
___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev