path: root/dfilter-scanner.l
Age | Commit message | Author | Files | Lines
1999-10-19 | Enable filtering on the existence of an FT_STRING variable, even though | gram | 1 | -4/+2
we don't (yet) filter on the value of an FT_STRING variable. Added info about FT_DOUBLE fields to man page.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@887 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-19 | Enable display filtering on FT_DOUBLE fields. | gram | 1 | -5/+11
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@886 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-17 | Get rid of difference between T_VAL_NUMBER_STRING and | gram | 1 | -3/+3
T_VAL_UNQUOTED string in order to fix parsing problem (single digit number vs. multiple digit numbers). T_VAL_NUMBER_STRING no longer exists.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@877 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-17 | move rule for hexadecimal with "0x" upwards. | itojun | 1 | -11/+7
TODO: T_VAL_BYTE_STRING and IPv6 address are inherently ambiguous...
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@868 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-15 | add ipcomp.flags to filter notation. | itojun | 1 | -2/+6
fix hexadecimal matching in lexer ("0x[a-fA-F0-9]+"), need more improvement.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@839 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-15 | use proto_tree_add_item() for IPv6 header, to allow filtering like below | itojun | 1 | -2/+3
possible.
    ipv6.nxt == 17
    ipv6.dst == ff02::9
    ipv6.src[0:2] == fe:80
modify dfilter lexical rule to allow standard IPv6 expression to be passed up to parser.
XXX backward compat issue in lex rule, maybe
XXX IPv6 has chained headers. how will dfilter behave when we have multiple protocol header of the same type?
XXX ipv6.nxt is not really useful due to IPv6 chained header. we need a symbol to identify "final" protocol type on the chain (testing ipv6.final but will SEGV).
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@836 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-12 | New proto_tree header_field_info stuff. Header_field_infos now contain | gram | 1 | -6/+13
the base for numbers to be displayed in, bitmasks for bitfields, and blurbs (which are one or two sentences describing the field).
proto_tree_add*() routines now automatically handle bitfields. You tell it which header field you are adding, and just pass it the value of the entire field, and the proto_tree routines will do the masking and shifting for you. This means that bitfields are more naturally filtered via dfilter now.
Added Phil Techau's support for signed integers in dfilters/proto_tree.
Added the beginning of the SNA dissector. It's not complete, but I'm committing it now because it has example after example of how to use bitfields with the new header_field_info struct and proto_tree routines. It was the impetus to change how header_field_info works.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@815 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-12 | Re-implemented fix to keep display filter from reading data from outside | gram | 1 | -1/+20
the packet boundary. Now the field boundary is honored. The frame boundary is ignored, but of course we put proper field lengths in the proto_tree, right? :)
Implemented negative offsets in byte-strings: frame[-4:4] will read the last 4 bytes of a frame.
Implemented "offset-only" byte-string comparisons, since the dfilter compiler knows the length of the byte-string you supplied. These are now legal:
    frame[-4] == 0.0.0.1
    tr.dst[0] == 00:06:29
Implemented the use of integers if you're comparing one byte. These are legal:
    llc[0] == 0xaa
    llc[0:1] == 0xaa
All these forms check against the length of the field, so these will be reported as bad to the user:
    eth.src[5] == 00:06:29 (goes beyond field boundary)
    eth.dst == 1.2.3.4.5.6.7 (too long, goes beyond field boundary)
These are also reported as bad:
    eth.dst[0:3] == 1.2 (incorrect number of bytes specified)
    eth.dst[0:1] == eth.src[0:2] (disparate lengths)
I had to add a new function, proto_registrar_get_length() in proto.c, which reports the length of a field as can be determined at registration time.
There are some shift/reduce errors in the grammar that I need to get rid of.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@811 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-11 | - add handling of FT_IPv6 variables | deniel | 1 | -4/+2
  there is still some work to do in resolv.c (get_host_ipaddr6)
- add display filters of this kind in packet-ipv6.c just for testing
  (display filtering is incomplete)
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@808 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-11 | Have "get_host_ipaddr()" return a Boolean indicating whether it | guy | 1 | -6/+11
succeeded or failed, and, if it succeeded, have it fill in the IP address if found through a pointer passed as the second argument.
Have it first try interpreting its first argument as a dotted-quad IP address, with "inet_aton()", and, if that fails, have it try to interpret it as a host name with "gethostbyname()"; don't bother with "gethostbyaddr()", as we should be allowed to filter on IP addresses even if there's no host name associated with them (there's no guarantee that "gethostbyaddr()" will succeed if handed an IP address with no corresponding name - and it looks as if FreeBSD 3.2, at least, may not succeed in that case).
Add a "dfilter_fail()" routine that takes "printf()"-like arguments and uses them to set an error message for the parse; doing so means that even if the filter expression is syntactically valid, we treat it as being invalid. (Is there a better way to force a parse to fail from arbitrary places in routines called by the parser?)
Use that routine in the lexical analyzer.
If that error message was set, use it as is as the failure message, rather than adding "Unable to parse filter string XXX" to it.
Have the code to handle IP addresses and host names in display filters check whether "get_host_ipaddr()" succeeded or failed and, if it failed, arrange that the parse fail with an error message indicating the source of the problem.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@802 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-09 | Fix a typo in error message. | deniel | 1 | -2/+2
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@796 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-07 | Make "dfilter_error()" available to the lexical analyzer. | guy | 1 | -9/+29
Get rid of the declaration of the non-existent "dfilter_yyerror()", and put in some #defines to work around the fact that the #defines to replace "yy" with "dfilter_" in the names of Flex-generated and Yacc-generated routines aren't put into a header file, they're put into ".c" files.
