/*
* Dissect RTSE PDUs inside a PPDU.
*/
static void
dissect_rtse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
int offset = 0;
int old_offset;
proto_item *item=NULL;
proto_tree *tree=NULL;
proto_tree *next_tree=NULL;
tvbuff_t *next_tvb = NULL;
tvbuff_t *data_tvb = NULL;
fragment_data *frag_msg = NULL;
guint32 fragment_length;
guint32 rtse_id = 0;
gboolean data_handled = FALSE;
conversation_t *conversation = NULL;
asn1_ctx_t asn1_ctx;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
/* save parent_tree so subdissectors can create new top nodes */
top_tree=parent_tree;
/* do we have application context from the acse dissector? */
if( !pinfo->private_data ){
if(parent_tree){
proto_tree_add_text(parent_tree, tvb, offset, -1,
"Internal error:can't get application context from ACSE dissector.");
}
return ;
} else {
session = ( (struct SESSION_DATA_STRUCTURE*)(pinfo->private_data) );
}
col_set_str(pinfo->cinfo, COL_PROTOCOL, "RTSE");
col_clear(pinfo->cinfo, COL_INFO);
if (rtse_reassemble &&
((session->spdu_type == SES_DATA_TRANSFER) ||
(session->spdu_type == SES_MAJOR_SYNC_POINT))) {
/* Use conversation index as fragment id */
conversation = find_conversation (pinfo->fd->num,
&pinfo->src, &pinfo->dst, pinfo->ptype,
pinfo->srcport, pinfo->destport, 0);
if (conversation != NULL) {
rtse_id = conversation->index;
}
session->rtse_reassemble = TRUE;
}
if (rtse_reassemble && session->spdu_type == SES_MAJOR_SYNC_POINT) {
frag_msg = fragment_end_seq_next (pinfo, rtse_id, rtse_segment_table,
rtse_reassembled_table);
next_tvb = process_reassembled_data (tvb, offset, pinfo, "Reassembled RTSE",
frag_msg, &rtse_frag_items, NULL, parent_tree);
}
if(parent_tree){
item = proto_tree_add_item(parent_tree, proto_rtse, next_tvb ? next_tvb : tvb, 0, -1, FALSE);
tree = proto_item_add_subtree(item, ett_rtse);
}
if (rtse_reassemble && session->spdu_type == SES_DATA_TRANSFER) {
/* strip off the OCTET STRING encoding - including any CONSTRUCTED OCTET STRING */
dissect_ber_octet_string(FALSE, &asn1_ctx, tree, tvb, offset, hf_rtse_segment_data, &data_tvb);
if (data_tvb) {
fragment_length = tvb_length_remaining (data_tvb, 0);
proto_item_append_text(asn1_ctx.created_item, " (%u byte%s)", fragment_length,
plurality(fragment_length, "", "s"));
frag_msg = fragment_add_seq_next (data_tvb, 0, pinfo,
rtse_id, rtse_segment_table,
rtse_reassembled_table, fragment_length, TRUE);
if (frag_msg && pinfo->fd->num != frag_msg->reassembled_in) {
/* Add a "Reassembled in" link if not reassembled in this frame */
proto_tree_add_uint (tree, *(rtse_frag_items.hf_reassembled_in),
data_tvb, 0, 0, frag_msg->reassembled_in);
}
pinfo->fragmented = TRUE;
data_handled = TRUE;
} else {
fragment_length = tvb_length_remaining (tvb, offset);
}
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO, "[RTSE fragment, %u byte%s]",
fragment_length, plurality(fragment_length, "", "s"));
} else if (rtse_reassemble && session->spdu_type == SES_MAJOR_SYNC_POINT) {
if (next_tvb) {
/* ROS won't do this for us */
session->ros_op = (ROS_OP_INVOKE | ROS_OP_ARGUMENT);
offset=dissect_ber_external_type(FALSE, tree, next_tvb, 0, &asn1_ctx, -1, call_rtse_external_type_callback);
} else {
offset = tvb_length (tvb);
}
pinfo->fragmented = FALSE;
data_handled = TRUE;
}
if (!data_handled) {
while (tvb_reported_length_remaining(tvb, offset) > 0){
old_offset=offset;
offset=dissect_rtse_RTSE_apdus(TRUE, tvb, offset, &asn1_ctx, tree, -1);
if(offset == old_offset){
item = proto_tree_add_text(tree, tvb, offset, -1, "Unknown RTSE PDU");
if(item){
expert_add_info_format (pinfo, item, PI_UNDECODED, PI_WARN, "Unknown RTSE PDU");
next_tree=proto_item_add_subtree(item, ett_rtse_unknown);
dissect_unknown_ber(pinfo, tvb, offset, next_tree);
}
offset = tvb_length(tvb);
break;
}
}
}
top_tree = NULL;
}
static void
dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
struct smtp_proto_data *spd_frame_data;
proto_tree *smtp_tree = NULL;
proto_tree *cmdresp_tree;
proto_item *ti, *hidden_item;
int offset = 0;
int request = 0;
conversation_t *conversation;
struct smtp_session_state *session_state;
const guchar *line, *linep, *lineend;
guint32 code;
int linelen = 0;
gint length_remaining;
gboolean eom_seen = FALSE;
gint next_offset;
gint loffset = 0;
int cmdlen;
fragment_data *frag_msg = NULL;
tvbuff_t *next_tvb;
/* As there is no guarantee that we will only see frames in the
* the SMTP conversation once, and that we will see them in
* order - in Wireshark, the user could randomly click on frames
* in the conversation in any order in which they choose - we
* have to store information with each frame indicating whether
* it contains commands or data or an EOM indication.
