[Wireshark-dev] Re: Diameter string hash

2025-07-25 Thread John Thacker
On Fri, Jul 25, 2025 at 9:15 AM Anders Broman wrote: > Hi, > Is the Diameter special string hash and string equal function really > needed? > It looks like it's a case-insensitive hash and string equality function. I don't know if that's faster than doing a one-time upper or lower case conversio

[Wireshark-dev] Re: How to add item on top of tree

2025-07-18 Thread John Thacker
On Fri, Jul 18, 2025, 3:06 PM Pablo MG wrote: > Hello, > > The subject is probably a XY problem so I'll explain my initial need. In > the protocol ieee80211, we have a bitmap of validated frames; if a frame > is missing we add an item "missing frame". The issue is that we rarely > have enough fra

[Wireshark-dev] Re: Wireshark build failure on Windows 11

2025-07-03 Thread John Thacker
We have already been enabling /bigobj when ASan is enabled. ( https://gitlab.com/wireshark/wireshark/-/commit/be4ea87bb63c53fa76a3d829a5951ee5e745f0f3 ) It's probably not a big deal to enable it always. It makes the object files a little larger (2% in an average case) and makes pre-Visual Studi

[Wireshark-dev] Re: Changes in the latest dev code (since 4.4.7) which heavily impacted PROTO_TREE_MAX_IDLE

2025-06-26 Thread John Thacker
ble to navigate to or > select data source tabs that are outside the widget boundary, at least on > macOS. > > On 6/25/25 9:51 PM, John Thacker wrote: > > It's a little difficult to see, because the field that triggers everything > is hidden unless the PER preference "

[Wireshark-dev] Re: Changes in the latest dev code (since 4.4.7) which heavily impacted PROTO_TREE_MAX_IDLE

2025-06-25 Thread John Thacker
It's a little difficult to see, because the field that triggers everything is hidden unless the PER preference "Display the internal PER fields in the tree" is enabled. That's disabled by default, so by default the field with the large offset is hidden. John On Thu, Jun 26, 2

[Wireshark-dev] Re: Changes in the latest dev code (since 4.4.7) which heavily impacted PROTO_TREE_MAX_IDLE

2025-06-25 Thread John Thacker
The root problem is that the "start_idle_count" logic doesn't take into account multiple data sources. NR-RRC uses unaligned PER. The packet has a very large (26201 octet) OCTET STRING which is not octet-aligned to the packet. So a new octet-aligned data source gets created for that. As the note u

[Wireshark-dev] Re: wireshark too strict in ESP deciphering or something else goes on ?

2025-05-30 Thread John Thacker
n the first place. It's trivial to also select the correct length of ICV / authentication algorithm. John Thacker > ___ Wireshark-dev mailing list -- wireshark-dev@wireshark.org To unsubscribe send an email to wireshark-dev-le...@wireshark.org

[Wireshark-dev] Re: Packet visited more than once?

2025-05-22 Thread John Thacker
On Thu, May 22, 2025 at 2:55 PM Yaniv Kaul via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > > > On Thu, 22 May 2025, 21:20 John Thacker, wrote: > >> I don't understand what you mean. How would you do that? If you mean >> something like on the same pa

[Wireshark-dev] Re: Packet visited more than once?

2025-05-22 Thread John Thacker
On Thu, May 22, 2025 at 12:49 PM Yaniv Kaul via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > > > On Thu, May 22, 2025 at 6:53 PM John Thacker > wrote: > This is done for several reasons. It is done to consume less memory, not > having to store all the strings a

[Wireshark-dev] Re: Packet visited more than once?

2025-05-22 Thread John Thacker
On Thu, May 22, 2025 at 11:22 AM Yaniv Kaul via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > I have some issue with the dissector going over my packets more than once. > There's a legitimate reason to go over *some* packets more than once - if > I have more than a single PDU in a packet (

[Wireshark-dev] Re: Windows build failure

2025-05-20 Thread John Thacker
> > > f6c4c25c95ff94fdf915f56\wireshark_ja_JP.qm.rule;C:\Wireshark\builds\x64\mas > > > ter\CMakeFiles\8d4498c73f6c4c25c95ff94fdf915f56\wireshark_ko.qm.rule;C:\Wir > > > eshark\builds\x64\master\CMakeFiles\8d4498c73f6c4c25c95ff94fdf915f56\wiresh > > > ark_pl.

