[Wireshark-dev] complex problem

2011-10-13 Thread Marcel Haas

Hey,
maybe the problem isn't so complex to solve, but it's complex for me to
explain. :)


I have written my own reassemble code and it seems to work. But I have
one big problem.
If I set the filter and click apply, it works, because it goes through
every packet.
And I get my reassemble msg after the packet, but if I now click at the
reassemble packet there
is no reassemble tvb. I know the reason for that: he interprets
every packet one on one.


Example:
Filter is set, click at Apply
Packet: 1 -> frag
Packet: 2 -> frag
Packet: 3 -> Reassemble (last frag)
If I click at Packet 3 he interprets only packet 3. He doesn't see
packet 1, 2

and so he builds no Reass Tvb.

Maybe I'm calling my function at the wrong position.
Code:

static void
dissect_xxx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree){
    ...
    if(tree){
        ...
    }
    // Fragment Routine

    if(totalp > 1){
        frag_tvb = tvb_new_subset(tvb, offset2, -1, -1); // Get the TVB

        big_tvb = ListenElementEinfuegen(NeuesListenElement(snode, pnum, totalp, frag_tvb)); // Reass Function

        if (big_tvb) { // Reassembled -> big_tvb != NULL
            col_append_str(pinfo->cinfo, COL_INFO, " (Message Reassembled)");
            add_new_data_source(pinfo, big_tvb, "Defrag TVB"); // ADD new Data Source
        } else { // Not last packet of reassembled Short Message -> big_tvb == NULL
            col_append_fstr(pinfo->cinfo, COL_INFO, " (Message fragment %u)", pnum);
            col_append_fstr(pinfo->cinfo, COL_INFO, " (Frag: %u)", pinfo->fd->num);
            col_append_fstr(pinfo->cinfo, COL_INFO, " (Visit: %u)", pinfo->fd->flags.visited);
        }
    }
}

I hope someone understands my problem and has a good idea/solution :)

thx and regards
Marcel
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe


Re: [Wireshark-dev] complex problem

2011-10-13 Thread Jeff Morriss

Marcel Haas wrote:

> Hey,
> maybe the problem isn't so complex to solve, but it's complex for me to
> explain. :)
>
> I have written my own reassemble code and it seems to work. But I have
> one big problem.
> If I set the filter and click apply, it works, because it goes through
> every packet.
> And I get my reassemble msg after the packet, but if I now click at the
> reassemble packet there
> is no reassemble tvb. I know the reason for that: he interprets
> every packet one on one.
>
> Example:
> Filter is set, click at Apply
> Packet: 1 -> frag
> Packet: 2 -> frag
> Packet: 3 -> Reassemble (last frag)
> If I click at Packet 3 he interprets only packet 3. He doesn't see packet
> 1, 2
>
> and so he builds no Reass Tvb.


The part about not seeing packets 1 and 2 when clicking on packet 3 is 
correct.  You must do all your reassembly in the first pass (read: even 
when !tree--which it appears you're doing) and it must be stored in such 
a way that when it's (only) re-dissecting packet 3 it will have the data 
from packets 1 and 2 available to it.  I suspect that your custom 
reassembly routine isn't doing this latter part.


(Yes, this means that Reassembly requires using lots of memory.  See 
http://wiki.wireshark.org/KnownBugs/OutOfMemory .)

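To make Jeff's point concrete, here is an added stand-alone model (not code from the thread and not Wireshark's own reassembly routines, which live in epan and work on tvbuffs): the first pass dissects every frame in order with visited == 0, a later click redissects one frame with visited == 1, and the only way that single-frame redissection can produce the reassembled message is to look it up in a table that the first pass filled and that is kept for the life of the capture. The fragment table, the reassembled table keyed by frame number, the frame_t header fields, the three-frame capture and all names are constructed for this example; the fixed table sizes and the 32-bit limits are simplifications.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_FRAGS  8    /* fragments per message this model accepts */
#define MAX_MSGS   8    /* messages in progress at once */
#define MAX_FRAMES 64   /* frame numbers whose result is remembered */

/* One captured fragment; every field is constructed for the example. */
typedef struct {
    unsigned    frame_num;  /* 1-based, like pinfo->fd->num */
    unsigned    msg_id;     /* which message the fragment belongs to */
    unsigned    frag_idx;   /* 1..total, position inside the message */
    unsigned    total;      /* fragment count announced in the header */
    const char *payload;    /* fragment bytes (text here for readability) */
} frame_t;

/* Reassembly in progress for one msg_id: the "fragment table". */
typedef struct {
    unsigned    msg_id, total, received;
    const char *frag[MAX_FRAGS + 1];  /* slot = frag_idx, so arrival order does not matter */
} pending_t;

static pending_t pending[MAX_MSGS];
static unsigned  n_pending;

/* Finished messages keyed by the frame that completed them: the "reassembled
 * table". Kept for the life of the capture (the memory cost Jeff mentions);
 * this is what lets a single-frame redissection of frame 3 succeed. */
static char *reassembled[MAX_FRAMES + 1];

static pending_t *find_or_add_pending(unsigned msg_id, unsigned total)
{
    for (unsigned i = 0; i < n_pending; i++)
        if (pending[i].msg_id == msg_id)
            return &pending[i];
    if (n_pending == MAX_MSGS)
        return NULL;
    pending_t *p = &pending[n_pending++];
    memset(p, 0, sizeof *p);
    p->msg_id = msg_id;
    p->total  = total;
    return p;
}

static char *join_fragments(const pending_t *p)
{
    size_t len = 0;
    for (unsigned i = 1; i <= p->total; i++)
        len += strlen(p->frag[i]);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    out[0] = '\0';
    for (unsigned i = 1; i <= p->total; i++)
        strcat(out, p->frag[i]);
    return out;
}

/* visited == 0: first pass over the whole file. visited == 1: a later
 * redissection of just this frame (a click in the packet list). Returns the
 * reassembled message when this frame completes one, otherwise NULL. */
const char *dissect_frame(const frame_t *f, int visited)
{
    if (f->frame_num == 0 || f->frame_num > MAX_FRAMES)
        return NULL;
    if (visited)   /* second pass: never touch the fragment table, only answer from pass one */
        return reassembled[f->frame_num];

    /* First pass: validate the header before using it as an index. */
    if (f->total == 0 || f->total > MAX_FRAGS || f->frag_idx == 0 || f->frag_idx > f->total)
        return NULL;
    pending_t *p = find_or_add_pending(f->msg_id, f->total);
    if (!p || p->total != f->total)      /* table full, or the sender changed the total */
        return NULL;
    if (p->frag[f->frag_idx] == NULL) {  /* duplicate fragments are dropped */
        p->frag[f->frag_idx] = f->payload;
        p->received++;
    }
    if (p->received < p->total)
        return NULL;

    reassembled[f->frame_num] = join_fragments(p);
    *p = pending[--n_pending];           /* retire the pending entry */
    return reassembled[f->frame_num];
}

void reset_reassembly(void)
{
    for (unsigned i = 0; i <= MAX_FRAMES; i++) {
        free(reassembled[i]);
        reassembled[i] = NULL;
    }
    n_pending = 0;
}

/* Replays Marcel's scenario: pass one over frames 1..3, then a "click" on
 * frame 3 and on frame 1. Returns 1 when the behaviour matches Jeff's description. */
int demo_two_pass(void)
{
    const frame_t cap[3] = {   /* constructed capture: message 7 in three parts */
        {1, 7, 1, 3, "Hello, "}, {2, 7, 2, 3, "reassembled "}, {3, 7, 3, 3, "world"}
    };
    const char *want = "Hello, reassembled world";
    reset_reassembly();
    int ok = dissect_frame(&cap[0], 0) == NULL && dissect_frame(&cap[1], 0) == NULL;
    const char *r = dissect_frame(&cap[2], 0);
    ok = ok && r && strcmp(r, want) == 0;
    r = dissect_frame(&cap[2], 1);                  /* click on frame 3 */
    ok = ok && r && strcmp(r, want) == 0;
    return ok && dissect_frame(&cap[0], 1) == NULL; /* click on frame 1 */
}
```

The shape to compare against the posted dissector: the list-insert call only ever runs on the first pass, the result is stored under the completing frame's number, and the visited branch does nothing but a lookup. A routine that re-inserts the fragment on every call, or frees its list once the message is complete, has nothing to return when frame 3 is dissected on its own.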


Re: [Wireshark-dev] Replace TRUE/FALSE with proper ENC_* in proto_tree_add_item() using a script.

2011-10-13 Thread Dirk Jagdmann

> I'll hold off doing any changes until tomorrow to wait for any comments.


Use ENC_ASCII. I suspect the majority of protocols currently available 
is so old, that they don't use anything more modern. And our users will 
tell us if ENC_ASCII is wrong for some protocols and we can fix them 
manually later.


--
--- Dirk Jagdmann
 http://cubic.org/~doj
- http://llg.cubic.org


[Wireshark-dev] interfaces support

2011-10-13 Thread Andrew Kampjes
What support does wireshark currently have for multiple interfaces?
The pcap-ng format supports them but they don't seem to be shown anywhere and I 
can't find any points in the code to add interfaces to the GUI.

I would like to add the interface as a column for ERF. I can already do that
manually by right clicking on the field and selecting apply as column.

Regards,
Andrew.

--
Andrew Kampjes
Junior Software Developer - Endace

andrew.kamp...@endace.com mailto:andrew.kamp...@endace.com
www.endace.com http://www.endace.com/
LinkedIn http://www.linkedin.com/companies/endace
follow us on Twitter http://twitter.com/endace

power to see all

This email (including any attachments) is intended to be read by the named 
recipient(s) only. If the email wasn't addressed to you, you mustn't use, 
distribute or copy any part of it. If you've received it in error please delete 
it (along with any attachments) and inform us of the error. Emails aren't 
secure and can't be guaranteed to be error free as they can be intercepted, 
amended, lost or destroyed. It's your responsibility to check this email and 
any attachments for viruses. These risks are deemed accepted by everyone that 
communicates with us by email.


Re: [Wireshark-dev] Complete the switch to UIManager driven menubar?

2011-10-13 Thread Tony Trinh
I've fixed the support for Lua menus, as described in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6405. Please review.

Thanks,
Tony

On Tue, Aug 23, 2011 at 3:03 PM, Anders Broman a.bro...@bredband.net wrote:

> Stephen Fisher skrev 2011-08-23 19:58:
>
>> On Tue, Aug 23, 2011 at 10:19:26AM +0200, Anders Broman wrote:
>>
>>> I think all menus work now with MAIN_MENU_USE_UIMANAGER, LUA? When
>>> should we start to rip out the old code?
>>
>> If you feel that it's ready to go, I would say change the default to
>> build with ui manager unless the user specifies otherwise and give it
>> some more time to work out any bugs (over a few months?)
>
> It's already the default, I see your point in letting it ripen a bit but I
> fear that it may become messy
> if we start adding improvements to the UIManager code.
> Some ideas which I wouldn't mind getting help on :-)
> - Read GUI description from file.
> - Move all Conversation Endpoint, and Service response lists into a single
>   file per list including code for the sub menus.
> - New callback functionality to build sub menus/menu items under place
>   holders in the UIdescription similar to the recent files list which
>   perhaps could be replaced by GTKs recent files.
>
> The LUA menu, perhaps we should have lua_gui.c to handle the LUA menus? I'm
> not quite sure how the old stuff worked...
>
> Regards
> Anders

Re: [Wireshark-dev] Replace TRUE/FALSE with proper ENC_* in proto_tree_add_item() using a script.

2011-10-13 Thread Bill Meier

On 10/12/2011 3:30 PM, Bill Meier wrote:

> Based upon the comments:
>
> I propose to do the following for
> the FT_STRING, FT_STRINGZ, FT_UINT_STRING encoding parameter:
>
> Conversions:
> 1. For other than FT_UINT_STRING, always use ENC_NA
>    (replacing any existing True/1/FALSE/0
>    /ENC_BIG_ENDIAN/ENC_LITTLE_ENDIAN).
>
> 2. If there's no character encoding (ENC_ASCII, ...) specified
>    then use ENC_ASCII.
>
> I'll hold off doing any changes until tomorrow to wait for any comments.


It now appears that I won't get to this until the weekend.


Bill



Re: [Wireshark-dev] interfaces support

2011-10-13 Thread Guy Harris

On Oct 13, 2011, at 6:40 PM, Andrew Kampjes wrote:

> What support does wireshark currently have for multiple interfaces?

Currently as in 1.6.x, or currently as in the SVN trunk?  And are you
referring to support when capturing or support when reading a capture file?  It
sounds as if you're referring to the latter.

> The pcap-ng format supports them but they don't seem to be shown anywhere

Currently - as in the SVN trunk, so it also means in earlier releases - we
don't have anywhere in the GUI that can show you a list of the interfaces.

> and I can't find any points in the code to add interfaces to the GUI.
>
> I would like to add the interface as a column for ERF. I can already do that
> manually by right clicking on the field and selecting apply as column.

We should probably look at restructuring Wiretap a bit, to be a more 
pcap-ng-oriented API, which might also allow us to improve the handling of some 
other capture file formats.  I.e., a read should, instead of returning a 
packet, return a data item, which could be a packet or an interface description 
or

For pcap-ng, an Interface Description Block would be reported as an interface 
description.

For file formats that don't have records for interfaces, interface description 
reports would be synthesized as appropriate, e.g. for pcap one would be 
supplied before the first packet.

For ERF, the ERF-reading code would presumably report interfaces A through D 
with synthesized interface either before reporting the first packet record or 
before reporting the first packet record with the specified interface, and 
report the multi-channel interfaces before reporting the first packet record 
with the specified channel.

An interface index would be supplied in the Wiretap header provided for all 
packet records - yes, that would be redundant in ERF files, but that would 
allow the GUI code not to have to know or care.
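A toy model of the read API Guy sketches above, added here as an example and not Wiretap code: a read returns a data item that is either an interface description or a packet, both carrying an interface index, so the GUI side needs no knowledge of the file format. For a format with no interface records (pcap-like here) one description is synthesized before the first packet; for a format that tags each record with an interface (ERF-like here) a description is synthesized the first time a packet on that interface is about to be returned. The fmt_t and item_kind_t tags, the raw_rec_t layout, the reader functions and the four sample records are all constructed for this example; the 32-interface bitmask is a simplification.

```c
#include <stdio.h>
#include <string.h>

typedef enum { FMT_PCAP, FMT_ERF } fmt_t;                  /* hypothetical format tags */
typedef enum { ITEM_INTERFACE, ITEM_PACKET } item_kind_t;

/* A raw record as the file stores it. pcap has no per-record interface
 * field, so iface is ignored for FMT_PCAP. Constructed layout. */
typedef struct { unsigned iface; unsigned caplen; } raw_rec_t;

/* What the proposed read returns: both kinds carry the interface index,
 * redundant for ERF but uniform for whoever consumes the stream. */
typedef struct { item_kind_t kind; unsigned iface; unsigned caplen; } item_t;

typedef struct {
    fmt_t            fmt;
    const raw_rec_t *recs;
    unsigned         n_recs, pos;
    unsigned         announced;   /* bit i set once interface i was reported */
} reader_t;

void reader_open(reader_t *r, fmt_t fmt, const raw_rec_t *recs, unsigned n)
{
    r->fmt = fmt; r->recs = recs; r->n_recs = n; r->pos = 0; r->announced = 0;
}

/* Returns 1 and fills *out with the next data item, 0 at end of file.
 * An interface description is emitted the first time a packet on that
 * interface is due; the packet itself is returned on the following call. */
int reader_next(reader_t *r, item_t *out)
{
    if (r->pos >= r->n_recs)
        return 0;
    const raw_rec_t *rec = &r->recs[r->pos];
    unsigned iface = (r->fmt == FMT_PCAP) ? 0 : rec->iface;
    if (iface >= 32)              /* outside the bitmask: treat the record as corrupt and stop */
        return 0;
    if (!(r->announced & (1u << iface))) {
        r->announced |= 1u << iface;
        out->kind = ITEM_INTERFACE; out->iface = iface; out->caplen = 0;
        return 1;
    }
    out->kind = ITEM_PACKET; out->iface = iface; out->caplen = rec->caplen;
    r->pos++;
    return 1;
}

/* Render the item stream as "I<iface> P<iface> ..." for inspection. */
const char *item_trace(fmt_t fmt, const raw_rec_t *recs, unsigned n, char *buf, size_t cap)
{
    reader_t r; item_t it; size_t used = 0;
    reader_open(&r, fmt, recs, n);
    buf[0] = '\0';
    while (reader_next(&r, &it)) {
        int w = snprintf(buf + used, cap - used, "%s%c%u", used ? " " : "",
                         it.kind == ITEM_INTERFACE ? 'I' : 'P', it.iface);
        if (w < 0 || (size_t)w >= cap - used)
            break;
        used += (size_t)w;
    }
    return buf;
}

/* Constructed records: four packets alternating between ERF interfaces 0 and 2. */
const raw_rec_t sample_recs[4] = { {0, 60}, {2, 80}, {0, 64}, {2, 1500} };

int main(void)
{
    char buf[128];
    printf("ERF : %s\n", item_trace(FMT_ERF,  sample_recs, 4, buf, sizeof buf));
    printf("pcap: %s\n", item_trace(FMT_PCAP, sample_recs, 4, buf, sizeof buf));
    return 0;
}
```

Read as ERF the same four records yield "I0 P0 I2 P2 P0 P2"; read as pcap they yield "I0 P0 P0 P0 P0". Reporting every interface up front before the first packet, the other option Guy mentions, would only change where the ITEM_INTERFACE items appear, not what the consumer has to handle.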


Re: [Wireshark-dev] Replace TRUE/FALSE with proper ENC_* in proto_tree_add_item() using a script.

2011-10-13 Thread Bill Meier

Re:

> Should these functions be modified to take an encoding argument instead of a
> little_endian argument, then the Perl script run on them as well to convert
> TRUE/FALSE to ENC_LITTLE_ENDIAN/ENC_BIG_ENDIAN?

I think so.


tvb_fake_unicode()
    ; no remaining usage in Wireshark; leave as is ?

tvb_get_ephemeral_faked_unicode()
    ; some usage: convert to the replacement ?

proto_tree_add_bitmask()
proto_tree_add_bitmask_text()
proto_item_add_bitmask_tree()   = static in epan/proto.c only
proto_tree_add_bits_item()
proto_tree_add_bits_item_ret_val()
    ; Fix

I'll get to these next week ...

Bill