/
proto.h
3314 lines (2913 loc) · 144 KB
/
proto.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/* proto.h
* Definitions for protocol display
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
/*! @file proto.h
The protocol tree related functions.<BR>
A protocol tree will hold all necessary data to display the whole dissected packet.
Creating a protocol tree is done in a two stage process:
A static part at program startup, and a dynamic part when the dissection with the real packet data is done.<BR>
The "static" information is provided by creating a hf_register_info hf[] array, and register it using the
proto_register_field_array() function. This is usually done at dissector registering.<BR>
The "dynamic" information is added to the protocol tree by calling one of the proto_tree_add_...() functions,
e.g. proto_tree_add_bytes().
*/
#ifndef __PROTO_H__
#define __PROTO_H__
#include <stdarg.h>
#include <glib.h>
#include <epan/wmem/wmem.h>
#include "ipv4.h"
#include "wsutil/nstime.h"
#include "time_fmt.h"
#include "tvbuff.h"
#include "value_string.h"
#include "tfs.h"
#include "packet_info.h"
#include "ftypes/ftypes.h"
#include "register.h"
#include "ws_symbol_export.h"
#include "ws_attributes.h"
#ifdef HAVE_PLUGINS
#include "wsutil/plugins.h"
#endif
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
/** @defgroup prototree The Protocol Tree
*
* Dissectors use proto_tree_add_* to add items to the protocol tree. In
* most cases you'll want to use proto_tree_add_item().
*
* @{
*/
/** The header-field index for the special text pseudo-field. Exported by libwireshark.dll */
WS_DLL_PUBLIC int hf_text_only;
/** the maximum length of a protocol field string representation */
#define ITEM_LABEL_LENGTH 240
#define ITEM_LABEL_UNKNOWN_STR "Unknown"
struct expert_field;
/* Type-check that 'x' is compatible with 'type', should give compiler warnings otherwise. */
#define cast_same(type, x) (0 ? (type)0 : (x))
/** Make a const value_string[] look like a _value_string pointer, used to set header_field_info.strings */
#define VALS(x) (cast_same(const struct _value_string*, (x)))
/** Make a const val64_string[] look like a _val64_string pointer, used to set header_field_info.strings */
#define VALS64(x) (cast_same(const struct _val64_string*, (x)))
/** Something to satisfy checkAPIs when you have a pointer to a value_string_ext (e.g., one built with value_string_ext_new()) */
#define VALS_EXT_PTR(x) (cast_same(value_string_ext*, (x)))
/** Make a const true_false_string[] look like a _true_false_string pointer, used to set header_field_info.strings */
#define TFS(x) (cast_same(const struct true_false_string*, (x)))
typedef void (*custom_fmt_func_t)(gchar *, guint32);
typedef void (*custom_fmt_func_64_t)(gchar *, guint64);
/** Make a custom format function pointer look like a void pointer. Used to set header_field_info.strings.
*
* We cast to gsize first, which 1) is guaranteed to be wide enough to
* hold a pointer and 2) lets us side-step warnings about casting function
* pointers to 'void *'. This violates ISO C but should be fine on POSIX
* and Windows.
*/
#define CF_FUNC(x) ((const void *) (gsize) (x))
/** Make a const range_string[] look like a _range_string pointer, used to set
* header_field_info.strings */
#define RVALS(x) (cast_same(const struct _range_string*, (x)))
/** Cast a ft_framenum_type_t, used to set header_field_info.strings */
#define FRAMENUM_TYPE(x) GINT_TO_POINTER(x)
struct _protocol;
/** Structure for information about a protocol */
typedef struct _protocol protocol_t;
/** Function used for reporting errors in dissectors; it throws a
* DissectorError exception, with a string generated from the format
* and arguments to the format, as the message for the exception, so
* that it can show up in the Info column and the protocol tree.
*
* If the WIRESHARK_ABORT_ON_DISSECTOR_BUG environment variable is set,
* it will call abort(), instead, to make it easier to get a stack trace.
*
* @param format format string to use for the message
*/
WS_DLL_PUBLIC WS_NORETURN
void proto_report_dissector_bug(const char *format, ...)
G_GNUC_PRINTF(1, 2);
#define REPORT_DISSECTOR_BUG(...) \
proto_report_dissector_bug(__VA_ARGS__)
/** Macro used to provide a hint to static analysis tools.
* (Currently only Visual C++.)
*/
#ifdef _MSC_VER
/* XXX - Is there a way to say "quit checking at this point"? */
#define __DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(expression) \
; __analysis_assume(expression);
#else
#define __DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(expression)
#endif
/** Macro used for assertions in dissectors; it doesn't abort, it just
* throws a DissectorError exception, with the assertion failure
* message as a parameter, so that it can show up in the protocol tree.
*
* NOTE: this should only be used to detect bugs in the dissector (e.g., logic
* conditions that shouldn't happen). It should NOT be used for showing
* that a packet is malformed. For that, use expert_infos instead.
*
* @param s expression to test in the assertion
*/
#define __DISSECTOR_ASSERT_STRINGIFY(s) # s
#define __DISSECTOR_ASSERT(expression, file, lineno) \
(REPORT_DISSECTOR_BUG("%s:%u: failed assertion \"%s\"", \
file, lineno, __DISSECTOR_ASSERT_STRINGIFY(expression)))
#define __DISSECTOR_ASSERT_HINT(expression, file, lineno, hint) \
(REPORT_DISSECTOR_BUG("%s:%u: failed assertion \"%s\" (%s)", \
file, lineno, __DISSECTOR_ASSERT_STRINGIFY(expression), hint))
#define DISSECTOR_ASSERT(expression) \
((void) ((expression) ? (void)0 : \
__DISSECTOR_ASSERT (expression, __FILE__, __LINE__))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(expression)
/**
* Same as DISSECTOR_ASSERT(), but takes an extra 'hint' parameter that
* can be used to provide information as to why the assertion might fail.