[Wireshark-dev] Re: Windows build failure

2025-05-16 Thread John Thacker
I updated to the latest version of Visual Studio and saw the same warnings. They should be fixed now. On Thu, May 15, 2025, 12:34 PM John Thacker wrote: > The following link does suggest that MSVC 17.14.0 had some changes around > warning if enums weren't the same type:

[Wireshark-dev] Re: Windows build failure

2025-05-15 Thread John Thacker
I can see why all of those are warnings, as there's some incorrect casts or entries from the wrong enum (with the correct value, though) used. I suppose the latest MSVC is warning but the earlier versions don't. John On Thu, May 15, 2025, 10:05 AM Maynard, Chris via Wireshark-dev < wireshark-dev@

[Wireshark-dev] Re: Windows build failure

2025-05-15 Thread John Thacker
ts or using values from the correct enums. John On Thu, May 15, 2025, 12:26 PM John Thacker wrote: > I can see why all of those are warnings, as there's some incorrect casts > or entries from the wrong enum (with the correct value, though) used. I > suppose the latest MSVC is warn

[Wireshark-dev] Re: Fwd: MacOS Wireshark build issues

2025-04-04 Thread John Thacker
It is a known issue for a while: https://gitlab.com/wireshark/wireshark/-/issues/18885 But since XCode is not the recommended build method no developer who uses MacOS has been motivated enough to fix it. John Thacker On Wed, Apr 2, 2025, 10:00 AM Roland Knall wrote: > Hi Mike > >

[Wireshark-dev] Re: help - after building the Wireshark 4.5 cannot capture packets

2025-02-02 Thread John Thacker
On Sun, Feb 2, 2025 at 12:13 PM Jaap Keuter wrote: > Hi yeah, you’re at the right place. Figuring out permission issues is hard > when you’re not at the system itself. > > My first thing would be to look for remnants of previous installations > still lingering and being picked up. > > > > On 2 Fe

[Wireshark-dev] Re: byte range selections in tshark -e fields

2025-01-10 Thread John Thacker
On Fri, Jan 10, 2025 at 9:08 AM Cristian Constantin via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > wireshark GUI supports byte selection by means of indexing an protocol > field in display filters, e.g.: > > "gsm_map.ms.autn[6] == 0x80" > > is it possible to use expressions indexed like

[Wireshark-dev] Re: dpkg-buildpackage fails with recent tags

2024-12-14 Thread John Thacker
On Sat, Dec 14, 2024 at 1:32 PM Elimork Bald via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > I updated the git source, ran everything by the book, as usual. > I followed: > https://www.wireshark.org/docs/wsdg_html_chunked/ChapterSetup.html#ChSetupUNIX > created build directory, ran cmake

[Wireshark-dev] Re: Failure of asn1 build?

2024-12-03 Thread John Thacker
On Tue, Dec 3, 2024 at 12:51 PM Anders Broman wrote: > Hi, > Not sure why the clang build produces different results from my Windows > one. > https://gitlab.com/wireshark/wireshark/-/jobs/8533738229 > > Ideas? > Probably because it's a clean build and ../x509if/x509if-exp.cnf hasn't been generat

[Wireshark-dev] Re: Is it possible to create filterable field names based on parent tree?

2024-11-16 Thread John Thacker
ant* such separate fields, and would view such changes as making the filtering worse, not better. But in other cases people might agree.) John Thacker

[Wireshark-dev] Re: MacOS Build issues

2024-10-11 Thread John Thacker
/-/issues/20125 This also broke our build system (as well as other projects), and we pushed a fix. The fix should be in all the active branches now, so try updating from git. Cheers, John Thacker

[Wireshark-dev] Re: What to clean up before 4.4.1

2024-10-05 Thread John Thacker
On Sat, Oct 5, 2024 at 6:02 AM Jaap Keuter wrote: > Hi all, > > It would be nice to clean up before 4.4.1 rolls off the presses. > For different issues, it would be helpful if someone with a Mac could replicate https://gitlab.com/wireshark/wireshark/-/issues/20051 and https://gitlab.com/wireshark

[Wireshark-dev] Re: packetBB and MANET

2024-08-01 Thread John Thacker
On Thu, Aug 1, 2024 at 2:11 PM Jaap Keuter wrote: > Hi, > > Should we go ahead and rename the packetBB dissector to MANET? > > PacketBB seems to be used in the early days, when RFC 5444 was being > developed as draft-ietf-manet-packetbb. > Now it has the title "Generalized Mobile Ad Hoc Network (

Re: [Wireshark-dev] Failed piplines unrelated WS_DEPRECATED_X ?

2024-07-20 Thread John Thacker
On Sat, Jul 20, 2024, 2:29 PM Guy Harris wrote: > On Jul 20, 2024, at 3:09 AM, John Thacker wrote: > > > On Fri, Jul 19, 2024, 10:53 PM Guy Harris wrote: > > > >> On Jul 19, 2024, at 5:39 PM, John Thacker > wrote: > >> > >>> On Fri, Jul 19,

Re: [Wireshark-dev] Failed piplines unrelated WS_DEPRECATED_X ?

2024-07-20 Thread John Thacker
On Fri, Jul 19, 2024, 10:53 PM Guy Harris wrote: > On Jul 19, 2024, at 5:39 PM, John Thacker wrote: > > > On Fri, Jul 19, 2024 at 8:07 PM Guy Harris wrote: > > > >> Not sure what it's diffing there, given that both > epan/dissectors/asn1/pkcs12/packet-pkcs

Re: [Wireshark-dev] Failed piplines unrelated WS_DEPRECATED_X ?

2024-07-19 Thread John Thacker
On Fri, Jul 19, 2024 at 8:07 PM Guy Harris wrote: > On Jul 19, 2024, at 2:19 PM, Gerald Combs wrote: > > > The cppcheck warning needs to be fixed, but it looks like the job is > failing due to a change in packet-pkcs12.c: > > > > > > diff --git a/epan/dissectors/packet-pkcs12.c > b/epan/dis

Re: [Wireshark-dev] [PATCH] capture-sync: Fix deadlock with lots of interfaces.

2024-07-10 Thread John Thacker
MR from patch: https://gitlab.com/wireshark/wireshark/-/merge_requests/16383 I already submitted a patch for closing the pipe, which should help with error reports. Of course it would be better to be able to deal with multiple reads. Thanks again, John On Wed, Jul 10, 2024 at 8:12 PM John

Re: [Wireshark-dev] [PATCH] capture-sync: Fix deadlock with lots of interfaces.

2024-07-10 Thread John Thacker
Yes, the buffer needs to be declared on the heap to make it larger. There's also an assertion that isn't in effect when the code is optimized. It's relatively simple to fix the underlying issue- in sync_interface_stats_open the pipe is closed on an error, but it should be closed before waiting on

Re: [Wireshark-dev] wireshark 4.3.git deadlock on startup.

2024-07-10 Thread John Thacker
Can you see if this commit fixes it for you? https://gitlab.com/wireshark/wireshark/-/commit/0146fe4eb622a6a54d6ccb0e69488b594ec1fe50 John Thacker On Wed, Jul 10, 2024, 6:17 PM Ben Greear wrote: > Hello, > > We saw a lockup on a system with lots of network interfaces. > I haven

Re: [Wireshark-dev] API to adjust view in Wireshark

2024-04-19 Thread John Thacker
at faster with binary search or similar. (It might be helpful to have a flag in the capture_file struct similar to what capinfos stores for strict time order.) Once you get the frame number, there are API calls to go to a particu

Re: [Wireshark-dev] RPM package error on Fedora-30

2024-04-05 Thread John Thacker
n-US/releases/eol/ ) so most of the assumptions in the spec file in the last development branch are that people will be using Fedora 33 or later (which itself has been EOL for 2.5 years), even though Fedora 30 is roughly similar to RHEL 8 and thus is able to build, RHEL8 (in 8.4) ga

Re: [Wireshark-dev] SCTP association analysis & selection does not work correctly

2024-02-22 Thread John Thacker
On Thu, Feb 22, 2024 at 10:24 AM Cristian Constantin via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > Hi, > How to figure out if a fix for an issue like the one mentioned by John > above is part of a Wireshark release? And what Wireshark release is > part of... > The Gitlab page for the

Re: [Wireshark-dev] resolving external symbol for ASN.1 plugin issue

2024-02-20 Thread John Thacker
for the x509af dissector so that dissect_x509af_Certificate got the WS_DLL_PUBLIC attribute added to it by the asn2wrs.py process. Cheers, John Thacker ___ Sent via:Wireshark-dev mailing list Archives:https://ww

Re: [Wireshark-dev] 4GB limit for RPC dissector?

2024-01-26 Thread John Thacker
lves having some kind of extended sequence number and changing certain lookups for old segments. Unlike an ordinary network stack, Wireshark (and also tshark, even in one pass mode) can't just discard old segments but keeps information around so that

Re: [Wireshark-dev] SCTP association analysis & selection does not work correctly

2023-12-22 Thread John Thacker
On Thu, Dec 7, 2023 at 3:32 AM Cristian Constantin via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > Hi Jeff, > > Yes, after enabling the respective protocol decoding option, SCTP > association analysis works. > SCTP association analysis is _quite_ slow, though. I'll check why it > is so s

Re: [Wireshark-dev] wireshark handles SCTP association indexing wrong under some circumstances -- multi-homing is wrongly reported where there is none

2023-12-20 Thread John Thacker
On Wed, Dec 20, 2023, 4:32 PM John Thacker wrote: > > On 6 Dec 2023, at 12:08, Ariel Burbaickij >> wrote: >> > >> > Hello all, >> > >> > we have a special setup here: SS7 E1 is converted to SCTP traffic with >> the following bas

Re: [Wireshark-dev] wireshark handles SCTP association indexing wrong under some circumstances -- multi-homing is wrongly reported where there is none

2023-12-20 Thread John Thacker
relatedly is allowed to happen in GTPv1, which causes requests and replies not to be associated. (In GTPv1 the Destination Address of a response has to be the Source Address of the request, but the Source Address of the response doesn't have to be the Destination Address of the Request, exce

Re: [Wireshark-dev] Future of Wireshark's Debian packaging scripts in the main repository

2023-11-22 Thread John Thacker
On Wed, Nov 22, 2023 at 10:37 AM John Thacker wrote: > > I think moving the packaging assets to the packaging directory and telling > people to symbolically link it to build Debian, as we've been doing, is a > relatively minor imposition for the Debian folks, but my understand

Re: [Wireshark-dev] Future of Wireshark's Debian packaging scripts in the main repository

2023-11-22 Thread John Thacker
s a burden on us. On RPM distributions there's an annoyance because Red Hat / Fedora decided to change their package names around a bit, so they're no longer quite compatible with the old names which we provide (and which still wor

Re: [Wireshark-dev] Examples where field doesn't have enough bits of value_string values

2023-09-21 Thread John Thacker
On Thu, Sep 21, 2023, 4:20 PM Martin Mathieson via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > After https://gitlab.com/wireshark/wireshark/-/merge_requests/12195, I'm > finding the warnings below. I think these are valid, based upon editing a > mask value and watching how the value was

Re: [Wireshark-dev] question on validation of a dissected string from a BASE_CUSTOM hf item

2023-09-18 Thread John Thacker
ormatting for that. Then you could filter with a decimal number instead of having to filter by typing in your BCD encoding. (Also note that generating a filter for your current field will produce a decimal version of the still BCD encoded value, which won't be easy to read.) John Thac

Re: [Wireshark-dev] Wireshark-dev Digest, Vol 208, Issue 2

2023-09-17 Thread John Thacker
On Thu, Sep 14, 2023 at 12:52 PM John Dill wrote: > >Message: 2 > >Date: Tue, 12 Sep 2023 10:24:19 -0400 > >From: John Thacker > >To: Developer support list for Wireshark > >Subject: Re: [Wireshark-dev] question on validation of a dissected > >

Re: [Wireshark-dev] question on validation of a dissected string from a BASE_CUSTOM hf item

2023-09-12 Thread John Thacker
You may have noticed "proto_tree_add_item_ret_display_string()" and perhaps found that it doesn't do what you want; it produces the display string for a default display representation and doesn't use your custom function. (Perhaps it should?) On Tue, Sep 12, 2023, 10:05 AM

Re: [Wireshark-dev] question on validation of a dissected string from a BASE_CUSTOM hf item

2023-09-12 Thread John Thacker
e uint64_t value and passing it to a function that converts it directly to the floating point you need, separate from your custom display function. Cheers, John Thacker On Thu, Sep 7, 2023 at 12:15 PM John Dill wrote: > I have a question whether I can get the dissected string of the >

Re: [Wireshark-dev] SCTP statistics

2023-08-28 Thread John Thacker
The statistics mentioned here? https://gitlab.com/wireshark/wireshark/-/issues/16367 The comments there suggest that the Enable Association Indexing preference has to be on for the SCTP stats to work. John On Mon, Aug 28, 2023, 10:19 AM Jaap Keuter wrote: > Hi, > > Who knows what the current

Re: [Wireshark-dev] Help regarding CI failure in gitlab

2023-07-28 Thread John Thacker
ctions here: https://www.tcpdump.org/linktypes.html And request a new link layer type, which will then also result in a new wiretap encapsulation. John Thacker

Re: [Wireshark-dev] wiki.wireshark.org Sample Capture Links Broken

2023-07-26 Thread John Thacker
Someone created an issue for this: https://gitlab.com/wireshark/wireshark/-/issues/19234 On Sat, Jul 1, 2023, 7:18 PM chuck c wrote: > Thank you for the analysis. > I copied your notes over to the Discord server for internal discussion > about infrastructure. > > On Thu, Jun 29, 2023 at 10:44 A

Re: [Wireshark-dev] Dissecting TLS and non-TLS using the same ports

2023-07-13 Thread John Thacker
tic dissector for Zabbix; if the non TLS protocol doesn't look like TLS, the TLS dissector should reject it, and your heuristic dissector should pick it up. 3. Register some kind of helper dissector to the TCP port that can detect whether thi

Re: [Wireshark-dev] Ability to dynamically dissect in more detail?

