aboutsummaryrefslogtreecommitdiffstats
path: root/dfilter.c
AgeCommit message (Collapse)AuthorFilesLines
2000-09-27First step in moving core Ethereal routines to libepan.Gilbert Ramirez1-1064/+0
svn path=/trunk/; revision=2458
2000-09-13Don't put hf_text_only into the tree of filter-able protocols and fields.Gilbert Ramirez1-2/+7
svn path=/trunk/; revision=2429
2000-08-11Miscellaneous code cleaningLaurent Deniel1-24/+2
- add <stdarg.h> or <varargs.h> in snprintf.h and remove those inclusions in the other #ifdef NEED_SNPRINTF_H codes - remove the check of multiple inclusions in source (.c) code (there is a bit loss of _cpp_ performance, but I prefer the gain of code reading and maintenance; and nowadays, disk caches and VM are correctly optimized ;-). - protect all (well almost) header files against multiple inclusions - add header (i.e. GPL license) in some include files - reorganize a bit the way header files are included: First: #include <system_include_files> #include <external_package_include_files (e.g. gtk, glib etc.)> Then #include "ethereal_include_files" with the correct HAVE_XXX or NEED_XXX protections. - add some HAVE_XXX checks before including some system header files - add the same HAVE_XXX in wiretap as in ethereal Please forgive me, if I break something (I've only compiled and regression tested on Linux). svn path=/trunk/; revision=2254
2000-08-01Allow filtering on strings.Gilbert Ramirez1-1/+71
svn path=/trunk/; revision=2193
2000-07-22Simplify the way the display filter routines get field values fromGilbert Ramirez1-101/+95
the proto tree. Now, proto_get_finfo_ptr_array() can easily be used by any routine, not just display filter code, to get values from the proto tree. This might be useful if one were to allow columns in the packet list to show the value of an arbitrary field. Fixed a memleak when filtering on a byte arrays. Fixed erroneous asserts in dfilter-grammar.y, where I used '=' instead of '=='. They had to do with byte-arrays, too. svn path=/trunk/; revision=2152
2000-04-14Change dfilter_apply() to 4-argument function. 4th argument is not yet used,Gilbert Ramirez1-3/+3
but will be in the future, and it's easier for me to keep my local branch in sync with the source with the calls to dfilter_apply() already modified tothe 4-arg format. Add a CPP macro to ipv4.h to define ipv4_addr_ne(). Use it in dfilter.c svn path=/trunk/; revision=1854
2000-03-20Change dfilter_init() to check for empty-string abbreviations and forGilbert Ramirez1-5/+11
duplicate abbreviations. All mods to packet-*.c files are fixes to remove those cases. svn path=/trunk/; revision=1733
1999-11-15Add "class" that understands IPv4 addresses and subnet masks.Gilbert Ramirez1-1/+103
We now store IPv4 addresses in host order, allowing non-equivalence comparisons. That is, display filters with lt, le, gt, and ge will work on big-endian and little-endian machines. CIDR notation is now supported for IPv4 addresses in display filters. You can test to see if an IPv4 address is on a certain subnet by using this notation. For example, to test for IPv4 packets on a Class-C network: ip.addr == 192.168.1.0/24 svn path=/trunk/; revision=1032
1999-10-19Enable display filtering on FT_DOUBLE fields.Gilbert Ramirez1-2/+101
svn path=/trunk/; revision=886
1999-10-12Have "dfilter_compile()" return 0 on success and 1 on failure, andGuy Harris1-10/+25
return the pointer to the compiled filter through a pointer argument. Have it check whether the filter is a null filter and, if so, free up the filter and supply a filter pointer, rather than obliging its callers to check whether the filter actually has any code. (Well, they may want to check if the filter is null, so that they don't save a pointer to the filter text, e.g. so that the display filter displays as "none" rather than as a blank string in the summary box.) In the process, fix the check in "gtk/file_dlg.c" that tests whether the read filter compiled successfully. svn path=/trunk/; revision=812
1999-10-12Re-implemented fix to keep display filter from reading data from outsideGilbert Ramirez1-25/+44
the packet boundary. Now the field boundary is honored. The frame boundary is ignored, but of course we put proper field lengths in the proto_tree, right? :) Implemented negative offsets in byte-strings: frame[-4:4] will read the last 4 bytes of a frame. Implemented "offset-only" byte-string comparisons, since the dfilter compiler knows the length of the byte-string you supplied. These are now legal: frame[-4] == 0.0.0.1 tr.dst[0] == 00:06:29 Implemented the use of integers if you're comparing one byte. These are legal: llc[0] == 0xaa llc[0:1] == 0xaa All these forms check against the length of the field, so these will be reported as bad to the user: eth.src[5] == 00:06:29 (goes beyond field boundary) eth.dst == 1.2.3.4.5.6.7 (too long, goes beyond field boundary) Thes is also reported as bad: eth.dst[0:3] == 1.2 (incorrect number of bytes specified) eth.dst[0:1] == eth.src[0:2] (disparate lengths) I had to add a new function, proto_registrar_get_length() in proto.c, which reports the length of a field as can be determined at registration time. There are some shift/reduce errors in the grammar that I need to get rid of. svn path=/trunk/; revision=811
1999-10-11- add handling of FT_IPv6 variablesLaurent Deniel1-1/+60
there is still some work to do in resolv.c (get_host_ipaddr6) - add display filters of this kind in packet-ipv6.c just for testing (display filtering is incomplete) svn path=/trunk/; revision=808
1999-10-11Fixed bug reported by Laurent regarding byte-string filters notGilbert Ramirez1-23/+26
checking the length of the packet before copying bytes from the packet. svn path=/trunk/; revision=807
1999-10-11When a new display filter is to be applied, don't set "cf.dfilter" orGuy Harris1-96/+41
"cf.dfcode" if the new filter doesn't compile, because the filter currently in effect will be the one that was last applied - just free up the text of the new filter, and whatever memory was allocated for the new filter code. This means we allocate a new dfilter when a new filter is to be applied, rather than recycling stuff from the old filter, as we want the old filter code to remain around if the new filter doesn't compile. This means that "cf.dfilter" and "cf.dfcode" will be null if there's no filter in effect. svn path=/trunk/; revision=803
1999-10-11Have "get_host_ipaddr()" return a Boolean indicating whether itGuy Harris1-15/+20
succeeded or failed, and, if it succeeded, have it fill in the IP address if found through a pointer passed as the second argument. Have it first try interpreting its first argument as a dotted-quad IP address, with "inet_aton()", and, if that fails, have it try to interpret it as a host name with "gethostbyname()"; don't bother with "gethostbyaddr()", as we should be allowed to filter on IP addresses even if there's no host name associated with them (there's no guarantee that "gethostbyaddr()" will succeed if handed an IP address with no corresponding name - and it looks as if FreeBSD 3.2, at least, may not succeed in that case). Add a "dfilter_fail()" routine that takes "printf()"-like arguments and uses them to set an error message for the parse; doing so means that even if the filter expression is syntactically valid, we treat it as being invalid. (Is there a better way to force a parse to fail from arbitrary places in routines called by the parser?) Use that routine in the lexical analyzer. If that error message was set, use it as is as the failure message, rather than adding "Unable to parse filter string XXX" to it. Have the code to handle IP addresses and host names in display filters check whether "get_host_ipaddr()" succeeded or failed and, if it failed, arrange that the parse fail with an error message indicating the source of the problem. svn path=/trunk/; revision=802
1999-10-07Make "dfilter_error()" available to the lexical analyzer.Guy Harris1-6/+22
Get rid of the declaration of the non-existent "dfilter_yyerror()", and put in some #defines to work around the fact that the #defines to replace "yy" with "dfilter_" in the names of Flex-generated and Yacc-generated routines aren't put into a header file, they're put into ".c" files. Have it remember the error message it was handed (unless it's Yacc's boring "parse error" message). When generating the message to be shown to the user on a parse error, make it be the "Unable to parse filter string" message, and, if a non-boring error message was supplied to "dfilter_error()", take that error message onto the end. Don't panic if a field type we don't yet support in the parser is seen; generate an error, telling the user we don't support filter on that type yet. Don't assume that "global_df" has been set if we see an empty statement (if the first token was the end-marker, because, say, the first token the lexical analyzer found was a field of a type not yet supported in filter expressions, "global_df" won't have been set). svn path=/trunk/; revision=783