*
* @param expression expression to test in the assertion
* @param hint message providing extra information
*/
#define DISSECTOR_ASSERT_HINT(expression, hint) \
((void) ((expression) ? (void)0 : \
__DISSECTOR_ASSERT_HINT (expression, __FILE__, __LINE__, hint))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(expression)
#if 0
/* win32: using a debug breakpoint (int 3) can be very handy while debugging,
* as the assert handling of GTK/GLib is currently not very helpful */
#define DISSECTOR_ASSERT(expression) \
{ if(!(expression)) _asm { int 3}; }
#endif
/** Same as DISSECTOR_ASSERT(), but will throw DissectorError exception
* unconditionally, much like GLIB's g_assert_not_reached works.
*
* NOTE: this should only be used to detect bugs in the dissector (e.g., logic
* conditions that shouldn't happen). It should NOT be used for showing
* that a packet is malformed. For that, use expert_infos instead.
*
*/
#define DISSECTOR_ASSERT_NOT_REACHED() \
(REPORT_DISSECTOR_BUG("%s:%u: failed assertion \"DISSECTOR_ASSERT_NOT_REACHED\"", \
__FILE__, __LINE__))
/** Compare two integers.
*
* This is functionally the same as `DISSECTOR_ASSERT(a op b)` except that it
* will display the values of a and b upon failure.
*
* DISSECTOR_ASSERT_CMPINT(a, ==, b);
* DISSECTOR_ASSERT_CMPINT(min, <=, max);
*
* This function can currently compare values that fit inside a gint64.
*
* WARNING: The number of times the arguments are evaluated is undefined. Do
* not use expressions with side effects as arguments.
*
* @param a The first integer.
* @param op Any binary operator.
* @param b The second integer.
* @param type the type operator
* @param fmt the fmt operator
*/
#define __DISSECTOR_ASSERT_CMPINT(a, op, b, type, fmt) \
(REPORT_DISSECTOR_BUG("%s:%u: failed assertion " #a " " #op " " #b " (" fmt " " #op " " fmt ")", \
__FILE__, __LINE__, (type)a, (type)b))
#define DISSECTOR_ASSERT_CMPINT(a, op, b) \
((void) ((a op b) ? (void)0 : \
__DISSECTOR_ASSERT_CMPINT (a, op, b, gint64, "%" G_GINT64_MODIFIER "d"))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(a op b)
/** Like DISSECTOR_ASSERT_CMPINT() except the arguments are treated as
* unsigned values.
*
* This function can currently compare values that fit inside a guint64.
*/
#define DISSECTOR_ASSERT_CMPUINT(a, op, b) \
((void) ((a op b) ? (void)0 : \
__DISSECTOR_ASSERT_CMPINT (a, op, b, guint64, "%" G_GINT64_MODIFIER "u"))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(a op b)
/** Like DISSECTOR_ASSERT_CMPUINT() except the values are displayed in
* hexadecimal upon assertion failure.
*/
#define DISSECTOR_ASSERT_CMPUINTHEX(a, op, b) \
((void) ((a op b) ? (void)0 : \
__DISSECTOR_ASSERT_CMPINT (a, op, b, guint64, "0x%" G_GINT64_MODIFIER "X"))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(a op b)
/*
* This is similar to DISSECTOR_ASSERT(hfinfo->type == type) except that
* it will report the name of the field with the wrong type as well as
* the type.
*
* @param hfinfo The hfinfo for the field being tested
* @param type The type it's expected to have
*/
#define __DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, t) \
(REPORT_DISSECTOR_BUG("%s:%u: field %s is not of type "#t, \
__FILE__, __LINE__, (hfinfo)->abbrev))
#define DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, t) \
((void) (((hfinfo)->type == t) ? (void)0 : \
__DISSECTOR_ASSERT_FIELD_TYPE ((hfinfo), t))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT((hfinfo)->type == t)
#define DISSECTOR_ASSERT_FIELD_TYPE_IS_INTEGRAL(hfinfo) \
((void) ((IS_FT_INT((hfinfo)->type) || \
IS_FT_UINT((hfinfo)->type)) ? (void)0 : \
REPORT_DISSECTOR_BUG("%s:%u: field %s is not of type FT_CHAR or an FT_{U}INTn type", \
__FILE__, __LINE__, (hfinfo)->abbrev))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT(IS_FT_INT((hfinfo)->type) || \
IS_FT_UINT((hfinfo)->type))
#define __DISSECTOR_ASSERT_FIELD_TYPE_IS_STRING(hfinfo) \
(REPORT_DISSECTOR_BUG("%s:%u: field %s is not of type FT_STRING, FT_STRINGZ, or FT_STRINGZPAD", \
__FILE__, __LINE__, (hfinfo)->abbrev))
#define DISSECTOR_ASSERT_FIELD_TYPE_IS_STRING(hfinfo) \
((void) (((hfinfo)->type == FT_STRING || (hfinfo)->type == FT_STRINGZ || \
(hfinfo)->type == FT_STRINGZPAD) ? (void)0 : \
__DISSECTOR_ASSERT_FIELD_TYPE_IS_STRING ((hfinfo)))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT((hfinfo)->type == FT_STRING || \
(hfinfo)->type == FT_STRINGZ || \
(hfinfo)->type == FT_STRINGZPAD)
#define __DISSECTOR_ASSERT_FIELD_TYPE_IS_TIME(hfinfo) \
(REPORT_DISSECTOR_BUG("%s:%u: field %s is not of type FT_ABSOLUTE_TIME or FT_RELATIVE_TIME", \
__FILE__, __LINE__, (hfinfo)->abbrev))
#define DISSECTOR_ASSERT_FIELD_TYPE_IS_TIME(hfinfo) \
((void) (((hfinfo)->type == FT_ABSOLUTE_TIME || \
(hfinfo)->type == FT_RELATIVE_TIME) ? (void)0 : \
__DISSECTOR_ASSERT_FIELD_TYPE_IS_TIME ((hfinfo)))) \
__DISSECTOR_ASSERT_STATIC_ANALYSIS_HINT((hfinfo)->type == FT_ABSOLUTE_TIME || \
(hfinfo)->type == FT_RELATIVE_TIME)
/*
* The encoding of a field of a particular type may involve more
* than just whether it's big-endian or little-endian and its size.
