======================================================================== * AUTHORS ========================================================================  Original Author -------- ------ Gerald Combs Contributors ------------ Gilbert Ramirez { Wiretap Printing Token-Ring, TR MAC 802.2 LLC IPX, SPX, NCP BOOTP/DHCP LPD Win32 support tvbuffs Miscellaneous enhancements and fixes } Thomas Bottom { IEEE 1722.1 support } Chris Pane { IEEE 1722.1 support } Hannes R. Boehm { http://hannes.boehm.org/ OSPFv2 RIPv1, RIPv2 CDP (Cisco Discovery Protocol Version 1) } Mike Hall { Follow TCP Stream } Bobo Rajec { DNS protocol support } Laurent Deniel { Name resolution Ethernet/Manufacturer files support FDDI support OMG GIOP/IIOP support ISO/OSI CLNP/COTP support Real time capture and display enhancement Many display filters added GUI enhancements (about & help windows) Follow TCP stream for IPv6 Protocol activation/deactivation (Edit:protocols) Ability to mark the frames and associated features "Protocol Properties..." menu item Ring buffer rework X11 decoding enhancements and fixes Miscellaneous enhancements and fixes } Don Lafontaine { Banyan Vines support IGRP support } Guy Harris { DNS and NetBIOS Name Service enhancements Bitfield decoding IP and TCP option decoding HTTP support NNTP support ATM and LANE decoding Q.931 decoding Changes to the popup packet windows Miscellaneous enhancements and fixes } Simon Wilkinson { AppleTalk support } Jörg Mayer { Banyan Vines support NTP fixes DHCP support for Intel PXEclient DHCP requests Support for "-N" flag enabling selected forms of name resolution Changes to structure initializations to initialize all members Define __USE_XOPEN in files that use "strptime()" Various signed vs. unsigned fixes Crank up the warning level in GCC Skinny (Official Name: SCCP) Remove trailing blanks from hex dump in print/Tethereal Remove unused variables and declarations of non-existent functions In configure scripts, if the compiler is GCC, add to CFLAGS a -D flag to define _U_ as something that marks an argument unused in GCC, and as nothing for other compilers Add _U_ to unused arguments, and turn off "-Wno-unused" .cvsignore fixes Make a pile of stuff not used outside one source file static Clean up #includes Mark last packet of TFTP transfer as such in the Info column Dissect both the BOOTP server and client ports as bootp/DHCP Fix some small memleaks found by valgrind Some Extreme protocols Some 3com management protocol } Martin Maciaszek { RPM .spec file } Didier Jorand { SNMP support TCP SEQ/ACK analysis bugfix for sequence number wrapping. FIX 4.0 to 4.4 fields } Jun-ichiro itojun Hagino { http://www.itojun.org/ IPv6 support RIPng support IPsec support PIM (Prototocol-Independent Multicast) support IPComp (IP Payload Compression) support BGP (Border Gateway Protocol) support } Richard Sharpe { TFTP, FTP, POP, Telnet support Infrastructure changes for the benefit of TFTP SMB support LDP GSS-API and SPNEGO work MS RPC WKSSVC dissector } John McDermott { Packet coloring support Pseudo-real-time capture } Jeff Jahr { PPP over Ethernet (PPPoe) } Brad Robel-Forrest { ISAKMP, GRE, PPTP } Ashok Narayanan { RSVP Match Selected functionality Support for reading compressed capture files MPLS Link Management Protocol IEEE 802.1ad and 802.1ah } Aaron Hillegass { Summary dialogue } Jason Lango { RTSP, SDP RTCP fixes } Johan Feyaerts { RADIUS } Olivier Abad { X.25 support in iptrace files and Sniffer files Support for files from RADCOM WAN/LAN analyzers and HP-UX nettl traces LAPB, X.25 Plugins support Support for capturing packet data from pipes Support for writing NetXRay 2.x (Windows Sniffer) format captures } Thierry Andry { Linux ATM Classical IP support More filterable fields in SNMP } Jeff Foster { NetBEUI/NBF support (NetBIOS atop 802.2 LLC, the original NetBIOS encapsulation) SMB Mailslot and Netlogin protocol support Popup packet windows Support for protocols registering themselves with dissectors for protocols on top of which they run Rlogin support Support for associating a dissector with a conversation, and for use of that dissector by TCP and UDP SOCKS support Microsoft Proxy protocol support Support for conversations with "wildcard" destination addresses and/or ports Initial support for constructing filter expressions Support for reading Sniffer Frame Relay captures Partial support for determining the type of "Internetwork analyzer" Sniffer captures (we don't yet have enough captures to do it all) } Peter Torvals { Internet Cache Protocol support } Christophe Tronche { http://tronche.com/ BPDU (spanning tree protocol) support X11 requests support } Nathan Neulinger { Yahoo Messenger YHOO protocol, and Yahoo Pager (YPNS?) protocol support NTP (Network Time Protocol) support RX protocol support Andrew File System protocol support 802.1q VLAN support Misc. RPC program dissectors TNS/Oracle dissector Tacacs+/XTacacs dissector IRC dissector AppleTalk NBP dissector AppleTalk RTMP response dissector Automake and autoconf updates to handle the current CVS versions of automake (which will probably eventually become the next releases of automake and autoconf) Additional cipher suite names for SSL SEBEK - Kernel read() data capture protocol support Linux IPVS Synchronization Daemon support } Tomislav Vujec { Additional NTP support } Kojak { ICQ support } Uwe Girlich { ONC RPC support NFS support Mount Protocol support started NLM support started PCNFSD support started TSP support Quake dissector QuakeWorld dissector Quake II dissector Quake 3 Arena dissector DTPT dissector INTERLINK dissector } Warren Young { "Print" button support in "Tools:Follow TCP Stream" window } Heikki Vatiainen { Cisco Auto-RP protocol support SAP (Session Announcement Protocol) support VRRP (Virtual Router Redundancy) HSRP (Hot Standby Router Protocol) option to control whether to interpret the IPv4 TOS field as such or as the DiffServ field COPS SIP (Session Initiation Protocol) BGP tvbuffification IPv6 and ICMPv6 tvbuffification PIM enhancements and fixes Support for Enter/Return toggling expansion of selected protocol tree item IGMP fixes and multicast traceroute support MSDP support IPv6 name resolution support on Solaris 8 Enhancements to the "bad sed" tests Make "get_host_ipaddr()" require dotted-quad IP addresses to really be quads CGMP-over-Ethernet II support Fix the test for IS-IS virtual links Documentation improvements } Greg Hankins { http://www.twoguys.org/~gregh updates to BGP (Border Gateway Protocol) support } Jerry Talkington { tvb_uncompress()/HTTP Content-Encoding decompression HTTP chunked encoding dissection updates to HTTP support Filter selection/editing GUI improvements WCCP 1.0 support Right-mouse-button menu support } Dave Chapeskie { updates to ISAKMP support } James Coe { SRVLOC (Service Location Protocol) support NCP over IP support } Bert Driehuis { I4B (ISDN for BSD) wiretap module V.120 } Stuart Stanley { ISIS on CLNP support } John Thomes { L2TP support } Laurent Cazalet { updates to L2TP support } Thomas Parvais { updates to L2TP support } Gerrit Gehnen { support for "Inactive Subset" of ISO CLNP Decoding of OSI COTP TSAPs as text when they're plain text Sinec H1 protocol support } Craig Newell { TFTP options (RFC 2347) support } Ed Meaney { Win32 support } Dietmar Petras { Time protocol support Fix to handling of SNMPv2 TRAP PDUs } Fred Reimer { TCP segment length in TCP packet summary } Florian Lohoff { Various enhancements to RADIUS support Fixes to L2TP result and error code dissection Redback SmartEdge SE400/800 tcpdump disassembly Redback Lawful Intercept dissection } Jochen Friedrich { SNA improvements Fix to IPv6 fragment handling SMUX and SNMPv3 support Zebra support HPR/UDP (RFC 2353, Enterprise Extender) RPL support HP extended 802.2 LLC support HP remote management protocol support SNMP over HP extended 802.2 LLC support } Paul Welchinski { Fixes to Win32 packet capture code } Doug Nazar { LDAP support } Andreas Sikkema { Fixes to SMB dissector Fixes to capture file handling on Win32 RTCP, RTP, TPKT (RFC 1006), H.261 Q.931 enhancements } Mark Muhlestein { CIFS-over-TCP support } Graham Bloice { Win32 icon for Wireshark, and Win32 resource-compiler files to add version/copyright/etc. information to Win32 executables Support for sorting columns in the summary by clicking on them Win32 Makefile improvements Support for "Update list of packets in real time" during capture on Win32 Support for inverse video rather than boldface highlighting of the bytes, in the hex dump window, corresponding to a selected field Support for DNP } Ralf Schneider { Enhancements to OSI CLNP, CLTP, and ISIS support OSI ESIS support } Yaniv Kaul { Enhancements to ISAKMP CPHA support DCERPC OXID operation #5 dissection TDS enhancements DCERPC: Resolve UUID to interface names on win32 platforms PCT support X509 Certificates over HTTP support VNC heuristic dissection TightVNC dissection More tags in the DAAP dissector SPICE dissector } Paul Ionescu { IPX-over-GRE support EIGRP support Cisco IGRP support X.25-over-TCP support DEC LANBridge Spanning Tree Protocol support X.25-over-LLC support IP Prefix field support in CDP Frame Relay support Frame-Relay-over-GRE support IPX SAP over IPX EIGRP support Fleshed out TACACS/XTACACS/TACACS+ dissector DLSw support } Mark Burton { Assorted SMB fixes and enhancements iSCSI support } Stefan Raab { Mobile IP } Mark Clayton { Support for capturing on ATM interfaces on Linux } Michael Rozhavsky { OSPF enhancements CRLDP support } Dug Song { RPCSEC_GSS credential/verifier dissection for ONC RPC } Michael Tüxen { SCTP support M3UA support ISDN Q.921-User Adaptation Layer (IUA) support SUA and SUA Light support MTP3 support MacOS X support Update of M2PA support for later Internet drafts MTP2 support SCTP support in text2pcap SCCP-atop-M3UA support M2UA support ASAP support ENRP support Fix SCTP port number for M2PA } Bruce Korb { Improved autogen.sh script } Jose Pedro Oliveira { DHCP enhancements } David Frascone { DIAMETER support Bug fixes and enhancements to Mobile IP Support for Mobile IP's use of ICMP Router Advertisements Removal of unused variables and functions LWAPP support } Peter Kjellerstedt { SRVLOC fixes ICQ enhancements autogen.sh fixes } Phil Techau { Added "col_append_str()" Signed integer support in display filters and in the protocol tree BOOTP fixes Additional NTP reference clock identifiers } Wes Hardaker { Kerberos 5 support occasional ucd-snmp/net-snmp help. } Robert Tsai { Rsh support Support for embedded newlines in SDP fields Support for leading LWS in RTSP headers } Craig Metz { OSPF type 7 LSA dissection } Per Flock { A6 and DNAME resource record support RFC 2673 bitstring label support } Jack Keane { ISAKMP fixes to handle malformed packets } Brian Wellington { Support for DNS CERT, KX, TSIG, and TKEY records Support for NOTIFY and UPDATE DNS opcodes Support for YXDOMAIN, YXRRSSET, NXRRRSET, NOTAUTH, NOTZONE, and TSIG/TKEY error DNS reply codes Partial support for DNS-over-TCP } Santeri Paavolainen { "Capture->Stop" menu bar item Improved capture statistics box Make doc/Makefile.am work in POSIXLY_CORRECT environment Mobile IPv6 fixes } Ulrich Kiermayr { ECN Extension support } Neil Hunter { WAP support } Ralf Holzer { AIM/OSCAR support } Craig Rodrigues { GIOP 1.2 support and other GIOP enhancements Handle current versions of RPM, which compress man pages Real-time CORBA priority value support } Ed Warnicke { MGCP dissector PCLI ( Packet Cable Lawful Intercept ) dissector } Johan Jorgensen { IEEE 802.11 support } Frank Singleton { Short integer CDR support for GIOP Support for protocols running atop GIOP GIOP CosNaming support } Kevin Shi { GVRP support } Mike Frisch { NFSv4 support HCLNFSD support rquota support AUTH_DES support Tvbuffified NFS dissector RPCSEC_GSS fixes PCNFSD updates NFS_ACL support PVFS2 support } Burke Lau { PPP FCS checking Cisco HDLC support in PPP dissector MPLS-over-PPP support } Martti Kuparinen { Mobile IPv6 support HMIPv6 support } David Hampton { Support for HTTP methods added by GENA (the uPnP protocol) Support for the HTTP-based SSDP protocol "Decode As" dialog } Kent Engström { CDP VTP Management Domain item support } Ronnie Sahlberg { NLM dissector enhancements Mount dissector enhancements Support for status monitor protocol and status monitor callback protocol YPSERV dissector enhancements BOOTPARAM dissector enhancements RWALL support HCLNFSD dissector enhancements IP fragment reassembly YPPASSWD support KLM support SPRAY support rquota support completed XDR array support NIS+ support Rewritten IGMP dissector Tvbuffified and bug-fixed RX and AFS dissectors Support for filtering on absolute and relative time fields DVMRP support MRDISC support MSNIP support Tvbuffified ISIS dissector Tvbuffified SMB NETLOGON dissector Tvbuffified SMB BROWSER dissector TCP segment reassembly and support for it in ONC RPC and NBSS dissectors Filterable fields for XoT and RIP Times in NFS done as FT_ABSOLUTE_TIME and FT_RELATIVE_TIME FT_UINT64 support, code to handle 64-bit integers without requiring compiler support for them, and updates to the Diameter, L2TP, NFS, and NLM dissectors to use it and to the ONC RPC dissector to allow ONC RPC subdissectors to use it SMB tvbuffication and enhancement NDMPv3 support Add time between request and reply as a field to ONC RPC replies File handle to file name resolution in NFS and related protocols DCE RPC enhancements SAMR updates NETLOGON implementation LSA updates NFS AUTH stub implementation MAPI skeleton dissector DCE/RPC fragment reassembly TCP ACK/SEQ number analysis and relative sequence numbers TAP system and ONC RPC and DCE RPC examples DISTCC updates H225 and H245 dissectors and PER dissector helpers Kerberos decryption PacketCable protocol } Borosa Tomislav { Updates to mobile IPv6 } Alexandre P. Ferreira { WTLS support WSP fixes and enhancements } Simharajan Srishylam { Assorted WCCP2 enhancements ICAP support } Greg Kilfoyle { BOOTP option 82 (Relay Agent Information option) support } James E. Flemer { Hidden Boolean fields set if the IP or ICMP checksums are bad } Peter Lei { RFC 3024 reverse tunneling support for the Mobile IP dissector } Thomas Gimpel { Fixes to the Q.931 dissector } Albert Chin { Fixes to Lemon to get it to compile on platforms (such as some versions of Tru64 UNIX) that define TRUE and FALSE Fixes for various non-GCC compiler warnings Fix to TCP graph code to eliminate a GCCism Simplify some autoconf code Assorted cleanups Autoconf/automake cleanups } Charles Levert { CUPS browsing protocol support } Todd Sabin { DCE RPC support Cleaned up "get_column_format_matches()" Skeleton NSPI dissector } Eduardo Pérez Ureta { GUI fixes } Martin Thomas { Support for TPKT being used for its original purpose (TCP port 102, containing OSI transport layer PDUs) Handle address lengths based on TOA bit in X.25 } Hartmut Mueller { BACNET support } Michal Melerowicz { GTP support GTPv1 support and GTPv0 improvements } Hannes Gredler { OSI network layer over PPP support Many IS-IS enhancements Juniper Networks vendor ID in RADIUS dissector HELLO message support in RSVP Many BGP enhancements and bug fixes Fix display of OSI system IDs to use a dot rather than a dash before the PSN byte Decode the sample rate factor in cflowd5 headers Support OSI over CHDLC Show the type value for OSI protocols symbolically in GRE Support MPLS over CHDLC Bi-directional Fault Detection (BFD) support Support for Juniper's DLT_JUNIPER_ATM1, DLT_JUNIPER_ATM2 values Support for Juniper's PPPOE encapsulation } Inoue { Preference dialog crash fix } Olivier Biot { Various WTP fixes and enhancements Rewrite of much of WSP WBXML/WMLC support README.win32 updates for Cygwin UDH dissection in SMPP WTP-over-SMPP and WSP-over-SMPP GSM SMS, CBS and DCS support for the SMPP dissector Display filter operator: matches (PCRE syntax) Compuserve GIF image dissector JPEG File Interchange Format (JFIF) dissector Dissector for message/http media type Generic line-based textual data dissector Multipart media dissector Display filter operator: bitwise_and Generic media dissector (in analogy to the data dissector) } Patrick Wolfe { WTLS client and trusted key ID handling enhancements } Martin Held { RANAP support } Riaan Swart { Modbus/TCP support } Christian Lacunza { Command-line option to control automatic scrolling in "Update list of packets in real time" captures } Scott Renfro { LDAP checks for invalid packets "-t" flag for editcap, to adjust timestamps in frames SSL/TLS support Mergecap utility for merging capture files Fixes for some calls to "localtime()" that didn't check whether the call succeeded (it doesn't always do so on Windows, for example) } Juan Toledo { Passive FTP support } Jean-Christian Pennetier { ISIS IPv6 routing TLV dissection ISIS traffic engineering TLV dissection IS neighbor and IP reachability TLVs given their own subtree types Assorted other ISIS fixes } Jian Yu { BGP enhancements } Eran Mann { Fix to LDP prefix FEC dissection for IPv4 } Andy Hood { "--with-ssl" configuration option, to use if UCD SNMP is compiled with crypto support and needs -lcrypto On Solaris, with GCC, add flags to reduce warnings from inadequacies of function declarations in X11 headers Translate enterprise OIDs in SNMP traps to strings if possible AODV6 dissector compile fixes for AIX } Randy McEoin { Appletalk Data Stream Interface (used by AFP-over-TCP) support Xyplex protocol support Avaya IPSI Control } Edgar Iglesias { Fix to TCP reassembly code for retransmitted data } Martina Obermeier { ISUP (ISDN User Part, ITU-T recommendation Q.763) support } Javier Achirica { IEEE 802.11 bug fixes and WEP support } B. Johannessen { Gnutella support } Thierry Pelle { MP-BGP message support Redback vendor-specific items for RADIUS and L2TP IPv6CP support } Francisco Javier Cabello { RFC 2250 MPEG1 support } Laurent Rabret { LCP-over Ethernet and IPCP-over-Ethernet support (to handle captures on Windows; PPP packets show up as Ethernet packets, courtesy of NDISWAN, and apparently internal-to-PPP protocols get passed through, with PPP protocol types appearing in the Ethernet protocol type field) PAP support BGP bug fix ISIS fixes and enhancements OPSI support } nuf si { RTSP fixes } Jeff Morriss { M2PA support Support for ANSI flavor of MTP3 SCCP support SCCP Management support MTP3 Management support Support for China and Japan ITU SS7 variants SSCOP over UDP and SSCF-NNI support Various bug fixes and enhancements } Aamer Akhter { Support for draft-rosen-vpn-ospf-bgp-mpls Support for additional BGP extended communities LDP support for draft-martini-l2circuit-trans-mpls, LDP status code updates, and small LDP cleanups LDP support for draft-martini-l2circuit-encap-mpls for Ethernet-over-MPLS Fix initialization of ett_slarp in CHDLC dissector LDP PWE updates } Pekka Savola { Autoconf support for glibc IPv6 support } David Eisner { NCP-over-IP bug fix } Steve Dickson { PGM (Pragmatic General Multicast) support } Markus Seehofer { GMRP support IEEE 1588 / PTP version 2 support } Lee Berger { Fix to FT_UINT_STRING handling } Motonori Shindo { Shiva PAP, EAP, and CBCP negotiation in LCP Callback Operation support in PPP dissector Support for decoding additional data, for CHAP, in LCP Authentication Protocol option Additional vendor (CoSine) for Radius CoSine VSA support for Radius Patches to PPP for CHAP support Patches to packet-x11-keysym.h to clean up 8-bit chars Fixes to take the Vendor-Specific attribute into consideration when dissecting L2TP L2TP Dissconnect Cause Information AVP support PPP CCP support PPP compressed packet support Assorted BGP improvements CBCP support in PPP Fix Ascend/Lucent trace reading code to handle later trace formats that have an ASCII dump at the end of the line Get rid of "send output to /dev/null" hack in Ascend/Lucent trace reading code's Flex scanner BACP and BAP support in PPP dissector Add necessary cast in TCP graph code Fix up the generation of PDB files, clean them up on a "nmake -f makefile.nmake clean", and put all the PDB files into the Windows binary distribution Delete installed data files on a Windows uninstallation OSPF fixes Support for reading CoSine L2 debug output Assorted LDP enhancements and fixes Key Information dissection in EAPOL-Key messages sFlow/NetFlow/IPFIX dissector enhancement } Terje Krogdahl { Additional AVPs, and Event-Timestamp support, in RADIUS } Jean-Francois Mule { Additional SIP methods } Thomas Wittwer { HTTP dissector registered by name "prefs_register_string_preference()" made available to plugins Remove unnecessary calls to "prefs_module_foreach()" Support for stopping capture at specified capture file size or capture duration } Matthias Nyffenegger { Support for stopping capture at specified capture file size or capture duration } Palle Lyckegaard { OSPFv3 support } Nicolas Balkota { GTPv1 support and GTPv0 improvements } Tom Uijldert { WTP fixes MMSE support Push-traffic dissecting for WSP/WTLS UCP support SMPP support multipart-content support in WSP/MMSE WTP reassembly WTP TPI dissection } Akira Endoh { Support for dissecting multiple BGP capabilities Sync PPP protocol