Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] master 8d65ccf: Show answers a line at a

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Wed, 25 Dec 2019 21:35:57 +0000
> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
> Sent: Wednesday, December 25, 2019 3:19 PM
> To: Maynard, Chris <Christopher.Maynard@xxxxxxx>
> Cc: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-dev] [Wireshark-commits] master 8d65ccf: Show
> answers a line at a time, after the request frame and time delta.
>
> On Dec 25, 2019, at 10:44 AM, Maynard, Chris
> <Christopher.Maynard@xxxxxxx> wrote:
>
> > Or revert this change so whois.answer reflects the entire answer again, but
> add each line underneath the answer using a different filter, such as
> "whois.answer.line"?
>
> We could, but I think going back to the way it was before would be a bad idea.
>
> > I would prefer this solution as the answer is the entire answer and each line is
> only part of the answer.
>
> The argument could be made for other text protocols.  The problem is that "the
> entire answer" is hard to read.
>
> > For example:
> > V WHOIS: Answer
> >           V Answer [truncated]: % IANA WHOIS server\n% for more information
> on IANA, visit http://www.iana.org\n% This query returned 1 object\n\n
> domain:       EXAMPLE.COM\n\norganisation: Internet Assigned Numbers
> Authority\n\n created:      1992-01-
>
> Note the word "truncated" here.  That's not a good thing.
>
> >                    Line 1: % IANA WHOIS server\n
> >                    Line 2: % for more information on IANA, visit
> http://www.iana.org\n
> >                    Line 3: % This query returned 1 object\n
> >                    Line 4: \n
> >                    Line 5: domain:       EXAMPLE.COM\n
> >                    Line 6: \n
> >                    Line 7: organisation: Internet Assigned Numbers Authority\n
> >                    Line 8: \n
> >                    Line 9: created:      1992-01-01\n
> >                    Line 10: source:       IANA\n
> >                    Line 11: \n
>
> Something that displays it in *that* fashion, with each line shown underneath
> an item for the entire {WHOIS answer, SMTP mail message, HTTP/SIP/etc.
> header, HTTP text payload, etc.}, might be the right way to handle text
> protocols.
>
> And, given that, is there any need to show the full text in the top-level item?

Well, showing the full text allows for full "Copy -> Value" to continue to work, and including the full text in a single "whos.answer" should, in theory at least, allow for pattern matching with the matches operator across lines, which the current implementation no longer allows.  I write, "in theory", because I can't seem to successfully get this to actually work using master, 3.2.0 or 3.0.7.  For example, I'd expect whois.answer ~ "Domain.*TERMS OF USE" to match frame 11 of the whois.pcap capture file attached to Bug 16291 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16291), but this doesn't work.  In fact, a lot of regex's seem to fail.  Maybe I'm doing something wrong or maybe something is broken?  I'll have to try to investigate this further another day - the kids want their new toys assembled. :)

- Chris

CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information. This message is intended solely for the use of the addressee. If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.