2 * Collecting Expert information.
4 * Implemented as a tap named "expert".
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 #include <wsutil/ws_printf.h>
36 #include "wmem/wmem.h"
39 /* proto_expert cannot be static because it's referenced in the
42 int proto_expert = -1;
44 static int proto_malformed = -1;
46 static int expert_tap = -1;
47 static int highest_severity = 0;
49 static int ett_expert = -1;
50 static int ett_subexpert = -1;
52 static int hf_expert_msg = -1;
53 static int hf_expert_group = -1;
54 static int hf_expert_severity = -1;
58 const char *proto_name;
59 int proto_id; /* Cache this for registering hfs */
62 /* List which stores protocols and expert_info that have been registered */
63 typedef struct _gpa_expertinfo_t {
65 guint32 allocated_len;
66 expert_field_info **ei;
68 static gpa_expertinfo_t gpa_expertinfo;
70 /* Hash table of abbreviations and IDs */
71 static GHashTable *gpa_name_map = NULL;
73 /* Deregistered expert infos */
74 static GPtrArray *deregistered_expertinfos = NULL;
76 const value_string expert_group_vals[] = {
77 { PI_CHECKSUM, "Checksum" },
78 { PI_SEQUENCE, "Sequence" },
79 { PI_RESPONSE_CODE, "Response" },
80 { PI_REQUEST_CODE, "Request" },
81 { PI_UNDECODED, "Undecoded" },
82 { PI_REASSEMBLE, "Reassemble" },
83 { PI_MALFORMED, "Malformed" },
84 { PI_DEBUG, "Debug" },
85 { PI_PROTOCOL, "Protocol" },
86 { PI_SECURITY, "Security" },
87 { PI_COMMENTS_GROUP, "Comment" },
88 { PI_DECRYPTION, "Decryption" },
89 { PI_ASSUMPTION, "Assumption" },
90 { PI_DEPRECATED, "Deprecated" },
94 const value_string expert_severity_vals[] = {
95 { PI_ERROR, "Error" },
96 { PI_WARN, "Warning" },
99 { PI_COMMENT, "Comment" },
104 /* Possible values for a checksum evaluation */
105 const value_string expert_checksum_vals[] = {
106 { EXPERT_CHECKSUM_DISABLED, "Disabled" },
107 { EXPERT_CHECKSUM_UNKNOWN, "Unknown" },
108 { EXPERT_CHECKSUM_GOOD, "Good" },
109 { EXPERT_CHECKSUM_BAD, "Bad" },
113 static expert_field_info *expert_registrar_get_byname(const char *field_name);
115 /*----------------------------------------------------------------------------*/
116 /* UAT for customizing severity levels. */
117 /*----------------------------------------------------------------------------*/
122 } expert_level_entry_t;
124 static expert_level_entry_t *uat_expert_entries = NULL;
125 static guint expert_level_entry_count = 0;
126 /* Array of field names currently in UAT */
127 static GArray *uat_saved_fields = NULL;
129 UAT_CSTRING_CB_DEF(uat_expert_entries, field, expert_level_entry_t)
130 UAT_VS_DEF(uat_expert_entries, severity, expert_level_entry_t, guint32, PI_ERROR, "Error")
/**
 * UAT update callback: validate one severity-override record.
 *
 * @param r   the record being edited (an expert_level_entry_t)
 * @param err receives a newly allocated error message when validation fails
 * @return TRUE when the record names a registered expert info field,
 *         FALSE (with *err set) otherwise
 */
static gboolean uat_expert_update_cb(void *r, char **err)
{
	const expert_level_entry_t *entry = (const expert_level_entry_t *)r;

	/* The field name comes from the user's preference table; only names
	 * that resolve to a registered expert info may carry an override. */
	if (expert_registrar_get_byname(entry->field) != NULL) {
		return TRUE;
	}

	*err = g_strdup("Expert Info field doesn't exist");
	return FALSE;
}
/**
 * UAT copy callback: deep-copy one severity-override record.
 *
 * @param n   destination record
 * @param o   source record
 * @param siz record size (unused)
 * @return the destination record
 */
static void *uat_expert_copy_cb(void *n, const void *o, size_t siz _U_)
{
	const expert_level_entry_t *src = (const expert_level_entry_t *)o;
	expert_level_entry_t       *dst = (expert_level_entry_t *)n;

	dst->severity = src->severity;
	/* Duplicate the string so that each record owns its own field name. */
	dst->field    = g_strdup(src->field);

	return dst;
}
/**
 * UAT free callback: release the storage owned by one record.
 *
 * @param r the record being destroyed (an expert_level_entry_t)
 */
static void uat_expert_free_cb(void*r)
{
	expert_level_entry_t *entry = (expert_level_entry_t *)r;

	/* Pairs with the g_strdup() in uat_expert_copy_cb(); g_free(NULL) is a no-op. */
	g_free(entry->field);
}
/**
 * UAT post-update callback: re-apply the user's severity overrides.
 *
 * First restores every field touched by the previous table to its
 * registered severity, then applies the current table and remembers which
 * fields were changed so the next update can undo them.
 */
static void uat_expert_post_update_cb(void)
{
	guint              idx;
	expert_field_info *ei;

	/* Reset any of the previous list of expert info fields to their original severity */
	for (idx = 0; idx < uat_saved_fields->len; idx++) {
		ei = g_array_index(uat_saved_fields, expert_field_info*, idx);
		if (ei != NULL) {
			ei->severity = ei->orig_severity;
		}
	}

	g_array_set_size(uat_saved_fields, 0);

	for (idx = 0; idx < expert_level_entry_count; idx++) {
		ei = expert_registrar_get_byname(uat_expert_entries[idx].field);
		if (ei == NULL) {
			/* Name no longer resolves to a registered field: nothing to override. */
			continue;
		}
		ei->severity = uat_expert_entries[idx].severity;
		g_array_append_val(uat_saved_fields, ei);
	}
}
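/*
 * Look up the expert_field_info registered under index 'eiindex' and store
 * it in 'expinfo'.
 *
 * The index is compared as unsigned, so a negative value (such as the -1 of
 * a field that was never registered) fails the range check as well, and the
 * slot is checked for NULL (an invalidated id) before it is read.  When the
 * WIRESHARK_ABORT_ON_DISSECTOR_BUG environment variable is set, an
 * out-of-range index is reported through g_error() instead.
 *
 * The body is wrapped in do { } while (0) and the arguments are
 * parenthesized so that the macro expands to exactly one statement; the
 * bare statement sequence it replaces would run only its first "if" under
 * an unbraced if/else, skipping the bounds checks before the array read.
 * 'eiindex' is evaluated more than once: pass an expression without side
 * effects.
 */
#define EXPERT_REGISTRAR_GET_NTH(eiindex, expinfo) \
	do { \
		if ((guint)(eiindex) >= gpa_expertinfo.len && getenv("WIRESHARK_ABORT_ON_DISSECTOR_BUG")) \
			g_error("Unregistered expert info! index=%d", (eiindex)); \
		DISSECTOR_ASSERT_HINT((guint)(eiindex) < gpa_expertinfo.len, "Unregistered expert info!"); \
		DISSECTOR_ASSERT_HINT(gpa_expertinfo.ei[(eiindex)] != NULL, "Unregistered expert info!"); \
		(expinfo) = gpa_expertinfo.ei[(eiindex)]; \
	} while (0)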
196 expert_packet_init(void)
198 module_t *module_expert;
201 static hf_register_info hf[] = {
203 { "Message", "_ws.expert.message", FT_STRING, BASE_NONE, NULL, 0, "Wireshark expert information", HFILL }
206 { "Group", "_ws.expert.group", FT_UINT32, BASE_NONE, VALS(expert_group_vals), 0, "Wireshark expert group", HFILL }
208 { &hf_expert_severity,
209 { "Severity level", "_ws.expert.severity", FT_UINT32, BASE_NONE, VALS(expert_severity_vals), 0, "Wireshark expert severity level", HFILL }
212 static gint *ett[] = {
217 /* UAT for overriding severity levels */
218 static uat_field_t custom_expert_fields[] = {
219 UAT_FLD_CSTRING(uat_expert_entries, field, "Field name", "Expert Info filter name"),
220 UAT_FLD_VS(uat_expert_entries, severity, "Severity", expert_severity_vals, "Custom severity level"),
224 if (expert_tap == -1) {
225 expert_tap = register_tap("expert");
228 if (proto_expert == -1) {
229 proto_expert = proto_register_protocol("Expert Info", "Expert", "_ws.expert");
230 proto_register_field_array(proto_expert, hf, array_length(hf));
231 proto_register_subtree_array(ett, array_length(ett));
232 proto_set_cant_toggle(proto_expert);
234 module_expert = prefs_register_protocol(proto_expert, NULL);
236 expert_uat = uat_new("Expert Info Severity Level Configuration",
237 sizeof(expert_level_entry_t),
240 (void **)&uat_expert_entries,
241 &expert_level_entry_count,
242 UAT_AFFECTS_DISSECTION,
245 uat_expert_update_cb,
247 uat_expert_post_update_cb,
249 custom_expert_fields);
251 prefs_register_uat_preference(module_expert,
252 "expert_severity_levels",
253 "Severity Level Configuration",
254 "A table that overrides Expert Info field severity levels to user configured levels",
259 highest_severity = 0;
261 proto_malformed = proto_get_id_by_filter_name("_ws.malformed");
267 gpa_expertinfo.len = 0;
268 gpa_expertinfo.allocated_len = 0;
269 gpa_expertinfo.ei = NULL;
270 gpa_name_map = g_hash_table_new_full(g_str_hash, g_str_equal, NULL, NULL);
271 uat_saved_fields = g_array_new(FALSE, FALSE, sizeof(expert_field_info*));
272 deregistered_expertinfos = g_ptr_array_new();
276 expert_packet_cleanup(void)
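/* Release the expert info index table and leave it in its empty state. */
if (gpa_expertinfo.allocated_len) {
	gpa_expertinfo.len           = 0;
	gpa_expertinfo.allocated_len = 0;
	g_free(gpa_expertinfo.ei);
	gpa_expertinfo.ei            = NULL;
}

/* Free the abbrev/ID hash table.  The pointer is reset so that a later
 * lookup or a second cleanup cannot touch the destroyed table. */
if (gpa_name_map) {
	g_hash_table_destroy(gpa_name_map);
	gpa_name_map = NULL;
}

/* Free the UAT saved fields */
if (uat_saved_fields) {
	g_array_free(uat_saved_fields, TRUE);
	uat_saved_fields = NULL;
}

/* Free the array together with its element segment.  With FALSE,
 * g_ptr_array_free() hands the segment back to the caller, and discarding
 * that return value leaks it.  The array was created without an element
 * free function, so the expert_field_info entries themselves are not
 * touched here. */
if (deregistered_expertinfos) {
	g_ptr_array_free(deregistered_expertinfos, TRUE);
	deregistered_expertinfos = NULL;
}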
/**
 * Report the highest expert severity recorded so far.
 *
 * @return the current value of highest_severity; 0 after a reset
 */
int
expert_get_highest_severity(void)
{
	const int current = highest_severity;

	return current;
}
/**
 * Drop the recorded highest severity back to 0 once no comments remain.
 *
 * Only acts when the comment count is zero and the highest severity seen
 * so far is exactly PI_COMMENT; any other severity is left untouched.
 *
 * @param count number of comments currently present
 */
void
expert_update_comment_count(guint64 count)
{
	if (count != 0) {
		return;
	}

	if (highest_severity == PI_COMMENT) {
		highest_severity = 0;
	}
}
/**
 * Create the expert module handle for a protocol.
 *
 * The handle is allocated in the epan wmem scope and caches the protocol id
 * and short name for later expert info field registration.
 *
 * @param id protocol id
 * @return the new module handle
 */
expert_module_t *expert_register_protocol(int id)
{
	protocol_t      *proto = find_protocol_by_id(id);
	expert_module_t *mod   = wmem_new(wmem_epan_scope(), expert_module_t);

	mod->proto_name = proto_get_protocol_short_name(proto);
	mod->proto_id   = id;

	return mod;
}
/**
 * Queue an expert info field for deregistration.
 *
 * The field is removed from the name map at once, so it can no longer be
 * found by name, and is added to the deregistered list.  Its slot in the
 * index table is cleared later, by free_deregistered_expertinfo().
 *
 * @param abbrev filter name of the field; unknown names are ignored
 */
void
expert_deregister_expertinfo (const char *abbrev)
{
	expert_field_info *found = (expert_field_info*)g_hash_table_lookup(gpa_name_map, abbrev);

	if (found == NULL) {
		return;
	}

	g_ptr_array_add(deregistered_expertinfos, gpa_expertinfo.ei[found->id]);
	g_hash_table_steal(gpa_name_map, abbrev);
}
/**
 * Release a module handle obtained from expert_register_protocol().
 *
 * @param module handle to free; it must not be used afterwards
 */
void
expert_deregister_protocol (expert_module_t *module)
{
	wmem_allocator_t *scope = wmem_epan_scope();

	wmem_free(scope, module);
}
/**
 * Per-element callback: invalidate the index slot of one deregistered field.
 *
 * Once the slot is NULL, EXPERT_REGISTRAR_GET_NTH fails its assertion on
 * that id rather than handing out a stale pointer.
 *
 * @param data      the deregistered expert_field_info
 * @param user_data unused
 */
static void
free_deregistered_expertinfo (gpointer data, gpointer user_data _U_)
{
	const expert_field_info *stale = (const expert_field_info *) data;

	gpa_expertinfo.ei[stale->id] = NULL; /* Invalidate this id */
}
/**
 * Invalidate every queued deregistered field and start a fresh queue.
 */
void
expert_free_deregistered_expertinfos (void)
{
	GPtrArray *pending = deregistered_expertinfos;
	guint      i;

	for (i = 0; i < pending->len; i++) {
		free_deregistered_expertinfo(g_ptr_array_index(pending, i), NULL);
	}

	/* TRUE also releases the element segment of the old array. */
	g_ptr_array_free(pending, TRUE);
	deregistered_expertinfos = g_ptr_array_new();
}
/**
 * Add one expert info field to the global index table and the name map.
 *
 * The table stores the pointer it is given and does not copy the struct,
 * so 'expinfo' has to stay valid for as long as it is registered.
 *
 * @param expinfo field to register; its protocol, id and orig_severity
 *                members are filled in here
 * @param module  module handle of the owning protocol
 * @return the id assigned to the field (its index in the table)
 */
static int
expert_register_field_init(expert_field_info *expinfo, expert_module_t *module)
{
	guint32 slot;

	expinfo->protocol = module->proto_name;

	/* if we always add and never delete, then id == len - 1 is correct */
	if (gpa_expertinfo.len >= gpa_expertinfo.allocated_len) {
		if (gpa_expertinfo.ei == NULL) {
			/* First registration: allocate the initial table. */
			gpa_expertinfo.allocated_len = PRE_ALLOC_EXPERT_FIELDS_MEM;
			gpa_expertinfo.ei = (expert_field_info **)g_malloc(sizeof(expert_field_info *)*PRE_ALLOC_EXPERT_FIELDS_MEM);
		} else {
			/* Table is full: grow it by a fixed step. */
			gpa_expertinfo.allocated_len += 1000;
			gpa_expertinfo.ei = (expert_field_info **)g_realloc(gpa_expertinfo.ei,
						   sizeof(expert_field_info *)*gpa_expertinfo.allocated_len);
		}
	}

	slot = gpa_expertinfo.len;
	gpa_expertinfo.ei[slot] = expinfo;
	gpa_expertinfo.len = slot + 1;
	expinfo->id = slot;

	/* Save the original severity so it can be restored by the UAT */
	expinfo->orig_severity = expinfo->severity;

	/* save field name for lookup */
	g_hash_table_insert(gpa_name_map, (gpointer) (expinfo->name), expinfo);

	return expinfo->id;
}
/**
 * Register an array of expert info fields for a protocol.
 *
 * For use with static arrays only: the expert_field_info structs contained
 * in the ei_register_info entries are referenced, not copied.
 *
 * Registration stops at the first entry that looks already registered; a
 * message is written to stderr and the remaining entries are skipped.
 *
 * @param module      module handle of the owning protocol
 * @param exp         array of fields to register
 * @param num_records number of entries in 'exp'
 */
void
expert_register_field_array(expert_module_t *module, ei_register_info *exp, const int num_records)
{
	int idx;

	for (idx = 0; idx < num_records; idx++) {
		ei_register_info *rec = &exp[idx];
		const int         current_id = rec->ids->ei;

		/*
		 * Make sure we haven't registered this yet.
		 * Most fields have variables associated with them
		 * that are initialized to -1; some have array elements,
		 * or possibly uninitialized variables, so we also allow
		 * 0 (which is unlikely to be the field ID we get back
		 * from "expert_register_field_init()").
		 */
		if (!(current_id == -1 || current_id == 0)) {
			fprintf(stderr,
				"Duplicate field detected in call to expert_register_field_array: '%s' is already registered, name=%s\n",
				rec->eiinfo.summary, rec->eiinfo.name);
			return;
		}

		/* Register the field with the experts */
		rec->ids->ei = expert_register_field_init(&rec->eiinfo, module);

		/* Register with the header field info, so it's display filterable */
		rec->eiinfo.hf_info.p_id = &rec->ids->hf;
		rec->eiinfo.hf_info.hfinfo.name = rec->eiinfo.summary;
		rec->eiinfo.hf_info.hfinfo.abbrev = rec->eiinfo.name;

		proto_register_field_array(module->proto_id, &rec->eiinfo.hf_info, 1);
	}
}
/**
 * Find a registered expert info field by its filter name.
 *
 * For the moment this function is only used internally, but it may find a
 * reason to be exported.
 *
 * @param field_name filter name to look up; may be NULL
 * @return the matching field, or NULL when the name is NULL or unknown
 */
static expert_field_info *
expert_registrar_get_byname(const char *field_name)
{
	if (field_name == NULL) {
		return NULL;
	}

	return (expert_field_info*)g_hash_table_lookup(gpa_name_map, field_name);
}
/**
 * Get the summary text of an expert info field.
 *
 * Intended for use with expert_add_info_format() or
 * proto_tree_add_expert_format(), to obtain the "base" string to which
 * additional information is then appended.
 *
 * @param eiindex registered expert field; an unregistered index fails the
 *                assertions in EXPERT_REGISTRAR_GET_NTH
 * @return the summary string stored in the field's registration record
 */
const gchar* expert_get_summary(expert_field *eiindex)
{
	expert_field_info *info;

	/* Range-checked lookup of the registration record */
	EXPERT_REGISTRAR_GET_NTH(eiindex->ei, info);

	return info->summary;
}
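/**
 * Clear the bits selected by 'mask' in fi->flags, then OR in 'flags_in'.
 *
 * Every use of 'fi' is parenthesized, so an argument that is a full
 * expression (for example a dereference or a conditional) binds correctly
 * to "->".  The body is wrapped in do { } while (0) so the macro is a single
 * statement and stays correct under an unbraced if/else.
 * 'flags_in' is not masked here: callers pass a value that lies within
 * 'mask'.
 */
#define FI_REPLACE_FLAGS(fi, mask, flags_in) \
	do { \
		(fi)->flags = (fi)->flags & ~(mask); \
		(fi)->flags = (fi)->flags | (flags_in); \
	} while (0)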
/**
 * Set the PI_ group and severity flags on a protocol item and on its parent
 * items, up to the top level.
 *
 * Walking up stops at the first item that is NULL, has no field info, or
 * already carries a higher severity than the one being set.
 *
 * @param pi       item to start from; may be NULL
 * @param group    PI_ group flag value
 * @param severity PI_ severity flag value
 */
static void
expert_set_item_flags(proto_item *pi, const int group, const guint severity)
{
	while (pi != NULL && PITEM_FINFO(pi) != NULL &&
	       severity >= FI_GET_FLAG(PITEM_FINFO(pi), PI_SEVERITY_MASK)) {
		FI_REPLACE_FLAGS(PITEM_FINFO(pi), PI_GROUP_MASK, group);
		FI_REPLACE_FLAGS(PITEM_FINFO(pi), PI_SEVERITY_MASK, severity);

		/* propagate till toplevel item */
		pi = proto_item_get_parent(pi);
	}
}
/**
 * Create the generated "Expert Info (severity/group): msg" subtree under an
 * item.
 *
 * 'msg' is inserted through a "%s" conversion, so it is displayed verbatim
 * and never interpreted as a format string.
 *
 * @param pi       item the expert info is attached to
 * @param group    PI_ group value
 * @param severity PI_ severity value
 * @param msg      already formatted message text
 * @return the subtree to which the detail items are added
 */
static proto_tree*
expert_create_tree(proto_item *pi, int group, int severity, const char *msg)
{
	proto_tree  *parent;
	proto_item  *header;
	const gchar *severity_text;
	const gchar *group_text;

	parent = proto_item_add_subtree(pi, ett_expert);

	severity_text = val_to_str(severity, expert_severity_vals, "Unknown (%u)");
	group_text    = val_to_str(group, expert_group_vals, "Unknown (%u)");
	header = proto_tree_add_protocol_format(parent, proto_expert, NULL, 0, 0, "Expert Info (%s/%s): %s",
						severity_text, group_text, msg);
	PROTO_ITEM_SET_GENERATED(header);

	if (group == PI_MALFORMED) {
		/* Add hidden malformed protocol filter */
		proto_item *malformed_ti = proto_tree_add_item(parent, proto_malformed, NULL, 0, 0, ENC_NA);
		PROTO_ITEM_SET_HIDDEN(malformed_ti);
	}

	return proto_item_add_subtree(header, ett_subexpert);
}
/**
 * Common back end of the expert_add_info*() and proto_tree_add_expert*()
 * functions: record one expert info for the current packet.
 *
 * Updates the highest severity seen, flags the item and its parents, fills
 * the expert column, builds the generated expert subtree and, when a tap
 * listener is present, queues an expert_info_t for it.
 *
 * The message is built in a fixed ITEM_LABEL_LENGTH buffer with
 * length-bounded calls, so overlong text is truncated.  'format' is expanded
 * as a printf-style format only when 'use_vaformat' is TRUE; otherwise it is
 * copied literally.  From then on the message is passed on as data (through
 * "%s" or as a string value).
 *
 * @param pinfo        packet info; when NULL it is taken from the item's tree data
 * @param pi           item to attach the expert info to; may be NULL
 * @param group        PI_ group value
 * @param severity     PI_ severity value
 * @param hf_index     filterable expert field id, or -1 for none
 * @param use_vaformat TRUE to expand 'format' with 'ap', FALSE to copy it as is
 * @param format       message format or literal message
 * @param ap           arguments for 'format'; unused when use_vaformat is FALSE
 */
static void
expert_set_info_vformat(packet_info *pinfo, proto_item *pi, int group, int severity, int hf_index, gboolean use_vaformat,
			const char *format, va_list ap)
{
	char           message[ITEM_LABEL_LENGTH];
	gboolean       item_is_real;
	expert_info_t *record;
	proto_tree    *subtree;
	proto_item    *generated;

	if (pinfo == NULL && pi && pi->tree_data) {
		pinfo = PTREE_DATA(pi)->pinfo;
	}

	/* if this packet isn't loaded because of a read filter, don't output anything */
	if (pinfo == NULL || pinfo->num == 0) {
		return;
	}

	if (severity > highest_severity) {
		highest_severity = severity;
	}

	/* XXX: can we get rid of these checks and make them programming errors instead now? */
	item_is_real = (pi != NULL && PITEM_FINFO(pi) != NULL);
	if (item_is_real) {
		expert_set_item_flags(pi, group, severity);
	}

	/* Evaluated after the flags were updated above. */
	if (!item_is_real ||
	    ((guint)severity >= FI_GET_FLAG(PITEM_FINFO(pi), PI_SEVERITY_MASK))) {
		col_add_str(pinfo->cinfo, COL_EXPERT, val_to_str(severity, expert_severity_vals, "Unknown (%u)"));
	}

	/* Both branches are bounded by the size of the buffer. */
	if (use_vaformat) {
		ws_vsnprintf(message, ITEM_LABEL_LENGTH, format, ap);
	} else {
		g_strlcpy(message, format, ITEM_LABEL_LENGTH);
	}

	subtree = expert_create_tree(pi, group, severity, message);

	if (hf_index == -1) {
		/* If no filterable expert info, just add the message */
		generated = proto_tree_add_string(subtree, hf_expert_msg, NULL, 0, 0, message);
		PROTO_ITEM_SET_GENERATED(generated);
	} else {
		/* If filterable expert info, hide the "generic" form of the message,
		   and generate the formatted filterable expert info */
		generated = proto_tree_add_none_format(subtree, hf_index, NULL, 0, 0, "%s", message);
		PROTO_ITEM_SET_GENERATED(generated);
		generated = proto_tree_add_string(subtree, hf_expert_msg, NULL, 0, 0, message);
		PROTO_ITEM_SET_HIDDEN(generated);
	}

	generated = proto_tree_add_uint_format_value(subtree, hf_expert_severity, NULL, 0, 0, severity,
						     "%s", val_to_str_const(severity, expert_severity_vals, "Unknown"));
	PROTO_ITEM_SET_GENERATED(generated);
	generated = proto_tree_add_uint_format_value(subtree, hf_expert_group, NULL, 0, 0, group,
						     "%s", val_to_str_const(group, expert_group_vals, "Unknown"));
	PROTO_ITEM_SET_GENERATED(generated);

	if (!have_tap_listener(expert_tap)) {
		return;
	}

	record = wmem_new(wmem_packet_scope(), expert_info_t);

	record->packet_num = pinfo->num;
	record->group      = group;
	record->severity   = severity;
	record->hf_index   = hf_index;
	record->protocol   = pinfo->current_proto;
	/* The stack buffer ends with this call, so the tap gets a packet-scoped copy. */
	record->summary    = wmem_strdup(wmem_packet_scope(), message);

	/* if we have a proto_item (not a faked item), set expert attributes to it */
	/* XXX: remove this because we don't have an internal-only function now? */
	record->pitem = item_is_real ? pi : NULL;

	tap_queue_packet(expert_tap, pinfo, record);
}
/**
 * Helper for expert_add_info(), written as a variadic function to work
 * around the compiler's special needs on ARM.
 *
 * The registered summary is used as the message and is copied literally
 * (use_vaformat is FALSE), so the va_list only satisfies the callee's
 * signature.
 *
 * @param pinfo    packet info
 * @param pi       item to attach the expert info to
 * @param expindex registered expert field
 */
static inline void
expert_add_info_internal(packet_info *pinfo, proto_item *pi, expert_field *expindex, ...)
{
	/* the va_list is ignored */
	va_list            unused;
	expert_field_info *info;

	/* Range-checked lookup of the registration record */
	EXPERT_REGISTRAR_GET_NTH(expindex->ei, info);

	va_start(unused, expindex);
	expert_set_info_vformat(pinfo, pi, info->group, info->severity, *info->hf_info.p_id, FALSE, info->summary, unused);
	va_end(unused);
}
/**
 * Add a registered expert info to an item, using the summary text of the
 * registration as the message.
 *
 * @param pinfo    packet info
 * @param pi       item to attach the expert info to
 * @param expindex registered expert field
 */
void
expert_add_info(packet_info *pinfo, proto_item *pi, expert_field *expindex)
{
	/* All the work is done by the variadic helper. */
	expert_add_info_internal(pinfo, pi, expindex);
}
/**
 * Add a registered expert info to an item with a caller-formatted message.
 *
 * 'format' is expanded as a printf-style format string.  It should be a
 * constant chosen by the dissector; text taken from a packet belongs in the
 * arguments (for example under "%s"), not in 'format' itself.
 *
 * @param pinfo    packet info
 * @param pi       item to attach the expert info to
 * @param expindex registered expert field
 * @param format   printf-style format, followed by its arguments
 */
void
expert_add_info_format(packet_info *pinfo, proto_item *pi, expert_field *expindex, const char *format, ...)
{
	va_list            args;
	expert_field_info *info;

	/* Range-checked lookup of the registration record */
	EXPERT_REGISTRAR_GET_NTH(expindex->ei, info);

	va_start(args, format);
	expert_set_info_vformat(pinfo, pi, info->group, info->severity, *info->hf_info.p_id, TRUE, format, args);
	va_end(args);
}
/**
 * Helper for proto_tree_add_expert(), written as a variadic function to
 * work around the compiler's special needs on ARM.
 *
 * Adds a text item that shows the registered summary (passed through "%s")
 * and attaches the expert info to it.
 *
 * @param tree     tree to add the item to
 * @param pinfo    packet info
 * @param expindex registered expert field
 * @param tvb      buffer the item refers to
 * @param start    start offset in 'tvb'
 * @param length   length of the item
 * @return the new text item
 */
static inline proto_item *
proto_tree_add_expert_internal(proto_tree *tree, packet_info *pinfo, expert_field *expindex,
		tvbuff_t *tvb, gint start, gint length, ...)
{
	/* the va_list is ignored: the summary is copied literally */
	va_list            unused;
	expert_field_info *info;
	proto_item        *item;

	/* Range-checked lookup of the registration record */
	EXPERT_REGISTRAR_GET_NTH(expindex->ei, info);

	item = proto_tree_add_text_internal(tree, tvb, start, length, "%s", info->summary);

	va_start(unused, length);
	expert_set_info_vformat(pinfo, item, info->group, info->severity, *info->hf_info.p_id, FALSE, info->summary, unused);
	va_end(unused);

	return item;
}
/**
 * Add a text item carrying a registered expert info, using the summary text
 * of the registration as the label and the message.
 *
 * @param tree     tree to add the item to
 * @param pinfo    packet info
 * @param expindex registered expert field
 * @param tvb      buffer the item refers to
 * @param start    start offset in 'tvb'
 * @param length   length of the item
 * @return the new item
 */
proto_item *
proto_tree_add_expert(proto_tree *tree, packet_info *pinfo, expert_field *expindex,
		tvbuff_t *tvb, gint start, gint length)
{
	proto_item *item = proto_tree_add_expert_internal(tree, pinfo, expindex, tvb, start, length);

	return item;
}
/**
 * Add a text item carrying a registered expert info, with a
 * caller-formatted label and message.
 *
 * 'format' is expanded as a printf-style format string, once for the item
 * label and once for the expert message.  It should be a constant chosen by
 * the dissector; text taken from a packet belongs in the arguments, not in
 * 'format' itself.
 *
 * @param tree     tree to add the item to
 * @param pinfo    packet info
 * @param expindex registered expert field
 * @param tvb      buffer the item refers to
 * @param start    start offset in 'tvb'
 * @param length   length of the item
 * @param format   printf-style format, followed by its arguments
 * @return the new item
 */
proto_item *
proto_tree_add_expert_format(proto_tree *tree, packet_info *pinfo, expert_field *expindex,
		tvbuff_t *tvb, gint start, gint length, const char *format, ...)
{
	va_list            args;
	expert_field_info *info;
	proto_item        *item;

	/* Range-checked lookup of the registration record */
	EXPERT_REGISTRAR_GET_NTH(expindex->ei, info);

	va_start(args, format);
	item = proto_tree_add_text_valist_internal(tree, tvb, start, length, format, args);
	va_end(args);

	/* A consumed va_list cannot be reused, so the arguments are restarted
	 * for the second expansion. */
	va_start(args, format);
	expert_set_info_vformat(pinfo, item, info->group, info->severity, *info->hf_info.p_id, TRUE, format, args);
	va_end(args);

	return item;
}
679 * Editor modelines - http://www.wireshark.org/tools/modelines.html
684 * indent-tabs-mode: t
687 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
688 * :indentSize=8:tabSize=8:noTabs=false: