static int
dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
gboolean is_verifier, gssapi_encrypt_info_t* encrypt_info)
{
proto_item *volatile item;
proto_tree *volatile subtree;
volatile int return_offset = 0;
gssapi_conv_info_t *volatile gss_info;
gssapi_oid_value *oidvalue;
dissector_handle_t handle;
conversation_t *conversation;
tvbuff_t *oid_tvb;
int len, start_offset, oid_start_offset;
volatile int offset;
gint8 appclass;
gboolean pc, ind_field;
gint32 tag;
guint32 len1;
const char *oid;
fragment_head *fd_head=NULL;
gssapi_frag_info_t *fi;
tvbuff_t *volatile gss_tvb=NULL;
asn1_ctx_t asn1_ctx;
start_offset=0;
offset=0;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
/*
* We don't know whether the data is encrypted, so say it's
* not, for now. The subdissector must set gssapi_data_encrypted
* if it is.
*/
encrypt_info->gssapi_data_encrypted = FALSE;
/*
* We need a conversation for later
*/
conversation = find_or_create_conversation(pinfo);
gss_info = (gssapi_conv_info_t *)conversation_get_proto_data(conversation, proto_gssapi);
if (!gss_info) {
gss_info = wmem_new(wmem_file_scope(), gssapi_conv_info_t);
gss_info->oid=NULL;
gss_info->do_reassembly=FALSE;
gss_info->frags=wmem_tree_new(wmem_file_scope());
conversation_add_proto_data(conversation, proto_gssapi, gss_info);
}
item = proto_tree_add_item(
tree, proto_gssapi, tvb, offset, -1, ENC_NA);
subtree = proto_item_add_subtree(item, ett_gssapi);
/*
* Catch the ReportedBoundsError exception; the stuff we've been
* handed doesn't necessarily run to the end of the packet, it's
* an item inside a packet, so if it happens to be malformed (or
* we, or a dissector we call, has a bug), so that an exception
* is thrown, we want to report the error, but return and let
* our caller dissect the rest of the packet.
*
* If it gets a BoundsError, we can stop, as there's nothing more
* in the packet after our blob to see, so we just re-throw the
* exception.
*/
TRY {
gss_tvb=tvb;
/* First of all, if it's the first time we see this packet
* then check whether we are in the middle of reassembly or not
*/
if( (!pinfo->fd->flags.visited)
&& (gss_info->do_reassembly)
&& (gssapi_reassembly) ){
fi=(gssapi_frag_info_t *)wmem_tree_lookup32(gss_info->frags, gss_info->first_frame);
if(!fi){
goto done;
}
wmem_tree_insert32(gss_info->frags, pinfo->num, fi);
fd_head=fragment_add(&gssapi_reassembly_table,
tvb, 0, pinfo, fi->first_frame, NULL,
gss_info->frag_offset,
tvb_captured_length(tvb), TRUE);
gss_info->frag_offset+=tvb_captured_length(tvb);
/* we need more fragments */
if(!fd_head){
goto done;
}
/* this blob is now fully reassembled */
gss_info->do_reassembly=FALSE;
fi->reassembled_in=pinfo->num;
gss_tvb=tvb_new_chain(tvb, fd_head->tvb_data);
add_new_data_source(pinfo, gss_tvb, "Reassembled GSSAPI");
}
/* We have seen this packet before.
* Is this blob part of reassembly or a normal blob ?
*/
if( (pinfo->fd->flags.visited)
&& (gssapi_reassembly) ){
fi=(gssapi_frag_info_t *)wmem_tree_lookup32(gss_info->frags, pinfo->num);
if(fi){
fd_head=fragment_get(&gssapi_reassembly_table,
pinfo, fi->first_frame, NULL);
if(fd_head && (fd_head->flags&FD_DEFRAGMENTED)){
if(pinfo->num==fi->reassembled_in){
proto_item *frag_tree_item;
gss_tvb=tvb_new_chain(tvb, fd_head->tvb_data);
add_new_data_source(pinfo, gss_tvb, "Reassembled GSSAPI");
show_fragment_tree(fd_head, &gssapi_frag_items, tree, pinfo, tvb, &frag_tree_item);
} else {
proto_item *it;
it=proto_tree_add_uint(tree, hf_gssapi_reassembled_in, tvb, 0, 0, fi->reassembled_in);
PROTO_ITEM_SET_GENERATED(it);
goto done;
}
}
}
}
/* Read header */
offset = get_ber_identifier(gss_tvb, offset, &appclass, &pc, &tag);
offset = get_ber_length(gss_tvb, offset, &len1, &ind_field);
if (!(appclass == BER_CLASS_APP && pc && tag == 0)) {
/* It could be NTLMSSP, with no OID. This can happen
for anything that microsoft calls 'Negotiate' or GSS-SPNEGO */
if ((tvb_captured_length_remaining(gss_tvb, start_offset)>7) && (tvb_strneql(gss_tvb, start_offset, "NTLMSSP", 7) == 0)) {
return_offset = call_dissector(ntlmssp_handle,
tvb_new_subset_remaining(gss_tvb, start_offset),
pinfo, subtree);
goto done;
}
/* Maybe it's new NTLMSSP payload */
if ((tvb_captured_length_remaining(gss_tvb, start_offset)>16) &&
((tvb_memeql(gss_tvb, start_offset, "\x01\x00\x00\x00", 4) == 0))) {
return_offset = call_dissector(ntlmssp_payload_handle,
tvb_new_subset_remaining(gss_tvb, start_offset),
pinfo, subtree);
encrypt_info->gssapi_data_encrypted = TRUE;
goto done;
}
if ((tvb_captured_length_remaining(gss_tvb, start_offset)==16) &&
((tvb_memeql(gss_tvb, start_offset, "\x01\x00\x00\x00", 4) == 0))) {
if( is_verifier ) {
return_offset = call_dissector(ntlmssp_verf_handle,
tvb_new_subset_remaining(gss_tvb, start_offset),
pinfo, subtree);
}
else if( encrypt_info->gssapi_encrypted_tvb ) {
return_offset = call_dissector_with_data(ntlmssp_data_only_handle,
tvb_new_subset_remaining(encrypt_info->gssapi_encrypted_tvb, 0),
pinfo, subtree, &encrypt_info->gssapi_decrypted_tvb);
encrypt_info->gssapi_data_encrypted = TRUE;
}
goto done;
}
/* Maybe it's new GSSKRB5 CFX Wrapping */
if ((tvb_captured_length_remaining(gss_tvb, start_offset)>2) &&
((tvb_memeql(gss_tvb, start_offset, "\04\x04", 2) == 0) ||
(tvb_memeql(gss_tvb, start_offset, "\05\x04", 2) == 0))) {
return_offset = call_dissector_with_data(spnego_krb5_wrap_handle,
tvb_new_subset_remaining(gss_tvb, start_offset),
pinfo, subtree, encrypt_info);
goto done;
}
/*
* If we do not recognise an Application class,
* then we are probably dealing with an inner context
* token or a wrap token, and we should retrieve the
* gssapi_oid_value pointer from the per-frame data or,
* if there is no per-frame data (as would be the case
* the first time we dissect this frame), from the
* conversation that exists or that we created from
* pinfo (and then make it per-frame data).
* We need to make it per-frame data as there can be
* more than one GSS-API negotiation in a conversation.
*
* Note! We "cheat". Since we only need the pointer,
* we store that as the data. (That's not really
* "cheating" - the per-frame data and per-conversation
* data code doesn't care what you supply as a data
* pointer; it just treats it as an opaque pointer, it
* doesn't dereference it or free what it points to.)
*/
oidvalue = (gssapi_oid_value *)p_get_proto_data(wmem_file_scope(), pinfo, proto_gssapi, 0);
if (!oidvalue && !pinfo->fd->flags.visited)
{
/* No handle attached to this frame, but it's the first */
/* pass, so it'd be attached to the conversation. */
oidvalue = gss_info->oid;
if (gss_info->oid)
p_add_proto_data(wmem_file_scope(), pinfo, proto_gssapi, 0, gss_info->oid);
}
if (!oidvalue)
{
proto_tree_add_expert_format(subtree, pinfo, &ei_gssapi_unknown_header, gss_tvb, start_offset, 0,
"Unknown header (class=%d, pc=%d, tag=%d)",
appclass, pc, tag);
return_offset = tvb_captured_length(gss_tvb);
goto done;
} else {
tvbuff_t *oid_tvb_local;
oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
if (is_verifier)
handle = oidvalue->wrap_handle;
else
handle = oidvalue->handle;
len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
if (len == 0)
return_offset = tvb_captured_length(gss_tvb);
else
return_offset = start_offset + len;
goto done; /* We are finished here */
}
}
/* Read oid */
oid_start_offset=offset;
offset=dissect_ber_object_identifier_str(FALSE, &asn1_ctx, subtree, gss_tvb, offset, hf_gssapi_oid, &oid);
oidvalue = gssapi_lookup_oid_str(oid);
/* Check if we need reassembly of this blob.
* Only try reassembly for OIDs we recognize
* and when we have the entire tvb
*
* SMB will sometimes split one large GSSAPI blob
* across multiple SMB/SessionSetup commands.
* While we should look at the uid returned in the response
* to the first SessionSetup and use that as a key
* instead for simplicity we assume there will not be several
* such authentication at once on a single tcp session
*/
if( (!pinfo->fd->flags.visited)
&& (oidvalue)
&& (tvb_captured_length(gss_tvb)==tvb_reported_length(gss_tvb))
&& (len1>(guint32)tvb_captured_length_remaining(gss_tvb, oid_start_offset))
&& (gssapi_reassembly) ){
fi=wmem_new(wmem_file_scope(), gssapi_frag_info_t);
fi->first_frame=pinfo->num;
fi->reassembled_in=0;
wmem_tree_insert32(gss_info->frags, pinfo->num, fi);
fragment_add(&gssapi_reassembly_table,
gss_tvb, 0, pinfo, pinfo->num, NULL,
0, tvb_captured_length(gss_tvb), TRUE);
fragment_set_tot_len(&gssapi_reassembly_table,
pinfo, pinfo->num, NULL, len1+oid_start_offset);
gss_info->do_reassembly=TRUE;
gss_info->first_frame=pinfo->num;
gss_info->frag_offset=tvb_captured_length(gss_tvb);
goto done;
}
/*
* Hand off to subdissector.
*/
if ((oidvalue == NULL) ||
!proto_is_protocol_enabled(oidvalue->proto)) {
/* No dissector for this oid */
proto_tree_add_item(subtree, hf_gssapi_token_object, gss_tvb, oid_start_offset, -1, ENC_NA);
return_offset = tvb_captured_length(gss_tvb);
goto done;
}
/* Save a pointer to the data for the OID for the
* GSSAPI protocol for this conversation.
*/
/*
* Now add the proto data ...
* but only if it is not already there.
*/
if(!gss_info->oid){
gss_info->oid=oidvalue;
}
if (is_verifier) {
handle = oidvalue->wrap_handle;
if (handle != NULL) {
oid_tvb = tvb_new_subset_remaining(gss_tvb, offset);
len = call_dissector_with_data(handle, oid_tvb, pinfo, subtree, encrypt_info);
if (len == 0)
return_offset = tvb_captured_length(gss_tvb);
else
return_offset = offset + len;
} else {
proto_tree_add_item(subtree, hf_gssapi_auth_verifier, gss_tvb, offset, -1, ENC_NA);
return_offset = tvb_captured_length(gss_tvb);
}
} else {
handle = oidvalue->handle;
if (handle != NULL) {
oid_tvb = tvb_new_subset_remaining(gss_tvb, offset);
len = call_dissector_with_data(handle, oid_tvb, pinfo, subtree, encrypt_info);
if (len == 0)
return_offset = tvb_captured_length(gss_tvb);
else
return_offset = offset + len;
} else {
proto_tree_add_item(subtree, hf_gssapi_auth_credentials, gss_tvb, offset, -1, ENC_NA);
return_offset = tvb_captured_length(gss_tvb);
}
}
done:
;
} CATCH_NONFATAL_ERRORS {
/*
* Somebody threw an exception that means that there
* was a problem dissecting the payload; that means
* that a dissector was found, so we don't need to
* dissect the payload as data or update the protocol
* or info columns.
*
* Just show the exception and then drive on to show
* the trailer, after noting that a dissector was found
* and restoring the protocol value that was in effect
* before we called the subdissector.