*
* For integral values, that's it, as 99.9999999999999% of the machines
* out there are 2's complement binary machines with 8-bit bytes,
* so the protocols out there expect that and, for example, any Unisys
* 2200 series machines out there just have to translate between 2's
* complement and 1's complement (and nobody's put any IBM 709x's on
* any networks lately :-)).
*
* However:
*
* for floating-point numbers, in addition to IEEE decimal
* floating-point, there's also IBM System/3x0 and PDP-11/VAX
* floating-point - most protocols use IEEE binary, but DCE RPC
* can use other formats if that's what the sending host uses;
*
* for character strings, there are various character encodings
* (various ISO 646 sets, ISO 8859/x, various other national
* standards, various DOS and Windows encodings, various Mac
* encodings, UTF-8, UTF-16, other extensions to ASCII, EBCDIC,
* etc.);
*
* for absolute times, there's UNIX time_t, UNIX time_t followed
* by 32-bit microseconds, UNIX time_t followed by 32-bit
* nanoseconds, DOS date/time, Windows FILETIME, NTP time, etc..
*
* We might also, in the future, want to allow a field specifier to
* indicate the encoding of the field, or at least its default
* encoding, as most fields in most protocols always use the
* same encoding (although that's not true of all fields, so we
* still need to be able to specify that at run time).
*
* So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as
* bit flags, to be combined, in the future, with other information
* to specify the encoding in the last argument to
* proto_tree_add_item(), and possibly to specify in a field
* definition (e.g., ORed in with the type value).
*
* Currently, proto_tree_add_item() treats its last argument as a
* Boolean - if it's zero, the field is big-endian, and if it's non-zero,
* the field is little-endian - and other code in epan/proto.c does
* the same. We therefore define ENC_BIG_ENDIAN as 0x00000000 and
* ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit
* so that we could put a field type and/or a value such as a character
* encoding in the lower bits.
*/
#define ENC_BIG_ENDIAN 0x00000000
#define ENC_LITTLE_ENDIAN 0x80000000
#if G_BYTE_ORDER == G_LITTLE_ENDIAN
#define ENC_HOST_ENDIAN ENC_LITTLE_ENDIAN
#else
#define ENC_HOST_ENDIAN ENC_BIG_ENDIAN
#endif
/*
* Historically FT_TIMEs were only timespecs; the only question was whether
* they were stored in big- or little-endian format.
*
* For backwards compatibility, we interpret an encoding of 1 as meaning
* "little-endian timespec", so that passing TRUE is interpreted as that.
*
* We now support:
*
* ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes. For 8 bytes, the first 4
* bytes are seconds and the next 4 bytes are nanoseconds; for 12 bytes,
* the first 8 bytes are seconds and the next 4 bytes are nanoseconds;
* for 16 bytes, the first 8 bytes are seconds and the next 8 bytes are
* nanoseconds. If the time is absolute, the seconds are seconds since
* the UN*X epoch (1970-01-01 00:00:00 UTC). (I.e., a UN*X struct
* timespec with a 4-byte or 8-byte time_t or a structure with an
* 8-byte time_t and an 8-byte nanoseconds field.)
*
* ENC_TIME_NTP - 8 bytes; the first 4 bytes are seconds since the NTP
* epoch (1901-01-01 00:00:00 GMT) and the next 4 bytes are 1/2^32's of
* a second since that second. (I.e., a 64-bit count of 1/2^32's of a
* second since the NTP epoch, with the upper 32 bits first and the
* lower 32 bits second, even when little-endian.)
*
* ENC_TIME_TOD - 8 bytes, as a count of microseconds since the System/3x0
* and z/Architecture epoch (1900-01-01 00:00:00 GMT).
*
* ENC_TIME_RTPS - 8 bytes; the first 4 bytes are seconds since the UN*X
* epoch and the next 4 bytes are are 1/2^32's of a second since that
* second. (I.e., it's the offspring of a mating between UN*X time and
* NTP time.) It's used by the Object Management Group's Real-Time
* Publish-Subscribe Wire Protocol for the Data Distribution Service.
*
* ENC_TIME_SECS_USECS - 8 bytes; the first 4 bytes are seconds and the
* next 4 bytes are microseconds. If the time is absolute, the seconds
* are seconds since the UN*X epoch. (I.e., a UN*X struct timeval with
* a 4-byte time_t.)
*
* ENC_TIME_SECS - 4 to 8 bytes, representing a value in seconds.
* If the time is absolute, it's seconds since the UN*X epoch.
