Hello all! I'm writing to request fresh eyes, and possibly hands, on a
somewhat significant potential change to Wireshark.
There's an old bug, 14329, requesting support for multiple comments per
packet. I've got a proposed solution in merge request #2859: Instead of
creating new fields on wtap_rec for every block option type we want to
know (currently comments, packet verdicts, and most recently added,
custom packet options), act on the code comment in wiretap/wtap.h that
suggests "this should become a full set of options", and carry a
stripped down wtap_block that can be queried for its options with
existing methods that act on wtap_blocks.
Bug: https://gitlab.com/wireshark/wireshark/-/issues/14329
MR: https://gitlab.com/wireshark/wireshark/-/merge_requests/2859
I've done nearly as much as I can on this over the past month or so, and
it's maybe 85% complete. It currently supports:
* Loading and saving pcapng files with multiple packet comments
* Editing existing comments in the GUI
* Adding new comments in the GUI and in editcap
* Removing specific comments in the GUI
* Handling packet verdicts as pcapng options
* Handling custom packet options (currently untested; that code was new
to me this morning)
Issues that still need resolution:
* Memory leak on multi-pass analysis
* sharkd's role is a mystery to me
* Other file formats that support comments (I did what I could with ERF)
* Lua support for multiple comments
* The Lua API in general for this revised approach
... and of course, whether this approach would even be accepted into
Wireshark. I personally think this is a natural evolution of the code,
and I've worked to try and demonstrate how that would look.
I unfortunately have not been able to get it to 100% on my own, but I
hope that I've done enough to start a conversation. I'd be grateful for
any help to address the issues above, and anything I may have missed.
Thanks in advance for your time and consideration,
David