*/
show_exception(gss_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
} ENDTRY;
proto_item_set_len(item, return_offset);
return return_offset;
}
static gint
dissect_adb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
proto_item *main_item;
proto_tree *main_tree;
proto_item *arg0_item;
proto_tree *arg0_tree;
proto_item *arg1_item;
proto_tree *arg1_tree;
proto_item *magic_item;
proto_item *crc_item;
proto_tree *crc_tree = NULL;
proto_item *sub_item;
gint offset = 0;
guint32 command;
guint32 arg0;
guint32 arg1;
guint32 data_length = 0;
guint32 crc32 = 0;
usb_conv_info_t *usb_conv_info = NULL;
wmem_tree_key_t key[5];
guint32 interface_id;
guint32 bus_id;
guint32 device_address;
guint32 side_id;
guint32 frame_number;
gboolean is_command = TRUE;
gboolean is_next_fragment = FALSE;
gboolean is_service = FALSE;
gint proto;
gint direction = P2P_DIR_UNKNOWN;
wmem_tree_t *wmem_tree;
command_data_t *command_data = NULL;
service_data_t *service_data = NULL;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ADB");
col_clear(pinfo->cinfo, COL_INFO);
main_item = proto_tree_add_item(tree, proto_adb, tvb, offset, -1, ENC_NA);
main_tree = proto_item_add_subtree(main_item, ett_adb);
frame_number = pinfo->fd->num;
/* XXX: Why? If interface is USB only first try is correct
* (and seems strange...), in other cases standard check for
* previous protocol is correct */
proto = (gint) GPOINTER_TO_INT(wmem_list_frame_data(/*wmem_list_frame_prev*/(wmem_list_tail(pinfo->layers))));
if (proto != proto_usb) {
proto = (gint) GPOINTER_TO_INT(wmem_list_frame_data(wmem_list_frame_prev(wmem_list_tail(pinfo->layers))));
}
if (proto == proto_usb) {
usb_conv_info = (usb_conv_info_t *) data;
DISSECTOR_ASSERT(usb_conv_info);
direction = usb_conv_info->direction;
} else if (proto == proto_tcp) {
if (pinfo->destport == ADB_TCP_PORT)
direction = P2P_DIR_SENT;
else
direction = P2P_DIR_RECV;
} else {
return offset;
}
if (pinfo->phdr->presence_flags & WTAP_HAS_INTERFACE_ID)
interface_id = pinfo->phdr->interface_id;
else
interface_id = 0;
if (proto == proto_usb) {
bus_id = usb_conv_info->bus_id;
device_address = usb_conv_info->device_address;
key[0].length = 1;
key[0].key = &interface_id;
key[1].length = 1;
key[1].key = &bus_id;
key[2].length = 1;
key[2].key = &device_address;
key[3].length = 0;
key[3].key = NULL;
} else { /* tcp */
key[0].length = 1;
key[0].key = &interface_id;
key[1].length = 1;
key[2].length = 1;
if (direction == P2P_DIR_SENT) {
key[1].key = &pinfo->srcport;
key[2].key = &pinfo->destport;
} else {
key[1].key = &pinfo->destport;
key[2].key = &pinfo->srcport;
}
key[3].length = 0;
key[3].key = NULL;
}
wmem_tree = (wmem_tree_t *) wmem_tree_lookup32_array(command_info, key);
if (wmem_tree) {
command_data = (command_data_t *) wmem_tree_lookup32_le(wmem_tree, frame_number);
if (command_data && command_data->completed_in_frame >= frame_number &&
command_data->command_in_frame <= frame_number) {
if (command_data->command_in_frame != frame_number) {
is_command = FALSE;
is_next_fragment = TRUE;
}
data_length = command_data->data_length;
crc32 = command_data->crc32;
if (direction == P2P_DIR_SENT)
if (command_data->command == A_CLSE)
side_id = command_data->arg1; /* OUT: local id */
else
side_id = command_data->arg0; /* OUT: local id */
else
if (command_data->command == A_OKAY) {
side_id = command_data->arg1; /* IN: remote id */
} else
side_id = command_data->arg1; /* IN: remote id */
key[3].length = 1;
key[3].key = &side_id;
key[4].length = 0;
key[4].key = NULL;
wmem_tree = (wmem_tree_t *) wmem_tree_lookup32_array(service_info, key);
if (wmem_tree) {
service_data = (service_data_t *) wmem_tree_lookup32_le(wmem_tree, frame_number);
if (service_data && command_data->command == A_OPEN) {
is_service = TRUE;
}
}
}
}
/* Simple heuristics to check if packet is command or data */
if ((command_data && command_data->completed_in_frame <= frame_number) || !command_data) {
if (tvb_reported_length(tvb) < 24) {
is_command = FALSE;
} else if (tvb_reported_length(tvb) >= 24) {
command = tvb_get_letohl(tvb, offset);
if (command != A_SYNC && command != A_CLSE && command != A_WRTE &&
command != A_AUTH && command != A_CNXN && command != A_OPEN && command != A_OKAY)
is_command = FALSE;
else if (command != (0xFFFFFFFF ^ tvb_get_letohl(tvb, offset + 20)))
is_command = FALSE;
if (is_command) {
data_length = tvb_get_letohl(tvb, offset + 12);
crc32 = tvb_get_letohl(tvb, offset + 16);
}
if (command == A_OPEN) is_service = TRUE;
}
}
if (service_data && !(command_data->command == A_OPEN && is_next_fragment)) {
sub_item = proto_tree_add_string(main_tree, hf_service, tvb, offset, 0, service_data->service);
PROTO_ITEM_SET_GENERATED(sub_item);
}
if (service_data) {
sub_item = proto_tree_add_uint(main_tree, hf_service_start_in_frame, tvb, offset, 0, service_data->start_in_frame);
PROTO_ITEM_SET_GENERATED(sub_item);
if (service_data->close_local_in_frame < max_in_frame) {
sub_item = proto_tree_add_uint(main_tree, hf_close_local_in_frame, tvb, offset, 0, service_data->close_local_in_frame);
PROTO_ITEM_SET_GENERATED(sub_item);
}
if (service_data->close_remote_in_frame < max_in_frame) {
sub_item = proto_tree_add_uint(main_tree, hf_close_remote_in_frame, tvb, offset, 0, service_data->close_remote_in_frame);
PROTO_ITEM_SET_GENERATED(sub_item);
}
}
if (is_command) {
proto_tree_add_item(main_tree, hf_command, tvb, offset, 4, ENC_LITTLE_ENDIAN);
command = tvb_get_letohl(tvb, offset);
offset += 4;
col_append_str(pinfo->cinfo, COL_INFO, val_to_str_const(command, command_vals, "Unknown command"));
arg0_item = proto_tree_add_item(main_tree, hf_argument_0, tvb, offset, 4, ENC_LITTLE_ENDIAN);
arg0_tree = proto_item_add_subtree(arg0_item, ett_adb_arg0);
arg0 = tvb_get_letohl(tvb, offset);
offset += 4;
arg1_item = proto_tree_add_item(main_tree, hf_argument_1, tvb, offset, 4, ENC_LITTLE_ENDIAN);
arg1_tree = proto_item_add_subtree(arg1_item, ett_adb_arg1);
arg1 = tvb_get_letohl(tvb, offset);
offset += 4;
switch (command) {
case A_CNXN:
proto_tree_add_item(arg0_tree, hf_version, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_max_data, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(version=%u.%u.%u, max_data=%u)", tvb_get_guint8(tvb, offset - 5), tvb_get_guint8(tvb, offset - 6), tvb_get_letohs(tvb, offset - 7), tvb_get_letohl(tvb, offset - 4));
break;
case A_AUTH:
proto_tree_add_item(arg0_tree, hf_auth_type, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_zero, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(type=%s, 0)", val_to_str_const(tvb_get_letohl(tvb, offset - 8), auth_type_vals, "Unknown"));
break;
case A_OPEN:
proto_tree_add_item(arg0_tree, hf_local_id, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_zero, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(local=%u, 0)", tvb_get_letohl(tvb, offset - 8));
break;
case A_WRTE:
proto_tree_add_item(arg0_tree, hf_zero, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_remote_id, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(0, remote=%u)", tvb_get_letohl(tvb, offset - 4));
break;
case A_CLSE:
case A_OKAY:
proto_tree_add_item(arg0_tree, hf_local_id, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_remote_id, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(local=%u, remote=%u)", tvb_get_letohl(tvb, offset - 8), tvb_get_letohl(tvb, offset - 4));
break;
case A_SYNC:
proto_tree_add_item(arg0_tree, hf_online, tvb, offset - 8, 4, ENC_LITTLE_ENDIAN);
proto_tree_add_item(arg1_tree, hf_sequence, tvb, offset - 4, 4, ENC_LITTLE_ENDIAN);
col_append_fstr(pinfo->cinfo, COL_INFO, "(online=%s, sequence=%u)", tvb_get_letohl(tvb, offset - 8) ? "Yes": "No", tvb_get_letohl(tvb, offset - 4));
break;
}
proto_tree_add_item(main_tree, hf_data_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
if (data_length > 0)
col_append_fstr(pinfo->cinfo, COL_INFO, " length=%u ", data_length);
crc_item = proto_tree_add_item(main_tree, hf_data_crc32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
crc_tree = proto_item_add_subtree(crc_item, ett_adb_crc);
crc32 = tvb_get_letohl(tvb, offset);
offset += 4;
magic_item = proto_tree_add_item(main_tree, hf_magic, tvb, offset, 4, ENC_LITTLE_ENDIAN);
if ((tvb_get_letohl(tvb, offset) ^ 0xFFFFFFFF) != command) {
proto_tree *expert_tree;
expert_tree = proto_item_add_subtree(magic_item, ett_adb_magic);
proto_tree_add_expert(expert_tree, pinfo, &ei_invalid_magic, tvb, offset, 4);
}
if (!pinfo->fd->flags.visited)
save_command(command, arg0, arg1, data_length, crc32, service_data, proto, data, pinfo, &service_data, &command_data);
offset += 4;
}
if (!pinfo->fd->flags.visited && command_data) {
if (command_data->command_in_frame != frame_number) {
is_command = FALSE;
is_next_fragment = TRUE;
}
data_length = command_data->data_length;
crc32 = command_data->crc32;
if ((command_data->command_in_frame != frame_number && tvb_captured_length(tvb) == data_length) ||
(command_data->command_in_frame == frame_number && tvb_captured_length(tvb) == data_length + 24)
) {
command_data->reassemble_data_length = command_data->data_length;
command_data->completed_in_frame = frame_number;
}
}
if (is_next_fragment && command_data) {
sub_item = proto_tree_add_uint(main_tree, hf_command_in_frame, tvb, offset, 0, command_data->command_in_frame);
PROTO_ITEM_SET_GENERATED(sub_item);
sub_item = proto_tree_add_uint(main_tree, hf_command, tvb, offset, 0, command_data->command);
PROTO_ITEM_SET_GENERATED(sub_item);
sub_item = proto_tree_add_uint(main_tree, hf_data_length, tvb, offset, 0, command_data->data_length);
PROTO_ITEM_SET_GENERATED(sub_item);
crc_item = proto_tree_add_uint(main_tree, hf_data_crc32, tvb, offset, 0, command_data->crc32);
crc_tree = proto_item_add_subtree(crc_item, ett_adb_crc);
PROTO_ITEM_SET_GENERATED(crc_item);
}
if (command_data && command_data->completed_in_frame != frame_number) {
sub_item = proto_tree_add_uint(main_tree, hf_completed_in_frame, tvb, offset, 0, command_data->completed_in_frame);
PROTO_ITEM_SET_GENERATED(sub_item);
}
if (tvb_captured_length_remaining(tvb, offset) > 0 && (!is_command || data_length > 0)) {
guint32 crc = 0;
guint32 i_offset;
if ((!pinfo->fd->flags.visited && command_data && command_data->reassemble_data_length < command_data->data_length) || data_length > (guint32) tvb_captured_length_remaining(tvb, offset)) { /* need reassemble */
if (!pinfo->fd->flags.visited && command_data && command_data->reassemble_data_length < command_data->data_length) {
tvb_memcpy(tvb, command_data->reassemble_data + command_data->reassemble_data_length, offset, tvb_captured_length_remaining(tvb, offset));
command_data->reassemble_data_length += tvb_captured_length_remaining(tvb, offset);
if (command_data->reassemble_data_length >= command_data->data_length)
command_data->completed_in_frame = frame_number;
}
proto_tree_add_item(main_tree, hf_data_fragment, tvb, offset, -1, ENC_NA);
col_append_str(pinfo->cinfo, COL_INFO, "Data Fragment");
offset = tvb_captured_length(tvb);
if (service_data && command_data && command_data->reassemble_data_length >= command_data->data_length && frame_number == command_data->completed_in_frame) {
tvbuff_t *next_tvb;
adb_service_data_t adb_service_data;
next_tvb = tvb_new_child_real_data(tvb, command_data->reassemble_data, command_data->reassemble_data_length, command_data->reassemble_data_length);
add_new_data_source(pinfo, next_tvb, "ADB Reassembled Data");
adb_service_data.service = service_data->service;
adb_service_data.direction = direction;
adb_service_data.session_key_length = 3;
adb_service_data.session_key = (guint32 *) wmem_alloc(wmem_packet_scope(), adb_service_data.session_key_length * sizeof(guint32));
adb_service_data.session_key[0] = interface_id;
if (proto == proto_usb) {
adb_service_data.session_key[1] = usb_conv_info->bus_id;
adb_service_data.session_key[2] = usb_conv_info->device_address;
} else { /* tcp */
if (direction == P2P_DIR_SENT) {
adb_service_data.session_key[1] = pinfo->srcport;
adb_service_data.session_key[2] = pinfo->destport;
} else {
adb_service_data.session_key[1] = pinfo->destport;
adb_service_data.session_key[2] = pinfo->srcport;
}
}
call_dissector_with_data(adb_service_handle, next_tvb, pinfo, tree, &adb_service_data);
}
} else { /* full message */
for (i_offset = 0; i_offset < data_length; ++i_offset)
crc += tvb_get_guint8(tvb, offset + i_offset);
if (crc32 > 0 && crc32 != crc)
proto_tree_add_expert(crc_tree, pinfo, &ei_invalid_crc, tvb, offset, -1);
if (is_service) {
proto_tree_add_item(main_tree, hf_service, tvb, offset, -1, ENC_ASCII | ENC_NA);
if (!pinfo->fd->flags.visited && service_data) {
service_data->service = tvb_get_stringz_enc(wmem_file_scope(), tvb, offset, NULL, ENC_ASCII);
}
col_append_fstr(pinfo->cinfo, COL_INFO, "Service: %s", tvb_get_stringz_enc(wmem_packet_scope(), tvb, offset, NULL, ENC_ASCII));
offset = tvb_captured_length(tvb);
} else if (command_data && command_data->command == A_CNXN) {
gchar *info;
gint len;
info = tvb_get_stringz_enc(wmem_packet_scope(), tvb, offset, &len, ENC_ASCII);
col_append_fstr(pinfo->cinfo, COL_INFO, "Connection Info: %s", info);
proto_tree_add_item(main_tree, hf_connection_info, tvb, offset, len, ENC_ASCII | ENC_NA);
offset += len;
} else {
col_append_str(pinfo->cinfo, COL_INFO, "Data");
/* Decode service payload */
if (service_data) {
tvbuff_t *next_tvb;
adb_service_data_t adb_service_data;
adb_service_data.service = service_data->service;
adb_service_data.direction = direction;
adb_service_data.session_key_length = 3;
adb_service_data.session_key = (guint32 *) wmem_alloc(wmem_packet_scope(), adb_service_data.session_key_length * sizeof(guint32));
adb_service_data.session_key[0] = interface_id;
if (proto == proto_usb) {
adb_service_data.session_key[1] = usb_conv_info->bus_id;
adb_service_data.session_key[2] = usb_conv_info->device_address;
} else { /* tcp */
if (direction == P2P_DIR_SENT) {
adb_service_data.session_key[1] = pinfo->srcport;
adb_service_data.session_key[2] = pinfo->destport;
} else {
adb_service_data.session_key[1] = pinfo->destport;
adb_service_data.session_key[2] = pinfo->srcport;
}
}
next_tvb = tvb_new_subset(tvb, offset, tvb_captured_length_remaining(tvb, offset), tvb_captured_length_remaining(tvb, offset));
call_dissector_with_data(adb_service_handle, next_tvb, pinfo, tree, &adb_service_data);
} else {
proto_item *data_item;
gchar *data_str;
data_item = proto_tree_add_item(main_tree, hf_data, tvb, offset, data_length, ENC_NA);
data_str = tvb_format_text(tvb, offset, data_length);
proto_item_append_text(data_item, ": %s", data_str);
col_append_fstr(pinfo->cinfo, COL_INFO, " Raw: %s", data_str);
}
offset = tvb_captured_length(tvb);
}
}
}
return offset;
}
/*
void
ethertype(guint16 etype, tvbuff_t *tvb, int offset_after_etype,
packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
int etype_id, int trailer_id, int fcs_len)
*/
static int
dissect_ethertype(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
const char *description;
tvbuff_t *volatile next_tvb;
guint length_before;
gint captured_length, reported_length;
volatile int dissector_found = 0;
const char *volatile saved_proto;
ethertype_data_t *ethertype_data;
/* Reject the packet if data is NULL */
if (data == NULL)
return 0;
ethertype_data = (ethertype_data_t*)data;
/* Add the Ethernet type to the protocol tree */
proto_tree_add_uint(ethertype_data->fh_tree, ethertype_data->etype_id, tvb,
ethertype_data->offset_after_ethertype - 2, 2, ethertype_data->etype);
/* Get the captured length and reported length of the data
after the Ethernet type. */
captured_length = tvb_captured_length_remaining(tvb, ethertype_data->offset_after_ethertype);
reported_length = tvb_reported_length_remaining(tvb,
ethertype_data->offset_after_ethertype);
/* Remember how much data there is after the Ethernet type,
including any trailer and FCS. */
length_before = reported_length;
/* Construct a tvbuff for the payload after the Ethernet type.
If the FCS length is positive, remove the FCS.
(If it's zero, there's no FCS; if it's negative,
we don't know whether there's an FCS, so we'll
guess based on the length of the trailer.) */
if (ethertype_data->fcs_len > 0) {
if (captured_length >= 0 && reported_length >= 0) {
if (reported_length >= ethertype_data->fcs_len)
reported_length -= ethertype_data->fcs_len;
if (captured_length > reported_length)
captured_length = reported_length;
}
}
next_tvb = tvb_new_subset(tvb, ethertype_data->offset_after_ethertype, captured_length,
reported_length);
p_add_proto_data(pinfo->pool, pinfo, proto_ethertype, 0, GUINT_TO_POINTER((guint)ethertype_data->etype));
/* Look for sub-dissector, and call it if found.
Catch exceptions, so that if the reported length of "next_tvb"
was reduced by some dissector before an exception was thrown,
we can still put in an item for the trailer. */
saved_proto = pinfo->current_proto;
TRY {
dissector_found = dissector_try_uint(ethertype_dissector_table,
ethertype_data->etype, next_tvb, pinfo, tree);
}
CATCH_NONFATAL_ERRORS {
/* Somebody threw an exception that means that there
was a problem dissecting the payload; that means
that a dissector was found, so we don't need to
dissect the payload as data or update the protocol
or info columns.
Just show the exception and then drive on to show
the trailer, after noting that a dissector was found
and restoring the protocol value that was in effect
before we called the subdissector. */
show_exception(next_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
dissector_found = 1;
pinfo->current_proto = saved_proto;
}
ENDTRY;
if (!dissector_found) {
/* No sub-dissector found.
Label rest of packet as "Data" */
call_data_dissector(next_tvb, pinfo, tree);
/* Label protocol */
col_add_fstr(pinfo->cinfo, COL_PROTOCOL, "0x%04x", ethertype_data->etype);
description = try_val_to_str(ethertype_data->etype, etype_vals);
if (description) {
col_add_str(pinfo->cinfo, COL_INFO, description);
}
}
add_dix_trailer(pinfo, tree, ethertype_data->fh_tree, ethertype_data->trailer_id, tvb, next_tvb, ethertype_data->offset_after_ethertype,
length_before, ethertype_data->fcs_len);
return tvb_captured_length(tvb);
}
static void
dissect_epmd_request(packet_info *pinfo, tvbuff_t *tvb, gint offset, proto_tree *tree) {
guint8 type;
guint16 name_length = 0;
const gchar *name = NULL;
proto_tree_add_item(tree, hf_epmd_len, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
type = tvb_get_guint8(tvb, offset);
proto_tree_add_item(tree, hf_epmd_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
col_add_str(pinfo->cinfo, COL_INFO, val_to_str(type, VALS(message_types), "unknown (0x%02X)"));
switch (type) {
case EPMD_ALIVE2_REQ:
proto_tree_add_item(tree, hf_epmd_port_no, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_epmd_node_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
proto_tree_add_item(tree, hf_epmd_protocol, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
proto_tree_add_item(tree, hf_epmd_dist_high, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_epmd_dist_low, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
name_length = tvb_get_ntohs(tvb, offset);
proto_tree_add_item(tree, hf_epmd_name_len, tvb, offset, 2, ENC_BIG_ENDIAN);
proto_tree_add_item(tree, hf_epmd_name, tvb, offset + 2, name_length, ENC_ASCII|ENC_NA);
name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 2, name_length, ENC_ASCII);
offset += 2 + name_length;
if (tvb_reported_length_remaining(tvb, offset) >= 2) {
guint16 elen=0;
elen = tvb_get_ntohs(tvb, offset);
proto_tree_add_item(tree, hf_epmd_elen, tvb, offset, 2, ENC_BIG_ENDIAN);
if (elen > 0)
proto_tree_add_item(tree, hf_epmd_edata, tvb, offset + 2, elen, ENC_NA);
/*offset += 2 + elen;*/
}
break;
case EPMD_PORT_REQ:
case EPMD_PORT2_REQ:
name_length = tvb_captured_length_remaining(tvb, offset);
proto_tree_add_item(tree, hf_epmd_name, tvb, offset, name_length, ENC_ASCII|ENC_NA);
name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, name_length, ENC_ASCII);
break;
case EPMD_ALIVE_REQ:
proto_tree_add_item(tree, hf_epmd_port_no, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
name_length = tvb_captured_length_remaining(tvb, offset);
proto_tree_add_item(tree, hf_epmd_name, tvb, offset, name_length, ENC_ASCII|ENC_NA);
name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, name_length, ENC_ASCII);
break;
case EPMD_NAMES_REQ:
break;
}
if (name) {
col_append_fstr(pinfo->cinfo, COL_INFO, " %s", name);
}
}
static int
dissect_data_segment(proto_tree *ltp_tree, tvbuff_t *tvb,packet_info *pinfo,int frame_offset,int ltp_type, guint64 session_num)
{
guint64 client_id;
guint64 data_offset;
guint64 data_length;
guint64 chkp_sno = 0;
guint64 rpt_sno = 0;
guint64 sda_client_id = 0;
unsigned segment_size = 0;
int sdnv_length;
int sdnv_status;
proto_tree *ltp_data_tree;
proto_item *ti;
fragment_head *frag_msg = NULL;
gboolean more_frags = TRUE;
tvbuff_t *new_tvb = NULL;
/* Create a subtree for data segment and add the other fields under it */
ltp_data_tree = proto_tree_add_subtree(ltp_tree, tvb, frame_offset, tvb_captured_length_remaining(tvb, frame_offset), ett_data_segm, NULL, "Data Segment");
/* Client ID - 0 = Bundle Protocol, 1 = CCSDS LTP Service Data Aggregation */
sdnv_status = evaluate_sdnv64(tvb, frame_offset, &sdnv_length, &client_id);
ti = proto_tree_add_uint64_format_value(ltp_data_tree, hf_ltp_data_clid, tvb, frame_offset, sdnv_length, client_id,
"%" G_GINT64_MODIFIER "u (%s)", client_id,
val_to_str_const((const guint32) client_id, client_service_id_info, "Invalid"));
if (!sdnv_status) {
expert_add_info(pinfo, ti, &ei_ltp_sdnv_length);
return 0;
}
frame_offset += sdnv_length;
segment_size += sdnv_length;
/* data segment offset */
if ((sdnv_length = add_sdnv64_to_tree(ltp_data_tree, tvb, pinfo, frame_offset, hf_ltp_data_offset, &data_offset, &ti)) > 0) {
frame_offset += sdnv_length;
segment_size += sdnv_length;
} else {
return 0;
}
/* data segment length */
if ((sdnv_length = add_sdnv64_to_tree(ltp_data_tree, tvb, pinfo, frame_offset, hf_ltp_data_length, &data_length, &ti)) > 0) {
frame_offset += sdnv_length;
segment_size += sdnv_length;
/* add in the data length also */
segment_size += (unsigned int) data_length;
} else {
return 0;
}
more_frags = FALSE;
if (ltp_type != 0 && ltp_type < 4)
{
/* checkpoint serial number - 32 bits per CCSDS */
if ((sdnv_length = add_sdnv64_to_tree(ltp_data_tree, tvb, pinfo, frame_offset, hf_ltp_data_chkp, &chkp_sno, &ti)) > 0) {
frame_offset += sdnv_length;
segment_size += sdnv_length;
if (chkp_sno > 4294967295U) {
/* just a warning - continue processing */
expert_add_info(pinfo, ti, &ei_ltp_sno_larger_than_ccsds);
}
} else {
return 0;
}
/* report serial number - 32 bits per CCSDS */
if ((sdnv_length = add_sdnv64_to_tree(ltp_data_tree, tvb, pinfo, frame_offset, hf_ltp_data_rpt, &rpt_sno, &ti)) > 0) {
frame_offset += sdnv_length;
segment_size += sdnv_length;
if (rpt_sno > 4294967295U) {
/* just a warning - continue processing */
expert_add_info(pinfo, ti, &ei_ltp_sno_larger_than_ccsds);
}
} else {
return 0;
}
} else if (ltp_type != 7) {
more_frags = TRUE;
}
if (segment_size >= tvb_captured_length(tvb)) {
/* did not capture the entire packet */
proto_tree_add_string(ltp_data_tree, hf_ltp_partial_packet, tvb, 0, 0, "<increase capture size?>");
return tvb_captured_length(tvb);
}
frag_msg = fragment_add_check(<p_reassembly_table,
tvb, frame_offset, pinfo, (guint32)session_num, NULL,
(guint32)data_offset, (guint32)data_length, more_frags);
if(frag_msg)
{
/* Checking if the segment is completely reassembled */
if(!(frag_msg->flags & FD_PARTIAL_REASSEMBLY))
{
/* if the segment has not been fragmented, then no reassembly is needed */
if(!more_frags && data_offset == 0)
{
new_tvb = tvb_new_subset_remaining(tvb, frame_offset);
}
else
{
new_tvb = process_reassembled_data(tvb, frame_offset, pinfo, "Reassembled LTP Segment",
frag_msg, <p_frag_items,NULL, ltp_data_tree);
}
}
}
if(new_tvb)
{
int data_count = 1;
int parse_length;
int parse_offset = 0;
parse_length = tvb_captured_length(new_tvb);
while(parse_offset < parse_length)
{
int bundle_size;
int sda_header_size;
proto_tree *ltp_data_data_tree;
tvbuff_t *datatvb;
ltp_data_data_tree = proto_tree_add_subtree_format(ltp_data_tree, tvb,frame_offset, 0,
ett_data_data_segm, NULL, "Data[%d]",data_count);
sda_header_size = 0;
if (client_id == 2) {
sdnv_status = evaluate_sdnv64(tvb, frame_offset+parse_offset, &sdnv_length, &sda_client_id);
ti = proto_tree_add_uint64_format_value(ltp_data_data_tree, hf_ltp_data_sda_clid, tvb, frame_offset+parse_offset, sdnv_length, sda_client_id,
"%" G_GINT64_MODIFIER "u (%s)", sda_client_id, val_to_str_const((const guint32) sda_client_id, client_service_id_info, "Invalid"));
if (!sdnv_status) {
expert_add_info(pinfo, ti, &ei_ltp_sdnv_length);
return 0;
}
sda_header_size = sdnv_length;
parse_offset += sdnv_length;
if (parse_offset == parse_length) {
col_set_str(pinfo->cinfo, COL_INFO, "CCSDS LTP SDA Protocol Error");
return 0; /* Give up*/
}
}
datatvb = tvb_new_subset_length_caplen(new_tvb, parse_offset, (int)parse_length - parse_offset, tvb_captured_length(new_tvb));
bundle_size = call_dissector(bundle_handle, datatvb, pinfo, ltp_data_data_tree);
if(bundle_size == 0) { /*Couldn't parse bundle*/
col_set_str(pinfo->cinfo, COL_INFO, "Dissection Failed");
return 0; /*Give up*/
}
/* update the length of the data set */
proto_item_set_len(ltp_data_data_tree, bundle_size+sda_header_size);
parse_offset += bundle_size;
data_count++;
}
}
else
{
if(frag_msg && more_frags)
{
col_append_frame_number(pinfo, COL_INFO, "[Reassembled in %d] ",frag_msg->reassembled_in);
}
else
{
col_append_str(pinfo->cinfo, COL_INFO, "[Unfinished LTP Segment] ");
}
}
return segment_size;
}
/* echo(4) */
proto_tree_add_uint(xtp_subtree, hf_xtp_cntl_echo,
tvb, offset, 4, cntl->echo);
return;
}
static void
dissect_xtp_first(tvbuff_t *tvb, proto_tree *tree, guint32 offset) {
if (!dissect_xtp_aseg(tvb, tree, offset))
return;
offset += XTP_IP_ADDR_SEG_LEN;
dissect_xtp_tspec(tvb, tree, offset);
return;
}
#define XTP_MAX_NSPANS 10000 /* Arbitrary. (Documentation link is dead.) */
static void
dissect_xtp_ecntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
guint32 offset) {
guint32 len = tvb_captured_length_remaining(tvb, offset);
guint32 start = offset;
proto_item *top_ti;
proto_tree *xtp_subtree;
struct xtp_ecntl ecntl[1];
guint spans_len;
guint i;
top_ti = proto_tree_add_text(tree, tvb, offset, len,
"Error Control Segment");
xtp_subtree = proto_item_add_subtree(top_ti, ett_xtp_ecntl);
if (len < MIN_XTP_ECNTL_PKT_LEN) {