*
* ENC_TIME_MSECS - 6 to 8 bytes, representing a value in milliseconds.
* If the time is absolute, it's milliseconds since the UN*X epoch.
*
* ENC_TIME_SECS_NTP - 4 bytes, representing a count of seconds since
* the NTP epoch. (I.e., seconds since the NTP epoch.)
*
* ENC_TIME_RFC_3971 - 8 bytes, representing a count of 1/64ths of a
* second since the UN*X epoch; see section 5.3.1 "Timestamp Option"
* in RFC 3971.
*
* ENC_TIME_MSEC_NTP - 4-8 bytes, representing a count of milliseconds since
* the NTP epoch. (I.e., milliseconds since the NTP epoch.)
*
* The backwards-compatibility names are defined as hex numbers so that
* the script to generate init.lua will add them as global variables,
* along with the new names.
*/
#define ENC_TIME_SECS_NSECS 0x00000000
#define ENC_TIME_TIMESPEC 0x00000000 /* for backwards source compatibility */
#define ENC_TIME_NTP 0x00000002
#define ENC_TIME_TOD 0x00000004
#define ENC_TIME_RTPS 0x00000008
#define ENC_TIME_NTP_BASE_ZERO 0x00000008 /* for backwards source compatibility */
#define ENC_TIME_SECS_USECS 0x00000010
#define ENC_TIME_TIMEVAL 0x00000010 /* for backwards source compatibility */
#define ENC_TIME_SECS 0x00000012
#define ENC_TIME_MSECS 0x00000014
#define ENC_TIME_SECS_NTP 0x00000018
#define ENC_TIME_RFC_3971 0x00000020
#define ENC_TIME_MSEC_NTP 0x00000022
#define ENC_TIME_MIP6 0x00000024
/*
* This is a modifier for FT_UINT_STRING and FT_UINT_BYTES values;
* it indicates that the length field should be interpreted as per
* sections 2.5.2.11 Octet String through 2.5.2.14 Long Character
* String of the ZigBee Cluster Library Specification, where if all
* bits are set in the length field, the string has an invalid value,
* and the number of octets in the value is 0.
*/
#define ENC_ZIGBEE 0x40000000
/*
* Historically, the only place the representation mattered for strings
* was with FT_UINT_STRINGs, where we had FALSE for the string length
* being big-endian and TRUE for it being little-endian.
*
* We now have encoding values for the character encoding. The encoding
* values are encoded in all but the top bit (which is the byte-order
* bit, required for FT_UINT_STRING and for UCS-2 and UTF-16 strings)
* and the bottom bit (which we ignore for now so that programs that
* pass TRUE for the encoding just do ASCII). (The encodings are given
* directly as even numbers in hex, so that make-init-lua.pl can just
* turn them into numbers for use in init.lua.)
*
* We don't yet process ASCII and UTF-8 differently. Ultimately, for
* ASCII, all bytes with the 8th bit set should be mapped to some "this
* is not a valid character" code point, as ENC_ASCII should mean "this
* is ASCII, not some extended variant thereof". We should also map
* 0x00 to that as well - null-terminated and null-padded strings
* never have NULs in them, but counted strings might. (Either that,
* or the values for strings should be counted, not null-terminated.)
* For UTF-8, invalid UTF-8 sequences should be mapped to the same
* code point.
*
* For display, perhaps we should also map control characters to the
* Unicode glyphs showing the name of the control character in small
* caps, diagonally. (Unfortunately, those only exist for C0, not C1.)
*
* *DO NOT* add anything to this set that is not a character encoding!
*/
#define ENC_CHARENCODING_MASK 0x3FFFFFFE /* mask out byte-order bits and Zigbee bits */
#define ENC_ASCII 0x00000000
#define ENC_ISO_646_IRV ENC_ASCII /* ISO 646 International Reference Version = ASCII */
#define ENC_UTF_8 0x00000002
#define ENC_UTF_16 0x00000004
#define ENC_UCS_2 0x00000006
#define ENC_UCS_4 0x00000008
#define ENC_ISO_8859_1 0x0000000A
#define ENC_ISO_8859_2 0x0000000C
#define ENC_ISO_8859_3 0x0000000E
#define ENC_ISO_8859_4 0x00000010
#define ENC_ISO_8859_5 0x00000012
#define ENC_ISO_8859_6 0x00000014
#define ENC_ISO_8859_7 0x00000016
#define ENC_ISO_8859_8 0x00000018
#define ENC_ISO_8859_9 0x0000001A
#define ENC_ISO_8859_10 0x0000001C
#define ENC_ISO_8859_11 0x0000001E
/* #define ENC_ISO_8859_12 0x00000020 ISO 8859-12 was abandoned */
#define ENC_ISO_8859_13 0x00000022
#define ENC_ISO_8859_14 0x00000024
#define ENC_ISO_8859_15 0x00000026
#define ENC_ISO_8859_16 0x00000028
#define ENC_WINDOWS_1250 0x0000002A
#define ENC_3GPP_TS_23_038_7BITS 0x0000002C
#define ENC_EBCDIC 0x0000002E
#define ENC_MAC_ROMAN 0x00000030
#define ENC_CP437 0x00000032
#define ENC_ASCII_7BITS 0x00000034
#define ENC_T61 0x00000036
#define ENC_EBCDIC_CP037 0x00000038
#define ENC_WINDOWS_1252 0x0000003A
#define ENC_WINDOWS_1251 0x0000003C
#define ENC_CP855 0x0000003E
#define ENC_CP866 0x00000040
#define ENC_ISO_646_BASIC 0x00000042
/*
* TODO:
*
* These could probably be used by existing code:
*
* "IBM MS DBCS"
* JIS C 6226
*
* As those are added, change code such as the code in packet-bacapp.c
* to use them.