2023-05-16 Thread John Thacker
l Hierarchy stats don't deal well with protocols that change length after the items are added.) John Thacker

Re: [Wireshark-dev] lua dissector: using base.UNIT_STRING on ftypes.DOUBLE ProtoField

2023-03-20 Thread John Thacker
t appear in the UI. > The problem isn't in Lua, but in epan/proto.c The code that handles the values displayed for doubles ignores unit strings. Dr. Lars Völker started a MR to add this: https://gitlab.com/wireshark/wireshark/-/

Re: [Wireshark-dev] Some items with apparently out-of-range value_string values?

2023-02-12 Thread John Thacker
just the MNC for the value. John Thacker On Sun, Feb 12, 2023, 6:14 PM Martin Mathieson via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > Hi, > > I have added another check to CHECK_HF_FILTER in proto.c (extra checks > that only get done in the 'CLANG + Code chec

Re: [Wireshark-dev] how to decode ULP in TLS

2022-10-08 Thread John Thacker
t to add. Would you mind filing an issue for it? https://gitlab.com/wireshark/wireshark/-/issues John Thacker

Re: [Wireshark-dev] CARES to old for CentOS8?

2022-09-30 Thread John Thacker
>>>>> >>>>>> Also keep in mind that if RHEL decides to fix the CVE(s) in question >>>>>> in version 8 of their OS, they would likely apply the fix for the CVE to >>>>>> the version of CARES that they are already shipping (i.e., they'd

Re: [Wireshark-dev] CARES to old for CentOS8?

2022-09-28 Thread John Thacker
On Wed, Sep 28, 2022, 10:47 AM Anders Broman wrote: > Hi, > Is there a workaround for > CMake Error at > /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:230 (message): > Could NOT find CARES: Found unsuitable version "1.13.0", but required is > at > least "1.14.0" (found /usr/lib

Re: [Wireshark-dev] Missing text2pcap-scanner.l in repository

2022-08-23 Thread John Thacker
On Tue, Aug 23, 2022, 4:04 PM Jirka Novak wrote: > Hi, > >By chance I noticed that there is text2pcap-scanner.c which is based > on text2pcap-scanner.l, but the file is not in repository. >It was there, but was removed. > >Was removal intended? > Yes, ui/text_import_scanner.l now han

Re: [Wireshark-dev] wslog, windows, pytest, and heap corruption

2021-12-30 Thread John Thacker
On Thu, Dec 30, 2021 at 5:55 PM Gerald Combs wrote: > On 12/29/21 5:15 PM, John Thacker wrote: > > I was working on a MR for moving the text2pcap/text_import debug over to > the ws_log features and I ran into a seemingly bizarre problem. Setting the > log level to a non-default v

[Wireshark-dev] wslog, windows, pytest, and heap corruption

2021-12-29 Thread John Thacker
erver uses), with UTF-8 locales, with log systems that get system locale information and print dates, the Windows 10 Universal CRT, and heap corruption. It might have something to do with the tests spawning a lot of subprocesses in parallel and setting the log level to a different value eventually callin

Re: [Wireshark-dev] ISO-8601 date support

2021-12-24 Thread John Thacker
a few possible enhancements that would be nice to have. (Use command line options similar to other CLI, support other file formats, etc.) John Thacker

Re: [Wireshark-dev] Exporting FTP objects

2021-12-14 Thread John Thacker
sited) export if it's the last block seen. That doesn't work for tshark except in two pass mode. As far as the usefulness, for text files I found it quite useful to have even partial sparse files, which is why I did the above, though I didn't really consider it good enough quality to su

Re: [Wireshark-dev] TCP reassembly fails when ethernet tunnled over TCP

2021-11-12 Thread John Thacker
Yes, this is a long standing problem: https://gitlab.com/wireshark/wireshark/-/issues/2345 and https://gitlab.com/wireshark/wireshark/-/issues/9782 among others, are examples of the same generic problem. The entire packet_info [dl_|net_]{src, dst} structure doesn't work very well for tunnelled p