proto_item_append_text(top_ti,
", bogus length (%u, must be at least %u)",
len, MIN_XTP_ECNTL_PKT_LEN);
return;
}
/** parse **/
/* rseq(8) */
ecntl->rseq = tvb_get_ntohl(tvb, offset);
ecntl->rseq <<= 32;
ecntl->rseq += tvb_get_ntohl(tvb, offset+4);
offset += 8;
/* alloc(8) */
ecntl->alloc = tvb_get_ntohl(tvb, offset);
ecntl->alloc <<= 32;
ecntl->alloc += tvb_get_ntohl(tvb, offset+4);
offset += 8;
/* echo(4) */
ecntl->echo = tvb_get_ntohl(tvb, offset);
offset += 4;
/* nspan(4) */
ecntl->nspan = tvb_get_ntohl(tvb, offset);
offset += 4;
len = len + XTP_HEADER_LEN - offset;
spans_len = 16 * ecntl->nspan;
if (len != spans_len) {
expert_add_info_format(pinfo, top_ti, &ei_xtp_spans_bad, "Number of spans (%u) incorrect. Should be %u.", ecntl->nspan, len);
THROW(ReportedBoundsError);
}
if (ecntl->nspan > XTP_MAX_NSPANS) {
expert_add_info_format(pinfo, top_ti, &ei_xtp_spans_bad, "Too many spans: %u", ecntl->nspan);
THROW(ReportedBoundsError);
}
/** add summary **/
col_append_fstr(pinfo->cinfo, COL_INFO,
" Recv-Seq=%" G_GINT64_MODIFIER "u", ecntl->rseq);
col_append_fstr(pinfo->cinfo, COL_INFO,
" Alloc=%" G_GINT64_MODIFIER "u", ecntl->alloc);
proto_item_append_text(top_ti,
", Recv-Seq: %" G_GINT64_MODIFIER "u", ecntl->rseq);
/** display **/
offset = start;
/* rseq(8) */
proto_tree_add_uint64(xtp_subtree, hf_xtp_ecntl_rseq,
tvb, offset, 8, ecntl->rseq);
offset += 8;
/* alloc(8) */
proto_tree_add_uint64(xtp_subtree, hf_xtp_ecntl_alloc,
tvb, offset, 8, ecntl->alloc);
offset += 8;
/* echo(4) */
proto_tree_add_uint(xtp_subtree, hf_xtp_ecntl_echo,
tvb, offset, 4, ecntl->echo);
offset += 4;
/* nspan(4) */
proto_tree_add_uint(xtp_subtree, hf_xtp_ecntl_nspan,
tvb, offset, 4, ecntl->nspan);
offset += 4;
/* spans(16n) */
for (i = 0; i < ecntl->nspan; i++) {
proto_tree_add_item(xtp_subtree, hf_xtp_ecntl_span_left,
tvb, offset, 8, ENC_LITTLE_ENDIAN);
offset += 8;
proto_tree_add_item(xtp_subtree, hf_xtp_ecntl_span_right,
tvb, offset, 8, ENC_LITTLE_ENDIAN);
offset += 8;
}
return;
}
/* -------------- */
static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len)
{
volatile gboolean is_802_2;
volatile int length;
gint captured_length, reported_length;
is_802_2 = TRUE;
/* Is there an 802.2 layer? I can tell by looking at the first 2
bytes after the 802.3 header. If they are 0xffff, then what
follows the 802.3 header is an IPX payload, meaning no 802.2.
A non-0xffff value means that there's an 802.2 layer or CCSDS
layer inside the 802.3 layer */
TRY {
if (tvb_get_ntohs(tvb, 14) == 0xffff) {
is_802_2 = FALSE;
}
/* Is this a CCSDS payload instead of an 802.2 (LLC)?
Check the conditions enabled by the user for CCSDS presence */
else if (ccsds_heuristic_length || ccsds_heuristic_version ||
ccsds_heuristic_header || ccsds_heuristic_bit) {
gboolean CCSDS_len = TRUE;
gboolean CCSDS_ver = TRUE;
gboolean CCSDS_head = TRUE;
gboolean CCSDS_bit = TRUE;
/* See if the reported payload size matches the
size contained in the CCSDS header. */
if (ccsds_heuristic_length) {
/* The following technique to account for FCS
is copied from packet-ieee8023.c dissect_802_3() */
length = tvb_get_ntohs(tvb, 12);
reported_length = tvb_reported_length_remaining(tvb, ETH_HEADER_SIZE);
if (fcs_len > 0) {
if (reported_length >= fcs_len)
reported_length -= fcs_len;
}
/* Make sure the length in the 802.3 header doesn't go past the end of
the payload. */
if (length > reported_length) {
length = reported_length;
}
/* Only allow inspection of 'length' number of bytes. */
captured_length = tvb_captured_length_remaining(tvb, ETH_HEADER_SIZE);
if (captured_length > length)
captured_length = length;
/* Check if payload is large enough to contain a CCSDS header */
if (captured_length >= 6) {
/* Compare length to packet length contained in CCSDS header. */
if (length != 7 + tvb_get_ntohs(tvb, ETH_HEADER_SIZE + 4))
CCSDS_len = FALSE;
}
}
/* Check if CCSDS Version number (first 3 bits of payload) is zero */
if ((ccsds_heuristic_version) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE, 3)!=0))
CCSDS_ver = FALSE;
/* Check if Secondary Header Flag (4th bit of payload) is set to one. */
if ((ccsds_heuristic_header) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 4, 1)!=1))
CCSDS_head = FALSE;
/* Check if spare bit (1st bit of 7th word of payload) is zero. */
if ((ccsds_heuristic_bit) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 16*6, 1)!=0))
CCSDS_bit = FALSE;
/* If all the conditions are true, don't interpret payload as an 802.2 (LLC).
* Additional check in packet-802.3.c will distinguish between
* IPX and CCSDS packets*/
if (CCSDS_len && CCSDS_ver && CCSDS_head && CCSDS_bit)
is_802_2 = FALSE;
}
}
CATCH_BOUNDS_ERRORS {
; /* do nothing */
}
ENDTRY;
return is_802_2;
}
static void
dissect_tacplus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
tvbuff_t *new_tvb=NULL;
proto_tree *tacplus_tree, *body_tree;
proto_item *ti, *hidden_item;
guint8 version,flags;
proto_tree *flags_tree;
proto_item *tf;
proto_item *tmp_pi;
guint32 len;
gboolean request=( pinfo->destport == TCP_PORT_TACACS );
const char *key=NULL;
len = tvb_get_ntohl(tvb, 8);
if(len > (guint)tvb_captured_length_remaining(tvb, 12) &&
pinfo->can_desegment && tacplus_preference_desegment) {
pinfo->desegment_offset = 0;
pinfo->desegment_len = len;
return;
}
if( request ) {
key=find_key( &pinfo->dst, &pinfo->src );
} else {
key=find_key( &pinfo->src, &pinfo->dst );
}
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TACACS+");
col_add_fstr( pinfo->cinfo, COL_INFO, "%s: %s",
request ? "Q" : "R",
val_to_str(tvb_get_guint8(tvb,1), tacplus_type_vals, "Unknown (0x%02x)"));
if (tree)
{
ti = proto_tree_add_item(tree, proto_tacplus, tvb, 0, -1, ENC_NA);
tacplus_tree = proto_item_add_subtree(ti, ett_tacplus);
if (pinfo->match_uint == pinfo->destport)
{
hidden_item = proto_tree_add_boolean(tacplus_tree,
hf_tacplus_request, tvb, 0, 0, TRUE);
}
else
{
hidden_item = proto_tree_add_boolean(tacplus_tree,
hf_tacplus_response, tvb, 0, 0, TRUE);
}
PROTO_ITEM_SET_HIDDEN(hidden_item);
version = tvb_get_guint8(tvb,0);
proto_tree_add_uint_format_value(tacplus_tree, hf_tacplus_majvers, tvb, 0, 1,
version,
"%s",
(version&0xf0)==0xc0?"TACACS+":"Unknown Version");
proto_tree_add_uint(tacplus_tree, hf_tacplus_minvers, tvb, 0, 1,
version&0xf);
proto_tree_add_item(tacplus_tree, hf_tacplus_type, tvb, 1, 1,
ENC_BIG_ENDIAN);
proto_tree_add_item(tacplus_tree, hf_tacplus_seqno, tvb, 2, 1,
ENC_BIG_ENDIAN);
flags = tvb_get_guint8(tvb,3);
tf = proto_tree_add_uint_format_value(tacplus_tree, hf_tacplus_flags,
tvb, 3, 1, flags,
"0x%02x (%s payload, %s)", flags,
(flags&FLAGS_UNENCRYPTED) ? "Unencrypted" : "Encrypted",
(flags&FLAGS_SINGLE) ? "Single connection" : "Multiple Connections" );
flags_tree = proto_item_add_subtree(tf, ett_tacplus_flags);
proto_tree_add_boolean(flags_tree, hf_tacplus_flags_payload_type,
tvb, 3, 1, flags);
proto_tree_add_boolean(flags_tree, hf_tacplus_flags_connection_type,
tvb, 3, 1, flags);
proto_tree_add_item(tacplus_tree, hf_tacplus_session_id, tvb, 4, 4,
ENC_BIG_ENDIAN);
tmp_pi = proto_tree_add_uint(tacplus_tree, hf_tacplus_packet_len, tvb, 8, 4, len);
if ((gint)len < 1) {
expert_add_info_format(pinfo, tmp_pi, &ei_tacplus_packet_len_invalid, "Invalid length: %u", len);
}
body_tree = proto_tree_add_subtree_format(tacplus_tree, tvb, TAC_PLUS_HDR_SIZE, len,
ett_tacplus_body, NULL, "%s%s", ((flags&FLAGS_UNENCRYPTED)?"":"Encrypted "), request?"Request":"Reply" );
if( flags&FLAGS_UNENCRYPTED ) {
new_tvb = tvb_new_subset_length( tvb, TAC_PLUS_HDR_SIZE, len );
} else {
new_tvb=NULL;
if( key && *key ){
tacplus_decrypted_tvb_setup( tvb, &new_tvb, pinfo, len, version, key );
}
}
if( new_tvb ) {
/* Check to see if I've a decrypted tacacs packet */
if( !(flags&FLAGS_UNENCRYPTED) ){
body_tree = proto_tree_add_subtree_format(tacplus_tree, new_tvb, 0, len,
ett_tacplus_body, NULL, "Decrypted %s", request?"Request":"Reply" );
}
dissect_tacplus_body( tvb, pinfo, new_tvb, body_tree);
}
}
}
static void
dissect_edsa(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint8 edsa_tag;
guint8 edsa_tagged;
guint8 edsa_dev;
guint8 edsa_port;
guint8 edsa_trunk;
guint8 edsa_cfi;
guint8 edsa_prio;
guint8 edsa_vid;
guint8 edsa_code;
guint16 edsa_ethtype;
gboolean is_802_2;
proto_tree *edsa_tree = NULL;
proto_item *ti;
edsa_tag = tvb_get_bits8(tvb, (8 * 2) + 0 , 2);
edsa_tagged = tvb_get_bits8(tvb, (8 * 2) + 2, 1);
edsa_dev = tvb_get_bits8(tvb, (8 * 2) + 3, 5);
edsa_port = tvb_get_bits8(tvb, (8 * 3) + 0, 5);
edsa_trunk = tvb_get_bits8(tvb, (8 * 3) + 5, 1);
edsa_cfi = tvb_get_bits8(tvb, (8 * 3) + 7, 0);
edsa_prio = tvb_get_bits8(tvb, (8 * 4) + 0, 3);
edsa_vid = tvb_get_bits16(tvb, (8 * 4) + 4, 12, TRUE);
edsa_code = (tvb_get_bits8(tvb, (8 * 3) + 5, 2) << 2 |
tvb_get_bits8(tvb, (8 * 4) + 3, 1));
edsa_ethtype = tvb_get_ntohs(tvb, 6);
if (tree) {
ti = proto_tree_add_protocol_format(
tree, proto_edsa, tvb, 0, EDSA_HEADER_SIZE,
"EtherType Distributed Switch Architecture, %s Dev: %d Port: %d VID: %d",
val_to_str(edsa_tag, tag_vals, "tag %d"),
edsa_dev, edsa_port, edsa_vid);
edsa_tree = proto_item_add_subtree(ti, ett_edsa);
proto_tree_add_uint(edsa_tree, hf_edsa_tag,
tvb, 2, 1, edsa_tag);
switch (edsa_tag) {
case TAG_TO_CPU:
proto_tree_add_boolean(
edsa_tree, hf_edsa_tagged, tvb, 2, 1,
edsa_tagged);
proto_tree_add_uint(
edsa_tree, hf_edsa_dev, tvb, 2, 1, edsa_dev);
proto_tree_add_uint(
edsa_tree, hf_edsa_port, tvb, 3, 1, edsa_port);
proto_tree_add_uint(
edsa_tree, hf_edsa_vid, tvb, 4, 2, edsa_vid);
proto_tree_add_uint(
edsa_tree, hf_edsa_code, tvb, 3, 2, edsa_code);
proto_tree_add_uint(
edsa_tree, hf_edsa_prio, tvb, 4, 1, edsa_prio);
proto_tree_add_boolean(
edsa_tree, hf_edsa_cfi, tvb, 3, 1, edsa_cfi);
break;
case TAG_FROM_CPU:
proto_tree_add_boolean(
edsa_tree, hf_edsa_tagged, tvb, 2, 1,
edsa_tagged);
proto_tree_add_uint(
edsa_tree, hf_edsa_dev, tvb, 2, 1, edsa_dev);
proto_tree_add_uint(
edsa_tree, hf_edsa_port, tvb, 3, 1, edsa_port);
proto_tree_add_uint(
edsa_tree, hf_edsa_vid, tvb, 4, 2, edsa_vid);
proto_tree_add_uint(
edsa_tree, hf_edsa_prio, tvb, 4, 1, edsa_prio);
proto_tree_add_boolean(
edsa_tree, hf_edsa_cfi, tvb, 3, 1, edsa_cfi);
break;
case TAG_FORWARD:
proto_tree_add_boolean(
edsa_tree, hf_edsa_tagged, tvb, 2, 1,
edsa_tagged);
proto_tree_add_uint(
edsa_tree, hf_edsa_dev, tvb, 2, 1, edsa_dev);
proto_tree_add_uint(
edsa_tree, hf_edsa_port, tvb, 3, 1, edsa_port);
proto_tree_add_boolean(
edsa_tree, hf_edsa_trunk, tvb, 3, 1,
edsa_trunk);
proto_tree_add_uint(
edsa_tree, hf_edsa_vid, tvb, 4, 2, edsa_vid);
proto_tree_add_uint(
edsa_tree, hf_edsa_prio, tvb, 4, 1, edsa_prio);
proto_tree_add_boolean(
edsa_tree, hf_edsa_cfi, tvb, 3, 1, edsa_cfi);