*/
/*
* For protocols (FT_PROTOCOL), aggregate items with subtrees (FT_NONE),
* opaque byte-array fields (FT_BYTES), and other fields where there
* is no choice of encoding (either because it's "just a bucket
* of bytes" or because the encoding is completely fixed), we
* have ENC_NA (for "Not Applicable").
*/
#define ENC_NA 0x00000000
/* For cases where either native type or string encodings could both be
* valid arguments, we need something to distinguish which one is being
* passed as the argument, because ENC_BIG_ENDIAN and ENC_ASCII are both
* 0x00000000. So we use ENC_STR_NUM or ENC_STR_HEX bit-or'ed with
* ENC_ASCII and its ilk.
*/
/* this is for strings as numbers "12345" */
#define ENC_STR_NUM 0x01000000
/* this is for strings as hex "1a2b3c" */
#define ENC_STR_HEX 0x02000000
/* a convenience macro for either of the above */
#define ENC_STRING 0x03000000
/* mask out ENC_STR_* and related bits - should this replace ENC_CHARENCODING_MASK? */
#define ENC_STR_MASK 0x0000FFFE
/* for cases where the number is allowed to have a leading '+'/'-' */
/* this can't collide with ENC_SEP_* because they can be used simultaneously */
#define ENC_NUM_PREF 0x00200000
/* Use varint format as described in Protobuf protocol
* https://developers.google.cn/protocol-buffers/docs/encoding
*/
#define ENC_VARINT_PROTOBUF 0x00000002
/*
* Decodes a variable-length integer used in QUIC protocol
* See https://tools.ietf.org/html/draft-ietf-quic-transport-08#section-8.1
*/
#define ENC_VARINT_QUIC 0x00000004
/*
* Use "zig-zag" varint format as described in Protobuf protocol
* See https://developers.google.com/protocol-buffers/docs/encoding?csw=1#types
*/
#define ENC_VARINT_ZIGZAG 0x00000008
#define ENC_VARIANT_MASK (ENC_VARINT_PROTOBUF|ENC_VARINT_QUIC|ENC_VARINT_ZIGZAG)
/* For cases where a string encoding contains hex, bit-or one or more
* of these for the allowed separator(s), as well as with ENC_STR_HEX.
* See hex_str_to_bytes_encoding() in epan/strutil.h for details.
*/
#define ENC_SEP_NONE 0x00010000
#define ENC_SEP_COLON 0x00020000
#define ENC_SEP_DASH 0x00040000
#define ENC_SEP_DOT 0x00080000
#define ENC_SEP_SPACE 0x00100000
/* a convenience macro for the above */
#define ENC_SEP_MASK 0x001F0000
/* For cases where a string encoding contains a timestamp, use one
* of these (but only one). These values can collide with above, because
* you can't do both at the same time.
*/
#define ENC_ISO_8601_DATE 0x00010000
#define ENC_ISO_8601_TIME 0x00020000
#define ENC_ISO_8601_DATE_TIME 0x00030000
#define ENC_RFC_822 0x00040000
#define ENC_RFC_1123 0x00080000
/* a convenience macro for the above - for internal use only */
#define ENC_STR_TIME_MASK 0x000F0000
/* Values for header_field_info.display */
/* For integral types, the display format is a BASE_* field_display_e value
* possibly ORed with BASE_*_STRING */
/** FIELD_DISPLAY_E_MASK selects the field_display_e value. */
#define FIELD_DISPLAY_E_MASK 0xFF
/*
* Note that this enum values are parsed in make-init-lua.pl so make sure
* any changes here still makes valid entries in init.lua.
*/
typedef enum {
/* Integral types */
BASE_NONE = 0, /**< none */
BASE_DEC = 1, /**< decimal */
BASE_HEX = 2, /**< hexadecimal */
BASE_OCT = 3, /**< octal */
BASE_DEC_HEX = 4, /**< decimal (hexadecimal) */
BASE_HEX_DEC = 5, /**< hexadecimal (decimal) */
BASE_CUSTOM = 6, /**< call custom routine (in ->strings) to format */
/* Float types */
BASE_FLOAT = BASE_NONE, /**< decimal-format float */
/* String types */
STR_ASCII = 0, /**< shows non-printable ASCII characters as C-style escapes */
/* XXX, support for format_text_wsp() ? */
STR_UNICODE = 7, /**< shows non-printable UNICODE characters as \\uXXXX (XXX for now non-printable characters display depends on UI) */
/* Byte separators */
SEP_DOT = 8, /**< hexadecimal bytes with a period (.) between each byte */
SEP_DASH = 9, /**< hexadecimal bytes with a dash (-) between each byte */
SEP_COLON = 10, /**< hexadecimal bytes with a colon (:) between each byte */
SEP_SPACE = 11, /**< hexadecimal bytes with a space between each byte */
/* Address types */
BASE_NETMASK = 12, /**< Used for IPv4 address that shouldn't be resolved (like for netmasks) */
/* Port types */
BASE_PT_UDP = 13, /**< UDP port */
BASE_PT_TCP = 14, /**< TCP port */
BASE_PT_DCCP = 15, /**< DCCP port */
BASE_PT_SCTP = 16, /**< SCTP port */
/* OUI types */
BASE_OUI = 17 /**< OUI resolution */
} field_display_e;
#define FIELD_DISPLAY(d) ((d) & FIELD_DISPLAY_E_MASK)
/* Following constants have to be ORed with a field_display_e when dissector
* want to use specials value-string MACROs for a header_field_info */
#define BASE_RANGE_STRING 0x00000100 /**< Use the supplied range string to convert the field to text */
#define BASE_EXT_STRING 0x00000200
#define BASE_VAL64_STRING 0x00000400