Re: [Wireshark-dev] How to test legacy (glib-compat) code

2021-10-27 Thread John Thacker
12, which is supposed to be fully supported until late 2024. Dropping SLES 12 would enable moving from CMake 3.5 to at least 3.7, and moving to QT 5.7, which would mean assuming C++11 by default. John Thacker

Re: [Wireshark-dev] Non-core cherry pick

2021-10-24 Thread John Thacker
elieve I recall getting that message from the GUI when my personal fork on Gitlab didn't have the release-3.6 branch mirrored, shortly after that branch was related. I had to go and update my mirroring settings. Have you cherry-picked other changes before? John Thacker

Re: [Wireshark-dev] Is this the bug of wmem_tree_lookup32_array_le()?

2021-10-19 Thread John Thacker
result in the tree, for the less than equal match case.) John On Tue, Oct 19, 2021 at 12:21 PM qiangxiong.huang via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > John Thacker, > > Thank you for your information. I may try to add xxx_insert64/lookup64(). > > --

Re: [Wireshark-dev] Is this the bug of wmem_tree_lookup32_array_le()?

2021-10-19 Thread John Thacker
th looking at since the method for 32 bit integers calls the GUINT_TO_POINTER macros and is guaranteed to work for 64 bit integers.) John Thacker

Re: [Wireshark-dev] Byte view mouse hover behaviour

2021-09-11 Thread John Thacker
, that includes a preference for "Enable mouse-over colorization." ( https://gitlab.com/wireshark/wireshark/-/blob/master/epan/prefs.c#L3377-L3380) Perhaps add a "Packet Bytes settings" group and then the new preference. Cheers, John Thacker

[Wireshark-dev] Issues to close

2021-09-10 Thread John Thacker
t was left open because of immediate thoughts about backing out the patch because perhaps the reassembled_data field and the fragments field were redundant (although one is FT_NONE and one FT_BYTES.) I don't know that is likely after seven years. Thanks, Jo

[Wireshark-dev] close issues

2021-09-04 Thread John Thacker
in how Gitlab automatically parses it, and it only viewed it as "related to.") Can someone with the proper permissions close them? Thanks, John Thacker

Re: [Wireshark-dev] Merge blocked: the source branch must be rebased onto the target branch.

2021-08-27 Thread John Thacker
If there are no conflicts, then the same developer who reviews it will also rebase it for you when approving the merge. John Thacker

Re: [Wireshark-dev] Can the legacy HAVE_LIBGCRYPT_AEAD check be removed?

2021-07-12 Thread John Thacker
widely used enough distribution, still scheduled for 3 more years of support, that I think that for now the current approach of supporting it is reasonable. We do warn about it in strong terms. (The RH package may have some backports of features from l

Re: [Wireshark-dev] Calling a dissector: Type for data parameter

2021-06-21 Thread John Thacker
On Mon, Jun 21, 2021 at 9:28 PM João Valverde via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > > > On 22/06/21 01:26, John Thacker wrote: > > On Mon, Jun 21, 2021 at 2:21 PM João Valverde via Wireshark-dev > > mailto:wireshark-dev@wireshark.org>> > wr

Re: [Wireshark-dev] Calling a dissector: Type for data parameter

2021-06-21 Thread John Thacker
case the protocol registration number couldn't be used, or if the identifier is instead related to the calling protocol and controlled by it (which is perhaps for this method of calling the wrong dependency direction, unlike with dissector tables where the calling protocol does control the p

Re: [Wireshark-dev] Wiki editor permission request

2021-06-10 Thread John Thacker
Be warned, though, it doesn't seem like the changes to the editable wiki have been reflected in the main public wiki for about a month: https://gitlab.com/wireshark/wireshark/-/issues/17397 It was working before then. John Thacker On Wed, Jun 9, 2021, 1:46 PM Gerald Combs wrote: >

[Wireshark-dev] Close bugs

2021-05-25 Thread John Thacker
close #6365 ( https://gitlab.com/wireshark/wireshark/-/issues/6365), which was addressed with the "Export PDUs to File" functionality and API. Thanks, John Thacker

Re: [Wireshark-dev] Question / nit / ocd trigger

2021-05-24 Thread John Thacker
, the all time winner in this category is "why does packet_info use src and dst for addresses, but srcport and destport for ports, why isn't it dstport?" John Thacker

Re: [Wireshark-dev] Ethernet dissector

2021-05-23 Thread John Thacker
On Sun, May 23, 2021 at 1:10 PM Antonello Tartamo < antonellotart...@gmail.com> wrote: > I manually added the MAC addresses using proto_tree_add_ether(). > I thought there was a better way. > Thanks in advance > Regards > Antonello > If the MAC addresses are just present in the normal way like an