break;
}
}
if (edsa_ethtype <= IEEE_802_3_MAX_LEN) {
/* Is there an 802.2 layer? I can tell by looking at
the first 2 bytes after the VLAN header. If they
are 0xffff, then what follows the VLAN header is an
IPX payload, meaning no 802.2. (IPX/SPX is they
only thing that can be contained inside a straight
802.3 packet, so presumably the same applies for
Ethernet VLAN packets). A non-0xffff value means
that there's an 802.2 layer inside the VLAN
layer */
is_802_2 = TRUE;
/* Don't throw an exception for this check (even a
* BoundsError) */
if (tvb_captured_length_remaining(tvb, 8) >= 2) {
if (tvb_get_ntohs(tvb, 8) == 0xffff) {
is_802_2 = FALSE;
}
dissect_802_3(edsa_ethtype, is_802_2, tvb, 8, pinfo,
tree, edsa_tree, hf_edsa_len,
hf_edsa_trailer, &ei_edsa_len, 0);
}
} else {
ethertype_data_t ethertype_data;
ethertype_data.etype = edsa_ethtype;
ethertype_data.offset_after_ethertype = 8;
ethertype_data.fh_tree = edsa_tree;
ethertype_data.etype_id = hf_edsa_ethtype;
ethertype_data.trailer_id = hf_edsa_trailer;
ethertype_data.fcs_len = 0;
call_dissector_with_data(ethertype_handle, tvb, pinfo, tree,
ðertype_data);
}
}
static void
dissect_cmd(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint16 encap_proto;
ethertype_data_t ethertype_data;
proto_tree *cmd_tree = NULL;
gint offset = 0;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "CMD");
col_clear(pinfo->cinfo, COL_INFO);
if (tree) {
proto_item *ti = proto_tree_add_item(tree, proto_cmd, tvb, 0, 6, ENC_NA);
cmd_tree = proto_item_add_subtree(ti, ett_cmd);
proto_tree_add_item(cmd_tree, hf_cmd_version, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_item(cmd_tree, hf_cmd_length, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_item(cmd_tree, hf_cmd_options, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(cmd_tree, hf_cmd_sgt, tvb, offset, 2, ENC_BIG_ENDIAN);
/*offset += 2;*/
}
encap_proto = tvb_get_ntohs(tvb, 6);
/* This Logic to identify and decode IEEE 802.3 frames is not working correctly. Carry over code from packet-vlan.c
* Commenting it out for now will display as Unknown for L2 control frames instead of showing a wrong decode.
*/
#if 0
if (encap_proto <= IEEE_802_3_MAX_LEN) {
gboolean is_802_2 = TRUE;
/* Don't throw an exception for this check (even a BoundsError) */
if (tvb_captured_length_remaining(tvb, 4) >= 2) {
if (tvb_get_ntohs(tvb, 4) == 0xffff)
is_802_2 = FALSE;
}
dissect_802_3(encap_proto, is_802_2, tvb, 4, pinfo, tree, cmd_tree, hf_eth_type, hf_cmd_trailer, 0);
} else {
#endif
ethertype_data.etype = encap_proto;
ethertype_data.offset_after_ethertype = 8;
ethertype_data.fh_tree = cmd_tree;
ethertype_data.etype_id = hf_eth_type;
ethertype_data.trailer_id = hf_cmd_trailer;
ethertype_data.fcs_len = 0;
call_dissector_with_data(ethertype_handle, tvb, pinfo, tree, ðertype_data);
}
void
proto_register_cmd(void)
{
static hf_register_info hf[] = {
{ &hf_cmd_version,
{ "Version", "cmd.version", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
},
{ &hf_cmd_length,
{ "Length", "cmd.length", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
},
{ &hf_cmd_options,
{ "Options", "cmd.options", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }
},
{ &hf_cmd_sgt,
{ "SGT", "cmd.sgt", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
},
{ &hf_eth_type,
{ "Type", "cmd.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0, NULL, HFILL }
},
{ &hf_cmd_trailer,
{ "Trailer", "cmd.trailer", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
},
};
static gint *ett[] = {
&ett_cmd
};
proto_cmd = proto_register_protocol("Cisco MetaData", "Cisco MetaData", "cmd");
proto_register_field_array(proto_cmd, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}
void
proto_reg_handoff_cmd(void)
{
dissector_handle_t cmd_handle;
ethertype_handle = find_dissector("ethertype");
cmd_handle = create_dissector_handle(dissect_cmd, proto_cmd);
dissector_add_uint("ethertype", ETHERTYPE_CMD, cmd_handle);
}
/*FUNCTION:------------------------------------------------------
* NAME
* dissect_zbee_secure
* DESCRIPTION
* Dissects and decrypts secured ZigBee frames.
*
* Will return a valid tvbuff only if security processing was
* successful. If processing fails, then this function will
* handle internally and return NULL.
* PARAMETERS
* tvbuff_t *tvb - pointer to buffer containing raw packet.
* packet_info *pinfo - pointer to packet information fields
* proto_tree *tree - pointer to data tree Wireshark uses to display packet.
* guint offset - pointer to the start of the auxiliary security header.
* guint64 src64 - extended source address, or 0 if unknown.
* RETURNS
* tvbuff_t *
*---------------------------------------------------------------
*/
tvbuff_t *
dissect_zbee_secure(tvbuff_t *tvb, packet_info *pinfo, proto_tree* tree, guint offset)
{
proto_tree *sec_tree;
zbee_security_packet packet;
guint mic_len;
gint payload_len;
tvbuff_t *payload_tvb;
#ifdef HAVE_LIBGCRYPT
proto_item *ti;
proto_item *key_item;
guint8 *enc_buffer;
guint8 *dec_buffer;
gboolean decrypted;
GSList **nwk_keyring;
GSList *GSList_i;
key_record_t *key_rec = NULL;
#endif
zbee_nwk_hints_t *nwk_hints;
ieee802154_hints_t *ieee_hints;
ieee802154_map_rec *map_rec = NULL;
static const int * sec_flags[] = {
&hf_zbee_sec_key_id,
&hf_zbee_sec_nonce,
NULL
};
/* Init */
memset(&packet, 0, sizeof(zbee_security_packet));
/* Get pointers to any useful frame data from lower layers */
nwk_hints = (zbee_nwk_hints_t *)p_get_proto_data(wmem_file_scope(), pinfo,
proto_get_id_by_filter_name(ZBEE_PROTOABBREV_NWK), 0);
ieee_hints = (ieee802154_hints_t *)p_get_proto_data(wmem_file_scope(), pinfo,
proto_get_id_by_filter_name(IEEE802154_PROTOABBREV_WPAN), 0);
/* Create a subtree for the security information. */
sec_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_zbee_sec, NULL, "ZigBee Security Header");
/* Get and display the Security control field */
packet.control = tvb_get_guint8(tvb, offset);
/* Patch the security level. */
packet.control &= ~ZBEE_SEC_CONTROL_LEVEL;
packet.control |= (ZBEE_SEC_CONTROL_LEVEL & gPREF_zbee_sec_level);
/*
* Eww, I think I just threw up a little... ZigBee requires this field
* to be patched before computing the MIC, but we don't have write-access
* to the tvbuff. So we need to allocate a copy of the whole thing just
* so we can fix these 3 bits. Memory allocated by tvb_memdup(wmem_packet_scope(),...)
* is automatically freed before the next packet is processed.
*/
#ifdef HAVE_LIBGCRYPT
enc_buffer = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, 0, tvb_captured_length(tvb));
/*
* Override the const qualifiers and patch the security level field, we
* know it is safe to overide the const qualifiers because we just
* allocated this memory via tvb_memdup(wmem_packet_scope(),...).
*/
enc_buffer[offset] = packet.control;
#endif /* HAVE_LIBGCRYPT */
packet.level = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_LEVEL);
packet.key_id = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_KEY);
packet.nonce = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_NONCE);
proto_tree_add_bitmask(sec_tree, tvb, offset, hf_zbee_sec_field, ett_zbee_sec_control, sec_flags, ENC_NA);
offset += 1;
/* Get and display the frame counter field. */
packet.counter = tvb_get_letohl(tvb, offset);
proto_tree_add_uint(sec_tree, hf_zbee_sec_counter, tvb, offset, 4, packet.counter);
offset += 4;
if (packet.nonce) {
/* Get and display the source address of the device that secured this payload. */
packet.src64 = tvb_get_letoh64(tvb, offset);
proto_tree_add_item(sec_tree, hf_zbee_sec_src64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
#if 1
if (!pinfo->fd->flags.visited) {
switch ( packet.key_id ) {
case ZBEE_SEC_KEY_LINK:
if (nwk_hints && ieee_hints) {
/* Map this long address with the nwk layer short address. */
nwk_hints->map_rec = ieee802154_addr_update(&zbee_nwk_map, nwk_hints->src,
ieee_hints->src_pan, packet.src64, pinfo->current_proto, pinfo->num);
}
break;
case ZBEE_SEC_KEY_NWK:
if (ieee_hints) {
/* Map this long address with the ieee short address. */
ieee_hints->map_rec = ieee802154_addr_update(&zbee_nwk_map, ieee_hints->src16,
ieee_hints->src_pan, packet.src64, pinfo->current_proto, pinfo->num);
}
break;
/* We ignore the extended source addresses used to encrypt payloads with these
* types of keys, because they can emerge from APS tunnels created by nodes whose
* short address is not recorded in the packet. */
case ZBEE_SEC_KEY_TRANSPORT:
case ZBEE_SEC_KEY_LOAD:
break;
}
}
#endif
offset += 8;
}
else {
/* Look for a source address in hints */
switch ( packet.key_id ) {
case ZBEE_SEC_KEY_NWK:
/* use the ieee extended source address for NWK decryption */
if ( ieee_hints && (map_rec = ieee_hints->map_rec) )
packet.src64 = map_rec->addr64;
else
proto_tree_add_expert(sec_tree, pinfo, &ei_zbee_sec_extended_source_unknown, tvb, 0, 0);
break;
default:
/* use the nwk extended source address for APS decryption */
if ( nwk_hints && (map_rec = nwk_hints->map_rec) )
packet.src64 = map_rec->addr64;
else
proto_tree_add_expert(sec_tree, pinfo, &ei_zbee_sec_extended_source_unknown, tvb, 0, 0);
break;
}
}
if (packet.key_id == ZBEE_SEC_KEY_NWK) {
/* Get and display the key sequence number. */
packet.key_seqno = tvb_get_guint8(tvb, offset);
proto_tree_add_uint(sec_tree, hf_zbee_sec_key_seqno, tvb, offset, 1, packet.key_seqno);
offset += 1;
}
/* Determine the length of the MIC. */
switch (packet.level) {
case ZBEE_SEC_ENC:
case ZBEE_SEC_NONE:
default:
mic_len=0;
break;
case ZBEE_SEC_ENC_MIC32:
case ZBEE_SEC_MIC32:
mic_len=4;
break;
case ZBEE_SEC_ENC_MIC64:
case ZBEE_SEC_MIC64:
mic_len=8;
break;
case ZBEE_SEC_ENC_MIC128:
case ZBEE_SEC_MIC128:
mic_len=16;
break;
} /* switch */
/* Get and display the MIC. */
if (mic_len) {
/* Display the MIC. */
proto_tree_add_item(sec_tree, hf_zbee_sec_mic, tvb, (gint)(tvb_captured_length(tvb)-mic_len),
mic_len, ENC_NA);
}
/* Check for null payload. */
payload_len = tvb_reported_length_remaining(tvb, offset+mic_len);
if (payload_len == 0)
return NULL;
/**********************************************
* Perform Security Operations on the Frame *
**********************************************
*/
if ((packet.level == ZBEE_SEC_NONE) ||
(packet.level == ZBEE_SEC_MIC32) ||
(packet.level == ZBEE_SEC_MIC64) ||
(packet.level == ZBEE_SEC_MIC128)) {
/* Payload is only integrity protected. Just return the sub-tvbuff. */
return tvb_new_subset_length(tvb, offset, payload_len);
}
#ifdef HAVE_LIBGCRYPT
/* Have we captured all the payload? */
if (tvb_captured_length_remaining(tvb, offset+mic_len) < payload_len) {
/*
* No - don't try to decrypt it.
*
* XXX - it looks as if the decryption code is assuming we have the
* MIC, which won't be the case if the packet was cut short. Is
* that in fact that case, or can we still make this work with a
* partially-captured packet?
*/
/* Add expert info. */
expert_add_info(pinfo, sec_tree, &ei_zbee_sec_encrypted_payload_sliced);
/* Create a buffer for the undecrypted payload. */
payload_tvb = tvb_new_subset_length(tvb, offset, payload_len);
/* Dump the payload to the data dissector. */
call_data_dissector(payload_tvb, pinfo, tree);
/* Couldn't decrypt, so return NULL. */
return NULL;
}
/* Allocate memory to decrypt the payload into. */
dec_buffer = (guint8 *)g_malloc(payload_len);
decrypted = FALSE;
if ( packet.src64 ) {
if (pinfo->fd->flags.visited) {
if ( nwk_hints ) {
/* Use previously found key */
switch ( packet.key_id ) {
case ZBEE_SEC_KEY_NWK:
if ( (key_rec = nwk_hints->nwk) ) {
decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
payload_len, mic_len, nwk_hints->nwk->key);
}
break;
default:
if ( (key_rec = nwk_hints->link) ) {
decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
payload_len, mic_len, nwk_hints->link->key);
}
break;
}
}
} /* ( !pinfo->fd->flags.visited ) */
else {
/* We only search for sniffed keys in the first pass,
* to save time, and because decrypting with keys
* transported in future packets is cheating */
/* Lookup NWK and link key in hash for this pan. */
/* This overkill approach is a placeholder for a hash that looks up
* a key ring for a link key associated with a pair of devices.
*/
if ( nwk_hints ) {
nwk_keyring = (GSList **)g_hash_table_lookup(zbee_table_nwk_keyring, &nwk_hints->src_pan);
if ( nwk_keyring ) {
GSList_i = *nwk_keyring;
while ( GSList_i && !decrypted ) {
decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
payload_len, mic_len, ((key_record_t *)(GSList_i->data))->key);
if (decrypted) {
/* save pointer to the successful key record */
switch (packet.key_id) {
case ZBEE_SEC_KEY_NWK:
key_rec = nwk_hints->nwk = (key_record_t *)(GSList_i->data);
break;
default:
key_rec = nwk_hints->link = (key_record_t *)(GSList_i->data);
break;
}
} else {
GSList_i = g_slist_next(GSList_i);
}
}
}
/* Loop through user's password table for preconfigured keys, our last resort */
GSList_i = zbee_pc_keyring;
while ( GSList_i && !decrypted ) {
decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
payload_len, mic_len, ((key_record_t *)(GSList_i->data))->key);
if (decrypted) {
/* save pointer to the successful key record */
switch (packet.key_id) {
case ZBEE_SEC_KEY_NWK:
key_rec = nwk_hints->nwk = (key_record_t *)(GSList_i->data);
break;
default:
key_rec = nwk_hints->link = (key_record_t *)(GSList_i->data);
break;
}
} else {
GSList_i = g_slist_next(GSList_i);
}
}
}
} /* ( ! pinfo->fd->flags.visited ) */
} /* ( packet.src64 ) */
if ( decrypted ) {
if ( tree && key_rec ) {
key_item = proto_tree_add_bytes(sec_tree, hf_zbee_sec_key, tvb, 0, ZBEE_SEC_CONST_KEYSIZE, key_rec->key);
PROTO_ITEM_SET_GENERATED(key_item);
if ( key_rec->frame_num == ZBEE_SEC_PC_KEY ) {
ti = proto_tree_add_string(sec_tree, hf_zbee_sec_decryption_key, tvb, 0, 0, key_rec->label);
} else {
ti = proto_tree_add_uint(sec_tree, hf_zbee_sec_key_origin, tvb, 0, 0,
key_rec->frame_num);
}
PROTO_ITEM_SET_GENERATED(ti);
}
/* Found a key that worked, setup the new tvbuff_t and return */
payload_tvb = tvb_new_child_real_data(tvb, dec_buffer, payload_len, payload_len);
tvb_set_free_cb(payload_tvb, g_free); /* set up callback to free dec_buffer */
add_new_data_source(pinfo, payload_tvb, "Decrypted ZigBee Payload");
/* Done! */
return payload_tvb;
}
g_free(dec_buffer);
#endif /* HAVE_LIBGCRYPT */
/* Add expert info. */
expert_add_info(pinfo, sec_tree, &ei_zbee_sec_encrypted_payload);
/* Create a buffer for the undecrypted payload. */
payload_tvb = tvb_new_subset_length(tvb, offset, payload_len);
/* Dump the payload to the data dissector. */
call_data_dissector(payload_tvb, pinfo, tree);
/* Couldn't decrypt, so return NULL. */
return NULL;
} /* dissect_zbee_secure */
static void
dissect_icap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *icap_tree = NULL;
proto_item *ti = NULL;
proto_item *hidden_item;
gint offset = 0;
const guchar *line;
gint next_offset;
const guchar *linep, *lineend;
int linelen;
guchar c;
icap_type_t icap_type;
int datalen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICAP");
/*
* Put the first line from the buffer into the summary
* if it's an ICAP header (but leave out the
* line terminator).
* Otherwise, just call it a continuation.
*
* Note that "tvb_find_line_end()" will return a value that
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
icap_type = ICAP_OTHER; /* type not known yet */
if (is_icap_message(line, linelen, &icap_type))
col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, linelen));
else
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
if (tree) {
ti = proto_tree_add_item(tree, proto_icap, tvb, offset, -1,
ENC_NA);
icap_tree = proto_item_add_subtree(ti, ett_icap);
}
/*
* Process the packet data, a line at a time.
*/
icap_type = ICAP_OTHER; /* type not known yet */
while (tvb_offset_exists(tvb, offset)) {
gboolean is_icap = FALSE;
gboolean loop_done = FALSE;
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
FALSE);
/*
* Get a buffer that refers to the line.
*/
line = tvb_get_ptr(tvb, offset, linelen);
lineend = line + linelen;
/*
* find header format
*/
if (is_icap_message(line, linelen, &icap_type)) {
goto is_icap_header;
}
/*
* if it looks like a blank line, end of header perhaps?
*/
if (linelen == 0) {
goto is_icap_header;
}
/*
* No. Does it look like a header?
*/
linep = line;
loop_done = FALSE;
while (linep < lineend && (!loop_done)) {
c = *linep++;
/*
* This must be a CHAR to be part of a token; that
* means it must be ASCII.
*/
if (!isascii(c)) {
is_icap = FALSE;
break; /* not ASCII, thus not a CHAR */
}
/*
* This mustn't be a CTL to be part of a token.
*
* XXX - what about leading LWS on continuation
* lines of a header?
*/
if (iscntrl(c)) {
is_icap = FALSE;
break; /* CTL, not part of a header */
}
switch (c) {
case '(':
case ')':
case '<':
case '>':
case '@':
case ',':
case ';':
case '\\':
case '"':
case '/':
case '[':
case ']':
case '?':
case '=':
case '{':
case '}':
/*
* It's a separator, so it's not part of a
* token, so it's not a field name for the
* beginning of a header.
*
* (We don't have to check for HT; that's
* already been ruled out by "iscntrl()".)
*
* XXX - what about ' '? HTTP's checks
* check for that.
*/
is_icap = FALSE;
loop_done = TRUE;
break;
case ':':
/*
* This ends the token; we consider this
* to be a header.
*/
goto is_icap_header;
}
}
/*
* We don't consider this part of an ICAP message,
* so we don't display it.
* (Yeah, that means we don't display, say, a text/icap
* page, but you can get that from the data pane.)
*/
if (!is_icap)
break;
is_icap_header:
proto_tree_add_format_text(icap_tree, tvb, offset, next_offset - offset);
offset = next_offset;
}
if (tree) {
switch (icap_type) {
case ICAP_OPTIONS:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_options, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_REQMOD:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_reqmod, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_RESPMOD:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_respmod, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_RESPONSE:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_response, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_OTHER:
default:
break;
}
}
datalen = tvb_captured_length_remaining(tvb, offset);
if (datalen > 0) {
call_dissector(data_handle,
tvb_new_subset_remaining(tvb, offset), pinfo, icap_tree);
}
}
static void
dissect_imap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gboolean is_request;
proto_tree *imap_tree, *reqresp_tree;
proto_item *ti, *hidden_item;
gint offset = 0;
gint uid_offset = 0;
gint folder_offset = 0;
const guchar *line;
const guchar *uid_line;
const guchar *folder_line;
gint next_offset;
int linelen;
int tokenlen;
int uid_tokenlen;
int folder_tokenlen;
const guchar *next_token;
const guchar *uid_next_token;
const guchar *folder_next_token;
guchar *tokenbuf;
guchar *command_token;
int iter;
int commandlen;
tokenbuf = (guchar *)wmem_alloc(wmem_packet_scope(), MAX_BUFFER);
command_token = (guchar *)wmem_alloc(wmem_packet_scope(), MAX_BUFFER);
memset(tokenbuf, '\0', MAX_BUFFER);
memset(command_token, '\0', MAX_BUFFER);
commandlen = 0;
folder_offset = 0;
folder_tokenlen = 0;
folder_line = NULL;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "IMAP");
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
if (tree) {
ti = proto_tree_add_item(tree, proto_imap, tvb, offset, -1, ENC_NA);
imap_tree = proto_item_add_subtree(ti, ett_imap);
hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
PROTO_ITEM_SET_HIDDEN(hidden_item);
while(tvb_captured_length_remaining(tvb, offset) > 0) {
/*
* Find the end of each line
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/*
* Put the line into the protocol tree.
*/
ti = proto_tree_add_item(imap_tree, hf_imap_line, tvb, offset,
next_offset - offset, ENC_ASCII|ENC_NA);
reqresp_tree = proto_item_add_subtree(ti, ett_imap_reqresp);
/*
* Check that the line doesn't begin with '*', because that's a continuation line.
* Otherwise if a tag is present then extract tokens.
*/
if ( (line) && ((line[0] != '*') || (TRUE == is_request)) ) {
/*
* Show each line as tags + requests or replies.
*/
/*
* Extract the first token, and, if there is a first
* token, add it as the request or reply tag.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_tag : hf_imap_response_tag,
tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
}
/*
* Extract second token, and, if there is a second
* token, and it's not uid, add it as the request or reply command.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
for (iter = 0; iter < tokenlen && iter < MAX_BUFFER-1; iter++) {
tokenbuf[iter] = tolower(line[iter]);
}
if ( TRUE == is_request && strncmp(tokenbuf,"uid",tokenlen) == 0) {
proto_tree_add_item(reqresp_tree, hf_imap_request_uid, tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
/*
* UID is a precursor to a command, if following the tag,
* so move to next token to grab the actual command.
*/
uid_offset = offset;
uid_offset += (gint) (next_token - line);
uid_line = next_token;
uid_tokenlen = get_token_len(uid_line, uid_line + (linelen - tokenlen), &uid_next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree, hf_imap_request_command,
tvb, uid_offset, uid_tokenlen, ENC_ASCII|ENC_NA);
/*
* Save command string to do specialized processing.
*/
for (iter = 0; iter < uid_tokenlen && iter < MAX_BUFFER-1; iter++) {
command_token[iter] = tolower(uid_line[iter]);
}
commandlen = uid_tokenlen;
folder_offset = uid_offset;
folder_offset += (gint) (uid_next_token - uid_line);
folder_line = uid_next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - uid_tokenlen), &folder_next_token);
}
} else {
/*
* Not a UID request so perform normal parsing.
*/
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_command : hf_imap_response_status,
tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
if (is_request) {
/*
* Save command string to do specialized processing.
*/
for (iter = 0; iter < tokenlen && iter < 256; iter++) {
command_token[iter] = tolower(line[iter]);
}
commandlen = tokenlen;
folder_offset = offset;
folder_offset += (gint) (next_token - line);
folder_line = next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - 1), &folder_next_token);
}
}
if (commandlen > 0 && (
strncmp(command_token, "select", commandlen) == 0 ||
strncmp(command_token, "examine", commandlen) == 0 ||
strncmp(command_token, "create", commandlen) == 0 ||
strncmp(command_token, "delete", commandlen) == 0 ||
strncmp(command_token, "rename", commandlen) == 0 ||
strncmp(command_token, "subscribe", commandlen) == 0 ||
strncmp(command_token, "unsubscribe", commandlen) == 0 ||
strncmp(command_token, "status", commandlen) == 0 ||
strncmp(command_token, "append", commandlen) == 0 ||
strncmp(command_token, "search", commandlen) == 0)) {
/*
* These commands support folder as an argument,
* so parse out the folder name.
*/
if (folder_tokenlen != 0)
proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA);
}
if ( is_request && (NULL != folder_line) &&
strncmp(command_token, "copy", commandlen) == 0) {
/*
* Handle the copy command separately since folder
* is the second argument for this command.
*/
folder_offset += (gint) (folder_next_token - folder_line);
folder_line = folder_next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen), &folder_next_token);
if (folder_tokenlen != 0)
proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA);
}
}
/*
* Add the rest of the line as request or reply data.