#define BASE_ALLOW_ZERO 0x00000800 /**< Display `<none>` instead of `<MISSING>` for zero sized byte array */
#define BASE_UNIT_STRING 0x00001000 /**< Add unit text to the field value */
#define BASE_NO_DISPLAY_VALUE 0x00002000 /**< Just display the field name with no value. Intended for
byte arrays or header fields above a subtree */
#define BASE_PROTOCOL_INFO 0x00004000 /**< protocol_t in [FIELDCONVERT]. Internal use only. */
#define BASE_SPECIAL_VALS 0x00008000 /**< field will not display "Unknown" if value_string match is not found */
#define BASE_SHOW_ASCII_PRINTABLE 0x00010000 /**< show byte array as ASCII if it's all printable characters */
/** BASE_ values that cause the field value to be displayed twice */
#define IS_BASE_DUAL(b) ((b)==BASE_DEC_HEX||(b)==BASE_HEX_DEC)
/** BASE_PT_ values display decimal and transport port service name */
#define IS_BASE_PORT(b) (((b)==BASE_PT_UDP||(b)==BASE_PT_TCP||(b)==BASE_PT_DCCP||(b)==BASE_PT_SCTP))
/* For FT_ABSOLUTE_TIME, the display format is an absolute_time_display_e
* as per time_fmt.h. */
typedef enum {
HF_REF_TYPE_NONE, /**< Field is not referenced */
HF_REF_TYPE_INDIRECT, /**< Field is indirectly referenced (only applicable for FT_PROTOCOL) via. its child */
HF_REF_TYPE_DIRECT /**< Field is directly referenced */
} hf_ref_type;
/** information describing a header field */
typedef struct _header_field_info header_field_info;
/** information describing a header field */
struct _header_field_info {
/* ---------- set by dissector --------- */
const char *name; /**< [FIELDNAME] full name of this field */
const char *abbrev; /**< [FIELDABBREV] abbreviated name of this field */
enum ftenum type; /**< [FIELDTYPE] field type, one of FT_ (from ftypes.h) */
int display; /**< [FIELDDISPLAY] one of BASE_, or field bit-width if FT_BOOLEAN and non-zero bitmask */
const void *strings; /**< [FIELDCONVERT] value_string, val64_string, range_string or true_false_string,
typically converted by VALS(), RVALS() or TFS().
If this is an FT_PROTOCOL or BASE_PROTOCOL_INFO then it points to the
associated protocol_t structure */
guint64 bitmask; /**< [BITMASK] bitmask of interesting bits */
const char *blurb; /**< [FIELDDESCR] Brief description of field */
/* ------- set by proto routines (prefilled by HFILL macro, see below) ------ */
int id; /**< Field ID */
int parent; /**< parent protocol tree */
hf_ref_type ref_type; /**< is this field referenced by a filter */
int same_name_prev_id; /**< ID of previous hfinfo with same abbrev */
header_field_info *same_name_next; /**< Link to next hfinfo with same abbrev */
};
/**
* HFILL initializes all the "set by proto routines" fields in a
* _header_field_info. If new fields are added or removed, it should
* be changed as necessary.
*/
#define HFILL -1, 0, HF_REF_TYPE_NONE, -1, NULL
#define HFILL_INIT(hf) \
(hf).hfinfo.id = -1; \
(hf).hfinfo.parent = 0; \
(hf).hfinfo.ref_type = HF_REF_TYPE_NONE; \
(hf).hfinfo.same_name_prev_id = -1; \
(hf).hfinfo.same_name_next = NULL;
/** Used when registering many fields at once, using proto_register_field_array() */
typedef struct hf_register_info {
int *p_id; /**< written to by register() function */
header_field_info hfinfo; /**< the field info to be registered */
} hf_register_info;
/** string representation, if one of the proto_tree_add_..._format() functions used */
typedef struct _item_label_t {
char representation[ITEM_LABEL_LENGTH];
} item_label_t;
/** Contains the field information for the proto_item. */
typedef struct field_info {
header_field_info *hfinfo; /**< pointer to registered field information */
gint start; /**< current start of data in field_info.ds_tvb */
gint length; /**< current data length of item in field_info.ds_tvb */
gint appendix_start; /**< start of appendix data */
gint appendix_length; /**< length of appendix data */
gint tree_type; /**< one of ETT_ or -1 */
guint32 flags; /**< bitfield like FI_GENERATED, ... */
item_label_t *rep; /**< string for GUI tree */
tvbuff_t *ds_tvb; /**< data source tvbuff */
fvalue_t value;
} field_info;
/*
* This structure describes one segment of a split-bits item
* crumb_bit_offset is the bit offset in the input tvb of the first (most significant) bit of this crumb
* crumb_bit_length is the number of contiguous bits of this crumb.
* The first element of an array of bits_specs describes the most significant crumb of the output value.
* The second element of an array of bits_specs describes the next-most significant crumb of the output value, etc.
* The array is terminated by a sentinel entry with crumb_bit_length of 0.
*/
typedef struct
{
guint crumb_bit_offset;
guint8 crumb_bit_length;
} crumb_spec_t;
/*
* Flag fields. Do not assign values greater than 0x00000080 unless you
* shuffle the expert information upward; see below.
*/
/** The protocol field should not be shown in the tree (it's used for filtering only),
* used in field_info.flags. */
/** HIDING PROTOCOL FIELDS IS DEPRECATED, IT'S CONSIDERED TO BE BAD GUI DESIGN!
A user cannot tell by looking at the packet detail that the field exists
and that they can filter on its value. */
#define FI_HIDDEN 0x00000001
/** The protocol field should be displayed as "generated by Wireshark",
* used in field_info.flags. */
#define FI_GENERATED 0x00000002
/** The protocol field is actually a URL */
#define FI_URL 0x00000004
/** The protocol field value is in little endian */
#define FI_LITTLE_ENDIAN 0x00000008
/** The protocol field value is in big endian */
#define FI_BIG_ENDIAN 0x00000010
/** Field value start from nth bit (values from 0x20 - 0x100) */
#define FI_BITS_OFFSET(n) (((n) & 7) << 5)
/** Field value takes n bits (values from 0x100 - 0x4000) */
/* if 0, it means that field takes fi->length * 8 */
#define FI_BITS_SIZE(n) (((n) & 63) << 8)
/** The protocol field value is a varint */
#define FI_VARINT 0x00004000
/** convenience macro to get field_info.flags */
#define FI_GET_FLAG(fi, flag) ((fi) ? ((fi)->flags & (flag)) : 0)
/** convenience macro to set field_info.flags */
#define FI_SET_FLAG(fi, flag) \
do { \
if (fi) \
(fi)->flags = (fi)->flags | (flag); \
} while(0)
/** convenience macro to reset field_info.flags */
#define FI_RESET_FLAG(fi, flag) \
do { \
if (fi) \
(fi)->flags = (fi)->flags & ~(flag); \
} while(0)
#define FI_GET_BITS_OFFSET(fi) (FI_GET_FLAG(fi, FI_BITS_OFFSET(7)) >> 5)
#define FI_GET_BITS_SIZE(fi) (FI_GET_FLAG(fi, FI_BITS_SIZE(63)) >> 8)
/** One of these exists for the entire protocol tree. Each proto_node
* in the protocol tree points to the same copy. */
typedef struct {
GHashTable *interesting_hfids;
gboolean visible;
gboolean fake_protocols;
gint count;
struct _packet_info *pinfo;
} tree_data_t;
/** Each proto_tree, proto_item is one of these. */
typedef struct _proto_node {
struct _proto_node *first_child;
struct _proto_node *last_child;
struct _proto_node *next;
struct _proto_node *parent;
field_info *finfo;
tree_data_t *tree_data;
} proto_node;
/** A protocol tree element. */
typedef proto_node proto_tree;
/** A protocol item element. */
typedef proto_node proto_item;
/*
* Expert information.
* This is in the flags field; we allocate this from the top down,
* so as not to collide with FI_ flags, which are allocated from
* the bottom up.
*/
/* do not modify the PI_SEVERITY_MASK name - it's used by make-init-lua.pl */
/* expert severities */
#define PI_SEVERITY_MASK 0x00F00000 /**< mask usually for internal use only! */
/** Packet comment */
#define PI_COMMENT 0x00100000
/** Usual workflow, e.g. TCP connection establishing */
#define PI_CHAT 0x00200000
/** Notable messages, e.g. an application returned an "unusual" error code like HTTP 404 */
#define PI_NOTE 0x00400000
/** Warning, e.g. application returned an "unusual" error code */
#define PI_WARN 0x00600000
/** Serious problems, e.g. a malformed packet */
#define PI_ERROR 0x00800000
/* do not modify the PI_GROUP_MASK name - it's used by make-init-lua.pl */
/* expert "event groups" */
#define PI_GROUP_MASK 0xFF000000 /**< mask usually for internal use only! */
/** The protocol field has a bad checksum, usually uses PI_WARN severity */
#define PI_CHECKSUM 0x01000000
/** The protocol field indicates a sequence problem (e.g. TCP window is zero) */
#define PI_SEQUENCE 0x02000000
/** The protocol field indicates a bad application response code (e.g. HTTP 404), usually PI_NOTE severity */
#define PI_RESPONSE_CODE 0x03000000
/** The protocol field indicates an application request (e.g. File Handle == xxxx), usually PI_CHAT severity */
#define PI_REQUEST_CODE 0x04000000
/** The data is undecoded, the protocol dissection is incomplete here, usually PI_WARN severity */
#define PI_UNDECODED 0x05000000
/** The protocol field indicates a reassemble (e.g. DCE/RPC defragmentation), usually PI_CHAT severity (or PI_ERROR) */
#define PI_REASSEMBLE 0x06000000
/** The packet data is malformed, the dissector has "given up", usually PI_ERROR severity */
#define PI_MALFORMED 0x07000000
/** A generic debugging message (shouldn't remain in production code!), usually PI_ERROR severity */
#define PI_DEBUG 0x08000000
/** The protocol field violates a protocol specification, usually PI_WARN severity */
#define PI_PROTOCOL 0x09000000
/** The protocol field indicates a security problem (e.g. insecure implementation) */
#define PI_SECURITY 0x0a000000
/** The protocol field indicates a packet comment */
#define PI_COMMENTS_GROUP 0x0b000000
/** The protocol field indicates a decryption problem */
#define PI_DECRYPTION 0x0c000000
/** The protocol field has incomplete data, decode based on assumed value */
#define PI_ASSUMPTION 0x0d000000
/** The protocol field has been deprecated, usually PI_NOTE severity */
#define PI_DEPRECATED 0x0e000000
/* add more, see https://wiki.wireshark.org/Development/ExpertInfo */
/** Retrieve the field_info from a proto_node */
#define PNODE_FINFO(proto_node) ((proto_node)->finfo)
/** Retrieve the field_info from a proto_item */
#define PITEM_FINFO(proto_item) PNODE_FINFO(proto_item)
/** Retrieve the field_info from a proto_tree */
#define PTREE_FINFO(proto_tree) PNODE_FINFO(proto_tree)
/** Retrieve the tree_data_t from a proto_tree */
#define PTREE_DATA(proto_tree) ((proto_tree)->tree_data)
/** Retrieve the wmem_allocator_t from a proto_node */
#define PNODE_POOL(proto_node) ((proto_node)->tree_data->pinfo->pool)
/** Is this protocol field hidden from the protocol tree display? Used for filtering only.
* Use with caution, HIDING PROTOCOL FIELDS IS CONSIDERED TO BE BAD GUI DESIGN!
* @param ti The item to check. May be NULL.
* @return TRUE if the item is hidden, FALSE otherwise.
*/
static inline gboolean proto_item_is_hidden(proto_item *ti) {
if (ti) {
return FI_GET_FLAG(PITEM_FINFO(ti), FI_HIDDEN);
}
return FALSE;
}
#define PROTO_ITEM_IS_HIDDEN(ti) proto_item_is_hidden((ti))
/** Mark this protocol field to be hidden from the protocol tree display. Used for filtering only.
* Use with caution, HIDING PROTOCOL FIELDS IS CONSIDERED TO BE BAD GUI DESIGN!
* @param ti The item to hide. May be NULL.
*/
static inline void proto_item_set_hidden(proto_item *ti) {
if (ti) {
FI_SET_FLAG(PITEM_FINFO(ti), FI_HIDDEN);
}
}
#define PROTO_ITEM_SET_HIDDEN(ti) proto_item_set_hidden((ti))
/** Mark this protocol field to be visible from the protocol tree display.
* @param ti The item to hide. May be NULL.
*/
static inline void proto_item_set_visible(proto_item *ti) {
if (ti) {
FI_RESET_FLAG(PITEM_FINFO(ti), FI_HIDDEN);
}
}
#define PROTO_ITEM_SET_VISIBLE(ti) proto_item_set_visible((ti))
/** Is this protocol field generated by Wireshark (and not read from the packet data)?
* @param ti The item to check. May be NULL.
* @return TRUE if the item is generated, FALSE otherwise.
*/
static inline gboolean proto_item_is_generated(proto_item *ti) {
if (ti) {
return FI_GET_FLAG(PITEM_FINFO(ti), FI_GENERATED);
}
return FALSE;
}
#define PROTO_ITEM_IS_GENERATED(ti) proto_item_is_generated((ti))
/** Mark this protocol field as generated by Wireshark (and not read from the packet data).
* @param ti The item to mark as generated. May be NULL.
*/
static inline void proto_item_set_generated(proto_item *ti) {
if (ti) {
FI_SET_FLAG(PITEM_FINFO(ti), FI_GENERATED);
}
}
#define PROTO_ITEM_SET_GENERATED(ti) proto_item_set_generated((ti))
/** Is this protocol field actually a URL?
* @brief proto_item_is_url
* @param ti The item to check. May be NULL.
* @return TRUE if the item is a URL, FALSE otherwise.
*/
static inline gboolean proto_item_is_url(proto_item *ti) {
if (ti) {
return FI_GET_FLAG(PITEM_FINFO(ti), FI_URL);
}
return FALSE;
}
#define PROTO_ITEM_IS_URL(ti) proto_item_is_url((ti))
/** Mark this protocol field as a URL
* @param ti The item to mark as a URL. May be NULL.
*/
static inline void proto_item_set_url(proto_item *ti) {
if (ti) {
FI_SET_FLAG(PITEM_FINFO(ti), FI_URL);
}
}
#define PROTO_ITEM_SET_URL(ti) proto_item_set_url((ti))
typedef void (*proto_tree_foreach_func)(proto_node *, gpointer);
typedef gboolean (*proto_tree_traverse_func)(proto_node *, gpointer);
extern gboolean proto_tree_traverse_post_order(proto_tree *tree,
proto_tree_traverse_func func, gpointer data);
WS_DLL_PUBLIC void proto_tree_children_foreach(proto_tree *tree,
proto_tree_foreach_func func, gpointer data);
#ifdef HAVE_PLUGINS
typedef struct {
void (*register_protoinfo)(void); /* routine to call to register protocol information */
void (*register_handoff)(void); /* routine to call to register dissector handoff */
} proto_plugin;
/** Register dissector plugin with the plugin system. */
WS_DLL_PUBLIC void proto_register_plugin(const proto_plugin *plugin);
#endif
/** Sets up memory used by proto routines. Called at program startup */
void proto_init(GSList *register_all_plugin_protocols_list,
GSList *register_all_plugin_handoffs_list, register_cb cb, void *client_data);
/** Frees memory used by proto routines. Called at program shutdown */
extern void proto_cleanup(void);
/** This function takes a tree and a protocol id as parameter and
will return TRUE/FALSE for whether the protocol or any of the filterable
fields in the protocol is referenced by any fitlers.
If this function returns FALSE then it is safe to skip any
proto_tree_add_...() calls and just treat the call as if the
dissector was called with tree==NULL.
If you reset the tree to NULL by this dissector returning FALSE,
you will still need to call any subdissector with the original value of
tree or filtering will break.
The purpose of this is to optimize wireshark for speed and make it
faster for when filters are being used.
*/
WS_DLL_PUBLIC gboolean proto_field_is_referenced(proto_tree *tree, int proto_id);