1999-10-04Corrected comment regarding usage.Gilbert Ramirez1-2/+2
svn path=/trunk/; revision=767
1999-10-04Removed dummy protocol and removed bug which prevented the firstGilbert Ramirez1-2/+2
registered protocol's name from being used in a display filter. svn path=/trunk/; revision=766
1999-09-29Fixed assert error reported by Dewi Morgan <dewim@sco.com>.Gilbert Ramirez1-1/+5
After some bad dfilter parses, the top-level dfilter tree (global_df->dftree) would erroneously be set to the last good dfilter_node that was parsed. Later, the non-NULLness of the dftree made us clear it.. really confusing GTK internals. After _that_, new GNodes created via g_node_new() would all have the same address! svn path=/trunk/; revision=735
1999-09-29Added and extended Santeri Paavolainen's <santtu@ssh.fi> patchGilbert Ramirez1-1/+3
to avoid applying NULL dfilters while setting colorization dfilters during an ongoing, screen-updating, capture. svn path=/trunk/; revision=734
1999-08-30Now that FT_BOOLEAN display filter fields are treated differently (onlyGilbert Ramirez1-62/+1
their existence is checked), some FT_BOOLEAN-related functions in dfilter.c are no longer called. So I removed them. svn path=/trunk/; revision=611
1999-08-30Fixed problem with not being able to filt on field values.Gilbert Ramirez1-2/+1
svn path=/trunk/; revision=610
1999-08-29Removed from the display filter/proto_tree code the assumption thatGilbert Ramirez1-32/+22
a protocol occurs only once in a packet. Because of encapsulation (IP within IP), a protocol can occur more than once. I don't have a packet trace showing such a packet, but the code should handle it now. The one thing that it cannot do, though, is differentiate the levels. It might be nice to say: ip{1}.src == 192.168.1.1 && ipx{2}.dst == 10.0.0.1 In the dfilter grammar I had left IPXNET variables out of the list of variables that could be checked for existence. Now you can check for the existence of ipx.srcnet and ipx.dstnet. Hurrah. svn path=/trunk/; revision=608
1999-08-26The dfilter yacc grammar now keeps track of every GNode that it allocates.Gilbert Ramirez1-10/+60
After a bad parse, instead of leaking this memory, the memory used for those GNodes is now freed. Added some memory-freeing "cleanup" routines for the dfilter and proto_tree modules, which are called right before ethereal exits. Maybe once we get a complete set of cleanup routines, we'll be able to better check if memory is leaking. svn path=/trunk/; revision=582
1999-08-25Correctly set global_df->dftree to NULL after a bad parse.Gilbert Ramirez1-10/+4
svn path=/trunk/; revision=581
1999-08-20Changed some symbols inside parser, fixed default error message inGilbert Ramirez1-2/+2
dfilter_compile, and removed debug printf that I left in match_selected. svn path=/trunk/; revision=532
1999-08-20Include "snprintf.h" if necessary, to squelch some "gcc -Wall"Guy Harris1-1/+10
complaints. svn path=/trunk/; revision=531
1999-08-20Enabled error reporting for bad ETHER values in display filters. A newGilbert Ramirez1-7/+28
global variable, dfilter_error_msg is now available, being NULL when there was no error, or pointing to a string when an error occurred. The three places that dfilter_compile() is called now use this global variable to report the error message to the user. A default error message is put in that string if no context-specific error message is available (since I only have one context-specifici error message, namely, ETHER values, that will be most of the time). svn path=/trunk/; revision=530
1999-08-20Made handling of byte strings in scanner and parser much simpler,Gilbert Ramirez1-1/+7
improving size of grammar and creating the possibility of dfilter_compile reporting errors back to user. In this case, if an ETHER variable is compared against a byte string that is not 6 bytes, an error condition is flagged appropriately. I have not put in the code to conver that error flag to a message to the user, but that's what I'm working on next. Also, fixed sample debug session in README to show correct gdb prompt. svn path=/trunk/; revision=522
1999-08-14Modified YACC grammar to use non-yy symbols, to avoid conflicts withGilbert Ramirez1-5/+6
libpcap's that were compiled with symbols beginning with 'yy'. svn path=/trunk/; revision=487
1999-08-13Moved global memory alloction used in display filters (which was storedGilbert Ramirez1-33/+85