names with the IANA database MPLSCP, CDPCP, and CDP over PPP support BGP support for draft-ietf-idr-as4bytes-06.txt and draft-ietf-idr-dynamic-cap-03.txt Wellfleet Breath of Life support RSVP support for draft-ietf-mpls-nodeid-subobject-00.txt, and other bug fixes and enhancements Diffserv MPLS signaling protocol support IGAP support } Graeme Hewson { Additional Ascend codes, and IETF codes, for Radius Fix various capture problems Add some sanity checks to DNS dissector to avoid loops Command-line interface cleanups Varargs code cleanup in "simple_dialog.c" Make dialog box pop up only after a minimum period of time } Pasi Eronen { Patches to the dcerpc dissector for data representation decoding XDMCP support Support for PCT cipher suites and record layer in SSL Dissect the packet inside an LCP Protocol-Reject message } Georg von Zezschwitz { WSP fixes Support for concatenated PDUs Put URL of WSP GET/POST in the Info column Fix a bug with WSP Connect requests with headers > 256 bytes Implement attributes of WSP Suspend/Resume } Steffen Weinreich { UCP fixes } Marc Milgram { VMS TCPIPtrace wiretap module DBS Etherwatch wiretap module } Gordon McKinney { Enhanced Ethereal icon for Windows Support for time stamping packets in text2pcap Fix to text2pcap to handle colons after offset field Make IP-over-PPP work with the TCP graph code } Pavel Novotny { Additional items for RADIUS tunnels } Shinsuke Suzuki { DHCPv6 and PIM enhancements IPv6 payload for GRE MLDv2 enhancements } Andrew C. Feren { Makefile fix Solaris packaging fixes Add ifdefs to the top-level Makefile.nmake to avoid using Python if PYTHON isn't defined make-manuf fix Put all of Cisco's OUIs into manuf.tmpl Put human-readable descriptions in the combo box entries for "Interface:" on Windows ntop nProbe and Plixer Mailinizer extensions for the Netflow dissector } Tomas Kukosa { Additional routines made available to plugins Support in Wiretap for DLT_HHDLC Fix to summary-printing code to handle reallocated line buffer Support for registering subdissectors for Q.931 IEs and codesets Reassembly of segmented Q.931 messages ASN2ETH compiler to convert ASN.1 definitions to PER/DER dissectors } Andreas Stockmeier { IPCOMP transformation and ID_IPV4_ADDR_SUBNET for ISAKMP Fix the file dialog box code to use "g_strdup()", not "strdup()" to copy strings } Pekka Nikander { IEEE 802.1x, a/k/a EAPOL PPP/EAPOL EAP support } Hamish Moffatt { MPLS support for handling either IPv4 or IPv6 as the payload protocol type Win32 Makefile fixes Use pod2html rather than man2html to build HTML man pages Fix ethereal.nsi.in for recent versions of NSIS } Kazushi Sugyo { Fix to display of AH length field Fix to code to scan the SIOCGIFCONF list } Tim Potter { Support for DCE RPC atop SMB Support for several Microsoft DCE RPC services used with SMB Added code to call request and reply subdissectors in DCE RPC Display the FID in the Info column of NT Create and X replies Display the setup words in some SMB Transaction messages and extract the FID from them Use the FID, for DCE RPC-over-SMB, as part of the conversation matching Assorted SMB fixes NT SID dissection } Raghu Angadi { WCCP capability info dissection bug fix } Taisuke Sasaki { OSPF fixes } Tim Newsham { Support for 802.11+Prism II monitor-mode link-layer headers } Tom Nisbet { Support for reading Visual Networks traffic capture files SLIMP3 protocol version 2 support } Darren New { BXXP dissector modified to be a BEEP dissector } Pavel Mores { TCP time-sequence, round-trip time, and throughput graphs } Bernd Becker { Support for LOCATION_FORWARD, LOCATION_FORWARD_PERM and NEEDS_ADDRESSING_MODE replies in GIOP ethereal_gen.py cleanups Reset the Protocol column to GIOP if no heuristic dissectors succeed Enhancements to TNS dissector, including desegmentation GIOP fixes } Heinz Prantner { M2TP support } Irfan Khan { pppdump reader fixes Van Jacobson decompression support for PPP } Jayaram V.R { PPP multiplexing support } Dinesh Dutt { SCSI dissector, for use by iSCSI and other protocols that transport SCSI operations Fibre Channel (over IP) support, and support for various protocols running atop FC Cisco MDS switch Debug Port Adapter (Boardwalk) FC-inside-Ethernet dissector Cisco MDS switch internal FC-inside-Ethernet dissector } Nagarjuna Venna { Only display the reason in BYE RTCP packets if it's present Support for RTCP-XR support as in RFC 3611 } Jirka Novak { Support for generating filter expressions based on packet list column values Support for adding filter expressions generated from column or protocol tree field values to the current expression rather than replacing the current expression Support for hex dump mode in "Follow TCP Stream" window showing hex and ASCII data } Ricardo Barroetaveña { Enhanced LDP support Support TCP reassembly requiring multiple steps (e.g., reassemble the PDU header to get the length of the PDU, then reassemble the PDU based on that length) } Alan Harrison { Fixes to EtherPeek file reader code } Mike Frantzen { Support for capturing on, and reading captures from, OpenBSD firewall logging virtual interface } Charlie Duke { Added routines to the plugin table } Alfred Arnold { IAPP support } Dermot Bradley { Support for Openwave-specific WSP headers Support for Openwave-specific WSP field names Support for additional WSP content types from Openwave Support for additional WSP language values } Adam Sulmicki { Add more type values for EAP. Fix off-by-one bug when displaying Code of EAP message. Additional AVPs for RADIUS, and making RD_TP_CONNECT_INFO a RADIUS_STRING rather than a RADIUS_STRING_TAGGED Dissect EAP messages inside RADIUS Dissect SSL-encoded stuff inside EAP Cisco LEAP support EAP-TLS reassembly Other EAP enhancements } Kari Tiirikainen { COPS-PR extension support Support for reading MIBs containing converted PIBs in COPS dissector } John Mackenzie { Put missing initializations of table entries in "plugins.c" Register GIOP dissector as a UDP heuristic dissector } Peter Valchev { Fix editcap to assign the result of "getopt()" to an "int" and to check "getopt()"s return value with -1 rather than EOF } Alex Rozin { Support for IEEE 802.1w RST BPDUs } Jouni Malinen { 802.11 authentication frame dissection bug fix Fix offset of challenge element in 802.11 dissector Show fragmented 802.11 frames as fragments EAP bug fix for NAK packets EAP-MD5, EAP-SIM, EAP-PEAP, and EAP-MSCHAPv2 support 802.11g element support 802.11i enhancements New WSC 2.0 attributes and values support Wi-Fi Alliance P2P dissector } Paul E. Erkkila { Skinny Client Control Protocol enhancements Hazelcast Dissector } Jakob Schlyter { SIP method additions } Jim Sienicki { Additional vendor (Issani) for Radius Issani VSA support for Radius } Steven French { Add names for some additional spool service RPCs Decode NT Rename SMB } Diana Eichert { "-q" flag to Tethereal to suppress packet count display } Blair Cooper { WebDAV support } Kikuchi Ayamura { Include to fix IRIX compilation problems } Didier Gautheron { X11 bug fix AppleTalk Transaction Protocol, AppleTalk Stream Protocol, and AppleTalk Filing Protocol support DSI updates "frame.marked" field set on marked frames Don't show progress bar for quick "Find Frame" searches Add "Find Next" and "Find Previous" to repeat searches Move port number from AppleTalk addresses to separate column Put in hidden fields for AppleTalk source and destination addresses AppleTalk Zone Information Protocol support Fix to work with automake 1.7 Fix gtk Makefile entry to rebuild "ethereal-tap-register.c" Fix handling of cross in TCP graph code Fix sequence number overflow problems in TCP graph code and desegmentation code Don't update the progress bar too often (only every 100ms) } Phil Williams { Support for looking up fields by name } Kevin Humphries { Additional PIM hello options support } Erik Nordström { AODV dissection support } Devin Heitmueller { Additional RAP error code Give the user a warning if they click "New" in the filter list editing code without having specified a filter name and string Fix to treat the "send buffer length" in SMB RAP messages as being present in the packet Dissection of NTLMSSP authentication for DCERPC Show proper field names for SAMR UnicodeChangePassword2 Add MD4 and RC4 crypto support Decrypt the NT password encryption block in UnicodeChangePassword2 Supply offset to dissectors for connection-oriented DCERPC PDU types Support for decrypting DCERPC conversations using NTLMSSP version 1 AIM enhancements Follow TCP Stream support for showing stream data as C byte arrays YMSG desegmentation } Chenjiang Hu { ISIS bug fix for dissecting unreserved bandwidths } Kan Sasaki { VSA decoding and other changes to RADIUS } Stefan Wenk { SIP heuristic dissector Filterable header fields in SIP dissector } Ruud Linders { Report errors from "g_module_open()" Heuristic version of the RTP dissector } Andrew Esh { Support for additional interest levels in TRANS2_QUERY_FS_INFORMATION, and fix handling of level 1022 to treat the file name as always being in Unicode Fix a compiler warning Typo fix in iSCSI dissector } Greg Morris { NCP - NetWare Core Protocol NDPS - Novell Distributed Print System "Find Frame" code to search for text or binary data SRVLOC-over-TCP support } Dirk Steinberg { Fixes to BGP problems } Kari Heikkila { Fix for WTP PDUs not containing user data } Olivier Dreux { Add PPP support to GTP } Michael Stiller { Java RMI protocol support } Antti Tuominen { AODV6 support } Martin Gignac { Various MMSE fixes } John Wells { MIP fix. } Loic Tortay { Display AFS KAUTH information } Steve Housley { 802.3ad LACP support } Peter Hawkins { Various bounds-check fixes } Bill Fumerola { Recognize "Option negotiated failed" error in TFTP Rewritten Cisco NetFlow protocol support } Chris Waters { Don't use "bool" as a variable name or structure member, as it's a C++ keyword Check 802.11 FCS if present Put the "wlan.fc.fromds" and "wlan.fc.tods" fields into the protocol tree Export "find_dissector_table()" and add "dissector_handle_get_protocol_index()" Support Tazmen Sniffer Protocol and DLT_TZSP captures from network-based libpcaps that use that protocol MSN Messenger support } Solomon Peachy { WEP support and other mangling of the 802.11 dissector Support for new "wlancap" 802.11 extra-information header } Jaime Fournier { Handle DCE RPC connectionless CANCEL PDUs with no body DCE/RPC stub dissectors for RSEC_LOGIN, RS_ACCT, RS_ATTR, RS_MISC, RS_PGO, RS_REPLIST, RS_UNIX, RPRIV, ROVERRIDE, RS_REPADM, DTSSTIME_REQ, CDS_SOLICIT, CPRPC_SERVER, DTSPROVIDER, UBIKDISK, UBIKVOTE, BOSSVR, FTSERVER, CDS_CLERKSERVER, KRB5RPC, REP_PROC, SECIDMAP, TKN4INT, FLDB, AFS4INT, UPDATE, BUDB, BUTC, RS_BIND, RS_PLCY, ICL RPC, RS_PROP_ACCT, LLB, RDACLIF, RS_ATTR_SCHEMA, RS_PROP_ACL, RS_PROP_ATTR, RS_PROP_PGO, RS_PROP_PLCY, RS_PWD_MGMT, RS_REPMGR DCE RPC EPM version 4 support } Markus Steinmann { Add IPX SAP for SEH's InterCon Printserver Support for writing LANalyzer files } Tsutomu Mieno { DHCPv6 updates } Yasuhiro Shirasaki { DHCPv6 updates } Anand V. Narwani { gtk/Makefile.am fix DOCSIS support, including support for "Ethernet" captures where the raw frame is a DOCSIS frame rather than an Ethernet frame (some Cisco cable-modem head-end gear can send out a trace of all traffic on an Ethernet, but what it sends are the raw bytes of DOCSIS frames, not Ethernet frames) } Christopher K. St. John { Apache JServ Protocol v1.3 support } Nix { Don't add "-I/usr/include" to CFLAGS or CPPFLAGS Expand the plugin directory path at install time } Liviu Daia { Fix to eliminate crash when setting "column.format" preference from the command line } Richard Urwin { Developer documentation fixes and updates Support for a system-wide color filter file and color filter import and export } Prabhakar Krishnan { Add item to SMB protocol tree for time between request and response Dissect NetApp ONTAP file handles } Jim McDonough { Enhancements to SMB and the DCE RPC-based protocols used by SMB NTLMSSP updates } Sergei Shokhor { Bugfix for EPM } Hidetaka Ogawa { Fix PPP FCS computation to include address and control field if present } Jan Kratochvil { Fix to MMSE handling of strings with specified character set } Alfred Koebler { Support for interpreting Ethernet captures as CheckPoint FireWall-1 monitor files (those files look like snoop files for Ethernet) } Vassilii Khachaturov { Put protocol blurbs into tables generated with the "-G fields" flag } Bill Studenmund { Fix handling of SCSI mode sense } Brian Bruns { TDS } Flavio Poletti { Fix bug in decoding of maximum uplink and downlink rate in GTP v1 Handle 3GPP QoS in RADIUS messages } Marcus Haebler { Handle a sub-protocol field of 0x00 as PPP } Ulf Lamping { Put "bytes" after the byte counts for the frame sizes in the top-level item for the "Frame" protocol Put the source and destination MAC addresses into the top-level item for Ethernet Added more information to progress dialog box Change some #define names to avoid name collisions on Windows that cause compiler warnings Decoding of IEEE float and doubles for DCE-RPC Win32 fixes Count ARP packets in capture progress dialog box Show total running time of capture in capture progress dialog box Toolbar Redesign of the print dialog } Matthew Smart { Original Cisco NetFlow protocol support Partial NetFlow V9 support } Luke Howard { NETLOGON bugfix for LogonGetDomainInfo Various NETLOGON fixes } PC Drew { Dissector for the FIX protocol } Renzo Tomas { Skinny bugfix for configStat and serverRes } Clive A. Stubbings { 802.1s Multiple Spanning Tree Protocol } Steve Langasek { Support for MS SQL 7 authentication in TDS } Brad Hards { Support for SRVLOC v2 Support for mDNS/LLMNR "cache flush" bit Label mDNS and DNS differently in the Protocol column Clean up summary line for PTR records Initial rsync support ACAP support DISTCC support Jabber client-to-server protocol support Initial Laplink support } cjs 2895 { Compile fixes for IBM's C compiler for AIX Fix configure check for pcap_version } Lutz Jaenicke { Fix an "htonl()" to use "g_htonl()" } Senthil Kumar Nagappan { Small SCSI dissector fix Small OSPF dissector enhancement } Jason House { Win32 compilation fixes TAP support for TCP protocol } Peter Fales { ARCNET support } Fritz Budiyanto { Assorted GTP fixes } Jean-Baptiste Marchand { Make it possible to filter on UUIDs Fix typo in README.developer Added an MSRPC (DCERPC) atsvc dissector Added descriptions of permissions for SAM_SERVER and SAM_USER objects in SAMR Fix for NETLOGON/DsrGetSiteName and other NETLOGON functions Initial DRSUAPI (Active Directory directory replication) support Changed or added procedure names for a number of DCE RPC interfaces EncryptedFileSystem (EFS) support. MS Eventlog support WKSSVC enhancements File Replication Services (frsrpc and frsapi) support Stub dissectors for rras and pnp MSRPC interfaces } Andreas Trauer { GTP enhancements Add subtrees for each link in a Router-LSA in an OSPF LS Update packet Dissect the L2TP AVPs Initial Received LCP CONFREQ, Last Received LCP CONFREQ, Last Sent LCP CONFREQ } Ronald Henderson { In LDAP dissector, handle Sequence Of header being split across TCP segments Support for colored graphs in Gtk1 version of IO_STAT Make labels for filters in IO_STAT dialog box be "Filter:" buttons to pop up a filter dialog Fix up "snprintf()" and "vsnprintf()" calls in "epan/proto.c" to properly handle string truncation Make "format_text()", on Windows, escape all characters that aren't printable ASCII, as GTK+ for Windows thinks strings are UTF-8 but the strings we give it wouldn't be UTF-8 } Brian Ginsbach { "dissect_rpc_bytes()" routine to allow fixed-length opaque data to be dissected Support for SGI's variant of the ONC RPC mount protocol Support for additional snoop file encapsulations in UNICOS/mp Symbolic names for Fibre Channel Network Address Authority identifiers } Dave Richards { BACNET over 802.2 BACNET-over-ARCNET fix (it's really BACNET-over-802.2-over-ARCNET) } Martin Regner { RPC bug fix PIM bug fixes } Jason Greene { Fix for LDAPv3 modrdn requests } Marco Molteni { Fix a comment to reflect reality } James Harris { RADIUS user password decryption } rmkml { Support for capturing from a pipe in Tethereal } Anders Broman { Additional SCTP payload protocol identifiers Assorted ISUP enhancements MEGACO updates and fixes T.35 country code support for H.245 BICC dissection Multipart media dissector E.164 number dissector Assorted SIP enhancements Assorted DIAMETER enhancements SIP-T dissection PoC1 Application dissection in RTCP Initial SIGCOMP support UMA dissection Parlay dissection RANAP by asn2eth RNSAP dissection NBAP dissection MSRP dissection Initial TIPC support BSSAP+ dissection ULP dissection RRLP Dissection LDAP by asn2wrs SNMP by asn2wrs S1AP by asn2wrs X2AP by asn2wrs RRC by asn2wrs ANSI TCAP by asn2wrs CAMEL by asn2wrs INAP by asn2wrs PCAP by asn2wrs H264 dissection AMR dissection MP4V-ES dissection NAS EPS dissection GTPv2 dissection SGsAP dissection Work on the initial version of the new packet list ROHC dissection Miscellaneous enhancements and fixes } Christian Falckenberg { Initial MEGACO support GPRS SNDCP support } Huagang Xie { MySQL support SSH support } Pasi Kovanen { Display flow label IE in GTP v0 in hex } Teemu Rinta-aho { Draft 20 MIPv6 support } Martijn Schipper { Fix for tag for 802.11g ERP Information field Support for reading AiroPeek files in V9 capture file format (AiroPeek 2.x) } Wayne Parrott { Yahoo Messenger YMSG protocol support } Laurent Meyer { X.25 reassembly Filterable fields in COTP COTP reassembly } Lars Roland { MGCP request/response matching and MGCP statistics tap Common routines for use by statistics taps H.225 message and reason tag counter taps and Service Response Times Tethereal version of SIP statistics tap Support for building libethereal.dll with MSVC } Miha Jemec { Support to follow a RTP stream and save it as a file. Support for G.711 codec Original RTP analysis tap } Markus Friedl { Support for OpenBSD Encapsulating Device Support for Ethernet-within-IP encapsulation Remove duplicate SSH code } Todd Montgomery { Update PGM to RFC 3208 } emre { "Filter out this stream" feature for Follow TCP Stream } Stephen Shelley { Full payload dissection of compliance levels 0, 1 and 2 function codes for Modbus/TCP } Erwin Rol { ArtNET support RTNET support ACN support ENTTEC and RDM support Monotone support } Duncan Laurie { IPMI-over-LAN support (IPMI, RMCP, partial ASF) } Tony Schene { Initial stub Kerberos kadmin support Kerberos-over-TCP support AUTH_GSSAPI support } Matthijs Melchior { TCP support in text2pcap Support for automatically generating all declarations and definitions for plugin ABI from a single file Support for registering fields after all the protocol registration routines are called Generic ASN.1 dissection plugin } Garth Bushell { iSNS support } Mark C. Brown { Improvements to code that reads HP-UX nettl files Cisco Port Aggregation Protocol support Nettl dissector } Can Erkin Acar { Support for new DLT_PFLOG format } Martin Warnes { Support for VMS UCX$TRACE output in wiretap } J Bruce Fields { Some work on packet_rpc.c to support RPCSEC_GSS } tz { Decode the base-64 string for HTTP Basic authorization } Jeff Liu { WPA and WPA IE support } Niels Koot { Support for subdissectors in SUA Assorted SUA fixes DBS Etherwatch file reader enhancements } Lionel Ains { "-d" flag for decode-as support in Tethereal } Joakim Wiberg { Support for Common Industrial Protocol over IP } Jeff Rizzo { sFlow support } Christoph Wiest { Redo MEGACO dissector to more fully parse text-format messages } Xuan Zhang { eDonkey support } Thierry Martin { Support for reading files from Accellent 5Views LAN agents } Oleg Terletsky { LWRES support AgentX support SCTP chunk statistic } Michael Lum { Support for saving list of disabled protocols ANSI TCAP support ANSI MAP support ALCAP (Q.2630.1) support IS-637-A (SMS) support IS-683-A (OTA) support IS-801 (PLD) support BSSAP (GSM 08.06)/BSAP (IOS 4.0.1) support IOS 4.0.1 support GSM BSSMAP (GSM 08.08) support GSM DTAP (3GPP TS 24.008) support GSM SMS (3GPP TS 24.011) support GSM SS (3GPP TS 24.080) support GSM SMS TPDU (3GPP TS 23.040) support GSM Supplementary Services support GSM MAP fixes and parameter separation Taps for ANSI A-interface statistics Support for SS7 point codes as address types Taps for GSM A-interface statistics Tap for ANSI MAP message statistics Tap for ISUP message statistics Tap for GSM MAP message statistics Tap for MTP3 MSU statistics and summary } Shiang-Ming Huang { STUN (RFC 3489) support } Tony Lindstrom { Updates of DHCPV6 dissector to draft-ietf-dhc-dhcpv6-28, draft-ietf-dhc-dhcpv6-opt-prefix-delegation-04, and draft-ietf-dhc-dhcpv6-opt-dnsconfig-03, and addition of NIS and time configuration option drafts draft-ietf-dhc-dhcpv6-opt-nisconfig-02 and draft-ietf-dhc-dhcpv6-opt-timeconfig-02 } Niklas Ogren { H.263 support for RTP } Jesper Peterson { Cisco HDLC FCS support Support for reading Endace ERF files } Giles Scott { Nortel/SynOptics Network Management Protocol support Alteon/Nortel Transparent Proxy Control Protocol support Ethernet MAC Control Frame support Port weak key detection from Airsnort Wlan tap Retix spanning tree protocol support Aruba ADP protocol support } Vincent Jardin { Support for TEREDO Additional DHCPv6 options } Jean-Michel Fayard { Show in Tools:Summary window statistics about packets that passed the current display filter BOOTP/DHCP, HTTP, and WSP statistics taps } Josef Korelus { GPRS Network Service-over-Frame-Relay support GPRS BSSGP support GPRS LLC support } Brian K. Teravskis { Support for saving RTP analysis data in CSV form } Nathan Jennings { Support for user-supplied interface descriptions Support for hiding interfaces in drop-down list in capture dialog } Hans Viens { T.38 Support } Kevin A. Noll { RFC 2833 RTP Events support Support for WLCCP version 0xC1 } Emanuele Caratti { Full TACACS+ dissection } Graeme Reid { H.450 support } Lars Ruoff { Rewritten RTP analysis tap } Samuel Qu { ITU TCAP support } Baktha Muralitharan { Link Management Protocol (LMP) fixes } Loïc Minier { HTTP header and payload desegmentation } Marcel Holtmann { Support for reading Linux Bluez Bluetooth stack "hcidump -w" traces } Scott Emberley { Support for reading Network Instruments version 9 capture files } Brian Fundakowski Feldman { Support for setting link-layer type when capturing } Yuriy Sidelnikov { ISO 8327-1 Session Protocol support ISO 8823 Presentation Protocol support ISO 10035-1 ACSE support ISO 8571 FTAM support } Matthias Drochner { Support for mode 6 and mode 7 control packets, and NTP4 autokey extension data, in NTP } Dave Sclarsky { CPFI support } Scott Hovis { CCSDS (Consultative Committee for Space Data Systems) support } David Fort { DNS DS RR support MLDv2 report message decoding DNS IPSECKEY RR support } Felix Fei { GSM MAP support } Christoph Neusch { V5UA support } Jan Kiszka { IrDA support } Joshua Craig Douglas { Enterasys Interswitch Message Protocol (ISMP) Enterasys Discovery Protocol (EDP) (ISMP subprotocol) } Dick Gooris { Added packet range selections in the save(as) dialog PacketCable support in the COPS dissector Xcsl dissector } Michael Shuldman { X11 replies, events and errors (matched to their request) } Tadaaki Nagao { Added a global version of disabled_protos } Aaron Woo { Optimized Link State Routing Protocol (OLSR) } Chris Wilson { SMPP dissection of concatenated PDUs Separate GSM SMS User Data dissector from the SMPP dissector } Rolf Fiedler { ISDN TEI management frame support Support for reading and writing EyeSDN USB S0 trace files } Alastair Maw { IAX2 support } Sam Leffler { Support for Radiotap 802.11 radio header (header used by FreeBSD 5.2 and later and by NetBSD-current 802.11s mesh support } Martin Mathieson { SIP sipfrag support SIP statistics tap Show setupframe in RTP and RTCP H.225.0 updates MGCP updates RDT (RealPlayer) support MMS support (MS Media Server protocol) PPP Chap updates Catapult DCT2000 file support UMTS FP support LTE: MAC, RLC and PDCP support LTE MAC and RLC Stats Tshark expert info tap } Christian Wagner { Soul Seek (slsk) protocol support } Edwin Calo { Extract strings from a Postgresql datastream } Ian Schorr { "Host list" taps FMP support } Rowan McFarland { Support for Cisco CallManager 4.x in Skinny, CAST support. } John Engelhart { CDP Hello packet support } Ryuji Somegawa { CDMA2000 A11 support } metatech { IBM WebSphere MQ protocol support IBM MQ Programmable Command Formats protocol support Initial BEA Tuxedo protocol support Distributed Relational Database Architecture protocol support Borland StarTeam protocol support Adobe Real Time Messaging Protocol support ActiveMQ OpenWire protocol support } Brian Wheeler { DOCSIS 2.0 support } Josh Bailey { IPDC support Lucent/Ascend trace parsing updates } Jelmer Vernooij { AIM enhancements DCOM IRemUnknown and IRemUnknown2 support BitTorrent support } Duncan Sargeant { Cisco SS7 RUDP, RLM, and Session Management support } Love Hörnquist Åstrand { HAVE_HEIMDAL_KERBEROS support to allow Ethereal to use heimdal libraries to decrypt kerberos encrypted blobs. } Lukas Pokorny { RTPS (Real-Time Publish-Subscribe) support } Carlos Pignataro { Graceful Restart Mechanism for LDP [RFC3478] Fault Tolerance for LDP [RFC3479] Other LDP enhancements PPP OSI Network Layer Control Protocol [RFC1377] Fix dissecting of CLNS Protocols over Cisco HDLC PWE3 Interface parameter additions and miscelaneous updates from various IETF PWE3 drafts MPLS PW Control Channel Header Multiprotocol Label Switching Echo [draft-ietf-mpls-lsp-ping-05] MPLS in Generic Routing Encapsulation (GRE) OSPF Traffic Engineering enhancements MP-BGP Updates BGPv4 SAFI-Specific Attribute support Tunnel SAFI support for BGP Layer Two Tunneling Protocol version 3 [L2TPv3] updates and enhancements MPLS Echo updates and Label Switching Router Self-Test [draft-ietf-mpls-lsr-self-test-04] support } Thomas Anders { PacketCable DHCP options PacketCable (PKTC) updates and enhancements MGCP sub-parameter dissection SNMP Engine ID dissection for SNMP and PKTC } Rich Coe { DICOM support } Dominic Béchaz { IEEE 1588 / PTP support EPL v1 support } Richard van der Hoff { IAX2 updates CRC16 routines H.223 Support Exception logic fixes } Shaun Jackman { RDM enhancements Serial Infrared support IrDA support MPEG support } Jon Oberheide { giFT support } Henry Ptasinski { Support for 802.11e WME/QoS info } Roberto Morro { Support for GMPLS UNI and E-NNI objects/TLVs in RSVP and OSPF RSVP: Support for PROTECTION obj c-type 2 (RFC4872), new TLVs for IF_ID (RFC4920), Path Key subobj in ERO (RFC5520), new ASSOCIATION obj c-type 4 (oif2008.389), new LSP_ATTRIBUTES and LSP_REQUIRED_ATTRIBUTES objects (RFC5420), and various changes/improvements } Chris Maynard { Add support for RFC 2520: NHRP with Mobile NHCs and RFC 2735: NHRP Support for Virtual Private Networks Add support for PPP-over-USB WakeOnLAN support Miscellaneous enhancements and fixes } SEKINE Hideki { Routines for AX/4000 Test Block dissection } Jeff Connelly { MANOLITO support } Irene Rüngeler { ISC DHCP Server 3.0 failover protocol dissection } Kelly Byrd { DAAP support } Luis Ontanon { MATE plugin H.248 context tracing ALCAP call tracing RADIUS dictionary support XML dissector (DTD support) IuUP dissector Lua interface Tektronix K12 rf5 file support SNMPv3 decryption support } Luca Deri { NetFlow v9 enhancements } Viorel Suman { TALI (RFC 3094) support Various GSM SMS fixes Computer Interface to Message Distribution (CIMD) version 2 dissection } Alejandro Vaquero { RTP graphic analysis VoIP call analysis } Francesco Fondelli { ICE protocol support DCCP protocol support ITU-T Y.1711 (OAM mechanism for MPLS networks) support RSVP/OSPF Extensions for Support of Diffserv-aware MPLS-TE, RFC 4124 Linux Packet Generator support rval_to_str() and alike Export the capture file into C Arrays format PW Associated Channel Header dissection, RFC 4385 PW MPLS Control Word dissection, RFC 4385 MPLS subdissector table indexed by label value enhanced "what's past last MPLS label?" heuristic Ethernet PW (with/without CW) support, RFC 4448 ATM PW (with/without CW) support, RFC 4717 LMP, update to RFC 4204 RSVP extensions for G.709 Optical Transport Networks Control, RFC 4328 Update GMPLS GPID, Switching and Encoding type values Support for generalized label interpretation: SUKLM format for SONET/SDH label (RFC 4606), t3t2t1 format for G.709 ODUk label (RFC 4328), G.694 format for lambda label (draft-ietf-ccamp-gmpls-g-694-lambda-labels-05). Add related user preference option. RSVP IF_ID ERROR_STRING TLV support, RFC 4783 Support for Vendor Private objects, RFC 3936 Support for MPLS Packet Loss and Delay Measurement, RFC 6374 Support for DCCP Simultaneous-Open for NAT Traversal, RFC 5596 MPLS-TP Protection State Coordination (PSC) Protocol, RFC 6378 Support for Shared Use of Experimental TCP Options Support for TCP Fast Open } Artem Tamazov { Frame Relay PW in MPLS PSN, FR DLCI mode, RFC 4619 SAToP PW in MPLS PSN, no RTP headers, RFC 4553 SAToP PW in IP PSN/UDP demux, no RTP headers, RFC 4553 CESoPSN PW in MPLS PSN, Basic NxDS0 mode, no RTP headers, RFC 5086 CESoPSN PW in IP PSN/UDP demux, Basic NxDS0 mode, no RTP headers, RFC 5086 ATM PW in MPLS PSN, RFC 4717 LLC SNAP auto-detection in ATM decoder "Raw" BFD support in MPLS PW Associated Channel, RFC 4385 Decoding of UDP-multiplexed CESoPSN and SAToP traffic } Dmitry Trebich { Preference for selecting default dissector for MPLS payloads. HDLC PW in MPLS PSN, HDLC mode (no CW) with PPP payload, RFC 4618 5.1 HDLC PW in MPLS PSN, FR port mode (no CW), RFC 4618 5.2 Frame Relay PW in MPLS PSN, FR DLCI mode, RFC 4619 SAToP PW in MPLS PSN, no RTP headers, RFC 4553 CESoPSN PW in MPLS PSN, Basic NxDS0 mode, no RTP headers, RFC 5086 } Bill Meier { TDS4/TDS5 enhancements NetXRay/Windows Sniffer file enhancements TCP graph enhancements } Susanne Edlund { NSIP protocol support } Victor Stratan { GSM SMS enhancements } Peter Johansson { "Template" conversations } Stefan Metzmacher { LDAP Controls support in the LDAP dissector WINS Replication protocol Various SMB/SMB2 dissector enhancements } Abhijit Menon-Sen { Postgresql v3 dissector } James Fields { Correctly handle time stamps in some Windows Sniffer files } Kevin Johnson { Correctly handle time stamps in some Windows Sniffer files } Mike Duigou { Dissector for JXTA protocol } Deepak Jain { L2TP v3 support Next Hop Resolution Protocol support } Stefano Pettini { RMT support for ALC and NORM } Jon Ringle { Conversations demarked by setup frame number } Tim Endean { Dissector for INAP protocol } Charlie Lenahan { Support for the Cisco DTP Protocol Support for some HP switch protocol } Takeshi Nakashima { Support for the KINK protocol. } Shoichi Sakane { IKEv2 support COAP protocol support } Michael Richardson { SAMR updates and new info levels } Olivier Jacques { Support for the Camel protocol. } Francisco Alcoba { ASCII art version of VOIP call analysis } Nils O. Selåsdal { 9P support } Guillaume Chazarain { Armagetronad support } Angelo Bannack { CSM_ENCAPS support } Paolo Frigo { TANGO support } Jeremy J Ouellette { DIS support } Aboo Valappil { iFCP support } Fred Hoekstra { DEC DNA Routing support } Ankur Aggarwal { IEEE 802.11e (QoS) decoding Improved IEEE 802.11h decoding } Lucian Piros { Computer Interface to Message Distribution (CIMD) version 2 dissection } Juan Gonzalez { LLDP dissection } Brian Bogora { LLDP dissection } Jim Young { Improvements LLDP dissection (803.3 "PMD Auto-Negotiation Advertised Capability" and "Operational MAU Type") Capinfos time order checking Editcap time order forcing } Jeff Snyder { Desegmentation support in IAX2 H.223 Support } William Fiveash { Kerberos PA_ENCTYPE_INFO2 and aes crypto defines } Graeme Lunt { ROS support RTS support X.411 (P1) support X.420 (P22) support STANAG 4406 (P772) support X.500 (DAP) support X.500 (DSP) support X.500 (DISP) support } Menno Andriesse { http://s5066.nc3a.nato.int STANAG 5066 support } Stig Bjørlykke { P_Mul (ACP142) packet disassembly CDT (CompressedDataType) support DMP (STANAG 4406 Direct Message Profile) support COTP and RTSE reassembly improvements Configuration Profiles WLAN Traffic Statistics Filter autocompletion usability improvements Remote capture improvements and RPCAP support BJNP, DropBox, Memcache, nat-pmp, PacketLogger, rpcap Improved dissectors using ASN.1 (BER). Lua functions and improvements. Statistics improvements (Protocol Hierarchy, Conversations, IO Graph) Column handling functions (right-click column headers) Enhancements and fixes in the new packet list Various User Guide updates Miscellaneous enhancements and fixes } Kyle J. Harms { CIGI dissection } Eric Wedel { KPASSWD over TCP support } Secfire { OICQ Juniper NSRP } Eric Hultin { CableLab's DCC packet DCD packet } Paolo Abeni { SSL-decryption Dissector for USB packets and pcap/wiretap support } W. Borgert { GIOP enhancements } Frederic Roudaut { IPsec ESP payload decryption } Christoph Scholz { Bluetooth stack: http://affix.sourceforge.net/archive/ethereal_affix-3.patch } Wolfgang Hansmann { Part of bluetooth stack from http://affix.sourceforge.net/archive/ethereal_affix-3.patch } Kees Cook { TiVoConnect Discovery Protocol } Thomas Dreibholz { RSerPol protocol stack Scripting Service Protocol support } Authesserre Samuel { SSL decryption updates DTLS } Balint Reczey { Lua fixes and enhancements Miscellaneous enhancements and fixes } Stephen Fisher { REXEC support Veritas Low Latency Transport support MAPI new mail protocol support Initial work on custom columns VNC protocol support WoW protocol support Daytime protocol support Part of WLCCP support commview and packetlogger wiretap support Export Object support Pixmap saving routines Work on the initial version of the new packet list Miscellaneous enhancements and fixes } Krzysztof Burghardt { KISMET support } Peter Racz { PANA support } Jakob Bratkovic { Multicast stream analysis support } Mark Lewis { 2dParityFec dissector } David Buechi { EPL v1 support } Bill Florac { ACN support } Alex Burlyga { NetApp NFS filehandle dissectors } Douglas Pratley { Epoch timestamps } Giorgio Tino { AirPcap support WPA UI support Static text preferences } Davide Schiera { WPA and WPA2 decryption } Sebastien Tandel { embedding python in *shark subtrees management for ptvcursor gcc warning hunter Homeplug support } Clay Jones { Shomiti wireless packet support 802.11n support } Kriang Lerdsuwanakij { SSCOP improvements K12-rf5 file format improvements } Abhik Sarkar { Support for decoding of SS7 MSUs embedded in syslog messages (as generated by the Cisco ITP packet logging facility) SMPP statistics SMPP update to v5.0 Diameter conversations and statistics UAT for unknown HTTP headers } Robin Seggelmann { Support for SCTP reassembly. Improve chunk statistics. } Chris Bontje { Support for DNP3 Application Layer dissection Support for SEL Fast Message dissection } Ryan Wamsley { Connection Configuration Object support in EtherNet/IP } Dave Butt { RTP payload reassembly support H.223-over-RTP support } Julian Cable { DCP ETSI support } Joost Yervante Damad { Erlang Port Mapper Daemon dissection support } Martin Sustrik { AMQP support } Jon Smirl { USB conversations/endpoints list } David Kennedy { Symantec SGS v3 support } Matthijs Mekking { Shim6 support } Dustin Johnson { 802.11n support } Victor Fajardo { PANA draft 15a support } Tamas Regos { Lua Enhancements } Môshe van der Sterre { Firebird/Interbase dissection } Rob Casey { Kingfisher support } Ted Percival { Support for PA-S4U2Self Kerberos packet type } Marc Petit-Huguenin { Update STUN2 to draft-ietf-behave-rfc3489bis-07 } Florent Drouin { TCAP statistics } Karen Feng { 802.1ad and 802.1ah support } Stephen Croll { WiMAX ASN Control Plane dissection } Jens Bräuer { Wifi Simple Config aka Wifi Protected Setup } Sake Blok { Cisco proprietary MST format support "Copy as Filter" functionality Split time_delta in time delta captured and time delta displayed NetScreen snoop output (ascii) support TCP Conversation timestamps enable/disable indiviual coloring rules temporary coloring rules with hotkeys Copy Fieldname / Copy Value Ignore all packets functionality Enable printing of all occurrences of fields Follow TCP stream enhancements Export SSL Session Keys VSS-Monitoring dissector Miscellaneous enhancements and fixes } Fulko Hew { SITA protocol dissection (ALC, UTS, Frame Relay, X.25) UTS WAN protocol dissection IPARS/ALC (International Passenger Airline Reservation System/Airline Link Control) WAN protocol dissection } Yukiyo Akisada { FOUNDATION fieldbus } Andy Chu { China Mobile Point to Point } Shane Kearns { Support Symbian OS btsnoop } Loris Degioanni { Rawshark } Sven Meier { PRP (Parallel Redundancy Protocol; IEC62439 Chapter 6) dissection } Holger Pfrommer { Hilscher analyzer protocols dissection } Hariharan Ananthakrishnan { ISIS LSP-ID and hostname enhancements } Hannes Kälber { Automotive DLTs } Stephen Donnelly { Infiniband support } Philip Frey { iWARP dissectors (MPA, DDP and RDMAP) } Yves Geissbuehler { iWARP dissectors (MPA, DDP and RDMAP) } Shigeo Nakamura { Xpress Transport Protocol dissector } Sven Eckelmann { B.A.T.M.A.N. dissector B.A.T.M.A.N. Advanced dissector } Edward J. Paradise { RFC4938bis enhancements to PPPoE } Brian Stormont { WPA group key decryption } Vincent Helfre { SNDCP XID dissection } Brooss { Teamspeak2 dissector } Joan Ramió { IEC 60870-5-104 dissector } David Castleford { ISMACryp dissector Simulcrypt dissector } Peter Harris { X11 extension decoding X11 dissector fixes } Martin Lutz { IEC 61850 GOOSE Dissector } Johnny Mitrevski { BSSAP LE Dissector } Neil Horman { Netdump dissector } Andreas Schuler { DECT dissector } Matthias Wenzel { DECT dissector } Christian Durrer { sbus dissector } Naoyoshi Ueda { IKEv2 decryption support TLS 1.2 decryption support DTLS 1.0 decryption fixes } Javier Cardona { Mesh header dissector } Jens Steinhauser { IEEE C37.118 synchrophasor dissector } Julien Kerihuel { Exchange RFR dissector } Vincenzo Condoleo { IP packet comparison } Mohammad Ebrahim Mohammadi Panah { Initial Paltalk support } Greg Schwendimann { WPA decryption security association caching } Nick Lewis { Show timestamp problems in RTP player } Fred Fierling { Daintree's Sensor Network Analyzer file support } Samu Varjonen { Host Identity Protocol (HIP) support } Alexis La Goutte { Add FT_EUI64 Field Type Aruba ERM dissector ATMTCP dissector CAPWAP dissector PAPI dissector MONGO dissector WebSocket dissector Miscellaneous ISAKMP enhancements Miscellaneous ICMPv6 enhancements Miscellaneous 802.11 enhancements Packet TCP Mood Option (RFC5841) support PPTP, GRE, PPP PAP, RIPng dissector enhancements (Rework) } Varun Notibala { SCTP NR-SACK support } Nathan Hartwell { HP NIC Teaming dissector } Don Chirieleison { DTN Bundle Protocol } Harald Welte { GSM A-bis over IP dissector } Chris Costa { Add defragmentation code to NDMP dissectot Properly decode SMB2 error response } Bruno Prémont { CollectD dissector } Florian Forster { CollectD dissector } Ivan Sy Jr. { Added DNS RRs: DLV, SSHFP, SPF, HIP, DHCID, NSEC3PARAM, APL, PX, GPOS, NSAP, NSAP-PTR, AFSDB, RP, X25, ISDN, RT, RR Allow some network control block addresses with ttl != 1. Miscellaneous IPv6 enhancements. } Matthieu Patou { NTLM v1 and v2 decryption. LDAP fixes. Netlogon/Schannel decryption. } Kovarththanan Rajaratnam { Work on the new packet list. Miscellaneous fixes and enhancements. } Matt Watchinski { OMRON-FINS dissector } Ravi Kondamuru { Support to read citrix netscaler capture file format. } Jan Gerbecks { PNRP dissector } Vladimir Smrekar { V.52 dissector V5UA dissector } Tobias Erichsen { Apple network-midi session establishment dissector } Erwin van Eijk { ETSI ts 101 671 dissector } Venkateshwaran Dorai { Server/Application State Protocol [SASP] (RFC 4678 ) dissector } Ben Greear { LANforge dissector } Richard Kümmel { EtherCAT dissector } Yi Yu { Updates to the sFlow dissector } Aniruddha A { ANCP (Access Node Control Protocol) dissector } David Aggeler { Numerous DICOM dissector enhancements and fixes VMLAB (VMware Lab Manager) dissector } Jens Kilian { VXI-11 (a.k.a. Network Instrument Protocol) dissector } David Bond { TRILL (TRansparent Interconnection of Lots of Links) dissector } Paul J. Metzger { Add support for decoding DIS Electromagnetic Emission packets } Robert Hogan { TN3270 fixes TN5250 dissector } Torrey Atcitty { PTP dissector: Added support for 802.1AS D7.0 IEEE 802.1Qat (Multiple Stream Reservation Protocol) dissector IEEE 1722(AVB Transport Protocol) dissector } Dave Olsen { PTP dissector: Added support for 802.1AS D7.0 IEEE 1722(AVB Transport Protocol) dissector } Craig Gunther { IEEE 802.1Qat (Multiple Stream Reservation Protocol) dissector } Levi Pearson { IEEE 1722(AVB Transport Protocol) dissector } Allan M. Madsen { Bluetooth HCI cmd/evt dissectors ver. 2.1-4.0 support Bluetooth ATT dissector Bluetooth OBEX dissector Bluetooth SMP dissector } Slava { Support for PortCounters and PortCounters Extended performance management datagrams (Infiniband) Support for Infiniband-SDP } H.sivank { GtkOSXApplication support } Edgar Gladkich { Protocol help } Michael Bernhard { IEC 61850 dissector } Holger Hans Peter Freyther { NexusWare C7 MTP over UDP dissector DVB-H IPDC ESG } Jose Pico { Routines for exporting SMB objects } David Perez { Routines for exporting SMB objects } Håkon Nessjøen { Mikrotik RouterOS protocol dissector Digium TDMoE protocol dissector } Herbert Lischka { BACNET dissector fixes and enhancements } Felix Krämer { Stats Tree for BACapp dissector } Tom Hughes { FCGI dissector } Owen Kirby { SCoP dissector RPL support in ICMPv6 (with Colin O'Flynn) } Colin O'Flynn { RPL support in ICMPv6 (with Owen Kirby) } Juha Siltanen { FLIP dissector } Cal Turney { NFS access tracking tshark version of the SCSI tap } Lukasz Kotasa { WAI authentication protocol } Jason Masker { Updates for Cisco ERSPAN Type III (version 2) } Giuliano Fabris { Enhanced DVB Simulcrypt protocol dissector: EIS <-> SCS, (P)SIG <-> MUX, MUX <-> CiM and (P) <-> CiP support } Alexander Koeppe { TCP Graph - Window Scaling FTP Extensions for IPv6 and NATs (RFC2428) } Holger Grandy { ETCH dissector } Hadriel Kaplan { IPFIX wiretap support } Srinivasa Pradeep { LDP dissector: Add/Update PseudoWire TLV support } Lori Tribble { Support for vendor-specific subdissectors for BACnet Private Transfer Messages } Thomas Boehne { ADwin and ADwin-config protocol dissectors } Gerhard Gappmeier { OPCUA dissector plugin } David Katz { Support for versioning in the WiMAX ASN CP dissector } Toralf Förster { SAMETIME dissector } Stéphane Bryant { RELOAD dissector RELOAD Framing dissector } Emil Wojak { TDS dissector improvements } Steve Huston { AMQP 0-10 support } Loránd Jakab { Locator/ID Separation Protocol dissector } Grzegorz Szczytowski { Diameter dictionary RFC 3588 AVP 299 GTPv1 Bearer Control Mode dissection E212 dissector MCC 260 upgrade and modification } Martin Kaiser { DVB-CI (Common Interface) dissector HDCP dissector } Jakub Zawadzki { JSON dissector Wiretap cleanup and support for fast random access to gzipped files } Roland Knall { Support for heuristic subdissectors for SERCOS III openSAFETY dissector } Xiao Xiangquan { BT-UTP dissector BT-DHT dissector Vuze-DHT dissector } Hans-Christoph Schemmel { 3GPP TS 27.010 multiplexing protocol } Tyson Key { USB-encapsulated AT Commands dissector } Johannes Jochen { Multiple MAC Registration Protocol dissector } Florian Fainelli { HomePlug AV protocol dissector } Daniel Willmann { CN/IP (EIA-852) protocol dissector Lontalk protocol (EIA-709.1) dissector } Brian Cavagnolo { Update 802.11s packet dissecting } Allison { HDFS and HDFS data Dissector } Edwin Groothuis { Time Shift functionality Filter Toolbar Save functionality } Andrew Kampjes { Endace ERF channelisation and "New BFS" extension header support } Kurnia Hendrawan { Saving User Specified Decodes into profile } Leonard Tracy { Cisco FabricPath protocol dissector } Elliott Aldrich { Various icons } Glenn Matthews { XMCP dissector } Donnie Savage { EIGRP TLV 2.0 and 3.0 support SAF support } Spenser Sheng { LCS-AP support } Benjamin Stocks { CIP Motion dissector } Florian Reichert { HSR and PRP-1 dissector } Martin Renold { HSR and PRP-1 dissector } Iain Arnell { ajp13 enhancements } Mariusz Okrój { XMPP enhancements } Ivan Lawrow { Added IEEE 802.15.4-2003 AES-CCM security modes } Kari Vatjus-Anttila { kNet (KristalliNet) dissector } Shobhank Sharma { MPLS Enhancement - Generic Associated Channel, as per RFC 5586 } Salil Kanitkar { OSPF Router Informational Capabilities - Opaque RI TLV - RFC4970 OSPF Dynamic Hostname TLV in RI Opaque TLV - RFC5642 } Michael Sakaluk { BGP Encapsulation SAFI support (RFC 5512) Load balancing for mesh softwires (RFC 5640) } Mayuresh Raut { LSP ping over MPLS tunnels (RFC 6424) } Sheetal Kshirsagar { RPL SRH dissector enhancements (RFC 6554) } Andrew Williams { IPv6 preference for RPL SRH strict compliance to RFC 6554 } Per Liedberg { RoHC dissection improvments } Gaurav Tungatkar { Extended ICMP - Multipart Message Support (RFC 4884) and Extension for Interface and Next-Hop } Bill Schiller { HART/IP dissector } Aditya Ambadkar { Support for flow label sub-tlv according to RFC 6391 } Diana Chris { Support for flow label sub-tlv according to RFC 6391 } Guy Martin { DVB-DATA MultiProtocol Encapsulation dissector DVB Event Information Table (EIT) dissector DVB Network Information Table (NIT) dissector DVB Service Description Table (SDT) dissector DVB Time and Date Table (TDT) dissector DVB Time Offset Table (TOT) dissector DVB Bouquet Association Table (BAT) dissector MPEG2 Conditional Access Table (CA) dissector MPEG2 descriptors dissector MPEG2 Program Associate Table (PAT) dissector MPEG2 Program Map Table (PMT) dissector MPEG2 Section dissector } Deepti Ragha { Additions to ARP dissector to support opcodes as specified by IANA in http://www.iana.org/assignments/arp-parameters/arp-parameters.xml } Niels de Vos { Gluster dissectors } Clement Marrast { WSE Remote Ethernet protocol } Jacob Nordgren { UMTS FP/MAC/RLC dissection enhancement based on NBAP signaling } Rishie Sharma { UMTS FP/MAC/RLC dissection enhancement based on NBAP signaling } Richard Stearn { AX.25 support } Tobias Rutz { DVB-S2 Baseband Frame and GSE support } Michal Labedzki { Bluetooth BNEP dissector Bluetooth HID dissector Bluetooth SAP dissector Bluetooth AVCTP dissector Bluetooth AVRCP dissector Bluetooth HCI USB transport dissector Bluetooth MCAP dissector Bluetooth HCRP dissector Bluetooth AVDTP/A2DP/VDP/SBC dissectors } Wido Kelling { Profinet: Updated disecction regarding the IEC 61158 } Kaushal Shah { Support for Type Classification of Experimental and Reserved sub-TLVs as per Section 6 of RFC3630 } Subramanian Ramachandran { Support for BFD for MPLS LSP's as per RFC 5884 } Manuel Hofer { OpenVPN dissector } Gaurav Patwardhan { Support for GTSM Flag as per RFC 6720 } Peter Hatina { Gtk3 Wireshark fixes } Tomasz Moń { USBPcap support } and by: Georgi Guninski Jason Copenhaver Eric Perie David Yon Marcio Franco Kaloian Stoilov Steven Lass Gregory Stark Darren Steele Michael Kopp Bernd Leibing Chris Heath Gisle Vanem Ritchie Aki Immonen David E. Weekly Steve Ford Masaki Chikama Mohammad Hanif Reinhard Speyerer Patrick Kursawe Arsen Chaloyan Arnaud Jacques D. Manzella Jari Mustajarvi Pierre Juhen David Richards Shusaku Ueda Jonathan Perkins Holger Schurig Peter J. Creath Magnus Hansson Pavel Kankovsky Nick Black Bill Guyton Chernishov Yury Thomas Palmer Clinton Work Joe Marcus Clarke Kendy Kutzner James H. Cloos Jr. Tim Farley Daniel Thompson Chris Jepeway Matthew Bradley Nathan Alger Stas Grabois Ainsley Pereira Philippe Mazeau Carles Kishimoto Dennis Lim Martin van der Werff Marco van den Bovenkamp Ming Zhang Neil Piercy Rémi Denis-Courmont Thomas Palmer Mårten Svantesson Steve Sommars (e-mail address removed at contributor's request) Kestutis Kupciunas René Pilz Laurent Constantin Martin Pichlmaier Mark Phillips Nils Ohlmeier Ignacio Goyret Bart Braem Shingo Horisawa Lane Hu Marc Poulhiès Tomasz Mrugalski Brett Kuskie Brian Caswell Yann Julien Leproust Mutsuya Irie Yoshihiro Oyama Chris Eagle Dominique Bastien Nicolas Dichtel Ricardo Muggli Vladimir Kondratiev Jaap Keuter Frederic Peters Anton Ivanov Ilya Konstantinov Neil Kettle Steve Karg Javier Acuna Miklos Szurdi Cvetan Ivanov Vasanth Manickam Julian Onions Samuel Thibault Peter Kovář Paul Ollis Dominik Kuhlen Karl Knoebl Maria-Luiza Crivat Brice Augustin Matt Thornton Timo Metsala Tomer Shani Manu Pathak John Sullivan Martin André Andrei Emeltchenko Kirby Files Ravi Valmikam Diego Pettenò Daniel Black Christoph Werle Aaron Christensen Ian Abel Bryant Eastham Taner Kurtulus Joe Breher Patrick vd Lageweg Thomas Sillaber Mike Davies Boris Misenov Joe McEachern Charles Lepple Tuomas Maattanen Joe Eykholt Ian Brumby Todd J Martin Scott Robinson Martin Peylo Stéphane Loeuillet Andrei Rubaniuk Mikael Magnusson Timo Teräs Márton Németh Kai Blin Olivier Montanuy Thomas Morin Jesus Roman Giodi Giorgi Peter Hertting Jess Balint Bahaa Naamneh Magnus Sörman Roy Marples Ward van Wanrooij Federico Mena Quintero Andreas Heise Alex Lindberg Rama Chitta Roberto Mariani Sandhya Gopinath Raghav SN Murali Raja Devesh Prakash Darryl Champagne Michael Speck Gerasimos Dimitriadis Robert Simac Johanna Sochos Felix Obenhuber Hilko Bengen Hadar Shoham Robert Bullen Chuck Kristofek Markus Renz Toshihiro Kataoka Petr Lautrbach Frank Lahm Jon Ellch Alex Badea Dirk Jagdmann RSA Juliusz Chroboczek Vladimir Kazansky Peter Paluch Tom Brezinski Nick Glass Michael Mann Romain Fliedel Michael Chen Paul Stath DeCount Andras Veres-Szentkiralyi Jakob Hirsch Роман Донченко Evan Huus Tom Cook Tom Alexander Klaus Heckelmann Ben Bowen Bodo Petermann Martin Kupec Litao Gao Niels Widger Pontus Fuchs Bill Parker Tomofumi Hayashi Tim Hentenaar Krishnamurthy Mayya Nikitha Malgi Adam Butcher Hendrik Uhlmann Alex Gaertner Sebastiano Di Paola Steven J. Magnani David Arnold Dario Lombardo Alexander Chemeris Ivan Klyuchnikov Max Baker Mike Garratt Bart Van Assche Karl Beldan Masayuki Takemura Dan Lasley gave permission for his dumpit() hex-dump routine to be used. Mattia Cazzola provided a patch to the hex dump display routine. We use the exception module from Kazlib, a C library written by Kaz Kylheku . Thanks go to him for his well-written library. The Kazlib home page can be found at http://users.footprints.net/~kaz/kazlib.html We use Lua BitOp, written by Mike Pall, for bitwise operations on numbers in Lua. The Lua BitOp home page can be found at http://bitop.luajit.org/ Henrik Brix Andersen gave permission for his webbrowser calling routine to be used. Christophe Devine gave permission for his SHA1 routines to be used. snax gave permission to use his(?) weak key detection code from Airsnort. IANA gave permission for their port-numbers file to be used. ======================================================================== * README.macos ======================================================================== $Id$ This file tries to help building Wireshark for (Mac) OS X (Wireshark does not work on earlier versions of Mac OS). You must have the developer tools (called Xcode) installed. For versions of OS X up to and including Snow Leopard, Xcode 3 should be available on the install DVD; Xcode 4 is available for download from developer.apple.com and, for Lion and later releases, from the Mac App Store. See http://guide.macports.org/chunked/installing.xcode.html for details. For Xcode 4, you will need to install the command-line tools; select Preferences from the Xcode menu, select Downloads in the Preferences window, and install Command Line Tools. You must have X11 and the X11 developer headers and libraries installed; otherwise, you will not be able to build or install GTK+, and will only be able to build TShark. The X11 and X11 SDK that come with Mac OS X releases for releases from Panther to Lion can be used to build and run Wireshark. Mountain Lion does not include X11; you should install X11 from elsewhere, such as http://xquartz.macosforge.org/ You must also have GLib and, if you want to build Wireshark as well as TShark, GTK+. The macosx-setup.sh script can be used to download, patch as necessary, build, and install those libraries and the libraries on which they depend; it will, by default, also install other libraries that can be used by Wireshark and TShark. The versions of libraries to download are specified by variables set early in the script; you can comment out the settings of optional libraries if you don't want them downloaded and installed. Before running the macosx-setup.sh script, and before attempting to build Wireshark, make sure your PKG_CONFIG_PATH environment variable's setting includes both /usr/X11/lib/pkgconfig and /usr/local/lib/pkgconfig. After you have installed those libraries: If you are building from a Git tree, rather than from a source distribution tarball, run the autogen.sh script. This should not be necessary if you're building from a source distribution tarball, unless you've added new source files to the Wireshark source. Then run the configure script, and run make to build Wireshark. If you upgrade the major release of OS X on which you are building Wireshark, we advise that, before you do any builds after the upgrade, you do, in the build directory: If you are building from a release tarball: make distclean If you are building from Git: make maintainer-clean ./autogen.sh Then re-run the configure script and rebuild from scratch. On Snow Leopard (10.6) and later releases, if you are building on a machine with a 64-bit processor (with the exception of the early Intel Core Duo and Intel Core Solo machines, all Apple machines with Intel processors have 64-bit processors), the C/C++/Objective-C compiler will build 64-bit by default. This means that you will, by default, get a 64-bit version of Wireshark. One consequence of this is that, if you built and installed any required or optional libraries for Wireshark on an earlier release of OS X, those are probably 32-bit versions of the libraries, and you will need to un-install them and rebuild them on your current version of OS X, to get 64-bit versions. Some required and optional libraries require special attention if you install them by building from source code on Snow Leopard and later releases; the macosx-setup.sh script will handle that for you. GLib - the GLib configuration script determines whether the system's libiconv is GNU iconv or not by checking whether it has libiconv_open(), and the compile will fail if that test doesn't correctly indicate whether libiconv is GNU iconv. In OS X, libiconv is GNU iconv, but the 64-bit version doesn't have libiconv_open(); a workaround for this is to replace all occurrences of "libiconv_open" with "iconv_open" in the configure script before running the script. The macosx-setup.sh setup script will patch GLib to work around this. GTK+ - GTK+ 2.24.10, at least, doesn't build on Mountain Lion with the CUPS printing backend - either the CUPS API changed incompatibly or the backend was depending on non-API implementation details. The macosx-setup.sh setup script will, on Mountain Lion and later, configure GTK+ with the CUPS printing backend disabled. libgcrypt - the libgcrypt configuration script attempts to determine which flavor of assembler-language routines to use based on the platform type determined by standard autoconf code. That code uses uname to determine the processor type; however, in Mac OS X, uname always reports "i386" as the processor type on Intel machines, even Intel machines with 64-bit processors, so it will attempt to assemble the 32-bit x86 assembler-language routines, which will fail. The workaround for this is to run the configure script with the --disable-asm argument, so that the assembler-language routines are not used. The macosx-setup.sh will configure libgcrypt with that option. PortAudio - when compiling on OS X, the configure script for the pa_stable_v19_20071207 version of PortAudio will cause certain platform-dependent build environment #defines to be set in the Makefile rules, and to cause a universal build to be done; those #defines will be incorrect for all but one of the architectures for which the build is being done, and that will cause a compile-time error on Snow Leopard. Newer versions don't have this problem, but still fail to build on Lion if a universal build is attempted. The macosx-setup.sh script downloads a newer version, and also suppresses the universal build. GeoIP - Their man pages "helpfully" have an ISO 8859-1 copyright symbol in the copyright notice, but OS X's default character encoding is UTF-8. sed on Mountain Lion barfs at the "illegal character sequence" represented by an ISO 8859-1 copyright symbol, as it's not a valid UTF-8 sequence. The macosx-setup.sh script uses iconv to convert the man page files from ISO 8859-1 to UTF-8. If you want to build Wireshark installer packages on a system that doesn't include Xcode 3.x or earlier, you will need to install some additional tools. From the Xcode menu, select the Open Developer Tool menu, and then select More Developer Tools... from that menu. That will open up a page on the Apple Developer Connection Web site; you may need a developer account to download the additional tools. Download the Auxiliary Tools for Xcode package; when the dmg opens, drag all its contents to the Contents/Applications subdirectory of the Xcode.app directory (normally /Applications/Xcode.app/Contents/Applications); then copy .../Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker to /usr/bin/packagemaker (the PackageMaker app, when run from the command line rather than as a double-clicked app, is the packagemaker command). ======================================================================== * doc/README.developer ======================================================================== $Revision$ $Date$ $Author$ Tabsize: 4 This file is a HOWTO for Wireshark developers. It describes how to start coding a Wireshark protocol dissector and the use of some of the important functions and variables. This file is compiled to give in depth information on Wireshark. It is by no means all inclusive and complete. Please feel free to send remarks and patches to the developer mailing list. 0. Prerequisites. Before starting to develop a new dissector, a "running" Wireshark build environment is required - there's no such thing as a standalone "dissector build toolkit". How to setup such an environment is platform dependent; detailed information about these steps can be found in the "Developer's Guide" (available from: http://www.wireshark.org) and in the INSTALL and README files of the sources root dir. 0.1. General README files. You'll find additional information in the following README files: - README.capture - the capture engine internals - README.design - Wireshark software design - incomplete - README.developer - this file - README.display_filter - Display Filter Engine - README.idl2wrs - CORBA IDL converter - README.packaging - how to distribute a software package containing WS - README.regression - regression testing of WS and TS - README.stats_tree - a tree statistics counting specific packets - README.tapping - "tap" a dissector to get protocol specific events - README.xml-output - how to work with the PDML exported output - wiretap/README.developer - how to add additional capture file types to Wiretap 0.2. Dissector related README files. You'll find additional dissector related information in the following README files: - README.binarytrees - fast access to large data collections - README.heuristic - what are heuristic dissectors and how to write them - README.plugins - how to "pluginize" a dissector - README.python - writing a dissector in PYTHON. - README.request_response_tracking - how to track req./resp. times and such - README.wmem - how to obtain "memory leak free" memory 0.3 Contributors James Coe Gilbert Ramirez Jeff Foster Olivier Abad Laurent Deniel Gerald Combs Guy Harris Ulf Lamping 1. Setting up your protocol dissector code. This section provides skeleton code for a protocol dissector. It also explains the basic functions needed to enter values in the traffic summary columns, add to the protocol tree, and work with registered header fields. 1.1 Code style. 1.1.1 Portability. Wireshark runs on many platforms, and can be compiled with a number of different compilers; here are some rules for writing code that will work on multiple platforms. Don't use C++-style comments (comments beginning with "//" and running to the end of the line); Wireshark's dissectors are written in C, and thus run through C rather than C++ compilers, and not all C compilers support C++-style comments (GCC does, but IBM's C compiler for AIX, for example, doesn't do so by default). In general, don't use C99 features since some C compilers used to compile Wireshark don't support C99 (E.G. Microsoft C). Don't initialize variables in their declaration with non-constant values. Not all compilers support this. E.g. don't use guint32 i = somearray[2]; use guint32 i; i = somearray[2]; instead. Don't use zero-length arrays; not all compilers support them. If an array would have no members, just leave it out. Don't declare variables in the middle of executable code; not all C compilers support that. Variables should be declared outside a function, or at the beginning of a function or compound statement. Don't use anonymous unions; not all compilers support them. Example: typedef struct foo { guint32 foo; union { guint32 foo_l; guint16 foo_s; } u; /* have a name here */ } foo_t; Don't use "uchar", "u_char", "ushort", "u_short", "uint", "u_int", "ulong", "u_long" or "boolean"; they aren't defined on all platforms. If you want an 8-bit unsigned quantity, use "guint8"; if you want an 8-bit character value with the 8th bit not interpreted as a sign bit, use "guchar"; if you want a 16-bit unsigned quantity, use "guint16"; if you want a 32-bit unsigned quantity, use "guint32"; and if you want an "int-sized" unsigned quantity, use "guint"; if you want a boolean, use "gboolean". Use "%d", "%u", "%x", and "%o" to print those types; don't use "%ld", "%lu", "%lx", or "%lo", as longs are 64 bits long on many platforms, but "guint32" is 32 bits long. Don't use "long" to mean "signed 32-bit integer", and don't use "unsigned long" to mean "unsigned 32-bit integer"; "long"s are 64 bits long on many platforms. Use "gint32" for signed 32-bit integers and use "guint32" for unsigned 32-bit integers. Don't use "long" to mean "signed 64-bit integer" and don't use "unsigned long" to mean "unsigned 64-bit integer"; "long"s are 32 bits long on many other platforms. Don't use "long long" or "unsigned long long", either, as not all platforms support them; use "gint64" or "guint64", which will be defined as the appropriate types for 64-bit signed and unsigned integers. On LLP64 data model systems (notably 64-bit Windows), "int" and "long" are 32 bits while "size_t" and "ptrdiff_t" are 64 bits. This means that the following will generate a compiler warning: int i; i = strlen("hello, sailor"); /* Compiler warning */ Normally, you'd just make "i" a size_t. However, many GLib and Wireshark functions won't accept a size_t on LLP64: size_t i; char greeting[] = "hello, sailor"; guint byte_after_greet; i = strlen(greeting); byte_after_greet = tvb_get_guint8(tvb, i); /* Compiler warning */ Try to use the appropriate data type when you can. When you can't, you will have to cast to a compatible data type, e.g. size_t i; char greeting[] = "hello, sailor"; guint byte_after_greet; i = strlen(greeting); byte_after_greet = tvb_get_guint8(tvb, (gint) i); /* OK */ or gint i; char greeting[] = "hello, sailor"; guint byte_after_greet; i = (gint) strlen(greeting); byte_after_greet = tvb_get_guint8(tvb, i); /* OK */ See http://www.unix.org/version2/whatsnew/lp64_wp.html for more information on the sizes of common types in different data models. When printing or displaying the values of 64-bit integral data types, don't use "%lld", "%llu", "%llx", or "%llo" - not all platforms support "%ll" for printing 64-bit integral data types. Instead, for GLib routines, and routines that use them, such as all the routines in Wireshark that take format arguments, use G_GINT64_MODIFIER, for example: proto_tree_add_uint64_format_value(tree, hf_uint64, tvb, offset, len, val, "%" G_GINT64_MODIFIER "u", val); When specifying an integral constant that doesn't fit in 32 bits, don't use "LL" at the end of the constant - not all compilers use "LL" for that. Instead, put the constant in a call to the "G_GINT64_CONSTANT()" macro, e.g. G_GINT64_CONSTANT(11644473600U) rather than 11644473600ULL Don't assume that you can scan through a va_list initialized by va_start more than once without closing it with va_end and re-initializing it with va_start. This applies even if you're not scanning through it yourself, but are calling a routine that scans through it, such as vfprintf() or one of the routines in Wireshark that takes a format and a va_list as an argument. You must do va_start(ap, format); call_routine1(xxx, format, ap); va_end(ap); va_start(ap, format); call_routine2(xxx, format, ap); va_end(ap); rather va_start(ap, format); call_routine1(xxx, format, ap); call_routine2(xxx, format, ap); va_end(ap); Don't use a label without a statement following it. For example, something such as if (...) { ... done: } will not work with all compilers - you have to do if (...) { ... done: ; } with some statement, even if it's a null statement, after the label. Don't use "bzero()", "bcopy()", or "bcmp()"; instead, use the ANSI C routines "memset()" (with zero as the second argument, so that it sets all the bytes to zero); "memcpy()" or "memmove()" (note that the first and second arguments to "memcpy()" are in the reverse order to the arguments to "bcopy()"; note also that "bcopy()" is typically guaranteed to work on overlapping memory regions, while "memcpy()" isn't, so if you may be copying from one region to a region that overlaps it, use "memmove()", not "memcpy()" - but "memcpy()" might be faster as a result of not guaranteeing correct operation on overlapping memory regions); and "memcmp()" (note that "memcmp()" returns 0, 1, or -1, doing an ordered comparison, rather than just returning 0 for "equal" and 1 for "not equal", as "bcmp()" does). Not all platforms necessarily have "bzero()"/"bcopy()"/"bcmp()", and those that do might not declare them in the header file on which they're declared on your platform. Don't use "index()" or "rindex()"; instead, use the ANSI C equivalents, "strchr()" and "strrchr()". Not all platforms necessarily have "index()" or "rindex()", and those that do might not declare them in the header file on which they're declared on your platform. Don't use "tvb_get_ptr(). If you must use it, keep in mind that the pointer returned by a call to "tvb_get_ptr()" is not guaranteed to be aligned on any particular byte boundary; this means that you cannot safely cast it to any data type other than a pointer to "char", unsigned char", "guint8", or other one-byte data types. Casting a pointer returned by tvb_get_ptr() into any multi-byte data type or structure may cause crashes on some platforms (even if it does not crash on x86-based PCs). Even if such mis-aligned accesses don't crash on your platform they will be slower than properly aligned accesses would be. Furthermore, the data in a packet is not necessarily in the byte order of the machine on which Wireshark is running. Use the tvbuff routines to extract individual items from the packet, or, better yet, use "proto_tree_add_item()" and let it extract the items for you. Don't use structures that overlay packet data, or into which you copy packet data; the C programming language does not guarantee any particular alignment of fields within a structure, and even the extensions that try to guarantee that are compiler-specific and not necessarily supported by all compilers used to build Wireshark. Using bitfields in those structures is even worse; the order of bitfields is not guaranteed. Don't use "ntohs()", "ntohl()", "htons()", or "htonl()"; the header files required to define or declare them differ between platforms, and you might be able to get away with not including the appropriate header file on your platform but that might not work on other platforms. Instead, use "g_ntohs()", "g_ntohl()", "g_htons()", and "g_htonl()"; those are declared by , and you'll need to include that anyway, as Wireshark header files that all dissectors must include use stuff from . Don't fetch a little-endian value using "tvb_get_ntohs() or "tvb_get_ntohl()" and then using "g_ntohs()", "g_htons()", "g_ntohl()", or "g_htonl()" on the resulting value - the g_ routines in question convert between network byte order (big-endian) and *host* byte order, not *little-endian* byte order; not all machines on which Wireshark runs are little-endian, even though PCs are. Fetch those values using "tvb_get_letohs()" and "tvb_get_letohl()". Don't put a comma after the last element of an enum - some compilers may either warn about it (producing extra noise) or refuse to accept it. Don't include without protecting it with #ifdef HAVE_UNISTD_H ... #endif and, if you're including it to get routines such as "open()", "close()", "read()", and "write()" declared, also include if present: #ifdef HAVE_IO_H #include #endif in order to declare the Windows C library routines "_open()", "_close()", "_read()", and "_write()". Your file must include - which many of the Wireshark header files include, so you might not have to include it explicitly - in order to get "open()", "close()", "read()", "write()", etc. mapped to "_open()", "_close()", "_read()", "_write()", etc.. Do not use "open()", "rename()", "mkdir()", "stat()", "unlink()", "remove()", "fopen()", "freopen()" directly. Instead use "ws_open()", "ws_rename()", "ws_mkdir()", "ws_stat()", "ws_unlink()", "ws_remove()", "ws_fopen()", "ws_freopen()": these wrapper functions change the path and file name from UTF8 to UTF16 on Windows allowing the functions to work correctly when the path or file name contain non-ASCII characters. When opening a file with "ws_fopen()", "ws_freopen()", or "ws_fdopen()", if the file contains ASCII text, use "r", "w", "a", and so on as the open mode - but if it contains binary data, use "rb", "wb", and so on. On Windows, if a file is opened in a text mode, writing a byte with the value of octal 12 (newline) to the file causes two bytes, one with the value octal 15 (carriage return) and one with the value octal 12, to be written to the file, and causes bytes with the value octal 15 to be discarded when reading the file (to translate between C's UNIX-style lines that end with newline and Windows' DEC-style lines that end with carriage return/line feed). In addition, that also means that when opening or creating a binary file, you must use "ws_open()" (with O_CREAT and possibly O_TRUNC if the file is to be created if it doesn't exist), and OR in the O_BINARY flag. That flag is not present on most, if not all, UNIX systems, so you must also do #ifndef O_BINARY #define O_BINARY 0 #endif to properly define it for UNIX (it's not necessary on UNIX). Don't use forward declarations of static arrays without a specified size in a fashion such as this: static const value_string foo_vals[]; ... static const value_string foo_vals[] = { { 0, "Red" }, { 1, "Green" }, { 2, "Blue" }, { 0, NULL } }; as some compilers will reject the first of those statements. Instead, initialize the array at the point at which it's first declared, so that the size is known. Don't put a comma after the last tuple of an initializer of an array. For #define names and enum member names, prefix the names with a tag so as to avoid collisions with other names - this might be more of an issue on Windows, as it appears to #define names such as DELETE and OPTIONAL. Don't use the "numbered argument" feature that many UNIX printf's implement, e.g.: g_snprintf(add_string, 30, " - (%1$d) (0x%1$04x)", value); as not all UNIX printf's implement it, and Windows printf doesn't appear to implement it. Use something like g_snprintf(add_string, 30, " - (%d) (0x%04x)", value, value); instead. Don't use "variadic macros", such as #define DBG(format, args...) fprintf(stderr, format, ## args) as not all C compilers support them. Use macros that take a fixed number of arguments, such as #define DBG0(format) fprintf(stderr, format) #define DBG1(format, arg1) fprintf(stderr, format, arg1) #define DBG2(format, arg1, arg2) fprintf(stderr, format, arg1, arg2) ... or something such as #define DBG(args) printf args Don't use case N ... M: as that's not supported by all compilers. snprintf() -> g_snprintf() snprintf() is not available on all platforms, so it's a good idea to use the g_snprintf() function declared by instead. tmpnam() -> mkstemp() tmpnam is insecure and should not be used any more. Wireshark brings its own mkstemp implementation for use on platforms that lack mkstemp. Note: mkstemp does not accept NULL as a parameter. Wireshark supports platforms with GLib 2.14[.x]/GTK+ 2.12[.x] or newer. If a Glib/GTK+ mechanism is available only in Glib/GTK+ versions newer than 2.14/2.12 then use "#if GLIB_CHECK_VERSION(...)" or "#if GTK_CHECK_VERSION(...)" to conditionally compile code using that mechanism. When different code must be used on UN*X and Win32, use a #if or #ifdef that tests _WIN32, not WIN32. Try to write code portably whenever possible, however; note that there are some routines in Wireshark with platform-dependent implementations and platform-independent APIs, such as the routines in epan/filesystem.c, allowing the code that calls it to be written portably without #ifdefs. Wireshark uses libgcrypt as general-purpose crypto library. To use it from your dissector, protect libgcrypt calls with #ifdef HAVE_LIBGCRYPT. Don't include gcrypt.h directly, include the wrapper file wsutil/wsgcrypt.h instead. 1.1.2 String handling Do not use functions such as strcat() or strcpy(). A lot of work has been done to remove the existing calls to these functions and we do not want any new callers of these functions. Instead use g_snprintf() since that function will if used correctly prevent buffer overflows for large strings. Be sure that all pointers passed to %s specifiers in format strings are non- NULL. Some implementations will automatically replace NULL pointers with the string "(NULL)", but most will not. When using a buffer to create a string, do not use a buffer stored on the stack. I.e. do not use a buffer declared as char buffer[1024]; instead allocate a buffer dynamically using the string-specific or plain wmem routines (see README.wmem) such as wmem_strbuf_t *strbuf; strbuf = wmem_strbuf_new(wmem_packet_scope(), ""); wmem_strbuf_append_printf(strbuf, ... or char *buffer=NULL; ... #define MAX_BUFFER 1024 buffer=wmem_alloc(wmem_packet_scope(), MAX_BUFFER); buffer[0]='\0'; ... g_snprintf(buffer, MAX_BUFFER, ... This avoids the stack from being corrupted in case there is a bug in your code that accidentally writes beyond the end of the buffer. If you write a routine that will create and return a pointer to a filled in string and if that buffer will not be further processed or appended to after the routine returns (except being added to the proto tree), do not preallocate the buffer to fill in and pass as a parameter instead pass a pointer to a pointer to the function and return a pointer to a wmem-allocated buffer that will be automatically freed. (see README.wmem) I.e. do not write code such as static void foo_to_str(char *string, ... ){ } ... char buffer[1024]; ... foo_to_str(buffer, ... proto_tree_add_string(... buffer ... instead write the code as static void foo_to_str(char **buffer, ... #define MAX_BUFFER x *buffer=wmem_alloc(wmem_packet_scope(), MAX_BUFFER); } ... char *buffer; ... foo_to_str(&buffer, ... proto_tree_add_string(... *buffer ... Use wmem_ allocated buffers. They are very fast and nice. These buffers are all automatically free()d when the dissection of the current packet ends so you don't have to worry about free()ing them explicitly in order to not leak memory. Please read README.wmem. Don't use non-ASCII characters in source files; not all compiler environments will be using the same encoding for non-ASCII characters, and at least one compiler (Microsoft's Visual C) will, in environments with double-byte character encodings, such as many Asian environments, fail if it sees a byte sequence in a source file that doesn't correspond to a valid character. This causes source files using either an ISO 8859/n single-byte character encoding or UTF-8 to fail to compile. Even if the compiler doesn't fail, there is no guarantee that the compiler, or a developer's text editor, will interpret the characters the way you intend them to be interpreted. 1.1.3 Robustness. Wireshark is not guaranteed to read only network traces that contain correctly- formed packets. Wireshark is commonly used to track down networking problems, and the problems might be due to a buggy protocol implementation sending out bad packets. Therefore, protocol dissectors not only have to be able to handle correctly-formed packets without, for example, crashing or looping infinitely, they also have to be able to handle *incorrectly*-formed packets without crashing or looping infinitely. Here are some suggestions for making dissectors more robust in the face of incorrectly-formed packets: Do *NOT* use "g_assert()" or "g_assert_not_reached()" in dissectors. *NO* value in a packet's data should be considered "wrong" in the sense that it's a problem with the dissector if found; if it cannot do anything else with a particular value from a packet's data, the dissector should put into the protocol tree an indication that the value is invalid, and should return. The "expert" mechanism should be used for that purpose. If there is a case where you are checking not for an invalid data item in the packet, but for a bug in the dissector (for example, an assumption being made at a particular point in the code about the internal state of the dissector), use the DISSECTOR_ASSERT macro for that purpose; this will put into the protocol tree an indication that the dissector has a bug in it, and will not crash the application. If you are allocating a chunk of memory to contain data from a packet, or to contain information derived from data in a packet, and the size of the chunk of memory is derived from a size field in the packet, make sure all the data is present in the packet before allocating the buffer. Doing so means that: 1) Wireshark won't leak that chunk of memory if an attempt to fetch data not present in the packet throws an exception. and 2) it won't crash trying to allocate an absurdly-large chunk of memory if the size field has a bogus large value. If you're fetching into such a chunk of memory a string from the buffer, and the string has a specified size, you can use "tvb_get_*_string()", which will check whether the entire string is present before allocating a buffer for the string, and will also put a trailing '\0' at the end of the buffer. If you're fetching into such a chunk of memory a 2-byte Unicode string from the buffer, and the string has a specified size, you can use "tvb_get_ephemeral_faked_unicode()", which will check whether the entire string is present before allocating a buffer for the string, and will also put a trailing '\0' at the end of the buffer. The resulting string will be a sequence of single-byte characters; the only Unicode characters that will be handled correctly are those in the ASCII range. (Wireshark's ability to handle non-ASCII strings is limited; it needs to be improved.) If you're fetching into such a chunk of memory a sequence of bytes from the buffer, and the sequence has a specified size, you can use "tvb_memdup()", which will check whether the entire sequence is present before allocating a buffer for it. Otherwise, you can check whether the data is present by using "tvb_ensure_bytes_exist()" although this frequently is not needed: the TVB-accessor routines can handle requests to read data beyond the end of the TVB (by throwing an exception which will either mark the frame as truncated--not all the data was captured--or as malformed). Note also that you should only fetch string data into a fixed-length buffer if the code ensures that no more bytes than will fit into the buffer are fetched ("the protocol ensures" isn't good enough, as protocol specifications can't ensure only packets that conform to the specification will be transmitted or that only packets for the protocol in question will be interpreted as packets for that protocol by Wireshark). If there's no maximum length of string data to be fetched, routines such as "tvb_get_*_string()" are safer, as they allocate a buffer large enough to hold the string. (Note that some variants of this call require you to free the string once you're finished with it.) If you have gotten a pointer using "tvb_get_ptr()" (which you should not have: you should seriously consider a better alternative to this function), you must make sure that you do not refer to any data past the length passed as the last argument to "tvb_get_ptr()"; while the various "tvb_get" routines perform bounds checking and throw an exception if you refer to data not available in the tvbuff, direct references through a pointer gotten from "tvb_get_ptr()" do not do any bounds checking. If you have a loop that dissects a sequence of items, each of which has a length field, with the offset in the tvbuff advanced by the length of the item, then, if the length field is the total length of the item, and thus can be zero, you *MUST* check for a zero-length item and abort the loop if you see one. Otherwise, a zero-length item could cause the dissector to loop infinitely. You should also check that the offset, after having the length added to it, is greater than the offset before the length was added to it, if the length field is greater than 24 bits long, so that, if the length value is *very* large and adding it to the offset causes an overflow, that overflow is detected. If you have a for (i = {start}; i < {end}; i++) loop, make sure that the type of the loop index variable is large enough to hold the maximum {end} value plus 1; otherwise, the loop index variable can overflow before it ever reaches its maximum value. In particular, be very careful when using gint8, guint8, gint16, or guint16 variables as loop indices; you almost always want to use an "int"/"gint" or "unsigned int"/"guint" as the loop index rather than a shorter type. If you are fetching a length field from the buffer, corresponding to the length of a portion of the packet, and subtracting from that length a value corresponding to the length of, for example, a header in the packet portion in question, *ALWAYS* check that the value of the length field is greater than or equal to the length you're subtracting from it, and report an error in the packet and stop dissecting the packet if it's less than the length you're subtracting from it. Otherwise, the resulting length value will be negative, which will either cause errors in the dissector or routines called by the dissector, or, if the value is interpreted as an unsigned integer, will cause the value to be interpreted as a very large positive value. Any tvbuff offset that is added to as processing is done on a packet should be stored in a 32-bit variable, such as an "int"; if you store it in an 8-bit or 16-bit variable, you run the risk of the variable overflowing. sprintf() -> g_snprintf() Prevent yourself from using the sprintf() function, as it does not test the length of the given output buffer and might be writing into unintended memory areas. This function is one of the main causes of security problems like buffer exploits and many other bugs that are very hard to find. It's much better to use the g_snprintf() function declared by instead. You should test your dissector against incorrectly-formed packets. This can be done using the randpkt and editcap utilities that come with the Wireshark distribution. Testing using randpkt can be done by generating output at the same layer as your protocol, and forcing Wireshark/TShark to decode it as your protocol, e.g. if your protocol sits on top of UDP: randpkt -c 50000 -t dns randpkt.pcap tshark -nVr randpkt.pcap -d udp.port==53, Testing using editcap can be done using preexisting capture files and the "-E" flag, which introduces errors in a capture file. E.g.: editcap -E 0.03 infile.pcap outfile.pcap tshark -nVr outfile.pcap The script fuzz-test.sh is available to help automate these tests. 1.1.4 Name convention. Wireshark uses the underscore_convention rather than the InterCapConvention for function names, so new code should probably use underscores rather than intercaps for functions and variable names. This is especially important if you are writing code that will be called from outside your code. We are just trying to keep things consistent for other developers. 1.1.5 White space convention. Avoid using tab expansions different from 8 column widths, as not all text editors in use by the developers support this. For a detailed discussion of tabs, spaces, and indentation, see http://www.jwz.org/doc/tabs-vs-spaces.html When creating a new file, you are free to choose an indentation logic. Most of the files in Wireshark tend to use 2-space or 4-space indentation. You are encouraged to write a short comment on the indentation logic at the beginning of this new file, especially if you're using non-mod-8 tabs. The tabs-vs-spaces document above provides examples of Emacs and vi modelines for this purpose. Please do not leave trailing whitespace (spaces/tabs) on lines. When editing an existing file, try following the existing indentation logic and even if it very tempting, never ever use a restyler/reindenter utility on an existing file. If you run across wildly varying indentation styles within the same file, it might be helpful to send a note to wireshark-dev for guidance. 1.1.6 Compiler warnings You should write code that is free of compiler warnings. Such warnings will often indicate questionable code and sometimes even real bugs, so it's best to avoid warnings at all. The compiler flags in the Makefiles are set to "treat warnings as errors", so your code won't even compile when warnings occur. 1.2 Skeleton code. Wireshark requires certain things when setting up a protocol dissector. We provide basic skeleton code for a dissector that you can copy to a new file and fill in. Your dissector should follow the naming convention of "packet-" followed by the abbreviated name for the protocol. It is recommended that where possible you keep to the IANA abbreviated name for the protocol, if there is one, or a commonly-used abbreviation for the protocol, if any. The skeleton code lives in the file "packet-PROTOABBREV.c" in the same source directory as this README. If instead of using the skeleton you base your dissector on an existing real dissector, please put a little note in the copyright header indicating which dissector you started with. Usually, you will put your newly created dissector file into the directory epan/dissectors/, just like all the other packet-*.c files already in there. Also, please add your dissector file to the corresponding makefiles, described in section "1.9 Editing Makefile.common and CMakeLists.txt to add your dissector" below. Dissectors that use the dissector registration API to register with a lower level protocol (this is the vast majority) don't need to define a prototype in their .h file. For other dissectors the main dissector routine should have a prototype in a header file whose name is "packet-", followed by the abbreviated name for the protocol, followed by ".h"; any dissector file that calls your dissector should be changed to include that file. You may not need to include all the headers listed in the skeleton, and you may need to include additional headers. The "$Id$" tag in the header comment will be updated by Subversion when the file is checked in. 1.3 Explanation of needed substitutions in code skeleton. In the skeleton sample code the following strings should be substituted with your information. YOUR_NAME Your name, of course. You do want credit, don't you? It's the only payment you will receive.... YOUR_EMAIL_ADDRESS Keep those cards and letters coming. PROTONAME The name of the protocol; this is displayed in the top-level protocol tree item for that protocol. PROTOSHORTNAME An abbreviated name for the protocol; this is displayed in the "Preferences" dialog box if your dissector has any preferences, in the dialog box of enabled protocols, and in the dialog box for filter fields when constructing a filter expression. PROTOABBREV A name for the protocol for use in filter expressions; it shall contain only lower-case letters, digits, and hyphens. FIELDNAME The displayed name for the header field. FIELDABBREV The abbreviated name for the header field. (NO SPACES) FIELDTYPE FT_NONE, FT_BOOLEAN, FT_UINT8, FT_UINT16, FT_UINT24, FT_UINT32, FT_UINT64, FT_INT8, FT_INT16, FT_INT24, FT_INT32, FT_INT64, FT_FLOAT, FT_DOUBLE, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME, FT_STRING, FT_STRINGZ, FT_EUI64, FT_UINT_STRING, FT_ETHER, FT_BYTES, FT_UINT_BYTES, FT_IPv4, FT_IPv6, FT_IPXNET, FT_FRAMENUM, FT_PROTOCOL, FT_GUID, FT_OID FIELDDISPLAY --For FT_UINT{8,16,24,32,64} and FT_INT{8,16,24,32,64): BASE_DEC, BASE_HEX, BASE_OCT, BASE_DEC_HEX, BASE_HEX_DEC, or BASE_CUSTOM, possibly ORed with BASE_RANGE_STRING or BASE_EXT_STRING --For FT_ABSOLUTE_TIME: ABSOLUTE_TIME_LOCAL, ABSOLUTE_TIME_UTC, or ABSOLUTE_TIME_DOY_UTC --For FT_BOOLEAN: if BITMASK is non-zero: Number of bits in the field containing the FT_BOOLEAN bitfield. otherwise: (must be) BASE_NONE --For all other types: BASE_NONE FIELDCONVERT VALS(x), RVALS(x), TFS(x), NULL BITMASK Used to mask a field not 8-bit aligned or with a size other than a multiple of 8 bits FIELDDESCR A brief description of the field, or NULL. [Please do not use ""]. PARENT_SUBFIELD Lower level protocol field used for lookup, i.e. "tcp.port" ID_VALUE Lower level protocol field value that identifies this protocol For example the TCP or UDP port number If, for example, PROTONAME is "Internet Bogosity Discovery Protocol", PROTOSHORTNAME would be "IBDP", and PROTOABBREV would be "ibdp". Try to conform with IANA names. 1.4 The dissector and the data it receives. 1.4.1 Header file. This is only needed if the dissector doesn't use self-registration to register itself with the lower level dissector, or if the protocol dissector wants/needs to expose code to other subdissectors. The dissector must be declared exactly as follows in the file packet-PROTOABBREV.h: int dissect_PROTOABBREV(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree); 1.4.2 Extracting data from packets. NOTE: See the file /epan/tvbuff.h for more details. The "tvb" argument to a dissector points to a buffer containing the raw data to be analyzed by the dissector; for example, for a protocol running atop UDP, it contains the UDP payload (but not the UDP header, or any protocol headers above it). A tvbuffer is an opaque data structure, the internal data structures are hidden and the data must be accessed via the tvbuffer accessors. The accessors are: Bit accessors for a maximum of 8-bits, 16-bits 32-bits and 64-bits: guint8 tvb_get_bits8(tvbuff_t *tvb, gint bit_offset, const gint no_of_bits); guint16 tvb_get_bits16(tvbuff_t *tvb, guint bit_offset, const gint no_of_bits, const guint encoding); guint32 tvb_get_bits32(tvbuff_t *tvb, guint bit_offset, const gint no_of_bits, const guint encoding); guint64 tvb_get_bits64(tvbuff_t *tvb, guint bit_offset, const gint no_of_bits, const guint encoding); Single-byte accessor: guint8 tvb_get_guint8(tvbuff_t *tvb, const gint offset); Network-to-host-order accessors for 16-bit integers (guint16), 24-bit integers, 32-bit integers (guint32), 40-bit integers, 48-bit integers, 56-bit integers and 64-bit integers (guint64): guint16 tvb_get_ntohs(tvbuff_t *tvb, const gint offset); guint32 tvb_get_ntoh24(tvbuff_t *tvb, const gint offset); guint32 tvb_get_ntohl(tvbuff_t *tvb, const gint offset); guint64 tvb_get_ntoh40(tvbuff_t *tvb, const gint offset); guint64 tvb_get_ntoh48(tvbuff_t *tvb, const gint offset); guint64 tvb_get_ntoh56(tvbuff_t *tvb, const gint offset); guint64 tvb_get_ntoh64(tvbuff_t *tvb, const gint offset); Network-to-host-order accessors for single-precision and double-precision IEEE floating-point numbers: gfloat tvb_get_ntohieee_float(tvbuff_t *tvb, const gint offset); gdouble tvb_get_ntohieee_double(tvbuff_t *tvb, const gint offset); Little-Endian-to-host-order accessors for 16-bit integers (guint16), 24-bit integers, 32-bit integers (guint32), 40-bit integers, 48-bit integers, 56-bit integers, and 64-bit integers (guint64): guint16 tvb_get_letohs(tvbuff_t *tvb, const gint offset); guint32 tvb_get_letoh24(tvbuff_t *tvb, const gint offset); guint32 tvb_get_letohl(tvbuff_t *tvb, const gint offset); guint64 tvb_get_letoh40(tvbuff_t *tvb, const gint offset); guint64 tvb_get_letoh48(tvbuff_t *tvb, const gint offset); guint64 tvb_get_letoh56(tvbuff_t *tvb, const gint offset); guint64 tvb_get_letoh64(tvbuff_t *tvb, const gint offset); Little-Endian-to-host-order accessors for single-precision and double-precision IEEE floating-point numbers: gfloat tvb_get_letohieee_float(tvbuff_t *tvb, const gint offset); gdouble tvb_get_letohieee_double(tvbuff_t *tvb, const gint offset); Accessors for IPv4 and IPv6 addresses: guint32 tvb_get_ipv4(tvbuff_t *tvb, const gint offset); void tvb_get_ipv6(tvbuff_t *tvb, const gint offset, struct e_in6_addr *addr); NOTE: IPv4 addresses are not to be converted to host byte order before being passed to "proto_tree_add_ipv4()". You should use "tvb_get_ipv4()" to fetch them, not "tvb_get_ntohl()" *OR* "tvb_get_letohl()" - don't, for example, try to use "tvb_get_ntohl()", find that it gives you the wrong answer on the PC on which you're doing development, and try "tvb_get_letohl()" instead, as "tvb_get_letohl()" will give the wrong answer on big-endian machines. gchar *tvb_ip_to_str(tvbuff_t *tvb, const gint offset) gchar *tvb_ip6_to_str(tvbuff_t *tvb, const gint offset) Returns a null-terminated buffer containing a string with IPv4 or IPv6 Address from the specified tvbuff, starting at the specified offset. Accessors for GUID: void tvb_get_ntohguid(tvbuff_t *tvb, const gint offset, e_guid_t *guid); void tvb_get_letohguid(tvbuff_t *tvb, const gint offset, e_guid_t *guid); void tvb_get_guid(tvbuff_t *tvb, const gint offset, e_guid_t *guid, const guint representation); String accessors: guint8 *tvb_get_string(tvbuff_t *tvb, const gint offset, const gint length); gchar *tvb_get_unicode_string(tvbuff_t *tvb, const gint offset, gint length, const guint encoding); guint8 *tvb_get_ephemeral_string(tvbuff_t *tvb, const gint offset, const gint length); guint8 *tvb_get_ephemeral_string_enc(tvbuff_t *tvb, const gint offset, const gint length, const guint encoding); gchar *tvb_get_ephemeral_unicode_string(tvbuff_t *tvb, const gint offset, gint length, const guint encoding); guint8 *tvb_get_seasonal_string(tvbuff_t *tvb, const gint offset, const gint length); Returns a null-terminated buffer containing data from the specified tvbuff, starting at the specified offset, and containing the specified length worth of characters (the length of the buffer will be length+1, as it includes a null character to terminate the string). tvb_get_string() returns a buffer allocated by g_malloc() so you must g_free() it when you are finished with the string. Failure to g_free() this buffer will lead to memory leaks. tvb_get_unicode_string() is a unicode (UTF-16) version of above. This is intended for reading UTF-16 unicode strings out of a tvbuff and returning them as a UTF-8 string for use in Wireshark. The offset and returned length pointer are in bytes, not UTF-16 characters. tvb_get_ephemeral_string() returns a buffer allocated from a special heap with a lifetime until the next packet is dissected. You do not need to free() this buffer, it will happen automatically once the next packet is dissected. tvb_get_ephemeral_unicode_string() is a unicode (UTF-16) version of above. This is intended for reading UTF-16 unicode strings out of a tvbuff and returning them as a UTF-8 string for use in Wireshark. The offset and returned length pointer are in bytes, not UTF-16 characters. tvb_get_seasonal_string() returns a buffer allocated from a special heap with a lifetime of the current capture session. You do not need to free() this buffer, it will happen automatically once the a new capture or file is opened. guint8 *tvb_get_stringz(tvbuff_t *tvb, const gint offset, gint *lengthp); guint8 *tvb_get_stringz_enc(tvbuff_t *tvb, const gint offset, gint *lengthp, const guint encoding); const guint8 *tvb_get_const stringz(tvbuff_t *tvb, const gint offset, gint *lengthp); guint8 *tvb_get_ephemeral_stringz(tvbuff_t *tvb, const gint offset, gint *lengthp); guint8 *tvb_get_ephemeral_stringz_enc(tvbuff_t *tvb, const gint offset, gint *lengthp, const guint encoding); gchar *tvb_get_ephemeral_unicode_stringz(tvbuff_t *tvb, const gint offset, gint *lengthp, const guint encoding); guint8 *tvb_get_seasonal_stringz(tvbuff_t *tvb, const gint offset, gint *lengthp); gint tvb_get_nstringz(tvbuff_t *tvb, const gint offset, const guint bufsize, guint8* buffer); gint tvb_get_nstringz0(tvbuff_t *tvb, const gint offset, const guint bufsize, guint8* buffer); Returns a null-terminated buffer containing data from the specified tvbuff, starting at the specified offset, and containing all characters from the tvbuff up to and including a terminating null character in the tvbuff. "*lengthp" will be set to the length of the string, including the terminating null. tvb_get_stringz() returns a buffer allocated by g_malloc() so you must g_free() it when you are finished with the string. Failure to g_free() this buffer will lead to memory leaks. tvb_get_const_stringz() returns a pointer to the (const) string in the tvbuff. You do not need to free() this buffer, it will happen automatically once the next packet is dissected. This function is slightly more efficient than the others because it does not allocate memory and copy the string. tvb_get_ephemeral_stringz() returns a buffer allocated from a special heap with a lifetime until the next packet is dissected. You do not need to free() this buffer, it will happen automatically once the next packet is dissected. tvb_get_ephemeral_unicode_stringz() is a unicode (UTF-16) version of above. This is intended for reading UTF-16 unicode strings out of a tvbuff and returning them as a UTF-8 string for use in Wireshark. The offset and returned length pointer are in bytes, not UTF-16 characters. tvb_get_seasonal_stringz() returns a buffer allocated from a special heap with a lifetime of the current capture session. You do not need to free() this buffer, it will happen automatically once the a new capture or file is opened. tvb_fake_unicode() has been superseded by tvb_get_unicode_string(), which properly handles Unicode (UTF-16) strings by converting them to UTF-8. tvb_get_ephemeral_faked_unicode() has been superseded by tvb_get_ephemeral_string(), which properly handles Unicode (UTF-16) strings by converting them to UTF-8. Byte Array Accessors: gchar *tvb_bytes_to_str(tvbuff_t *tvb, gint offset, gint len); Formats a bunch of data from a tvbuff as bytes, returning a pointer to the string with the data formatted as two hex digits for each byte. The string pointed to is stored in an "ep_alloc'd" buffer which will be freed before the next frame is dissected. The formatted string will contain the hex digits for at most the first 16 bytes of the data. If len is greater than 16 bytes, a trailing "..." will be added to the string. gchar *tvb_bytes_to_str_punct(tvbuff_t *tvb, gint offset, gint len, gchar punct); This function is similar to tvb_bytes_to_str(...) except that 'punct' is inserted between the hex representation of each byte. gchar *tvb_bcd_dig_to_ep_str(tvbuff_t *tvb, const gint offset, const gint len, dgt_set_t *dgt, gboolean skip_first); Given a tvbuff, an offset into the tvbuff, and a length that starts at that offset (which may be -1 for "all the way to the end of the tvbuff"), fetch BCD encoded digits from a tvbuff starting from either the low or high half byte, formatting the digits according to an input digit set, if NUll a default digit set of 0-9 returning "?" for overdecadic digits will be used. A pointer to the EP allocated string will be returned. Note: a tvbuff content of 0xf is considered a 'filler' and will end the conversion. Copying memory: guint8* tvb_memcpy(tvbuff_t *tvb, guint8* target, gint offset, gint length); Copies into the specified target the specified length's worth of data from the specified tvbuff, starting at the specified offset. guint8* tvb_memdup(tvbuff_t *tvb, gint offset, gint length); guint8* ep_tvb_memdup(tvbuff_t *tvb, gint offset, gint length); Returns a buffer, allocated with "g_malloc()", containing the specified length's worth of data from the specified tvbuff, starting at the specified offset. The ephemeral variant is freed automatically after the packet is dissected. Pointer-retrieval: /* WARNING! Don't use this function. There is almost always a better way. * It's dangerous because once this pointer is given to the user, there's * no guarantee that the user will honor the 'length' and not overstep the * boundaries of the buffer. Also see the warning in the Portability section. */ guint8* tvb_get_ptr(tvbuff_t *tvb, gint offset, gint length); 1.5 Functions to handle columns in the traffic summary window. The topmost pane of the main window is a list of the packets in the capture, possibly filtered by a display filter. Each line corresponds to a packet, and has one or more columns, as configured by the user. Many of the columns are handled by code outside individual dissectors; most dissectors need only specify the value to put in the "Protocol" and "Info" columns. Columns are specified by COL_ values; the COL_ value for the "Protocol" field, typically giving an abbreviated name for the protocol (but not the all-lower-case abbreviation used elsewhere) is COL_PROTOCOL, and the COL_ value for the "Info" field, giving a summary of the contents of the packet for that protocol, is COL_INFO. The value for a column can be specified with one of several functions, all of which take the 'fd' argument to the dissector as their first argument, and the COL_ value for the column as their second argument. 1.5.1 The col_set_str function. 'col_set_str' takes a string as its third argument, and sets the value for the column to that value. It assumes that the pointer passed to it points to a string constant or a static "const" array, not to a variable, as it doesn't copy the string, it merely saves the pointer value; the argument can itself be a variable, as long as it always points to a string constant or a static "const" array. It is more efficient than 'col_add_str' or 'col_add_fstr'; however, if the dissector will be using 'col_append_str' or 'col_append_fstr" to append more information to the column, the string will have to be copied anyway, so it's best to use 'col_add_str' rather than 'col_set_str' in that case. For example, to set the "Protocol" column to "PROTOABBREV": col_set_str(pinfo->cinfo, COL_PROTOCOL, "PROTOABBREV"); 1.5.2 The col_add_str function. 'col_add_str' takes a string as its third argument, and sets the value for the column to that value. It takes the same arguments as 'col_set_str', but copies the string, so that if the string is, for example, an automatic variable that won't remain in scope when the dissector returns, it's safe to use. 1.5.3 The col_add_fstr function. 'col_add_fstr' takes a 'printf'-style format string as its third argument, and 'printf'-style arguments corresponding to '%' format items in that string as its subsequent arguments. For example, to set the "Info" field to " request, bytes", where "reqtype" is a string containing the type of the request in the packet and "n" is an unsigned integer containing the number of bytes in the request: col_add_fstr(pinfo->cinfo, COL_INFO, "%s request, %u bytes", reqtype, n); Don't use 'col_add_fstr' with a format argument of just "%s" - 'col_add_str', or possibly even 'col_set_str' if the string that matches the "%s" is a static constant string, will do the same job more efficiently. 1.5.4 The col_clear function. If the Info column will be filled with information from the packet, that means that some data will be fetched from the packet before the Info column is filled in. If the packet is so small that the data in question cannot be fetched, the routines to fetch the data will throw an exception (see the comment at the beginning about tvbuffers improving the handling of short packets - the tvbuffers keep track of how much data is in the packet, and throw an exception on an attempt to fetch data past the end of the packet, so that the dissector won't process bogus data), causing the Info column not to be filled in. This means that the Info column will have data for the previous protocol, which would be confusing if, for example, the Protocol column had data for this protocol. Therefore, before a dissector fetches any data whatsoever from the packet (unless it's a heuristic dissector fetching data to determine whether the packet is one that it should dissect, in which case it should check, before fetching the data, whether there's any data to fetch; if there isn't, it should return FALSE), it should set the Protocol column and the Info column. If the Protocol column will ultimately be set to, for example, a value containing a protocol version number, with the version number being a field in the packet, the dissector should, before fetching the version number field or any other field from the packet, set it to a value without a version number, using 'col_set_str', and should later set it to a value with the version number after it's fetched the version number. If the Info column will ultimately be set to a value containing information from the packet, the dissector should, before fetching any fields from the packet, clear the column using 'col_clear' (which is more efficient than clearing it by calling 'col_set_str' or 'col_add_str' with a null string), and should later set it to the real string after it's fetched the data to use when doing that. 1.5.5 The col_append_str function. Sometimes the value of a column, especially the "Info" column, can't be conveniently constructed at a single point in the dissection process; for example, it might contain small bits of information from many of the fields in the packet. 'col_append_str' takes, as arguments, the same arguments as 'col_add_str', but the string is appended to the end of the current value for the column, rather than replacing the value for that column. (Note that no blank separates the appended string from the string to which it is appended; if you want a blank there, you must add it yourself as part of the string being appended.) 1.5.6 The col_append_fstr function. 'col_append_fstr' is to 'col_add_fstr' as 'col_append_str' is to 'col_add_str' - it takes, as arguments, the same arguments as 'col_add_fstr', but the formatted string is appended to the end of the current value for the column, rather than replacing the value for that column. 1.5.7 The col_append_sep_str and col_append_sep_fstr functions. In specific situations the developer knows that a column's value will be created in a stepwise manner, where the appended values are listed. Both 'col_append_sep_str' and 'col_append_sep_fstr' functions will add an item separator between two consecutive items, and will not add the separator at the beginning of the column. The remainder of the work both functions do is identical to what 'col_append_str' and 'col_append_fstr' do. 1.5.8 The col_set_fence and col_prepend_fence_fstr functions. Sometimes a dissector may be called multiple times for different PDUs in the same frame (for example in the case of SCTP chunk bundling: several upper layer data packets may be contained in one SCTP packet). If the upper layer dissector calls 'col_set_str()' or 'col_clear()' on the Info column when it begins dissecting each of those PDUs then when the frame is fully dissected the Info column would contain only the string from the last PDU in the frame. The 'col_set_fence' function erects a "fence" in the column that prevents subsequent 'col_...' calls from clearing the data currently in that column. For example, the SCTP dissector calls 'col_set_fence' on the Info column after it has called any subdissectors for that chunk so that subdissectors of any subsequent chunks may only append to the Info column. 'col_prepend_fence_fstr' prepends data before a fence (moving it if necessary). It will create a fence at the end of the prepended data if the fence does not already exist. 1.5.9 The col_set_time function. The 'col_set_time' function takes an nstime value as its third argument. This nstime value is a relative value and will be added as such to the column. The fourth argument is the filtername holding this value. This way, rightclicking on the column makes it possible to build a filter based on the time-value. For example: nstime_delta(&ts, &pinfo->fd->abs_ts, &tcpd->ts_first); col_set_time(pinfo->cinfo, COL_REL_CONV_TIME, &ts, "tcp.time_relative"); 1.6 Constructing the protocol tree. The middle pane of the main window, and the topmost pane of a packet popup window, are constructed from the "protocol tree" for a packet. The protocol tree, or proto_tree, is a GNode, the N-way tree structure available within GLIB. Of course the protocol dissectors don't care what a proto_tree really is; they just pass the proto_tree pointer as an argument to the routines which allow them to add items and new branches to the tree. When a packet is selected in the packet-list pane, or a packet popup window is created, a new logical protocol tree (proto_tree) is created. The pointer to the proto_tree (in this case, 'protocol tree'), is passed to the top-level protocol dissector, and then to all subsequent protocol dissectors for that packet, and then the GUI tree is drawn via proto_tree_draw(). The logical proto_tree needs to know detailed information about the protocols and fields about which information will be collected from the dissection routines. By strictly defining (or "typing") the data that can be attached to a proto tree, searching and filtering becomes possible. This means that for every protocol and field (which I also call "header fields", since they are fields in the protocol headers) which might be attached to a tree, some information is needed. Every dissector routine will need to register its protocols and fields with the central protocol routines (in proto.c). At first I thought I might keep all the protocol and field information about all the dissectors in one file, but decentralization seemed like a better idea. That one file would have gotten very large; one small change would have required a re-compilation of the entire file. Also, by allowing registration of protocols and fields at run-time, loadable modules of protocol dissectors (perhaps even user-supplied) is feasible. To do this, each protocol should have a register routine, which will be called when Wireshark starts. The code to call the register routines is generated automatically; to arrange that a protocol's register routine be called at startup: the file containing a dissector's "register" routine must be added to "DISSECTOR_SRC" in "epan/dissectors/Makefile.common" (and in "epan/CMakeLists.txt"); the "register" routine must have a name of the form "proto_register_XXX"; the "register" routine must take no argument, and return no value; the "register" routine's name must appear in the source file either at the beginning of the line, or preceded only by "void " at the beginning of the line (that would typically be the definition) - other white space shouldn't cause a problem, e.g.: void proto_register_XXX(void) { ... } and void proto_register_XXX( void ) { ... } and so on should work. For every protocol or field that a dissector wants to register, a variable of type int needs to be used to keep track of the protocol. The IDs are needed for establishing parent/child relationships between protocols and fields, as well as associating data with a particular field so that it can be stored in the logical tree and displayed in the GUI protocol tree. Some dissectors will need to create branches within their tree to help organize header fields. These branches should be registered as header fields. Only true protocols should be registered as protocols. This is so that a display filter user interface knows how to distinguish protocols from fields. A protocol is registered with the name of the protocol and its abbreviation. Here is how the frame "protocol" is registered. int proto_frame; proto_frame = proto_register_protocol ( /* name */ "Frame", /* short name */ "Frame", /* abbrev */ "frame" ); A header field is also registered with its name and abbreviation, but information about its data type is needed. It helps to look at the header_field_info struct to see what information is expected: struct header_field_info { const char *name; const char *abbrev; enum ftenum type; int display; const void *strings; guint32 bitmask; const char *blurb; ..... }; name ---- A string representing the name of the field. This is the name that will appear in the graphical protocol tree. It must be a non-empty string. abbrev ------ A string with an abbreviation of the field. We concatenate the abbreviation of the parent protocol with an abbreviation for the field, using a period as a separator. For example, the "src" field in an IP packet would have "ip.src" as an abbreviation. It is acceptable to have multiple levels of periods if, for example, you have fields in your protocol that are then subdivided into subfields. For example, TRMAC has multiple error fields, so the abbreviations follow this pattern: "trmac.errors.iso", "trmac.errors.noniso", etc. The abbreviation is the identifier used in a display filter. If it is an empty string then the field will not be filterable. type ---- The type of value this field holds. The current field types are: FT_NONE No field type. Used for fields that aren't given a value, and that can only be tested for presence or absence; a field that represents a data structure, with a subtree below it containing fields for the members of the structure, or that represents an array with a subtree below it containing fields for the members of the array, might be an FT_NONE field. FT_PROTOCOL Used for protocols which will be placing themselves as top-level items in the "Packet Details" pane of the UI. FT_BOOLEAN 0 means "false", any other value means "true". FT_FRAMENUM A frame number; if this is used, the "Go To Corresponding Frame" menu item can work on that field. FT_UINT8 An 8-bit unsigned integer. FT_UINT16 A 16-bit unsigned integer. FT_UINT24 A 24-bit unsigned integer. FT_UINT32 A 32-bit unsigned integer. FT_UINT64 A 64-bit unsigned integer. FT_INT8 An 8-bit signed integer. FT_INT16 A 16-bit signed integer. FT_INT24 A 24-bit signed integer. FT_INT32 A 32-bit signed integer. FT_INT64 A 64-bit signed integer. FT_FLOAT A single-precision floating point number. FT_DOUBLE A double-precision floating point number. FT_ABSOLUTE_TIME An absolute time from some fixed point in time, displayed as the date, followed by the time, as hours, minutes, and seconds with 9 digits after the decimal point. FT_RELATIVE_TIME Seconds (4 bytes) and nanoseconds (4 bytes) of time relative to an arbitrary time. displayed as seconds and 9 digits after the decimal point. FT_STRING A string of characters, not necessarily NULL-terminated, but possibly NULL-padded. This, and the other string-of-characters types, are to be used for text strings, not raw binary data. FT_STRINGZ A NULL-terminated string of characters. The string length is normally the length given in the proto_tree_add_item() call. However if the length given in the call is -1, then the length used is that returned by calling tvb_strsize(). FT_UINT_STRING A counted string of characters, consisting of a count (represented as an integral value, of width given in the proto_tree_add_item() call) followed immediately by that number of characters. FT_ETHER A six octet string displayed in Ethernet-address format. FT_BYTES A string of bytes with arbitrary values; used for raw binary data. FT_UINT_BYTES A counted string of bytes, consisting of a count (represented as an integral value, of width given in the proto_tree_add_item() call) followed immediately by that number of arbitrary values; used for raw binary data. FT_IPv4 A version 4 IP address (4 bytes) displayed in dotted-quad IP address format (4 decimal numbers separated by dots). FT_IPv6 A version 6 IP address (16 bytes) displayed in standard IPv6 address format. FT_IPXNET An IPX address displayed in hex as a 6-byte network number followed by a 6-byte station address. FT_GUID A Globally Unique Identifier FT_OID An ASN.1 Object Identifier FT_EUI64 A EUI-64 Address Some of these field types are still not handled in the display filter routines, but the most common ones are. The FT_UINT* variables all represent unsigned integers, and the FT_INT* variables all represent signed integers; the number on the end represent how many bits are used to represent the number. Some constraints are imposed on the header fields depending on the type (e.g. FT_BYTES) of the field. Fields of type FT_ABSOLUTE_TIME must use 'ABSOLUTE_TIME_{LOCAL,UTC,DOY_UTC}, NULL, 0x0' as values for the 'display, 'strings', and 'bitmask' fields, and all other non-integral types (i.e.. types that are _not_ FT_INT* and FT_UINT*) must use 'BASE_NONE, NULL, 0x0' as values for the 'display', 'strings', 'bitmask' fields. The reason is simply that the type itself implicitly defines the nature of 'display', 'strings', 'bitmask'. display ------- The display field has a couple of overloaded uses. This is unfortunate, but since we're using C as an application programming language, this sometimes makes for cleaner programs. Right now I still think that overloading this variable was okay. For integer fields (FT_UINT* and FT_INT*), this variable represents the base in which you would like the value displayed. The acceptable bases are: BASE_DEC, BASE_HEX, BASE_OCT, BASE_DEC_HEX, BASE_HEX_DEC, BASE_CUSTOM BASE_DEC, BASE_HEX, and BASE_OCT are decimal, hexadecimal, and octal, respectively. BASE_DEC_HEX and BASE_HEX_DEC display value in two bases (the 1st representation followed by the 2nd in parenthesis). BASE_CUSTOM allows one to specify a callback function pointer that will format the value. The function pointer of the same type as defined by custom_fmt_func_t in epan/proto.h, specifically: void func(gchar *, guint32); The first argument is a pointer to a buffer of the ITEM_LABEL_LENGTH size and the second argument is the value to be formatted. For FT_BOOLEAN fields that are also bitfields (i.e., 'bitmask' is non-zero), 'display' is used specify a "field-width" (i.e., tell the proto_tree how wide the parent bitfield is). (If the FT_BOOLEAN 'bitmask' is zero, then 'display' must be BASE_NONE). For integer fields a "field-width" is not needed since the type of integer itself (FT_UINT8, FT_UINT16, FT_UINT24, FT_UINT32, etc.) tells the proto_tree how wide the parent bitfield is. For FT_ABSOLUTE_TIME fields, 'display' is used to indicate whether the time is to be displayed as a time in the time zone for the machine on which Wireshark/TShark is running or as UTC and, for UTC, whether the date should be displayed as "{monthname}, {month} {day_of_month}, {year}" or as "{year/day_of_year}". Additionally, BASE_NONE is used for 'display' as a NULL-value. That is, for non-integers other than FT_ABSOLUTE_TIME fields, and non-bitfield FT_BOOLEANs, you'll want to use BASE_NONE in the 'display' field. You may not use BASE_NONE for integers. It is possible that in the future we will record the endianness of integers. If so, it is likely that we'll use a bitmask on the display field so that integers would be represented as BEND|BASE_DEC or LEND|BASE_HEX. But that has not happened yet; note that there are protocols for which no endianness is specified, such as the X11 protocol and the DCE RPC protocol, so it would not be possible to record the endianness of all integral fields. strings ------- -- value_string Some integer fields, of type FT_UINT*, need labels to represent the true value of a field. You could think of those fields as having an enumerated data type, rather than an integral data type. A 'value_string' structure is a way to map values to strings. typedef struct _value_string { guint32 value; gchar *strptr; } value_string; For fields of that type, you would declare an array of "value_string"s: static const value_string valstringname[] = { { INTVAL1, "Descriptive String 1" }, { INTVAL2, "Descriptive String 2" }, { 0, NULL } }; (the last entry in the array must have a NULL 'strptr' value, to indicate the end of the array). The 'strings' field would be set to 'VALS(valstringname)'. If the field has a numeric rather than an enumerated type, the 'strings' field would be set to NULL. -- Extended value strings You can also use an extended version of the value_string for faster lookups. It requires a value_string array as input. If all of a contiguous range of values from min to max are present in the array in ascending order the value will be used as a direct index into a value_string array. If the values in the array are not contiguous (ie: there are "gaps"), but are in ascending order a binary search will be used. Note: "gaps" in a value_string array can be filled with "empty" entries eg: {value, "Unknown"} so that direct access to the array is is possible. Note: the value_string array values are *unsigned*; IOW: -1 is greater than 0. So: { -2, -1, 1, 2 }; wrong: linear search will be used (note gap) { 1, 2, -2, -1 }; correct: binary search will be used As a special case: { -2, -1, 0, 1, 2 }; OK: direct(indexed) access will be used (note no gap) The init macro (see below) will perform a check on the value string the first time it is used to determine which search algorithm fits and fall back to a linear search if the value_string does not meet the criteria above. Use this macro to initialize the extended value_string at compile time: static value_string_ext valstringname_ext = VALUE_STRING_EXT_INIT(valstringname); Extended value strings can be created at run time by calling value_string_ext_new(, , /* include {0, NULL} entry */ ); For hf[] array FT_(U)INT* fields that need a 'valstringname_ext' struct, the 'strings' field would be set to '&valstringname_ext'. Furthermore, the 'display' field must be ORed with 'BASE_EXT_STRING' (e.g. BASE_DEC|BASE_EXT_STRING). -- Ranges If the field has a numeric type that might logically fit in ranges of values one can use a range_string struct. Thus a 'range_string' structure is a way to map ranges to strings. typedef struct _range_string { guint32 value_min; guint32 value_max; const gchar *strptr; } range_string; For fields of that type, you would declare an array of "range_string"s: static const range_string rvalstringname[] = { { INTVAL_MIN1, INTVALMAX1, "Descriptive String 1" }, { INTVAL_MIN2, INTVALMAX2, "Descriptive String 2" }, { 0, 0, NULL } }; If INTVAL_MIN equals INTVAL_MAX for a given entry the range_string behavior collapses to the one of value_string. For FT_(U)INT* fields that need a 'range_string' struct, the 'strings' field would be set to 'RVALS(rvalstringname)'. Furthermore, 'display' field must be ORed with 'BASE_RANGE_STRING' (e.g. BASE_DEC|BASE_RANGE_STRING). -- Booleans FT_BOOLEANs have a default map of 0 = "False", 1 (or anything else) = "True". Sometimes it is useful to change the labels for boolean values (e.g., to "Yes"/"No", "Fast"/"Slow", etc.). For these mappings, a struct called true_false_string is used. typedef struct true_false_string { char *true_string; char *false_string; } true_false_string; For Boolean fields for which "False" and "True" aren't the desired labels, you would declare a "true_false_string"s: static const true_false_string boolstringname = { "String for True", "String for False" }; Its two fields are pointers to the string representing truth, and the string representing falsehood. For FT_BOOLEAN fields that need a 'true_false_string' struct, the 'strings' field would be set to 'TFS(&boolstringname)'. If the Boolean field is to be displayed as "False" or "True", the 'strings' field would be set to NULL. Wireshark predefines a whole range of ready made "true_false_string"s in tfs.h, included via packet.h. bitmask ------- If the field is a bitfield, then the bitmask is the mask which will leave only the bits needed to make the field when ANDed with a value. The proto_tree routines will calculate 'bitshift' automatically from 'bitmask', by finding the rightmost set bit in the bitmask. This shift is applied before applying string mapping functions or filtering. If the field is not a bitfield, then bitmask should be set to 0. blurb ----- This is a string giving a proper description of the field. It should be at least one grammatically complete sentence, or NULL in which case the name field is used. (Please do not use ""). It is meant to provide a more detailed description of the field than the name alone provides. This information will be used in the man page, and in a future GUI display-filter creation tool. We might also add tooltips to the labels in the GUI protocol tree, in which case the blurb would be used as the tooltip text. 1.6.1 Field Registration. Protocol registration is handled by creating an instance of the header_field_info struct (or an array of such structs), and calling the registration function along with the registration ID of the protocol that is the parent of the fields. Here is a complete example: static int proto_eg = -1; static int hf_field_a = -1; static int hf_field_b = -1; static hf_register_info hf[] = { { &hf_field_a, { "Field A", "proto.field_a", FT_UINT8, BASE_HEX, NULL, 0xf0, "Field A represents Apples", HFILL }}, { &hf_field_b, { "Field B", "proto.field_b", FT_UINT16, BASE_DEC, VALS(vs), 0x0, "Field B represents Bananas", HFILL }} }; proto_eg = proto_register_protocol("Example Protocol", "PROTO", "proto"); proto_register_field_array(proto_eg, hf, array_length(hf)); Be sure that your array of hf_register_info structs is declared 'static', since the proto_register_field_array() function does not create a copy of the information in the array... it uses that static copy of the information that the compiler created inside your array. Here's the layout of the hf_register_info struct: typedef struct hf_register_info { int *p_id; /* pointer to parent variable */ header_field_info hfinfo; } hf_register_info; Also be sure to use the handy array_length() macro found in packet.h to have the compiler compute the array length for you at compile time. If you don't have any fields to register, do *NOT* create a zero-length "hf" array; not all compilers used to compile Wireshark support them. Just omit the "hf" array, and the "proto_register_field_array()" call, entirely. It is OK to have header fields with a different format be registered with the same abbreviation. For instance, the following is valid: static hf_register_info hf[] = { { &hf_field_8bit, /* 8-bit version of proto.field */ { "Field (8 bit)", "proto.field", FT_UINT8, BASE_DEC, NULL, 0x00, "Field represents FOO", HFILL }}, { &hf_field_32bit, /* 32-bit version of proto.field */ { "Field (32 bit)", "proto.field", FT_UINT32, BASE_DEC, NULL, 0x00, "Field represents FOO", HFILL }} }; This way a filter expression can match a header field, irrespective of the representation of it in the specific protocol context. This is interesting for protocols with variable-width header fields. The HFILL macro at the end of the struct will set reasonable default values for internally used fields. 