Re: Is this a bug in display filter engine or something I have done wrong?

[Richard Sharpe <realrichardsharpe () gmail com>]

On Tue, Aug 18, 2015 at 5:18 AM, Gilbert Ramirez <gram () alumni rice edu> wrote:
> Hi Richard.
>
> You can use the 'dftest' executable that is built along with Wireshark to
> convert a display filter string to the byte-code used for the Display Filter
> Virtual Machine. Do that for for "wlan.dmg_params.bss == 1" and compare that
> to the output for a similar display filter for another field that is also
> FT_UINT8.
>
> I suspect they will be the same; if so, it wouldn't be an issue within the
> display filter code.
>
> Is there any possibility that add_ff_dmg_params() isn't being called or
> isn't adding dmg_params to the proto_tree in some cases?

So, that is what is happening. When the filter engine is called, isDMG
evals to 0, so add_ff_dmg_params is not called.

Now, why is that?

In dissect_ieee80211_common we have this code:

  gboolean         isDMG = (tree == NULL) ? FALSE :

proto_tree_traverse_post_order(proto_tree_get_root(tree),
                                  is_80211ad, NULL);

(reformatted for readability).

Printfs establish that tree is not NULL when this statement is called,
so it would seem that the proto_tree_traverse_post_order failed during
filtering.

is_80211ad is a function that does a number of tests, anyone of which
could fail, I guess.

Checking further.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe