Custom Columns Fields limit
Summary
The Custom Columns Fields field is apparently limited to COL_MAX_LEN in column-info.h,
#define COL_MAX_LEN 256
but it seems that there is no data validation all the way around (data entry, save to preferences file and verifying when reading the preferences back in), which causes problems when a value longer than COL_MAX_LEN is inserted.
Initially asked on the following community post.
Custom Columns Fields limit? - Ask Wireshark https://ask.wireshark.org/question/18857/custom-columns-fields-limit/
Steps to reproduce
I have a custom column with the following definition on the preferences file and it works fine.
"PDN Address IPv4", "%Cus:gtp.user_ipv4 || gtp.pdp_address.ipv4 || gtpv2.pdn_addr_and_prefix.ipv4 || radius.Framed-IP-Address || diameter.Framed-IP-Address.IPv4 || diameter.PDP-Address.IPv4 || gprscdr.iPBinV4Address || diameter.UE-Local-IP-Address.IPv4:0:R",
When I add a new field via the GUI, e.g. pfcp.ue_ip_addr_ipv4, it works ok and the custom column immediately reflects the change, but when I close and reopen Wireshark all my columns are gone, as if Wireshark could not read my preferences.
After a bit of troubleshooting I realized that the big column below was to blame, and as soon as I commented it out or removed the last added field Wireshark could load all my columns again just fine.
"PDN Address IPv4", "%Cus:gtp.user_ipv4 || gtp.pdp_address.ipv4 || gtpv2.pdn_addr_and_prefix.ipv4 || radius.Framed-IP-Address || diameter.Framed-IP-Address.IPv4 || diameter.PDP-Address.IPv4 || gprscdr.iPBinV4Address || diameter.UE-Local-IP-Address.IPv4 || pfcp.ue_ip_addr_ipv4:0:R",
So I understand there is some kind of limit, and as answered on the Ask forum I believe it is COL_MAX_LEN as mentioned above, but when I add the new field in the Columns Preferences GUI there is no error. Given that there is a limit, it would be good if the GUI could reflect it and warn about it or return an error if the limit was exceeded.
What is the current bug behavior?
As described in the previous points, there's no data validation on either data entry, save to preferences file or reading the preferences back in.
What is the expected correct behavior?
If data validation is in place the application should not allow entering a string longer than the limit or saving the settings.
Nonetheless, it would be great if it would be possible to increase the limit in question. I analyse traces with many protocols with different fields for the same thing, like PDN Address in my example, so it would be great if I could continue using single custom columns for all the fields...
Sample capture file
Not relevant.
Relevant logs and/or screenshots
Easily reproduced as described above.
Build information
Version 3.2.7 (v3.2.7-0-gfb6522d8) Copyright 1998-2020 Gerald Combs gerald@wireshark.org and contributors. License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (64-bit) with Qt 5.12.9, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 (closed) support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with SBC, with SpanDSP, with bcg729. Running on 64-bit Windows 10 (1809), build 17763, with AMD A8 PRO-7150B R5, 10 Compute Cores 4C+6G (with SSE4.2), with 15305 MB of physical memory, with locale Portuguese_Portugal.1252, with light display mode, without HiDPI, with Npcap version 0.9997, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (19 loaded). Built using Microsoft Visual Studio 2019 (VC++ 14.27, build 29111). Wireshark is Open Source Software released under the GNU General Public License. Check the man page and https://www.wireshark.org for more information.
Thank you so much in advance for the feedback and support.
Kind regards, Hax.
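A sketch of the length check the report asks for, run over the two column entries quoted in it (an added example, not Wireshark's code and not the reporter's). The function names are hypothetical, and it assumes the limit applies to each double-quoted string of a column entry, terminating NUL included.

```c
#include <stdio.h>
#include <string.h>

#define COL_MAX_LEN 256  /* value quoted in the report from column-info.h */

/* Hypothetical helper: length of the longest double-quoted string in one
 * column entry such as  "Title", "%Cus:field || field:0:R",
 * Escaped quotes are not handled; the entries in the report contain none. */
static size_t longest_quoted(const char *entry)
{
    size_t longest = 0;
    const char *p = entry;
    while ((p = strchr(p, '"')) != NULL) {
        const char *end = strchr(p + 1, '"');
        if (end == NULL)
            break;                      /* unterminated quote: stop scanning */
        size_t len = (size_t)(end - p - 1);
        if (len > longest)
            longest = len;
        p = end + 1;
    }
    return longest;
}

/* Hypothetical check (assumption: each quoted string must fit a
 * COL_MAX_LEN-byte buffer together with its NUL). 1 = fits, 0 = too long. */
static int column_entry_fits(const char *entry)
{
    return longest_quoted(entry) < COL_MAX_LEN;
}

/* The field list shared by both entries in the report. */
#define BASE_FIELDS \
    "gtp.user_ipv4 || gtp.pdp_address.ipv4 || " \
    "gtpv2.pdn_addr_and_prefix.ipv4 || radius.Framed-IP-Address || " \
    "diameter.Framed-IP-Address.IPv4 || diameter.PDP-Address.IPv4 || " \
    "gprscdr.iPBinV4Address || diameter.UE-Local-IP-Address.IPv4"

static const char entry_ok[] =
    "\"PDN Address IPv4\", \"%Cus:" BASE_FIELDS ":0:R\",";
static const char entry_long[] =
    "\"PDN Address IPv4\", \"%Cus:" BASE_FIELDS " || pfcp.ue_ip_addr_ipv4:0:R\",";

int main(void)
{
    printf("working entry: %zu chars, fits=%d\n",
           longest_quoted(entry_ok), column_entry_fits(entry_ok));
    printf("failing entry: %zu chars, fits=%d\n",
           longest_quoted(entry_long), column_entry_fits(entry_long));
    return 0;
}
```

Counted this way, the working entry's format string is 235 characters and the one with pfcp.ue_ip_addr_ipv4 appended is 259, while the field list on its own is 226 and 250 characters.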