Re: [Wireshark-dev] Ethernet dissector

2021-05-23 Thread John Thacker
On Sun, May 23, 2021 at 12:18 PM John Thacker wrote: > On Sun, May 23, 2021 at 11:59 AM Antonello Tartamo < > antonellotart...@gmail.com> wrote: > >> The problem is that I don't have a predefined ether type as the ether >> type field is used as length field. >

Re: [Wireshark-dev] Ethernet dissector

2021-05-23 Thread John Thacker
your dissector and not call the Ethernet dissector. It's not difficult at all to add two FT_ETHER fields to your dissector. Are you trying to have your protocol work on capture files that claim to have an Ethernet link layer, with this not quit

Re: [Wireshark-dev] Ethernet dissector

2021-05-23 Thread John Thacker
ETHERTYPE_MYPROTO, myproto_handle) or dissector_add_for_decode_as[_with_preference]("ethertype", myproto_handle) as well.) If it's being called by something else (whether a custom DLT or whatever), then whatever else is calling it shouldn't call the same function as being

Re: [Wireshark-dev] How to disable QT_MULTIMEDIA_LIB during cmake

2021-04-28 Thread John Thacker
7 | #include | ^~ Because QAudioDeviceInfo is part of Qt Multimedia but not properly protected by that #ifdef, which is exactly what you're trying to test. John Thacker On Mon, Apr 26, 2021, 5:03 AM Jirka Novak wrote: > Hi, > > I would like to test whether #ifdef QT_MULTIMEDIA_LIB are cor

Re: [Wireshark-dev] How to build the simple ASN.1 UDP-based dissector example (foo)

2021-04-13 Thread John Thacker
t;>> Try to delete the build dir before rerunning cmake again? >>>> >>>> I’m not sure on linux if the generate cmake file ends up under the >>>> build dir or in the source dir. >>>> >>>> >>>> >>>> Regards

Re: [Wireshark-dev] How to build the simple ASN.1 UDP-based dissector example (foo)

2021-04-13 Thread John Thacker
e of the 5 (five) CMakeListsCustom.txt.example files in Wireshark > source code. > The CMakeListsCustom.txt.example files are just that, examples. You need to copy or rename them to CMakeListsCustom.txt (without the .example) for them to have any effect (and edit them appropriately to add the dissector name to the list

Re: [Wireshark-dev] Fwd: ASN.1 dissector Wireshark

2021-04-10 Thread John Thacker
wever, editing the file is deprecated and should be viewed as a last resort, as any such changes would have to be reapplied when the protocol is updated to a later released version of the specification with a new official ASN.1 definition. Problems sometimes result, as occurs

Re: [Wireshark-dev] tvb_get_nstringz0

2021-03-27 Thread John Thacker
On Sat, Mar 27, 2021 at 2:57 PM Dario Lombardo wrote: > Hi John, > thanks, your explanation helped a lot. However I still don't get why the > code crashes. Please let me use the actual buffer sizes since the ones I > told before were examples. The packet is 49, the local buffer is 15. > > When yo

Re: [Wireshark-dev] tvb_get_nstringz0

2021-03-26 Thread John Thacker
vb_get_nstringz0() sets buffer[9] to NULL, and returns 9. The caller assures that the call won't be invalid by passing in the size of the buffer. John Thacker

Re: [Wireshark-dev] New Protocol encapsulation as plugin

2021-01-27 Thread John Thacker
On Wed, Jan 27, 2021 at 6:16 AM Björn < bjoern.peter...@missinglinkelectronics.com> wrote: > Hi, > > we use a custom dissector to analyze custom protocol traffic. However, to > further increase the usability, we need to add protocol analysis specific > GUI elements. For now, we are not aware of a

Re: [Wireshark-dev] Display of UTF-8 Characters

2020-12-12 Thread John Thacker
ormat_text() function in that version. Or upgrade or get the patch from that bug. John Thacker On Sat, Dec 12, 2020 at 1:43 PM wrote: > I create a GString str = “A{Dagger}B{Sigma}C”; (i.e. > “\x41\xE2\x80\xA0\x42\xCE\xA3\x43” where \xE2\x80\xA0 is Dagger and > \xCE\xA3 is Sigma). >

