| field | value | |
|---|---|---|
| author | João Valverde <j@v6e.pt> | 2022-10-25 04:20:18 +0100 |
| committer | João Valverde <j@v6e.pt> | 2022-10-31 21:02:39 +0000 |
| commit | 0853ddd1cb9c94e83bba5ac2608c8de0dc94dae4 (patch) | |
| tree | 9f571c07583e4a4527647471a5ca43411bd39fc5 | /docbook |
| parent | 31a0147daa278cfed749c0cbfc6db87bb5cfc3c9 (diff) | |
dfilter: Add support for raw (bytes) addressing mode
This adds new syntax to read a field from the tree as bytes, instead
of the actual type. This is a useful extension for example to match
malformed strings that contain unicode replacement characters. In
this case it is not possible to match the raw value of the malformed
string field. This extension fills this need and is generic enough
that it should be useful in many other situations.
The syntax used is to prefix the field name with "@". The following
artificial example tests if the HTTP user agent contains a particular
invalid UTF-8 sequence:
@http.user_agent == "Mozill\xAA"
Where simply using "http.user_agent" won't work because the invalid byte
sequence will have been replaced with U+FFFD.
Consider the following programs:
$ dftest '_ws.ftypes.string == "ABC"'
Filter: _ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <FT_STRING>)
1 FVALUE("ABC" <FT_STRING>)
Instructions:
00000 READ_TREE _ws.ftypes.string <FT_STRING> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == "ABC" <FT_STRING>
00003 RETURN
$ dftest '@_ws.ftypes.string == "ABC"'
Filter: @_ws.ftypes.string == "ABC"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string <RAW>)
1 FVALUE(41:42:43 <FT_BYTES>)
Instructions:
00000 READ_TREE @_ws.ftypes.string <FT_BYTES> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 41:42:43 <FT_BYTES>
00003 RETURN
In the second case the field has a "raw" type, that equates directly to
FT_BYTES, and the field value is read from the protocol raw data.
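The following is an added example, not Wireshark's dfilter code. It models the two addressing modes the commit message describes with a toy evaluator: the typed view of a string field is the sanitised UTF-8 (ill-formed sequences replaced by U+FFFD), while the `@` view is the field's untouched bytes. The sample User-Agent values, the field names, and the simplified treatment of string comparison as a byte comparison against the sanitised text are assumptions made for the demonstration. It goes slightly beyond the page by showing that two different malformed inputs collapse to the same typed value, so only the raw mode can tell them apart.

```python
"""Toy model of typed vs raw ("@") field addressing in a display filter.

Added example, not Wireshark code.  Shows why a string-typed comparison
cannot see malformed UTF-8 bytes and why a raw-bytes comparison can.
"""
import re

# Constructed samples: raw bytes of a User-Agent field as they would sit in
# a packet.  0xAA is a lone continuation byte; 0xE2 0x82 is a truncated
# three-byte sequence.  Neither is valid UTF-8.
SAMPLES = {
    "lone_continuation": b"Mozill\xaa/5.0",
    "truncated_multibyte": b"Mozill\xe2\x82/5.0",
    "valid": b"Mozilla/5.0",
}

# Hypothetical mini-grammar: [@]field (==|contains) <literal>
FILTER_RE = re.compile(r'^\s*(@?)([A-Za-z0-9_.]+)\s+(==|contains)\s+(\S.*?)\s*$')


def string_value(raw: bytes) -> bytes:
    """Typed (FT_STRING-like) view: the sanitised UTF-8 text.

    Every ill-formed sequence becomes U+FFFD (EF BF BD), so the original
    invalid bytes are gone before any comparison happens.  Simplified model:
    the comparison is done on the sanitised text's UTF-8 encoding.
    """
    return raw.decode("utf-8", errors="replace").encode("utf-8")


def raw_value(raw: bytes) -> bytes:
    """Raw (@field, FT_BYTES-like) view: the field's bytes as captured."""
    return raw


def parse_literal(text: str) -> bytes:
    """Turn the right-hand side of a filter into bytes.

    Accepts "..." with \\xHH escapes (the form used in the commit message)
    or a colon-separated hex literal such as 41:42:43 (the dftest form).
    """
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        body, out, i = text[1:-1], bytearray(), 0
        while i < len(body):
            if body.startswith("\\x", i) and i + 4 <= len(body):
                out.append(int(body[i + 2:i + 4], 16))
                i += 4
            else:
                out += body[i].encode("utf-8")
                i += 1
        return bytes(out)
    return bytes(int(h, 16) for h in text.split(":"))


def evaluate(expr: str, raw: bytes) -> bool:
    """Evaluate one filter against one field's raw bytes.

    The field name is parsed but not looked up: this toy has exactly one
    field.  A leading '@' selects the raw addressing mode.
    """
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    raw_mode, _field, op, rhs = m.groups()
    subject = raw_value(raw) if raw_mode else string_value(raw)
    needle = parse_literal(rhs)
    return subject == needle if op == "==" else needle in subject


def demo() -> dict:
    """Run three filters over every sample; returns {filter: {sample: hit}}."""
    filters = [
        'http.user_agent contains "Mozill\\xAA"',   # typed view: never hits
        '@http.user_agent contains "Mozill\\xAA"',  # raw view: hits 0xAA only
        '@http.user_agent contains 4d:6f:7a:69:6c:6c:e2:82',  # raw view: E2 82 only
    ]
    return {f: {name: evaluate(f, raw) for name, raw in SAMPLES.items()}
            for f in filters}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} typed={string_value(raw)!r} raw={raw_value(raw)!r}")
    for f, hits in demo().items():
        print(f, hits)
```

The typed values of `lone_continuation` and `truncated_multibyte` are byte-for-byte identical after sanitisation, which is the fidelity loss the `@` syntax exists to work around: a detection rule written against the typed field can neither match the offending byte nor distinguish between different malformed inputs.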
Diffstat (limited to 'docbook')
-rw-r--r-- | docbook/release-notes.adoc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc index af0c2e2ccc..7cb137f038 100644 --- a/docbook/release-notes.adoc +++ b/docbook/release-notes.adoc @@ -21,6 +21,8 @@ It is used for troubleshooting, analysis, development and education. Wireshark is now better about generating valid UTF-8 output. +A new display filter feature for filtering raw bytes has been added. + Many other improvements have been made. See the “New and Updated Features” section below for more details. @@ -46,6 +48,9 @@ The following features are new (or have been significantly updated) since versio * Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake. +* It is now possible to filter on raw packet data for any field by using the syntax ``@some.field == <bytes...>``. + This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to + look at the field's raw data. === Removed Features and Support |
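Review bot: in the first hunk (@@ -21,6 +21,8 @@) the highlight line `+A new display filter feature for filtering raw bytes has been added.` names neither the syntax nor what "raw" means, so a reader of the summary cannot tell this apart from filtering on fields that are already bytes-typed; suggest stating the `@` prefix here, e.g. `Display filters can now read any field as raw bytes with the @some.field syntax.`, so the highlight is useful on its own.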
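Review bot: in the second hunk (@@ -46,6 +48,9 @@) the bullet's example `@some.field == <bytes...>` shows only the bytes-literal form, while the use case the next sentence names (malformed UTF-8 strings) is the one where a string literal with escaped bytes is needed; suggest adding the commit message's concrete example, `@http.user_agent == "Mozill\xAA"`, and one clause explaining why the typed field cannot match it (its invalid sequences have been replaced with U+FFFD, whereas the `@` form is compared as FT_BYTES read from the protocol's raw data).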