This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark crashes when comparing display filter to a string

0

Hello everyone,

In the last weeks I developed my first Wireshark dissector in C.
In my last tests there were no errors, except one.
When I want to set a display filter, e.g. ("proto.type == 9"), it works,
but as soon as I want to type in a letter instead of a number, Wireshark crashes.
I had this error before but I found the mistake: there were the same display names on different field types.
But this time there are no duplicate field names.

Any ideas yet? I have no access to the source code right now, but I will post it tomorrow. Thank you very much.

asked 12 Oct '14, 02:09

lal12

edited 12 Oct '14, 02:10


One Answer:

0

OK I found the mistake:
value_string arrays have to end with a NULL element, e.g.:

static const value_string packettypenames[] = {
        { 1, "Type1" },
        { 2, "Type2" },
        { 3, "Type3" },
        { 0, NULL } // This has to be at the end of every array
};

Sadly, I did not find a reason for this in the dissector readme, but maybe it is used as a NULL-terminated array, which is mentioned in the readme for other cases.
Additionally, while you can find this NULL element in every example code, it is not written explicitly in the Readme; at least I did not find it.

answered 13 Oct '14, 01:57

lal12

edited 13 Oct '14, 01:58

1

It's generally a good example to run tools/checkAPIs.pl on your dissector code: it will find all sorts of problems including un-terminated value_strings.

(13 Oct '14, 03:09) JeffMorriss ♦
1

@lal12,

From README.developerdissector (trunk) I haven't checked other branches:

-- value_string ... (the last entry in the array must have a NULL 'strptr' value, to indicate the end of the array). The 'strings' field would be set to 'VALS(valstringname)'.

Also section 1.10 of README.developerdissector lists CheckAPIs and other scripts to check your dissector for errors.

Edit: Corrected typos

(13 Oct '14, 03:38) grahamb ♦

OK now I found it, but in the README.dissector and not in the README.developer. There I also found the information about the check scripts.

(13 Oct '14, 10:00) lal12

Oops, typos.

(13 Oct '14, 10:34) grahamb ♦
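
An added illustration of the point this thread settles on (not Wireshark's code and not posted by anyone above): a lookup driven only by the NULL `strptr` sentinel has no other stop condition, so a table without the terminator is read past its end, while a bounded check using the array's compile-time length catches the mistake safely. The local `value_string` typedef, `check_value_string`, `name_to_value`, `N_ELEMS` and the `unterminated` table are assumptions made up for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for Wireshark's value_string so this builds without epan headers. */
typedef struct { unsigned value; const char *strptr; } value_string;

/* Terminated table from the answer above. */
static const value_string packettypenames[] = {
    { 1, "Type1" }, { 2, "Type2" }, { 3, "Type3" },
    { 0, NULL }
};

/* Constructed bad table: same entries, sentinel forgotten. */
static const value_string unterminated[] = {
    { 1, "Type1" }, { 2, "Type2" }, { 3, "Type3" }
};

#define N_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

enum vs_status { VS_OK, VS_UNTERMINATED, VS_EARLY_NULL };

/* Bounded check using the compile-time length, so it never reads past the array. */
static enum vs_status check_value_string(const value_string *vs, size_t n)
{
    if (n == 0 || vs[n - 1].strptr != NULL)
        return VS_UNTERMINATED;
    for (size_t i = 0; i + 1 < n; i++)
        if (vs[i].strptr == NULL)
            return VS_EARLY_NULL;   /* entries after this one are unreachable */
    return VS_OK;
}

/* Sentinel-driven lookup by name: the only stop condition is a NULL strptr,
 * so a name with no match walks every entry up to the terminator. */
static int name_to_value(const value_string *vs, const char *name, unsigned *out)
{
    for (; vs->strptr != NULL; vs++)
        if (strcmp(vs->strptr, name) == 0) { *out = vs->value; return 1; }
    return 0;
}

int main(void)
{
    unsigned v = 0;
    printf("packettypenames: status %d\n", check_value_string(packettypenames, N_ELEMS(packettypenames)));
    printf("unterminated:    status %d\n", check_value_string(unterminated, N_ELEMS(unterminated)));
    /* Only walk a table that passed the bounded check. */
    if (name_to_value(packettypenames, "Type2", &v)) printf("Type2 -> %u\n", v);
    printf("\"abc\" found: %d\n", name_to_value(packettypenames, "abc", &v));
    return 0;
}
```

The sentinel-driven lookup is deliberately never called on `unterminated`; doing so would read beyond the array, which is undefined behaviour.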