in dfilter-grammar.y) to a new struct dfilter. Display filters now have their own struct, rather than simply being GNode's. This allows multiple display filters to exist at once, aiding John McDermott in his work on colorization. svn path=/trunk/; revision=480
1999-08-12Create a "dfilter-int.h" file, containing stuff used internally to theGuy Harris1-1/+2
display filter code but not outside it (and not static to one of the modules in the display filter code), with most of that stuff moved there from "dfilter.h". Add a declaration of "byte_str_to_guint8_array()" to "dfilter-int.h". svn path=/trunk/; revision=479
1999-08-12Fixed two bugs in display filter parsing.Gilbert Ramirez1-3/+3
1. Some IP addresses (like 0.0.0.0) would be interpreted as byte ranges. 2. Parens were being ignored. Thanks to Guy for pointing these out to me. svn path=/trunk/; revision=477
1999-08-03Removed the "exists" keyword from the grammar. The name of a protocol or aGilbert Ramirez1-31/+8
field by itself assumes you are checking for the existence of that protocol or field. Changed the format of the list of filterable fields in the man page. Developers: run "./configure" so that your configure script will re-create dfilter2pod from the new dfilter2pod.in svn path=/trunk/; revision=426
1999-08-01Changed the display filter scanner from GLIB's GScanner to lex. The codeGilbert Ramirez1-162/+54
as it standed depends on your lex being flex, but that only matters if you're a developer. The distribution will include the dfilter-scanner.c file, so that if the user doesn't modify dfilter-scanner.l, he won't need flex to re-create the *.c file. The new lex scanner gives me better syntax checking for ether addresses. I thought I could get by using GScanner, but it simply wasn't powerful enough. All operands have English-like abbreviations and C-like syntax: and, && ; or, || ; eq, == ; ne, != ; , etc. I removed the ETHER_VENDOR type in favor of letting the user use the [x:y] notation: ether.src[0:3] == 0:6:29 instead of ether.srcvendor == 00:06:29 I implemented the IPXNET field type; it had been there before, but was not implemented. I chose to make it use integer values rather than byte ranges, since an IPX Network is 4 bytes. So a display filter looks like this: ipx.srcnet == 0xc0a82c00 rather than this: ipx.srcnet == c0:a8:2c:00 I can supposrt the byte-range type IPXNET in the future, very trivially. I still have more work to do on the parser though. It needs to check ranges when extracting byte ranges ([x:y]) from packets. And I need to get rid of those reduce/reduce errors from yacc! svn path=/trunk/; revision=414
1999-07-11When you hit <Return> in the text entry box for the display filter,Guy Harris1-1/+4
apply the filter (if it isn't invalid). Apply the filter by clearing the Clist that shows packet summary lines and scanning through the list of all packets and adding to the Clist those that match the filter. Get rid of "if (dfilter_proto_tree)" test in "load_cap_file()"; "dfilter_proto_tree" is always FALSE, and all the test does is keep us from doing a "gtk_clist_freeze()" of the packet list, and we don't want to do that (we don't want the packet to be updated until we're done reading in the file). Get rid of "dfilter_proto_tree", as it's no longer used. Move the test that checks whether the display filter matches the current packet to "add_packet_to_packet_list()"; this allows us to run "dissect_packet()" only once - if we have a display filter, we generate the summary info *and* the protocol tree in the same call, using the summary info to make the packet list item and the protocol tree when checking the display filter. In "dfilter_compile()", destroy "*p_dfcode" if it's not NULL, so we don't leak memory. svn path=/trunk/; revision=355
1999-07-08Put the XOR logic in place, where previously I had left an inclusive-ORGilbert Ramirez1-8/+10
place-holder. Also removed the printf() telling the world that the parser found some punctuation. svn path=/trunk/; revision=347
1999-07-07"const"ifty some function arguments and structure members, and "#if 0"Guy Harris1-11/+11
out the declaration of a variable used only by "#if 0"ed out code, to eliminate some compiler warnings. svn path=/trunk/; revision=344
1999-07-07Created a new protocol tree implementation and a new display filterGilbert Ramirez1-0/+806
mechanism that is built into ethereal. Wiretap is now used to read all file formats. Libpcap is used only for capturing. svn path=/trunk/; revision=342