Wireshark · Wireshark-dev: Re: [Wireshark-dev] Filter registration limit

Wireshark-dev: Re: [Wireshark-dev] Filter registration limit

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>

Date: Mon, 08 Nov 2010 16:53:37 +0100

Hi,

There's no limit on this, but one thing that's changed is tighter
conformance checks on header fields during registration.
You should be able to find a problem at field #315. If you open up a
console you should see something there as well.
With your new loop you just reduce the impact. So, there's probably
still a block of 'filters' that's not initialized, you just haven't
found them yet.

If you can post fields 310 up to 320 we might spot an issue.

BTW: Blurbs as "" are deprecated, just put in NULL.

Thanks,
Jaap

On Mon, 8 Nov 2010 15:57:38 +0100, Martin Mizera
<martin.mizera@xxxxxxxxx> wrote:
> Hello,
> few moths ago(years), I finished writing own dissector for parsing
> proprietary protocol. Last moth, I have rebuild my project using
> wireshark 1.4.1( because some bugs appeard during parsing register
> table(hf_register_info) )
> 
> From this time, only first 0x13a (314) filters are successfully
> registered. (after calling method proto_register_field_array, only
> firs 314 items have valid value (no -1) , rest have still -1))
> 
> I register filters like that:
> 
> 
> void proto_register_tp_info (  int proto_medio  )
> {
>   static hf_register_info hf[] =
>   {
>    { &hf_tp_ip_address,                   { "IP Address",
>    "tp.IP",                        FT_NONE,     BASE_NONE,
> NULL,           0,             "IP Address",     HFILL } },
>    { &hf_tp_port_num,                     { "Port Number ",
>    "tp.PN",                        FT_NONE,     BASE_NONE,
> NULL,           0,           "Port Number ",   HFILL } },
>    ...
>    ... and lots of more
>    ...
> 
>    { &hf_tp_nwcref,                       { "Network Call Reference",
>            "tp.NWCREF",                    FT_NONE,     BASE_NONE,
>       NULL,               0,                "",
> HFILL } },
>    { &hf_tp_nwcref_value,                 { "Call Reference number",
>            "tp.NWCREF.VAL",                FT_UINT64,   BASE_HEX_DEC,
>       NULL,               0,                "",
> HFILL } },
> 
>   }; //totaly array length is more than 982
> 
>  proto_register_field_array(proto_medio, hf, array_length(hf));
> }
> 
> In watches I can see that only firs 314 was inicialized.
> 
> I was seeking for any registration limit, but I didn't found any.
> 
> 
> 
> So I rewrite my registration function like that:
> void proto_register_tp_info (  int proto_medio  )
> {
>   static hf_register_info hf[] =
>   {
>    { &hf_tp_ip_address,                   { "IP Address",
>    "tp.IP",                        FT_NONE,     BASE_NONE,
> NULL,           0,             "IP Address",     HFILL } },
>    { &hf_tp_port_num,                     { "Port Number ",
>    "tp.PN",                        FT_NONE,     BASE_NONE,
> NULL,           0,           "Port Number ",   HFILL } },
>    ...
>    ... and lots of more
>    ...
> 
>    { &hf_tp_nwcref,                       { "Network Call Reference",
>            "tp.NWCREF",                    FT_NONE,     BASE_NONE,
>       NULL,               0,                "",
> HFILL } },
>    { &hf_tp_nwcref_value,                 { "Call Reference number",
>            "tp.NWCREF.VAL",                FT_UINT64,   BASE_HEX_DEC,
>       NULL,               0,                "",
> HFILL } },
> 
>   }; //totaly array length is more than 982
> 
>   const gint c_hf_max = 128; //maximum registration filters at on time
>   const gint c_hf_total = array_length(hf); //total array len ... its
> more than 980
>   gint rest = c_hf_total;
>   gint cpy_cnt;
> 
>   while( rest > 0 )
>   {
>     cpy_cnt = min( rest, c_hf_max );
>     proto_register_field_array(proto_medio, &hf[c_hf_total - rest], cpy_cnt);
>     rest -= cpy_cnt;
>   }
> }
> 
> I have split registration in more pieces. And now, its allowed to
> register only 128 filters at one time.
> Sice this changed,  every think works fine (all filters were registered)
> 
> Is it some bug in wireshark api or it looks like bug in  my code?
> 
> *************************************
> wireshark version:
> Version 1.4.1 (SVN Rev 34476 from /trunk-1.4)
> 
> Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
> unknown), with libz 1.2.3, without POSIX capabilities, without
> libpcre, with SMI
> 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
> 2.8.5, with
> Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
> (built Oct
> 11 2010), with AirPcap.
> 
> Running on Windows XP Service Pack 3, build 2600, without WinPcap,
> GnuTLS 2.8.5,
> Gcrypt 1.4.5, without AirPcap.
> 
> Built using Microsoft Visual C++ 9.0 build 30729
> 
> Operating system Windows XP, compiling tool MS VS 2008
> *************************************
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- Re: [Wireshark-dev] Filter registration limit
  - From: Martin Mizera

References:
- [Wireshark-dev] Filter registration limit
  - From: Martin Mizera

Prev by Date: [Wireshark-dev] Filter registration limit
Next by Date: [Wireshark-dev] How to expand Manually Resolve Address?
Previous by thread: [Wireshark-dev] Filter registration limit
Next by thread: Re: [Wireshark-dev] Filter registration limit
Index(es):
- Date
- Thread