*
* XXX - what about frames that contain *both*? TCP is a
* byte-stream protocol, and there are no guarantees that
* TCP segment boundaries will correspond to SMTP commands
* or EOM indications.
*
* We only need that for the client->server stream; responses
* are easy to manage.
*
* If we have per frame data, use that, else, we must be on the first
* pass, so we figure it out on the first pass.
*/
/*
* Find or create the conversation for this.
*/
conversation = find_or_create_conversation(pinfo);
/*
* Is there a request structure attached to this conversation?
*/
session_state = conversation_get_proto_data(conversation, proto_smtp);
if (!session_state) {
/*
* No - create one and attach it.
*/
session_state = se_alloc(sizeof(struct smtp_session_state));
session_state->smtp_state = SMTP_STATE_READING_CMDS;
session_state->crlf_seen = FALSE;
session_state->data_seen = FALSE;
session_state->msg_read_len = 0;
session_state->msg_tot_len = 0;
session_state->msg_last = TRUE;
session_state->last_nontls_frame = 0;
conversation_add_proto_data(conversation, proto_smtp, session_state);
}
/* Are we doing TLS?
* FIXME In my understanding of RFC 2487 client and server can send SMTP cmds
* after a rejected TLS negotiation
*/
if (session_state->last_nontls_frame != 0 && pinfo->fd->num > session_state->last_nontls_frame) {
guint16 save_can_desegment;
guint32 save_last_nontls_frame;
/* This is TLS, not raw SMTP. TLS can desegment */
save_can_desegment = pinfo->can_desegment;
pinfo->can_desegment = pinfo->saved_can_desegment;
/* Make sure the SSL dissector will not be called again after decryption */
save_last_nontls_frame = session_state->last_nontls_frame;
session_state->last_nontls_frame = 0;
call_dissector(ssl_handle, tvb, pinfo, tree);
pinfo->can_desegment = save_can_desegment;
session_state->last_nontls_frame = save_last_nontls_frame;
return;
}
/* Is this a request or a response? */
request = pinfo->destport == pinfo->match_uint;
/*
* Is there any data attached to this frame?
*/
spd_frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
if (!spd_frame_data) {
/*
* No frame data.
*/
if(request) {
/*
* Create a frame data structure and attach it to the packet.
*/
spd_frame_data = se_alloc0(sizeof(struct smtp_proto_data));
spd_frame_data->conversation_id = conversation->index;
spd_frame_data->more_frags = TRUE;
p_add_proto_data(pinfo->fd, proto_smtp, spd_frame_data);
}
/*
* Get the first line from the buffer.
*
* Note that "tvb_find_line_end()" will, if it doesn't return
* -1, return a value that is not longer than what's in the buffer,
* and "tvb_find_line_end()" will always return a value that is not
* longer than what's in the buffer, so the "tvb_get_ptr()" call
* won't throw an exception.
*/
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
smtp_desegment && pinfo->can_desegment);
if (linelen == -1) {
if (offset == loffset) {
/*
* We didn't find a line ending, and we're doing desegmentation;
* tell the TCP dissector where the data for this message starts
* in the data it handed us, and tell it we need more bytes
*/
pinfo->desegment_offset = loffset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
} else {
linelen = tvb_length_remaining(tvb, loffset);
next_offset = loffset + linelen;
}
}
line = tvb_get_ptr(tvb, loffset, linelen);
/*
* Check whether or not this packet is an end of message packet
* We should look for CRLF.CRLF and they may be split.
* We have to keep in mind that we may see what we want on
* two passes through here ...
*/
if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
/*
* The order of these is important ... We want to avoid
* cases where there is a CRLF at the end of a packet and a
* .CRLF at the begining of the same packet.
*/
if ((session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0)
eom_seen = TRUE;
length_remaining = tvb_length_remaining(tvb, loffset);
if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0)
session_state->crlf_seen = TRUE;
else
session_state->crlf_seen = FALSE;
}
/*
* OK, Check if we have seen a DATA request. We do it here for
* simplicity, but we have to be careful below.
*/
if (request) {
if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
/*
* This is message data.
*/
if (eom_seen) { /* Seen the EOM */
/*
* EOM.
* Everything that comes after it is commands.
*/
spd_frame_data->pdu_type = SMTP_PDU_EOM;
session_state->smtp_state = SMTP_STATE_READING_CMDS;
break;
} else {
/*
* Message data with no EOM.
*/
spd_frame_data->pdu_type = SMTP_PDU_MESSAGE;
if (session_state->msg_tot_len > 0) {
/*
* We are handling a BDAT message.
* Check if we have reached end of the data chunk.
*/
session_state->msg_read_len += tvb_length_remaining(tvb, loffset);
if (session_state->msg_read_len == session_state->msg_tot_len) {
/*
* We have reached end of BDAT data chunk.
* Everything that comes after this is commands.
*/
session_state->smtp_state = SMTP_STATE_READING_CMDS;
if (session_state->msg_last) {
/*
* We have found the LAST data chunk.
* The message can now be reassembled.
*/
spd_frame_data->more_frags = FALSE;
}
break; /* no need to go through the remaining lines */
}
}
}
} else {
/*
* This is commands - unless the capture started in the
* middle of a session, and we're in the middle of data.
*
* Commands are not necessarily 4 characters; look
* for a space or the end of the line to see where
* the putative command ends.
*/
linep = line;
lineend = line + linelen;
while (linep < lineend && *linep != ' ')
linep++;
cmdlen = (int)(linep - line);
if (line_is_smtp_command(line, cmdlen)) {
if (g_ascii_strncasecmp(line, "DATA", 4) == 0) {
/*
* DATA command.
* This is a command, but everything that comes after it,
* until an EOM, is data.
*/
spd_frame_data->pdu_type = SMTP_PDU_CMD;
session_state->smtp_state = SMTP_STATE_READING_DATA;
session_state->data_seen = TRUE;
} else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) {
/*
* BDAT command.
* This is a command, but everything that comes after it,
* until given length is received, is data.
*/
guint32 msg_len;
msg_len = strtoul (line+5, NULL, 10);
spd_frame_data->pdu_type = SMTP_PDU_CMD;
session_state->data_seen = TRUE;
session_state->msg_tot_len += msg_len;
if (msg_len == 0) {
/* No data to read, next will be a command */
session_state->smtp_state = SMTP_STATE_READING_CMDS;
} else {
session_state->smtp_state = SMTP_STATE_READING_DATA;
}
if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) {
/*
* This is the last data chunk.
*/
session_state->msg_last = TRUE;
if (msg_len == 0) {
/*
* No more data to expect.
* The message can now be reassembled.
*/
spd_frame_data->more_frags = FALSE;
}
} else {
session_state->msg_last = FALSE;
}
} else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) {
/*
* STARTTLS command.
* This is a command, but if the response is 220,
* everything after the response is TLS.
*/
session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE;
spd_frame_data->pdu_type = SMTP_PDU_CMD;
} else {
/*
* Regular command.
*/
spd_frame_data->pdu_type = SMTP_PDU_CMD;
}
} else {
/*
* Assume it's message data.
*/
spd_frame_data->pdu_type = session_state->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
}
}
}
/*
* Step past this line.
*/
loffset = next_offset;
}
}
/*
* From here, we simply add items to the tree and info to the info
* fields ...
