dfilter: Use ISO8601 as the default time format

Change from a default custom time representation to ISO8601.
All the existing formats are still supported for backward-
compatibility.

Before:

  Filter: frame.time == "2011-07-04 12:34:56"

  Constants:
  00000 PUT_FVALUE	"Jul  4, 2011 12:34:56.000000000" <FT_ABSOLUTE_TIME> -> reg#1
  (...)

After:

  Filter: frame.time == "2011-07-04 12:34:56"

  Constants:
  00000 PUT_FVALUE	"2011-07-04 12:34:56+0100" <FT_ABSOLUTE_TIME> -> reg#1
  (...)

2 files changed, 39 insertions, 7 deletions

diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc
index 8da24dd867..59cbfd48b9 100644
--- a/docbook/release-notes.adoc
+++ b/docbook/release-notes.adoc
@@ -55,7 +55,8 @@ They previously shipped with Npcap 1.55.
 ** Adds a new strict equality operator "===" or "all_eq". The expression "a === b" is true if and only if all a's are equal to b.
    The negation of "===" can now be written as "!==" (any_ne), in addition to "~=" (introduced in Wireshark 3.6.0).
 ** Adds the aliases "any_eq" for "==" and "all_ne" for "!=".
-** Absolute times can be given in UTC by appending the suffix "UTC" to time values. Otherwise local time is used.
+** Date and time can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats.
+   Otherwise local time is used.
 
 * text2pcap has been updated to use the new logging output options and the
   "-d" flag has been removed. The "debug" log level corresponds to the old
diff --git a/epan/ftypes/ftype-time.c b/epan/ftypes/ftype-time.c
index 2a073bb49a..f4958c2fbf 100644
--- a/epan/ftypes/ftype-time.c
+++ b/epan/ftypes/ftype-time.c
@@ -194,6 +194,11 @@ absolute_val_from_string(fvalue_t *fv, const char *s, char **err_msg_ptr)
 	gboolean has_seconds = TRUE;
 	char *err_msg = NULL;
 
+	/* Try ISO 8601 format first. */
+	if (iso8601_to_nstime(&fv->value.time, s, ISO8601_DATETIME_AUTO) == strlen(s))
+		return TRUE;
+
+	/* Try other legacy formats. */
 	memset(&tm, 0, sizeof(tm));
 
 	if (strlen(s) < sizeof("2000-1-1") - 1)
@@ -203,10 +208,6 @@ absolute_val_from_string(fvalue_t *fv, const char *s, char **err_msg_ptr)
 	if (s[3] == ' ' && parse_month_name(s, &tm.tm_mon))
 		curptr = ws_strptime(s + 4, "%d, %Y %H:%M:%S", &tm);
 
-	if (curptr == NULL)
-		curptr = ws_strptime(s,"%Y-%m-%dT%H:%M:%S", &tm);
-	if (curptr == NULL)
-		curptr = ws_strptime(s,"%Y-%m-%d %H:%M:%S", &tm);
 	if (curptr == NULL) {
 		has_seconds = FALSE;
 		curptr = ws_strptime(s,"%Y-%m-%d %H:%M", &tm);
@@ -332,6 +333,37 @@ value_get(fvalue_t *fv)
 }
 
 static char *
+abs_time_to_ftrepr_dfilter(wmem_allocator_t *scope,
+			const nstime_t *nstime, bool use_utc)
+{
+	struct tm *tm;
+	char datetime_format[128];
+	int nsecs;
+	char nsecs_buf[32];
+
+	if (use_utc) {
+		tm = gmtime(&nstime->secs);
+		strftime(datetime_format, sizeof(datetime_format), "\"%Y-%m-%d %H:%M:%S%%sZ\"", tm);
+	}
+	else {
+		tm = localtime(&nstime->secs);
+		/* Displaying the timezone could be made into a preference. */
+		strftime(datetime_format, sizeof(datetime_format), "\"%Y-%m-%d %H:%M:%S%%s%z\"", tm);
+	}
+
+	if (nstime->nsecs == 0)
+		return wmem_strdup_printf(scope, datetime_format, "");
+
+	nsecs = nstime->nsecs;
+	while (nsecs > 0 && (nsecs % 10) == 0) {
+		nsecs /= 10;
+	}
+	snprintf(nsecs_buf, sizeof(nsecs_buf), ".%d", nsecs);
+
+	return wmem_strdup_printf(scope, datetime_format, nsecs_buf);
+}
+
+static char *
 absolute_val_to_repr(wmem_allocator_t *scope, const fvalue_t *fv, ftrepr_t rtype, int field_display)
 {
 	char *rep;
@@ -350,8 +382,7 @@ absolute_val_to_repr(wmem_allocator_t *scope, const fvalue_t *fv, ftrepr_t rtype
 			 * are supported. Normalize the field_display value. */
 			if (field_display != ABSOLUTE_TIME_LOCAL)
 				field_display = ABSOLUTE_TIME_UTC;
-			rep = abs_time_to_str_ex(scope, &fv->value.time,
-					field_display, ABS_TIME_TO_STR_SHOW_UTC_ONLY|ABS_TIME_TO_STR_ADD_DQUOTES);
+			rep = abs_time_to_ftrepr_dfilter(scope, &fv->value.time, field_display != ABSOLUTE_TIME_LOCAL);
 			break;
 
 		default: