Wireshark-dev: Re: [Wireshark-dev] problem with "contains" filter

From: Yang Ning <yang.ning@xxxxxxxxxxx>
Date: Tue, 12 May 2009 21:07:47 -0400
Thanks. I got rid of the problem.

I accidentally found the bug when I was stripping off all the functions that definitely didn't have a problem.

Heh.

The "contains" keyword in the display filter now works after I changed the first 

proto_tree_add_protocol_format(tree, proto_mbdmp, tvb, 0, 8,
            "MBDMP Header Common (%s)", desc);

to 

proto_tree_add_protocol_format(tree, proto_mbdmp, tvb, 0, tvb_length(tvb),
            "MBDMP Header Common (%s)", desc);

As the protocol was running over UDP, I'm guessing that the previous coder just copied the 
line over from the UDP dissector.

I'm also guessing that the length specified is used to extract some portion 
of the tvb to search through. 

I'm not entirely sure why that line worked fine for the udp dissector but not for mine. 

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: Monday, May 11, 2009 2:56 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] problem with "contains" filter

On Mon, May 11, 2009 at 02:15:22PM -0400, Yang Ning wrote:

> I have helped add/maintain a dissector that was written by someone 
> else. Only recently did I discover that wireshark crashes if the 
> display filter uses "contains".

That's not good.

> Is there something that I have to set so that "contains" keyword can 
> be used in the display filter? How does it know what after which 
> offset in the tvb, it is to search for?

Nothing special needs to be done.  As an example, I just opened a 
capture with IP/TCP/HTTP traffic in it and all of the following work 
properly ("HTTP" is in one of the headers - it's not referring to the 
HTTP dissector):

  ip contains HTTP
  tcp contains HTTP
  http contains HTTP

I suspect that there is a bug in the dissector code.  If you are allowed 
to share it and a sample capture file with us, we may be able to help 
solve it.


Steve