[Wireshark-dev] MacOS buildbot

2020-12-06 Thread John Thacker
ng from https://gitlab.com/wireshark/wireshark/-/commit/ec65f1d9e203ae0a01107941abff7e57b6b4180a or later). E.g. GnuTLS is still 3.4.17. Is anyone able to update the libraries by running tools/macos-setup.sh or similar? John Thacker

Re: [Wireshark-dev] Packet Diagram shows only raw bytes of a subtree instead of individual fields

2020-11-26 Thread John Thacker
ly has an entry for the country code but leave the other bits blank. Or you could have issues with dealing with overlaps. John Thacker

Re: [Wireshark-dev] Indicate [Generated] field on Display Filter Reference page

2020-11-14 Thread John Thacker
ly, and in those packets the corresponding fields are added without set_generated() For packets with other opcodes, conversation tracking is used to add the source or destination filename, as appropriate, for the ongoing transfer, and there set_generated() is used because it'

Re: [Wireshark-dev] How to close migrated issues without a merge?

2020-10-26 Thread John Thacker
My understanding is that people have to be made members at the "Reporter" level or higher in order to close issues (which is moving issues to the Closed list) or otherwise manage them (label, etc.) https://docs.gitlab.com/ee/user/project/issue_board.html#permissions https://docs.gitlab.com/ee/user

[Wireshark-dev] Adventures in cherry-picking

2020-10-24 Thread John Thacker
'cherry-pick-{hash}-2'. I'm not sure where I'd turn to get a cherry-pick into the target master-3.0. Perhaps cherry-picking a cherry-picked commit. Has anyone else run into this, and do you have a workaround? Our existing workflow has been built around cherry-picking, and th

Re: [Wireshark-dev] lua decoder accessing info from layers above

2020-10-12 Thread John Thacker
g some of the examples linked from here: https://gitlab.com/wireshark/wireshark/-/wikis/Lua John Thacker

Re: [Wireshark-dev] So how are fixes cherry-picked to release branches?

2020-10-03 Thread John Thacker
On Wed, Sep 2, 2020 at 4:03 AM Guy Harris wrote: > Searching for "cherry" on the Wiki finds these pages: > > > https://gitlab.com/wireshark/wireshark/-/wikis/Development/Backporting > > > https://gitlab.com/wireshark/wireshark/-/wikis/Development/Workflow > > > https://gitlab.com/wireshark/wiresh

Re: [Wireshark-dev] FT_STRING, FT_STRINGZPAD, and null padding

2020-09-05 Thread John Thacker
onversion code twice. It also would mean some more tricky and error prone conversions. It could be added as syntactic sugar for the function composition of tvb_get_string_enc() and format_text() if 1) or 2) was implemented. John Thacker

Re: [Wireshark-dev] FT_STRING, FT_STRINGZPAD, and null padding

2020-09-05 Thread John Thacker
me-- it reaches 15 octets in the substituted/validated string: That's for a field with hexdump: 61 c3 b3 c3 b3 69 00 74 72 61 63 69 c3 b3 6e ai.t raci..n which with the UTF-8 patch looks like a different sort of nonsense: T

[Wireshark-dev] FT_STRING, FT_STRINGZPAD, and null padding

2020-09-04 Thread John Thacker
eing NULL padding. This is typically used for fixed-length fields that contain a string value that might be shorter than the fixed length. John Thacker

Re: [Wireshark-dev] Cherry-picking, gitlab permissions

2020-08-26 Thread John Thacker
On Wed, Aug 26, 2020 at 9:13 AM Graham Bloice wrote: > The "Options" droplist Pascal mentions can be seen on this page: > https://gitlab.com/wireshark/wireshark/-/commit/847d3949c977a39c3cea15a214af02671ccd21e9?merge_request_iid=26 > > Let us know if you can't see it John. > OK, thanks, I see it

[Wireshark-dev] Cherry-picking, gitlab permissions

2020-08-26 Thread John Thacker
rmission seems to include only things that previously people could get by registering for Bugzilla, and some other features that people used to be able to do seem at the "Developer" level (though that also includes some higher le

Re: [Wireshark-dev] tshark --export-objects : -2 assumed or required for two-pass ?

2020-08-10 Thread John Thacker
are certain protocols where single pass analysis just isn't sufficient to determine all the data, and dissectors where some state object is set, like packet-dcm.c, are a common case. John Thacker

Re: [Wireshark-dev] Some apparent type bugs

2020-07-31 Thread John Thacker
On Fri, Jul 31, 2020 at 8:13 AM Jaap Keuter wrote: > Hi, > > Don’t know, just noticed the UINT part and thought about returning 'a > value' should be possible. > Will have to look into this more closely to see if and what makes sense. > > I created change 38006