1.6.2 Adding Items and Values to the Protocol Tree. A protocol item is added to an existing protocol tree with one of a handful of proto_XXX_DO_YYY() functions. Subtrees can be made with the proto_item_add_subtree() function: item = proto_tree_add_item(....); new_tree = proto_item_add_subtree(item, tree_type); This will add a subtree under the item in question; a subtree can be created under an item made by any of the "proto_tree_add_XXX" functions, so that the tree can be given an arbitrary depth. Subtree types are integers, assigned by "proto_register_subtree_array()". To register subtree types, pass an array of pointers to "gint" variables to hold the subtree type values to "proto_register_subtree_array()": static gint ett_eg = -1; static gint ett_field_a = -1; static gint *ett[] = { &ett_eg, &ett_field_a }; proto_register_subtree_array(ett, array_length(ett)); in your "register" routine, just as you register the protocol and the fields for that protocol. The ett_ variables identify particular type of subtree so that if you expand one of them, Wireshark keeps track of that and, when you click on another packet, it automatically opens all subtrees of that type. If you close one of them, all subtrees of that type will be closed when you move to another packet. There are several functions that the programmer can use to add either protocol or field labels to the proto_tree: proto_item* proto_tree_add_item(tree, id, tvb, start, length, encoding); proto_item* proto_tree_add_text(tree, tvb, start, length, format, ...); proto_item* proto_tree_add_text_valist(tree, tvb, start, length, format, ap); proto_item* proto_tree_add_none_format(tree, id, tvb, start, length, format, ...); proto_item* proto_tree_add_protocol_format(tree, id, tvb, start, length, format, ...); proto_item * proto_tree_add_bytes(tree, id, tvb, start, length, start_ptr); proto_item * proto_tree_add_bytes_format(tree, id, tvb, start, length, start_ptr, format, ...); proto_item * proto_tree_add_bytes_format_value(tree, id, tvb, start, length, start_ptr, format, ...); proto_item * proto_tree_add_time(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_time_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_time_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_ipxnet(tree, id, tvb, start, length, value); proto_item * proto_tree_add_ipxnet_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_ipxnet_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_ipv4(tree, id, tvb, start, length, value); proto_item * proto_tree_add_ipv4_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_ipv4_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_ipv6(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_ipv6_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_ipv6_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_ax25(tree, id, tvb, start, length, value); proto_item * proto_tree_add_ether(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_ether_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_ether_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_guid(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_guid_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_guid_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_oid(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_oid_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_oid_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_string(tree, id, tvb, start, length, value_ptr); proto_item * proto_tree_add_string_format(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_string_format_value(tree, id, tvb, start, length, value_ptr, format, ...); proto_item * proto_tree_add_unicode_string(tree, id, tvb, start, length, value); proto_item * proto_tree_add_boolean(tree, id, tvb, start, length, value); proto_item * proto_tree_add_boolean_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_boolean_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_float(tree, id, tvb, start, length, value); proto_item * proto_tree_add_float_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_float_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_double(tree, id, tvb, start, length, value); proto_item * proto_tree_add_double_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_double_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_uint(tree, id, tvb, start, length, value); proto_item * proto_tree_add_uint_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_uint_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_uint64(tree, id, tvb, start, length, value); proto_item * proto_tree_add_uint64_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_uint64_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_int(tree, id, tvb, start, length, value); proto_item * proto_tree_add_int_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_int_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_int64(tree, id, tvb, start, length, value); proto_item * proto_tree_add_int64_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_int64_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_eui64(tree, id, tvb, start, length, value); proto_item * proto_tree_add_eui64_format(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_eui64_format_value(tree, id, tvb, start, length, value, format, ...); proto_item * proto_tree_add_bitmask(tree, tvb, start, header, ett, fields, encoding); proto_item * proto_tree_add_bitmask_len(tree, tvb, start, len, header, ett, fields, encoding); proto_item * proto_tree_add_bitmask_text(tree, tvb, offset, len, name, fallback, ett, fields, encoding, flags); proto_item* proto_tree_add_bits_item(tree, id, tvb, bit_offset, no_of_bits, encoding); proto_item * proto_tree_add_split_bits_item_ret_val(tree, hf_index, tvb, bit_offset, crumb_spec, return_value); void proto_tree_add_split_bits_crumb(tree, hf_index, tvb, bit_offset, crumb_spec, crumb_index); proto_item * proto_tree_add_bits_ret_val(tree, id, tvb, bit_offset, no_of_bits, return_value, encoding); proto_item * proto_tree_add_uint_bits_format_value(tree, id, tvb, bit_offset, no_of_bits, value, format, ...); proto_item * proto_tree_add_boolean_bits_format_value(tree, id, tvb, bit_offset, no_of_bits, value, format, ...); proto_item * proto_tree_add_int_bits_format_value(tree, id, tvb, bit_offset, no_of_bits, value, format, ...); proto_item * proto_tree_add_float_bits_format_value(tree, id, tvb, bit_offset, no_of_bits, value, format, ...); The 'tree' argument is the tree to which the item is to be added. The 'tvb' argument is the tvbuff from which the item's value is being extracted; the 'start' argument is the offset from the beginning of that tvbuff of the item being added, and the 'length' argument is the length, in bytes, of the item, bit_offset is the offset in bits and no_of_bits is the length in bits. The length of some items cannot be determined until the item has been dissected; to add such an item, add it with a length of -1, and, when the dissection is complete, set the length with 'proto_item_set_len()': void proto_item_set_len(ti, length); The "ti" argument is the value returned by the call that added the item to the tree, and the "length" argument is the length of the item. proto_tree_add_item() --------------------- proto_tree_add_item is used when you wish to do no special formatting. The item added to the GUI tree will contain the name (as passed in the proto_register_*() function) and a value. The value will be fetched from the tvbuff by proto_tree_add_item(), based on the type of the field and the encoding of the value as specified by the "encoding" argument. For FT_NONE, FT_BYTES, FT_ETHER, FT_IPv6, FT_IPXNET, FT_OID fields, and 'protocol' fields the encoding is not relevant; the 'encoding' argument should be ENC_NA (Not Applicable). For integral, floating-point, Boolean, FT_GUID, and FT_EUI64 fields, the encoding specifies the byte order of the value; the 'encoding' argument should be is ENC_LITTLE_ENDIAN if the value is little-endian and ENC_BIG_ENDIAN if it is big-endian. For FT_IPv4 fields, the encoding also specifies the byte order of the value. In almost all cases, the encoding is in network byte order, hence big-endian, but in at least one protocol dissected by Wireshark, at least one IPv4 address is byte-swapped, so it's in little-endian order. For string fields, the encoding specifies the character set used for the string and the way individual code points in that character set are encoded. For FT_UINT_STRING fields, the byte order of the count must be specified; for UCS-2 and UTF-16, the byte order of the encoding must be specified (for counted UCS-2 and UTF-16 strings, the byte order of the count and the 16-bit values in the string must be the same). In other cases, ENC_NA should be used. The character encodings that are currently supported are: ENC_ASCII - ASCII (currently treated as UTF-8; in the future, all bytes with the 8th bit set will be treated as errors) ENC_UTF_8 - UTF-8 ENC_UCS_2 - UCS-2 ENC_UTF_16 - UTF-16 (currently treated as UCS-2; in the future, surrogate pairs will be handled, and non-valid 16-bit code points and surrogate pairs will be treated as errors) ENC_EBCDIC - EBCDIC Other encodings will be added in the future. For FT_ABSOLUTE_TIME fields, the encoding specifies the form in which the time stamp is specified, as well as its byte order. The time stamp encodings that are currently supported are: ENC_TIME_TIMESPEC - seconds (4 bytes) and nanoseconds (4 bytes) of time since January 1, 1970, midnight UTC. ENC_TIME_NTP - an NTP timestamp, represented as a 64-bit unsigned fixed-point number, in seconds relative to 0h on 1 January 1900. The integer part is in the first 32 bits and the fraction part in the last 32 bits. For other types, there is no support for proto_tree_add_item(). Now that definitions of fields have detailed information about bitfield fields, you can use proto_tree_add_item() with no extra processing to add bitfield values to your tree. Here's an example. Take the Format Identifier (FID) field in the Transmission Header (TH) portion of the SNA protocol. The FID is the high nibble of the first byte of the TH. The FID would be registered like this: name = "Format Identifier" abbrev = "sna.th.fid" type = FT_UINT8 display = BASE_HEX strings = sna_th_fid_vals bitmask = 0xf0 The bitmask contains the value which would leave only the FID if bitwise-ANDed against the parent field, the first byte of the TH. The code to add the FID to the tree would be; proto_tree_add_item(bf_tree, hf_sna_th_fid, tvb, offset, 1, ENC_BIG_ENDIAN); The definition of the field already has the information about bitmasking and bitshifting, so it does the work of masking and shifting for us! This also means that you no longer have to create value_string structs with the values bitshifted. The value_string for FID looks like this, even though the FID value is actually contained in the high nibble. (You'd expect the values to be 0x0, 0x10, 0x20, etc.) /* Format Identifier */ static const value_string sna_th_fid_vals[] = { { 0x0, "SNA device <--> Non-SNA Device" }, { 0x1, "Subarea Node <--> Subarea Node" }, { 0x2, "Subarea Node <--> PU2" }, { 0x3, "Subarea Node or SNA host <--> Subarea Node" }, { 0x4, "?" }, { 0x5, "?" }, { 0xf, "Adjacent Subarea Nodes" }, { 0, NULL } }; The final implication of this is that display filters work the way you'd naturally expect them to. You'd type "sna.th.fid == 0xf" to find Adjacent Subarea Nodes. The user does not have to shift the value of the FID to the high nibble of the byte ("sna.th.fid == 0xf0") as was necessary in the past. proto_tree_add_protocol_format() -------------------------------- proto_tree_add_protocol_format is used to add the top-level item for the protocol when the dissector routine wants complete control over how the field and value will be represented on the GUI tree. The ID value for the protocol is passed in as the "id" argument; the rest of the arguments are a "printf"-style format and any arguments for that format. The caller must include the name of the protocol in the format; it is not added automatically as in proto_tree_add_item(). proto_tree_add_none_format() ---------------------------- proto_tree_add_none_format is used to add an item of type FT_NONE. The caller must include the name of the field in the format; it is not added automatically as in proto_tree_add_item(). proto_tree_add_bytes() proto_tree_add_time() proto_tree_add_ipxnet() proto_tree_add_ipv4() proto_tree_add_ipv6() proto_tree_add_ether() proto_tree_add_string() proto_tree_add_boolean() proto_tree_add_float() proto_tree_add_double() proto_tree_add_uint() proto_tree_add_uint64() proto_tree_add_int() proto_tree_add_int64() proto_tree_add_guid() proto_tree_add_oid() proto_tree_add_eui64() ------------------------ These routines are used to add items to the protocol tree if either: the value of the item to be added isn't just extracted from the packet data, but is computed from data in the packet; the value was fetched into a variable. The 'value' argument has the value to be added to the tree. NOTE: in all cases where the 'value' argument is a pointer, a copy is made of the object pointed to; if you have dynamically allocated a buffer for the object, that buffer will not be freed when the protocol tree is freed - you must free the buffer yourself when you don't need it any more. For proto_tree_add_bytes(), the 'value_ptr' argument is a pointer to a sequence of bytes. For proto_tree_add_bytes_format() and proto_tree_add_bytes_format_value(), the 'value_ptr' argument is a pointer to a sequence of bytes or NULL if the bytes should be taken from the given TVB using the given offset and length. For proto_tree_add_time(), the 'value_ptr' argument is a pointer to an "nstime_t", which is a structure containing the time to be added; it has 'secs' and 'nsecs' members, giving the integral part and the fractional part of a time in units of seconds, with 'nsecs' being the number of nanoseconds. For absolute times, "secs" is a UNIX-style seconds since January 1, 1970, 00:00:00 GMT value. For proto_tree_add_ipxnet(), the 'value' argument is a 32-bit IPX network address. For proto_tree_add_ipv4(), the 'value' argument is a 32-bit IPv4 address, in network byte order. For proto_tree_add_ipv6(), the 'value_ptr' argument is a pointer to a 128-bit IPv6 address. For proto_tree_add_ether(), the 'value_ptr' argument is a pointer to a 48-bit MAC address. For proto_tree_add_string(), the 'value_ptr' argument is a pointer to a text string. For proto_tree_add_boolean(), the 'value' argument is a 32-bit integer. It is masked and shifted as defined by the field info after which zero means "false", and non-zero means "true". For proto_tree_add_float(), the 'value' argument is a 'float' in the host's floating-point format. For proto_tree_add_double(), the 'value' argument is a 'double' in the host's floating-point format. For proto_tree_add_uint(), the 'value' argument is a 32-bit unsigned integer value, in host byte order. (This routine cannot be used to add 64-bit integers.) For proto_tree_add_uint64(), the 'value' argument is a 64-bit unsigned integer value, in host byte order. For proto_tree_add_int(), the 'value' argument is a 32-bit signed integer value, in host byte order. (This routine cannot be used to add 64-bit integers.) For proto_tree_add_int64(), the 'value' argument is a 64-bit signed integer value, in host byte order. For proto_tree_add_guid(), the 'value_ptr' argument is a pointer to an e_guid_t structure. For proto_tree_add_oid(), the 'value_ptr' argument is a pointer to an ASN.1 Object Identifier. For proto_tree_add_eui64(), the 'value' argument is a 64-bit integer value proto_tree_add_bytes_format() proto_tree_add_time_format() proto_tree_add_ipxnet_format() proto_tree_add_ipv4_format() proto_tree_add_ipv6_format() proto_tree_add_ether_format() proto_tree_add_string_format() proto_tree_add_boolean_format() proto_tree_add_float_format() proto_tree_add_double_format() proto_tree_add_uint_format() proto_tree_add_uint64_format() proto_tree_add_int_format() proto_tree_add_int64_format() proto_tree_add_guid_format() proto_tree_add_oid_format() proto_tree_add_eui64_format() ---------------------------- These routines are used to add items to the protocol tree when the dissector routine wants complete control over how the field and value will be represented on the GUI tree. The argument giving the value is the same as the corresponding proto_tree_add_XXX() function; the rest of the arguments are a "printf"-style format and any arguments for that format. The caller must include the name of the field in the format; it is not added automatically as in the proto_tree_add_XXX() functions. proto_tree_add_bytes_format_value() proto_tree_add_time_format_value() proto_tree_add_ipxnet_format_value() proto_tree_add_ipv4_format_value() proto_tree_add_ipv6_format_value() proto_tree_add_ether_format_value() proto_tree_add_string_format_value() proto_tree_add_boolean_format_value() proto_tree_add_float_format_value() proto_tree_add_double_format_value() proto_tree_add_uint_format_value() proto_tree_add_uint64_format_value() proto_tree_add_int_format_value() proto_tree_add_int64_format_value() proto_tree_add_guid_format_value() proto_tree_add_oid_format_value() proto_tree_add_eui64_format_value() ------------------------------------ These routines are used to add items to the protocol tree when the dissector routine wants complete control over how the value will be represented on the GUI tree. The argument giving the value is the same as the corresponding proto_tree_add_XXX() function; the rest of the arguments are a "printf"-style format and any arguments for that format. With these routines, unlike the proto_tree_add_XXX_format() routines, the name of the field is added automatically as in the proto_tree_add_XXX() functions; only the value is added with the format. proto_tree_add_text() --------------------- proto_tree_add_text() is used to add a label to the GUI tree. It will contain no value, so it is not searchable in the display filter process. This function was needed in the transition from the old-style proto_tree to this new-style proto_tree so that Wireshark would still decode all protocols w/o being able to filter on all protocols and fields. Otherwise we would have had to cripple Wireshark's functionality while we converted all the old-style proto_tree calls to the new-style proto_tree calls. In other words, you should not use this in new code unless you've got a specific reason (see below). This can (and should only) be used for items with subtrees, which may not have values themselves - the items in the subtree are the ones with values. In other words, if you're using proto_tree_add_text() and not using the return value to build a new tree, you probably shouldn't be using this function: you probably should be using proto_tree_add_item() instead. For a subtree, the label on the subtree might reflect some of the items in the subtree. This means the label can't be set until at least some of the items in the subtree have been dissected. To do this, use 'proto_item_set_text()' or 'proto_item_append_text()': void proto_item_set_text(proto_item *ti, ...); void proto_item_append_text(proto_item *ti, ...); 'proto_item_set_text()' takes as an argument the value returned by 'proto_tree_add_text()', a 'printf'-style format string, and a set of arguments corresponding to '%' format items in that string, and replaces the text for the item created by 'proto_tree_add_text()' with the result of applying the arguments to the format string. 'proto_item_append_text()' is similar, but it appends to the text for the item the result of applying the arguments to the format string. For example, early in the dissection, one might do: ti = proto_tree_add_text(tree, tvb, offset, length,