Wireshark-dev: [Wireshark-dev] How to use properly proto_field_is_referenced?

From: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
Date: Tue, 8 May 2012 23:20:37 +0200
Hi,

proto_field_is_referenced() is currently used only by 4 dissectors: frame, eth, ip and nflog.

I performed some tests with tshark and it looks like using it more (e.g. in 802.11 dissectors)
can really speed up filtering.

But there are some pitfalls; I'm aware of some:

1/ Protocol Hierarchy Statistics

To make it work we need to call epan_dissect_fake_protocols(edt, FALSE);
currently it's only done by proto_hier_stats.c[1], which is used by wireshark.

In tshark, -z io,phs uses taps, which don't have a flag to do it.

The eth and ip dissectors have a workaround for it. In the frame dissector it was removed in r29428[2].
So this bug can easily be shown:

Without tree:
#v+
$ ./tshark -r /tmp/a.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 
                                                                   
radiotap                                 frames:2593 bytes:961027  <---- BAD: top protocol is radiotap
  wlan                                   frames:2593 bytes:961027
#v-

With full tree:
#v+
$ ./tshark -r /tmp/a.pcap -z io,phs -q -V | tail -n60
===================================================================
Protocol Hierarchy Statistics
Filter: 

frame                                    frames:2593 bytes:961027   <--- OK: top protocol is frame
  radiotap                               frames:2593 bytes:961027
    wlan                                 frames:2593 bytes:961027
#v-

I have an initial patch to fix it, but I'm not sure if it should be fixed globally or only in tshark.
Currently only the frame and nflog dissectors are affected, so it's not a big priority.

2/ Adding items from other protocols

Some dissectors (without grepping, I remember ipv6) add to their protocol tree fields from other protocols.
In the ipv6 case it's ip.version (added by add_ip_version_to_tree()).

Using proto_field_is_referenced in such cases will break filtering.
I'm not sure how big the problem is, but we need some smart workaround.

3/ Malformed packets

We have a special protocol "malformed" which gets added to the tree when some exception occurred, or a protocol requested it with the
expert PI_MALFORMED group. It can be added to any tree, so we should also check for it in proto_field_is_referenced().

It's like 2/, but I'm pretty sure that right now not all malformed packets have proto_malformed added to the tree.

IMHO in TRY_TO_FAKE_THIS_ITEM we should check if malformed_proto is referenced (i.e. used in the filter), and if it is,
we should try to fetch the value from the tvb (which might throw an exception).

It's a problem for dissectors which only add items to the tree without logic involving fetching values from the tvb (so it should be quite rare),
and I currently don't have a sample to show this bug, just making FUD :)

[1] btw. proto_hier_stats.c is used only by wireshark and is still in the top directory; should it be moved to ui/gtk?
[2] http://anonsvn.wireshark.org/viewvc?view=revision&revision=29428

Cheers,
 Kuba.
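The second pitfall above, as an added stand-alone model in C that is not Wireshark code and not part of this thread: it mimics the proto_field_is_referenced() guard with one flag per protocol, runs a stand-in IPv6 dissector that adds ip.version to its own subtree the way add_ip_version_to_tree() does, and shows that a filter referencing only the ip protocol loses that field unless the guard also consults the foreign protocol. Every model_-prefixed name, the referenced[] flags and the sample field names are assumptions of this model.

```c
/* Constructed model of the fake-item optimisation; not Wireshark's own code. */
#include <stdbool.h>
#include <string.h>

enum { PROTO_IP = 0, PROTO_IPV6 = 1, PROTO_COUNT = 2 };

/* A "tree" here is only the set of protocols the display filter references
 * plus the list of field names that actually got added. */
typedef struct {
    bool referenced[PROTO_COUNT];   /* which protocols the filter mentions */
    const char *added[8];
    int n_added;
} model_tree;

/* Stand-in for proto_field_is_referenced(tree, proto_id). */
static bool model_is_referenced(const model_tree *t, int proto_id) {
    return t->referenced[proto_id];
}

static void model_add_item(model_tree *t, const char *field) {
    if (t->n_added < 8) t->added[t->n_added++] = field;
}

static bool model_has_field(const model_tree *t, const char *field) {
    for (int i = 0; i < t->n_added; i++)
        if (strcmp(t->added[i], field) == 0) return true;
    return false;
}

/* Stand-in IPv6 dissector. It adds ip.version (a field owned by the "ip"
 * protocol) under its own subtree. check_foreign == false is the naive guard
 * that breaks filtering; check_foreign == true also consults the foreign
 * protocol, so a filter on ip.version still gets the item. */
static void model_dissect_ipv6(model_tree *t, bool check_foreign) {
    bool needed = model_is_referenced(t, PROTO_IPV6);
    if (check_foreign) needed = needed || model_is_referenced(t, PROTO_IP);
    if (!needed)
        return;                       /* subtree faked away: nothing added */
    model_add_item(t, "ip.version");  /* foreign field, as in the ipv6 case */
    model_add_item(t, "ipv6.sample"); /* illustrative ipv6-owned field */
}

/* Filter "ip.version == 6" references only the ip protocol. Returns whether
 * the filter's field ends up in the tree after the IPv6 dissector ran. */
bool ipv6_tree_has_ip_version(bool check_foreign) {
    model_tree t = { {false}, {0}, 0 };
    t.referenced[PROTO_IP] = true;    /* the filter mentions ip.version only */
    model_dissect_ipv6(&t, check_foreign);
    return model_has_field(&t, "ip.version");
}
```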