Have it remember the error message it was handed (unless it's Yacc's boring "parse error" message).
When generating the message to be shown to the user on a parse error, make it be the "Unable to parse filter string" message, and, if a non-boring error message was supplied to "dfilter_error()", take that error message onto the end.
Don't panic if a field type we don't yet support in the parser is seen; generate an error, telling the user we don't support filter on that type yet.
Don't assume that "global_df" has been set if we see an empty statement (if the first token was the end-marker, because, say, the first token the lexical analyzer found was a field of a type not yet supported in filter expressions, "global_df" won't have been set).
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@783 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-06 | Fix dfilter scanner to accept hyphenated hostnames for IPv4 addresses. | gram | 1 | -2/+2
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@776 f5534014-38df-0310-8fa8-9805f1628bb7
1999-10-04 | Removed dummy protocol and removed bug which prevented the first | gram | 1 | -2/+2
registered protocol's name from being used in a display filter.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@766 f5534014-38df-0310-8fa8-9805f1628bb7
1999-09-15 | Changed (again) the way that the FT_BOOLEAN field type works internally. | gram | 1 | -4/+5
Dissector code can add FT_BOOLEAN fields to the proto_tree and pass TRUE or FALSE values (non-zero and zero values). The display filter language, however, treats the checking for the existence of a FT_BOOLEAN field as the checking for its truth. Before this change, packet-tr.c was the only dissector using FT_BOOLEAN fields, and it only added the field to the proto_tree if the TRUE; the dissector was determining the difference between the check for existence and the check for truth.
I made this change because packet-ppp.c added some FT_BOOLEAN fields and added them to the tree regardless of truth value. It's more natural just to do it this way and let the display filter code worry about whether to check for existence or truth. So that's how it works now.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@679 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-27 | Changed packet-tr.c to insert tr.sr, a FT_BOOLEAN field, only if tr.sr | gram | 1 | -4/+1
is true. The test for truth now becomes a test for existence.
The dfilter grammar no longer recognizes 'true' and 'false', since you can now check a boolean field via:
    tr.sr
or by its negation:
    !tr.sr
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@591 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-20 | Changed some symbols inside parser, fixed default error message in | gram | 1 | -3/+3
dfilter_compile, and removed debug printf that I left in match_selected.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@532 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-20 | Made handling of byte strings in scanner and parser much simpler, | gram | 1 | -72/+9
improving size of grammar and creating the possibility of dfilter_compile reporting errors back to user. In this case, if an ETHER variable is compared against a byte string that is not 6 bytes, an error condition is flagged appropriately. I have not put in the code to convert that error flag to a message to the user, but that's what I'm working on next.
Also, fixed sample debug session in README to show correct gdb prompt.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@522 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-14 | Modified YACC grammar to use non-yy symbols, to avoid conflicts with | gram | 1 | -28/+28
libpcap's that were compiled with symbols beginning with 'yy'.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@487 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-13 | Moved global memory allocation used in display filters (which was stored | gram | 1 | -2/+3
in dfilter-grammar.y) to a new struct dfilter. Display filters now have their own struct, rather than simply being GNode's. This allows multiple display filters to exist at once, aiding John McDermott in his work on colorization.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@480 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-12 | Create a "dfilter-int.h" file, containing stuff used internally to the | guy | 1 | -4/+3
display filter code but not outside it (and not static to one of the modules in the display filter code), with most of that stuff moved there from "dfilter.h".
Add a declaration of "byte_str_to_guint8_array()" to "dfilter-int.h".
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@479 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-12 | One small regex change, just to be safe. | gram | 1 | -2/+2
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@478 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-12 | Fixed two bugs in display filter parsing. | gram | 1 | -5/+17
1. Some IP addresses (like 0.0.0.0) would be interpreted as byte ranges.
2. Parens were being ignored.
Thanks to Guy for pointing these out to me.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@477 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-05 | Logical operands needed to set the yylval as well as return the | gram | 1 | -11/+11
token to the yacc parser.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@446 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-03 | Removed the "exists" keyword from the grammar. The name of a protocol or a | gram | 1 | -36/+16
field by itself assumes you are checking for the existence of that protocol or field.
Changed the format of the list of filterable fields in the man page.
Developers: run "./configure" so that your configure script will re-create dfilter2pod from the new dfilter2pod.in
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@426 f5534014-38df-0310-8fa8-9805f1628bb7
1999-08-01 | Changed the display filter scanner from GLIB's GScanner to lex. The code | gram | 1 | -0/+353
as it stands depends on your lex being flex, but that only matters if you're a developer. The distribution will include the dfilter-scanner.c file, so that if the user doesn't modify dfilter-scanner.l, he won't need flex to re-create the *.c file.
The new lex scanner gives me better syntax checking for ether addresses. I thought I could get by using GScanner, but it simply wasn't powerful enough.
All operands have English-like abbreviations and C-like syntax: and, && ; or, || ; eq, == ; ne, != ; , etc.
I removed the ETHER_VENDOR type in favor of letting the user use the [x:y] notation:
    ether.src[0:3] == 0:6:29
instead of
    ether.srcvendor == 00:06:29
I implemented the IPXNET field type; it had been there before, but was not implemented. I chose to make it use integer values rather than byte ranges, since an IPX Network is 4 bytes. So a display filter looks like this:
    ipx.srcnet == 0xc0a82c00
rather than this:
    ipx.srcnet == c0:a8:2c:00
I can support the byte-range type IPXNET in the future, very trivially.
I still have more work to do on the parser though. It needs to check ranges when extracting byte ranges ([x:y]) from packets. And I need to get rid of those reduce/reduce errors from yacc!
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@414 f5534014-38df-0310-8fa8-9805f1628bb7