*/
if (linelen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request : hf_imap_response,
tvb, offset, linelen, ENC_ASCII|ENC_NA);
}
}
offset = next_offset; /* Skip over last line and \r\n at the end of it */
}
}
}
static void
dissect_rpl_container(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint16 len, type, sublen, subtyp;
proto_tree *rpl_container_tree;
guint16 offset;
gint ett_type;
gint length, reported_length;
len = tvb_get_ntohs(tvb, 0);
proto_tree_add_item(tree, hf_rpl_len, tvb, 0, 2, ENC_BIG_ENDIAN);
type = tvb_get_ntohs(tvb, 2);
proto_tree_add_item(tree, hf_rpl_type, tvb, 2, 2, ENC_BIG_ENDIAN);
offset = 4;
switch (type) {
case 1:
case 2:
case 4:
case 8:
case 0x10:
case 0x20:
while (len >= offset+4) {
sublen = tvb_get_ntohs(tvb, offset);
subtyp = tvb_get_ntohs(tvb, offset+2);
ett_type = ett_rpl_unkn;
if(subtyp == 0x0004) ett_type = ett_rpl_0004;
if(subtyp == 0x0008) ett_type = ett_rpl_0008;
if(subtyp == 0x4003) ett_type = ett_rpl_4003;
if(subtyp == 0x4006) ett_type = ett_rpl_4006;
if(subtyp == 0x4007) ett_type = ett_rpl_4007;
if(subtyp == 0x4009) ett_type = ett_rpl_4009;
if(subtyp == 0x400a) ett_type = ett_rpl_400a;
if(subtyp == 0x400b) ett_type = ett_rpl_400b;
if(subtyp == 0x400c) ett_type = ett_rpl_400c;
if(subtyp == 0x4011) ett_type = ett_rpl_4011;
if(subtyp == 0x4018) ett_type = ett_rpl_4018;
if(subtyp == 0xc005) ett_type = ett_rpl_c005;
if(subtyp == 0xc014) ett_type = ett_rpl_c014;
rpl_container_tree = proto_tree_add_subtree(tree, tvb,
offset, sublen, ett_type, NULL,
val_to_str_const(subtyp,
rpl_type_vals,
"Unknown Type"));
length = tvb_captured_length_remaining(tvb, offset);
if (length > sublen)
length = sublen;
reported_length = tvb_reported_length_remaining(tvb, offset);
if (reported_length > sublen)
reported_length = sublen;
if ( length > 0) {
dissect_rpl_container(tvb_new_subset_length_caplen(tvb,
offset, length, reported_length),
pinfo, rpl_container_tree);
offset += reported_length;
} else {
/* no more data, exit the loop */
offset += reported_length;
break;
}
}
break;
case 0x4003:
proto_tree_add_item(tree, hf_rpl_corrval,
tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
break;
case 0x4006:
proto_tree_add_item(tree, hf_rpl_lmac,
tvb, offset, 6, ENC_NA);
offset += 6;
break;
case 0x4007:
proto_tree_add_item(tree, hf_rpl_sap,
tvb, offset, 1, ENC_BIG_ENDIAN);
offset ++;
break;
case 0x4009:
proto_tree_add_item(tree, hf_rpl_maxframe,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
break;
case 0x400a:
proto_tree_add_item(tree, hf_rpl_connclass,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
break;
case 0x400b:
proto_tree_add_item(tree, hf_rpl_respval,
tvb, offset, 1, ENC_BIG_ENDIAN);
offset ++;
break;
case 0x400c:
proto_tree_add_item(tree, hf_rpl_smac,
tvb, offset, 6, ENC_NA);
offset += 6;
break;
case 0x4011:
proto_tree_add_item(tree, hf_rpl_sequence,
tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
break;
case 0x4018:
proto_tree_add_item(tree, hf_rpl_data,
tvb, offset, len-4, ENC_NA);
offset += len - 4;
break;
case 0xc005:
proto_tree_add_item(tree, hf_rpl_config,
tvb, offset, 8, ENC_NA);
offset += 8;
proto_tree_add_item(tree, hf_rpl_equipment,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_rpl_memsize,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_rpl_bsmversion,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_rpl_ec,
tvb, offset, 6, ENC_NA);
offset += 6;
proto_tree_add_item(tree, hf_rpl_adapterid,
tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_rpl_shortname,
tvb, offset, 10, ENC_NA);
offset += 10;
break;
case 0xc014:
proto_tree_add_item(tree, hf_rpl_laddress,
tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_rpl_xaddress,
tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_rpl_flags,
tvb, offset, 1, ENC_BIG_ENDIAN);
offset ++;
break;
default:
call_data_dissector(tvb_new_subset_remaining(tvb, 4), pinfo,
tree);
break;
}
if (tvb_reported_length(tvb) > offset)
call_data_dissector(tvb_new_subset_remaining(tvb, offset), pinfo, tree);
}
static int
dissect_xtp_traffic_cntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
guint32 offset) {
guint32 len = tvb_captured_length_remaining(tvb, offset);
guint32 start = offset;
proto_item *top_ti;
proto_tree *xtp_subtree;
struct xtp_traffic_cntl tcntl[1];
top_ti = proto_tree_add_text(tree, tvb, offset, len,
"Traffic Control Segment");
xtp_subtree = proto_item_add_subtree(top_ti, ett_xtp_tcntl);
if (len < XTP_TRAFFIC_CNTL_LEN) {
proto_item_append_text(top_ti,
", bogus length(%u, must be at least %u)",
len, XTP_TRAFFIC_CNTL_LEN);
return 0;
}
/** parse **/
/* rseq(8) */
tcntl->rseq = tvb_get_ntohl(tvb, offset);
tcntl->rseq <<= 32;
tcntl->rseq += tvb_get_ntohl(tvb, offset+4);
offset += 8;
/* alloc(8) */
tcntl->alloc = tvb_get_ntohl(tvb, offset);
tcntl->alloc <<= 32;
tcntl->alloc += tvb_get_ntohl(tvb, offset+4);
offset += 8;
/* echo(4) */
tcntl->echo = tvb_get_ntohl(tvb, offset);
offset += 4;
/* rsvd(4) */
tcntl->rsvd = tvb_get_ntohl(tvb, offset);
offset += 4;
/* xkey(8) */
tcntl->xkey = tvb_get_ntohl(tvb, offset);
tcntl->xkey <<= 32;
tcntl->xkey += tvb_get_ntohl(tvb, offset+4);
/** add summary **/
col_append_fstr(pinfo->cinfo, COL_INFO,
" Recv-Seq=%" G_GINT64_MODIFIER "u", tcntl->rseq);
col_append_fstr(pinfo->cinfo, COL_INFO,
" Alloc=%" G_GINT64_MODIFIER "u", tcntl->alloc);
proto_item_append_text(top_ti,
", Recv-Seq: %" G_GINT64_MODIFIER "u", tcntl->rseq);
/** display **/
offset = start;
/* rseq(8) */
proto_tree_add_uint64(xtp_subtree, hf_xtp_tcntl_rseq,
tvb, offset, 8, tcntl->rseq);
offset += 8;
/* alloc(8) */
proto_tree_add_uint64(xtp_subtree, hf_xtp_tcntl_alloc,
tvb, offset, 8, tcntl->alloc);
offset += 4;
/* echo(4) */
proto_tree_add_uint(xtp_subtree, hf_xtp_tcntl_echo,
tvb, offset, 4, tcntl->echo);
offset += 4;
/* rsvd(4) */
proto_tree_add_uint(xtp_subtree, hf_xtp_tcntl_rsvd,
tvb, offset, 4, tcntl->rsvd);
offset += 4;
/* xkey(8) */
proto_tree_add_uint64(xtp_subtree, hf_xtp_tcntl_xkey,
tvb, offset, 8, tcntl->xkey);
offset += 8;
return (offset - start);
}
/*
* Dissect TPKT-encapsulated data in a TCP stream.
*/
void
dissect_tpkt_encap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
gboolean desegment, dissector_handle_t subdissector_handle)
{
proto_item *ti = NULL;
proto_tree *tpkt_tree = NULL;
volatile int offset = 0;
int length_remaining;
int data_len;
volatile int length;
tvbuff_t *volatile next_tvb;
const char *saved_proto;
/*
* If we're reassembling segmented TPKT PDUs, empty the COL_INFO
* column, so subdissectors can append information
* without having to worry about emptying the column.
*
* We use "col_add_str()" because the subdissector
* might be appending information to the column, in
* which case we'd have to zero the buffer out explicitly
* anyway.
*/
if (desegment)
col_set_str(pinfo->cinfo, COL_INFO, "");
while (tvb_reported_length_remaining(tvb, offset) != 0) {
/*
* Is the first byte of this putative TPKT header
* a valid TPKT version number, i.e. 3?
*/
if (tvb_get_guint8(tvb, offset) != 3) {
/*
* No, so don't assume this is a TPKT header;
* we might be in the middle of TPKT data,
* so don't get the length and don't try to
* do reassembly.
*/
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TPKT");
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
if (tree) {
ti = proto_tree_add_item(tree, proto_tpkt, tvb,
offset, -1, ENC_NA);
tpkt_tree = proto_item_add_subtree(ti, ett_tpkt);
proto_tree_add_item(tpkt_tree, hf_tpkt_continuation_data, tvb, offset, -1, ENC_NA);
}
return;
}
length_remaining = tvb_captured_length_remaining(tvb, offset);
/*
* Can we do reassembly?
*/
if (desegment && pinfo->can_desegment) {
/*
* Yes - is the TPKT header split across segment
* boundaries?
*/
if (length_remaining < 4) {
/*
* Yes. Tell the TCP dissector where the data
* for this message starts in the data it
* handed us and that we need "some more data."
* Don't tell it exactly how many bytes we need
* because if/when we ask for even more (after
* the header) that will break reassembly.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
}
}
/*
* Get the length from the TPKT header.
*/
data_len = tvb_get_ntohs(tvb, offset + 2);
/*
* Can we do reassembly?
*/
if (desegment && pinfo->can_desegment) {
/*
* Yes - is the payload split across segment
* boundaries?
*/
if (length_remaining < data_len) {
/*
* Yes. Tell the TCP dissector where
* the data for this message starts in
* the data it handed us, and how many
* more bytes we need, and return.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len =
data_len - length_remaining;
return;
}
}
/*
* Dissect the TPKT header.
* Save and restore "pinfo->current_proto".
*/
saved_proto = pinfo->current_proto;
pinfo->current_proto = "TPKT";
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TPKT");
/*
* Don't add the TPKT header information if we're
* reassembling segmented TPKT PDUs or if this
* PDU isn't reassembled.
*
* XXX - the first is so that subdissectors can append
* information without getting TPKT stuff in the middle;
* why the second?
*/
if (!desegment && !pinfo->fragmented) {
col_add_fstr(pinfo->cinfo, COL_INFO,
"TPKT Data length = %u", data_len);
}
if (tree) {
ti = proto_tree_add_item(tree, proto_tpkt, tvb,
offset, 4, ENC_NA);
tpkt_tree = proto_item_add_subtree(ti, ett_tpkt);
proto_item_set_text(ti, "TPKT");
/* Version */
proto_tree_add_item(tpkt_tree, hf_tpkt_version, tvb,
offset, 1, ENC_BIG_ENDIAN);
proto_item_append_text(ti, ", Version: 3");
/* Reserved octet*/
proto_tree_add_item(tpkt_tree, hf_tpkt_reserved, tvb,
offset + 1, 1, ENC_BIG_ENDIAN);
/* Length */
proto_tree_add_uint(tpkt_tree, hf_tpkt_length, tvb,
offset + 2, 2, data_len);
proto_item_append_text(ti, ", Length: %u", data_len);
}
pinfo->current_proto = saved_proto;
/* Skip the TPKT header. */
offset += 4;
data_len -= 4;
/*
* Construct a tvbuff containing the amount of the payload
* we have available. Make its reported length the
* amount of data in this TPKT packet.
*
* XXX - if reassembly isn't enabled. the subdissector
* will throw a BoundsError exception, rather than a
* ReportedBoundsError exception. We really want
* a tvbuff where the length is "length", the reported
* length is "plen + 2", and the "if the snapshot length
* were infinite" length were the minimum of the
* reported length of the tvbuff handed to us and "plen+2",
* with a new type of exception thrown if the offset is
* within the reported length but beyond that third length,
* with that exception getting the "Unreassembled Packet"
* error.
*/
length = length_remaining - 4;
if (length > data_len)
length = data_len;
next_tvb = tvb_new_subset(tvb, offset, length, data_len);
/*
* Call the subdissector.
*
* If it gets an error that means there's no point in
* dissecting any more TPKT messages, rethrow the
* exception in question.
*
* If it gets any other error, report it and continue,
* as that means that TPKT message got an error, but
* that doesn't mean we should stop dissecting TPKT
* messages within this frame or chunk of reassembled
* data.
*/
TRY {
call_dissector(subdissector_handle, next_tvb, pinfo,
tree);
}
CATCH_NONFATAL_ERRORS {
show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
/*
* Skip the payload.
