Wrong parsing of Syslog RFC5424 fields
Summary
Wireshark doesn't correctly decode Syslog messages that use RFC 5424. It correctly decodes the obsolete RFC 3164 format.
(Note SP is the ' ' char and NIL is '-')
Decoding of RFC 3164 messages (see https://datatracker.ietf.org/doc/html/rfc3164)
<PRI>TIMESTAMP SP MSGID SP MSG
Example: <34>Jan 1 00:00:00 myhostname.com mymsgtype mymessagecontent
Note: there should be 2 spaces between Jan and 1.
Decoding of RFC 5424 messages (see https://datatracker.ietf.org/doc/html/rfc5424)
<PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA SP MSG
Example: <34>1 2024-01-01T00:00:00 myhostname.com myapp 42 mymsgtype - mymessagecontent
Sample capture file
Steps to reproduce
Send a UDP packet containing one of the above example strings to 127.0.0.1:514 and monitor the loopback interface, or, more simply, open the above capture file.
What is the current bug behavior?
MSGID SP STRUCTURED-DATA SP MSG are shown in the syslog.msgid field
I would have expected the timestamp field to display 1 Jan 24 0h (EST) as given, but instead it displays it using (UTC). But that is a mere detail.
What is the expected correct behavior?
See https://www.wireshark.org/docs/dfref/s/syslog.html
MSGID is shown in the syslog.msgid field
STRUCTURED-DATA is not shown, or otherwise a field is added for it. In my example it is simply NIL ('-').
MSG is shown in the syslog.msg field
Btw, I have no idea what the syslog.msu_present field refers to.
Notice my examples don't have syslog.msgid.bom, see https://en.wikipedia.org/wiki/Byte_order_mark
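As an added example (not Wireshark's dissector code and not part of the report), here is a small Python reference parser for the two header layouts given under Summary. It tells the formats apart by the VERSION digit that RFC 5424 places directly after <PRI>, splits MSGID, STRUCTURED-DATA and MSG into separate fields as the expected behaviour above asks for, walks one or more [...] SD-ELEMENTs (handling escaped quotes and brackets inside PARAM-VALUEs), and records and strips a leading BOM on MSG. The SyslogMessage field names are my own, chosen to mirror the syslog.* display filter fields, and are not Wireshark's identifiers; the sample strings in the main block are the report's own examples.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical reference parser (added example, not Wireshark code) for:
#   RFC 3164: <PRI>TIMESTAMP SP HOSTNAME SP MSG
#   RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
#             SP MSGID SP STRUCTURED-DATA [SP MSG]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424 VERSION = NONZERO-DIGIT 0*2DIGIT, always followed by a single SP
VERSION_RE = re.compile(r"^([1-9]\d{0,2}) ")
# RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss"; the day may be padded with a space
BSD_HDR_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)


@dataclass
class SyslogMessage:
    rfc: str                      # "3164" or "5424"
    facility: int
    severity: int
    timestamp: str
    hostname: str
    msg: str                      # would map to syslog.msg
    version: Optional[int] = None
    appname: Optional[str] = None
    procid: Optional[str] = None
    msgid: Optional[str] = None   # would map to syslog.msgid
    structured_data: Optional[str] = None
    bom: bool = False             # would map to syslog.msgid.bom


def parse_structured_data(rest: str) -> Tuple[str, str]:
    """Split STRUCTURED-DATA off the front of `rest`; return (sd, remainder)."""
    if rest.startswith("-"):            # NILVALUE
        return "-", rest[1:]
    if not rest.startswith("["):
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [SD-ELEMENT]")
    i, n = 0, len(rest)
    while i < n and rest[i] == "[":     # consecutive SD-ELEMENTs, no SP between them
        i += 1
        in_quotes = False
        while i < n:
            c = rest[i]
            if c == "\\" and in_quotes: # escaped char inside PARAM-VALUE, e.g. \] or \"
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                i += 1
                break
            i += 1
        else:
            raise ValueError("unterminated SD-ELEMENT")
    return rest[:i], rest[i:]


def parse_syslog(line: str) -> SyslogMessage:
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    facility, severity = divmod(int(m.group(1)), 8)
    rest = line[m.end():]

    vm = VERSION_RE.match(rest)
    if vm is None:
        # No VERSION after <PRI>: fall back to the RFC 3164 layout
        bm = BSD_HDR_RE.match(rest)
        if bm is None:
            raise ValueError("not an RFC 3164 header")
        ts, host, msg = bm.groups()
        return SyslogMessage("3164", facility, severity, ts, host, msg)

    # RFC 5424: five SP-separated header fields, then SD and optional MSG
    parts = rest[vm.end():].split(" ", 5)
    if len(parts) != 6:
        raise ValueError("RFC 5424 header needs TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA")
    ts, host, app, procid, msgid, tail = parts
    sd, remainder = parse_structured_data(tail)
    if remainder and not remainder.startswith(" "):
        raise ValueError("unexpected data directly after STRUCTURED-DATA")
    msg = remainder[1:]                 # MSG is optional; "" when absent
    bom = msg.startswith("\ufeff")
    if bom:
        msg = msg[1:]
    return SyslogMessage("5424", facility, severity, ts, host, msg,
                         int(vm.group(1)), app, procid, msgid, sd, bom)


if __name__ == "__main__":
    # The two example strings from the report (the RFC 3164 one with the two spaces)
    for sample in ("<34>Jan  1 00:00:00 myhostname.com mymsgtype mymessagecontent",
                   "<34>1 2024-01-01T00:00:00 myhostname.com myapp 42 mymsgtype - mymessagecontent"):
        print(parse_syslog(sample))
```

For the report's RFC 5424 example the parser yields msgid "mymsgtype", structured_data "-" and msg "mymessagecontent", i.e. the three values that Wireshark currently lumps together into syslog.msgid. Note that the example timestamp carries no TIME-OFFSET, which RFC 5424 requires; the parser keeps the timestamp as a string rather than guessing a zone.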
Build information
Version 4.2.0 (v4.2.0-0-g54eedfc63953).
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with Qt 6.5.3, with libpcap, with zlib 1.3.0, with PCRE2, with
Lua 5.2.4 (with UfW patches), with GnuTLS 3.7.9 and PKCS #11 support, with
Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0,
with nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.11.5, with libsmi 0.5.0, with QtMultimedia, with automatic updates
using WinSparkle 0.8.0, with AirPcap, with Minizip, with binary plugins.
Running on 64-bit Windows 10 (1909), build 18363, with Intel(R) Core(TM)
i7-7820HQ CPU @ 2.90GHz (with SSE4.2), with 32648 MB of physical memory, with
GLib 2.78.0, with Qt 6.5.3, with Npcap version 1.78, based on libpcap version
1.10.4, with PCRE2 10.42 2022-12-11, with c-ares 1.19.0, with GnuTLS 3.7.9, with
Gcrypt 1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli
1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display
mode, without HiDPI, with QPA plugin "windows", with
LC_TYPE=French_Switzerland.utf8, binary plugins supported.