*/
col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */
col_clear(pinfo->cinfo, COL_INFO);
/*
* If it is a request, we have to look things up, otherwise, just
* display the right things
*/
if (request) {
/* We must have frame_data here ... */
switch (spd_frame_data->pdu_type) {
case SMTP_PDU_MESSAGE:
length_remaining = tvb_length_remaining(tvb, offset);
col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
plurality (length_remaining, "", "s"));
break;
case SMTP_PDU_EOM:
col_set_str(pinfo->cinfo, COL_INFO, "C: .");
break;
case SMTP_PDU_CMD:
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, loffset, linelen);
if(loffset == offset)
col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
format_text(line, linelen));
else {
col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
format_text(line, linelen));
}
loffset = next_offset;
}
break;
}
} else {
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, loffset, linelen);
if (loffset == offset)
col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
format_text(line, linelen));
else {
col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
format_text(line, linelen));
}
loffset = next_offset;
}
}
}
if (tree) { /* Build the tree info ... */
ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA);
smtp_tree = proto_item_add_subtree(ti, ett_smtp);
}
if (request) {
/*
* Check out whether or not we can see a command in there ...
* What we are looking for is not data_seen and the word DATA
* and not eom_seen.
*
* We will see DATA and session_state->data_seen when we process the
* tree view after we have seen a DATA packet when processing
* the packet list pane.
*
* On the first pass, we will not have any info on the packets
* On second and subsequent passes, we will.
*/
switch (spd_frame_data->pdu_type) {
case SMTP_PDU_MESSAGE:
if (smtp_data_desegment) {
frag_msg = fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id,
smtp_data_segment_table, smtp_data_reassembled_table,
tvb_length(tvb), spd_frame_data->more_frags);
} else {
/*
* Message body.
* Put its lines into the protocol tree, a line at a time.
*/
dissect_smtp_data(tvb, offset, smtp_tree);
}
break;
case SMTP_PDU_EOM:
/*
* End-of-message-body indicator.
*
* XXX - what about stuff after the first line?
* Unlikely, as the client should wait for a response to the
* DATA command this terminates before sending another
* request, but we should probably handle it.
*/
proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
if (smtp_data_desegment) {
/* add final data segment */
if (loffset)
fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id,
smtp_data_segment_table, smtp_data_reassembled_table,
loffset, spd_frame_data->more_frags);
/* terminate the desegmentation */
frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table,
smtp_data_reassembled_table);
}
break;
case SMTP_PDU_CMD:
/*
* Command.
*
* XXX - what about stuff after the first line?
* Unlikely, as the client should wait for a response to the
* previous command before sending another request, but we
* should probably handle it.
*/
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
if (linelen >= 4)
cmdlen = 4;
else
cmdlen = linelen;
hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb,
0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
/*
* Put the command line into the protocol tree.
*/
ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
loffset, next_offset - loffset, ENC_ASCII|ENC_NA);
cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
loffset, cmdlen, ENC_ASCII|ENC_NA);
if (linelen > 5) {
proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
}
if (smtp_data_desegment && !spd_frame_data->more_frags) {
/* terminate the desegmentation */
frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table,
smtp_data_reassembled_table);
}
/*
* Step past this line.
*/
loffset = next_offset;
}
}
if (smtp_data_desegment) {
next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP",
frag_msg, &smtp_data_frag_items, NULL, smtp_tree);
if (next_tvb) {
/* XXX: this is presumptious - we may have negotiated something else */
if (imf_handle) {
call_dissector(imf_handle, next_tvb, pinfo, tree);
} else {
/*
* Message body.
* Put its lines into the protocol tree, a line at a time.
*/
dissect_smtp_data(tvb, offset, smtp_tree);
}
pinfo->fragmented = FALSE;
} else {
pinfo->fragmented = TRUE;
}
}
} else {
/*
* Process the response, a line at a time, until we hit a line
* that doesn't have a continuation indication on it.
*/
if (tree) {
hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb,
0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (tree) {
/*
* Put it into the protocol tree.
*/
ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb,
offset, next_offset - offset, ENC_ASCII|ENC_NA);
cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
} else
cmdresp_tree = NULL;
line = tvb_get_ptr(tvb, offset, linelen);
if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
&& isdigit(line[2])) {
/*
* We have a 3-digit response code.
*/
code = (line[0] - '0')*100 + (line[1] - '0')*10 + (line[2] - '0');
/*
* If we're awaiting the response to a STARTTLS code, this
* is it - if it's 220, all subsequent traffic will
* be TLS, otherwise we're back to boring old SMTP.
*/
if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) {
if (code == 220) {
/* This is the last non-TLS frame. */
session_state->last_nontls_frame = pinfo->fd->num;
}
session_state->smtp_state = SMTP_STATE_READING_CMDS;
}
if (tree) {
/*
* Put the response code and parameters into the protocol tree.
*/
proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3,
code);
if (linelen >= 4) {
proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
offset + 4, linelen - 4, ENC_ASCII|ENC_NA);
}
}
}
/*
* Step past this line.
*/
offset = next_offset;
}
}
}