*/
offset += length;
}
}
static int
dissect_xtp_tspec(tvbuff_t *tvb, proto_tree *tree, guint32 offset) {
guint32 len = tvb_captured_length_remaining(tvb, offset);
guint32 start = offset;
proto_item *ti, *ti2;
proto_tree *xtp_subtree;
struct xtp_traffic_spec1 tspec[1];
int error = 0;
ti = proto_tree_add_text(tree, tvb, offset, len, "Traffic Specifier");
xtp_subtree = proto_item_add_subtree(ti, ett_xtp_tspec);
if (len < XTP_TRAFFIC_SPEC0_LEN) {
proto_item_append_text(ti,
", bogus length(%u, must be at least %u)",
len, XTP_TRAFFIC_SPEC0_LEN);
return 0;
}
/** parse common fields **/
/* tlen(2) */
tspec->tlen = tvb_get_ntohs(tvb, offset);
offset += 2;
/* service(1) */
tspec->service = tvb_get_guint8(tvb, offset);
offset++;
/* tformat(1) */
tspec->tformat = tvb_get_guint8(tvb, offset);
/** display common fields */
offset = start;
/* tlen(2) */
ti = proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_tlen,
tvb, offset, 2, tspec->tlen);
offset += 2;
if (tspec->tlen > len) {
proto_item_append_text(ti, ", bogus length(%u, must be at most %u)",
tspec->tlen, len);
error = 1;
}
/* service(1) */
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_service,
tvb, offset, 1, tspec->service);
offset++;
/* tformat(1) */
ti2 = proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_tformat,
tvb, offset, 1, tspec->tformat);
offset++;
switch (tspec->tformat) {
case 0:
if (tspec->tlen != XTP_TRAFFIC_SPEC0_LEN) {
proto_item_append_text(ti, ", bogus length(%u, must be %u)",
tspec->tlen, XTP_TRAFFIC_SPEC0_LEN);
error = 1;
}
break;
case 1:
if (tspec->tlen != XTP_TRAFFIC_SPEC1_LEN) {
proto_item_append_text(ti, ", bogus length(%u, must be %u)",
tspec->tlen, XTP_TRAFFIC_SPEC1_LEN);
error = 1;
}
break;
default:
proto_item_append_text(ti2, ", Unsupported tformat(%u)",
tspec->tformat);
error = 1;
break;
}
if (error)
return (offset - start);
/** parse and display each traffic fields **/
switch (tspec->tformat) {
case 0:
/* traffic(4) */
tspec->maxdata = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_traffic,
tvb, offset, 4, tspec->maxdata);
offset += 4;
break;
case 1:
/* maxdata(4) */
tspec->maxdata = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_maxdata,
tvb, offset, 4, tspec->maxdata);
offset += 4;
/* inrate(4) */
tspec->inrate = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_inrate,
tvb, offset, 4, tspec->inrate);
offset += 4;
/* inburst(4) */
tspec->inburst = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_inburst,
tvb, offset, 4, tspec->inburst);
offset += 4;
/* outrate(4) */
tspec->outrate = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_outrate,
tvb, offset, 4, tspec->outrate);
offset += 4;
/* outburst(4) */
tspec->outburst = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_tspec_outburst,
tvb, offset, 4, tspec->outburst);
offset += 4;
break;
default:
break;
}
return (offset - start);
}
void
decode_udp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, int uh_sport, int uh_dport, int uh_ulen)
{
tvbuff_t *next_tvb;
int low_port, high_port;
gint len, reported_len;
udp_p_info_t *udp_p_info = NULL;
/* Save curr_layer_num as it might be changed by subdissector */
guint8 curr_layer_num = pinfo->curr_layer_num;
heur_dtbl_entry_t *hdtbl_entry;
len = tvb_captured_length_remaining(tvb, offset);
reported_len = tvb_reported_length_remaining(tvb, offset);
if (uh_ulen != -1) {
/* This is the length from the UDP header; the payload should be cut
off at that length. (If our caller passed a value here, they
are assumed to have checked that it's >= 8, and hence >= offset.)
XXX - what if it's *greater* than the reported length? */
if ((uh_ulen - offset) < reported_len)
reported_len = uh_ulen - offset;
if (len > reported_len)
len = reported_len;
}
next_tvb = tvb_new_subset(tvb, offset, len, reported_len);
/* If the user has a "Follow UDP Stream" window loading, pass a pointer
* to the payload tvb through the tap system. */
if (have_tap_listener(udp_follow_tap))
tap_queue_packet(udp_follow_tap, pinfo, next_tvb);
if (pinfo->fd->flags.visited) {
udp_p_info = (udp_p_info_t*)p_get_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, pinfo->curr_layer_num);
if (udp_p_info) {
call_heur_dissector_direct(udp_p_info->heur_dtbl_entry, next_tvb, pinfo, tree, NULL);
return;
}
}
/* determine if this packet is part of a conversation and call dissector */
/* for the conversation if available */
if (try_conversation_dissector(&pinfo->dst, &pinfo->src, PT_UDP,
uh_dport, uh_sport, next_tvb, pinfo, tree, NULL)) {
return;
}
if (try_heuristic_first) {
/* Do lookup with the heuristic subdissector table */
if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
if (!udp_p_info) {
udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
udp_p_info->heur_dtbl_entry = hdtbl_entry;
p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
}
return;
}
}
/* Do lookups with the subdissector table.
We try the port number with the lower value first, followed by the
port number with the higher value. This means that, for packets
where a dissector is registered for *both* port numbers:
1) we pick the same dissector for traffic going in both directions;
2) we prefer the port number that's more likely to be the right
one (as that prefers well-known ports to reserved ports);
although there is, of course, no guarantee that any such strategy
will always pick the right port number.
XXX - we ignore port numbers of 0, as some dissectors use a port
number of 0 to disable the port, and as RFC 768 says that the source
port in UDP datagrams is optional and is 0 if not used. */
if (uh_sport > uh_dport) {
low_port = uh_dport;
high_port = uh_sport;
} else {
low_port = uh_sport;
high_port = uh_dport;
}
if ((low_port != 0) &&
dissector_try_uint(udp_dissector_table, low_port, next_tvb, pinfo, tree))
return;
if ((high_port != 0) &&
dissector_try_uint(udp_dissector_table, high_port, next_tvb, pinfo, tree))
return;
if (!try_heuristic_first) {
/* Do lookup with the heuristic subdissector table */
if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
if (!udp_p_info) {
udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
udp_p_info->heur_dtbl_entry = hdtbl_entry;
p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
}
return;
}
}
call_dissector(data_handle,next_tvb, pinfo, tree);
}
guint8 *text;
int len;
int offset;
guint32 marker;
marker = tvb_get_ntohl(tvb, 0);
cl_tree = proto_tree_add_subtree(tree, tvb,
0, -1, ett_quake2_connectionless, NULL, "Connectionless");
proto_tree_add_uint(cl_tree, hf_quake2_connectionless_marker,
tvb, 0, 4, marker);
/* all the rest of the packet is just text */
offset = 4;
len = tvb_captured_length_remaining(tvb, offset);
text = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII);
proto_tree_add_string(cl_tree, hf_quake2_connectionless_text,
tvb, offset, len, text);
/*offset += len;*/
/* we should analyse the result 'text' a bit further */
/* for this we need the direction parameter */
}
static const value_string hf_quake2_game_client_command_move_vals[] = {
{ 0x00, "-" },
{ 0x01, "set" },
{ 0, NULL }
};
static void
dissect(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 ip_proto)
{
proto_tree *udp_tree = NULL;
proto_item *ti, *hidden_item, *port_item;
guint len;
guint reported_len;
vec_t cksum_vec[4];
guint32 phdr[2];
guint16 computed_cksum;
guint16 expected_cksum;
int offset = 0;
e_udphdr *udph;
proto_tree *checksum_tree;
proto_item *item;
conversation_t *conv = NULL;
struct udp_analysis *udpd = NULL;
proto_tree *process_tree;
gchar *src_port_str, *dst_port_str;
udph=wmem_new(wmem_packet_scope(), e_udphdr);
SET_ADDRESS(&udph->ip_src, pinfo->src.type, pinfo->src.len, pinfo->src.data);
SET_ADDRESS(&udph->ip_dst, pinfo->dst.type, pinfo->dst.len, pinfo->dst.data);
col_set_str(pinfo->cinfo, COL_PROTOCOL, (ip_proto == IP_PROTO_UDP) ? "UDP" : "UDPlite");
col_clear(pinfo->cinfo, COL_INFO);
udph->uh_sport=tvb_get_ntohs(tvb, offset);
udph->uh_dport=tvb_get_ntohs(tvb, offset+2);
src_port_str = ep_udp_port_to_display(udph->uh_sport);
dst_port_str = ep_udp_port_to_display(udph->uh_dport);
col_add_lstr(pinfo->cinfo, COL_INFO,
"Source port: ", src_port_str, " "
"Destination port: ", dst_port_str,
COL_ADD_LSTR_TERMINATOR);
if (tree) {
if (udp_summary_in_tree) {
if (ip_proto == IP_PROTO_UDP) {
ti = proto_tree_add_protocol_format(tree, hfi_udp->id, tvb, offset, 8,
"User Datagram Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
src_port_str, udph->uh_sport, dst_port_str, udph->uh_dport);
} else {
ti = proto_tree_add_protocol_format(tree, hfi_udplite->id, tvb, offset, 8,
"Lightweight User Datagram Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
src_port_str, udph->uh_sport, dst_port_str, udph->uh_dport);
}
} else {
ti = proto_tree_add_item(tree, (ip_proto == IP_PROTO_UDP) ? hfi_udp : hfi_udplite, tvb, offset, 8, ENC_NA);
}
udp_tree = proto_item_add_subtree(ti, ett_udp);
port_item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_srcport.id, tvb, offset, 2, udph->uh_sport,
"%s (%u)", src_port_str, udph->uh_sport);
/* The beginning port number, 32768 + 666 (33434), is from LBL's traceroute.c source code and this code
* further assumes that 3 attempts are made per hop */
if ((udph->uh_sport > (32768 + 666)) && (udph->uh_sport <= (32768 + 666 + 30)))
expert_add_info_format(pinfo, port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
((udph->uh_sport - 32768 - 666 - 1) / 3) + 1,
((udph->uh_sport - 32768 - 666 - 1) % 3) + 1
);
port_item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_dstport.id, tvb, offset + 2, 2, udph->uh_dport,
"%s (%u)", dst_port_str, udph->uh_dport);
if ((udph->uh_dport > (32768 + 666)) && (udph->uh_dport <= (32768 + 666 + 30)))
expert_add_info_format(pinfo, port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
((udph->uh_dport - 32768 - 666 - 1) / 3) + 1,
((udph->uh_dport - 32768 - 666 - 1) % 3) + 1
);
hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_port, tvb, offset, 2, udph->uh_sport);
PROTO_ITEM_SET_HIDDEN(hidden_item);
hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_port, tvb, offset+2, 2, udph->uh_dport);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
if (ip_proto == IP_PROTO_UDP) {
udph->uh_ulen = udph->uh_sum_cov = tvb_get_ntohs(tvb, offset+4);
if (udph->uh_ulen < 8) {
/* Bogus length - it includes the header, so it must be >= 8. */
/* XXX - should handle IPv6 UDP jumbograms (RFC 2675), where the length is zero */
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_length.id, tvb, offset + 4, 2,
udph->uh_ulen, "%u (bogus, must be >= 8)", udph->uh_ulen);
expert_add_info_format(pinfo, item, &ei_udp_length, "Bad length value %u < 8", udph->uh_ulen);
col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u < 8]", udph->uh_ulen);
return;
}
if ((udph->uh_ulen > tvb_reported_length(tvb)) && ! pinfo->fragmented && ! pinfo->flags.in_error_pkt) {
/* Bogus length - it goes past the end of the IP payload */
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_length.id, tvb, offset + 4, 2,
udph->uh_ulen, "%u (bogus, payload length %u)", udph->uh_ulen, tvb_reported_length(tvb));
expert_add_info_format(pinfo, item, &ei_udp_length, "Bad length value %u > IP payload length", udph->uh_ulen);
col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u > IP PAYLOAD LENGTH]", udph->uh_ulen);
} else {
if (tree) {
proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 2, udph->uh_ulen);
/* XXX - why is this here, given that this is UDP, not Lightweight UDP? */
hidden_item = proto_tree_add_uint(udp_tree, &hfi_udplite_checksum_coverage, tvb, offset + 4,
0, udph->uh_sum_cov);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
}
} else {
udph->uh_ulen = tvb_reported_length(tvb);
udph->uh_sum_cov = tvb_get_ntohs(tvb, offset+4);
if (((udph->uh_sum_cov > 0) && (udph->uh_sum_cov < 8)) || (udph->uh_sum_cov > udph->uh_ulen)) {
/* Bogus length - it includes the header, so it must be >= 8, and no larger then the IP payload size. */
if (tree) {
hidden_item = proto_tree_add_boolean(udp_tree, &hfi_udplite_checksum_coverage_bad, tvb, offset + 4, 2, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
item = proto_tree_add_uint_format_value(udp_tree, hfi_udplite_checksum_coverage.id, tvb, offset + 4, 2,
udph->uh_sum_cov, "%u (bogus, must be >= 8 and <= %u (ip.len-ip.hdr_len))",
udph->uh_sum_cov, udph->uh_ulen);
expert_add_info_format(pinfo, item, &ei_udplite_checksum_coverage, "Bad checksum coverage length value %u < 8 or > %u",
udph->uh_sum_cov, udph->uh_ulen);
col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD LIGHTWEIGHT UDP CHECKSUM COVERAGE LENGTH %u < 8 or > %u]",
udph->uh_sum_cov, udph->uh_ulen);
if (!udplite_ignore_checksum_coverage)
return;
} else {
if (tree) {
hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
PROTO_ITEM_SET_HIDDEN(hidden_item);
proto_tree_add_uint(udp_tree, &hfi_udplite_checksum_coverage, tvb, offset + 4, 2, udph->uh_sum_cov);
}
}
}
udph->uh_sum_cov = (udph->uh_sum_cov) ? udph->uh_sum_cov : udph->uh_ulen;
udph->uh_sum = tvb_get_ntohs(tvb, offset+6);
reported_len = tvb_reported_length(tvb);
len = tvb_captured_length(tvb);
if (udph->uh_sum == 0) {
/* No checksum supplied in the packet. */
if ((ip_proto == IP_PROTO_UDP) && (pinfo->src.type == AT_IPv4)) {
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb, offset + 6, 2, 0,
"0x%04x (none)", 0);
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
} else {
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb, offset + 6, 2, 0,
"0x%04x (Illegal)", 0);
expert_add_info(pinfo, item, &ei_udp_checksum_zero);
col_append_str(pinfo->cinfo, COL_INFO, " [ILLEGAL CHECKSUM (0)]");
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, TRUE);
PROTO_ITEM_SET_GENERATED(item);
}
} else if (!pinfo->fragmented && (len >= reported_len) &&
(len >= udph->uh_sum_cov) && (reported_len >= udph->uh_sum_cov) &&
(udph->uh_sum_cov >= 8)) {
/* The packet isn't part of a fragmented datagram and isn't
truncated, so we can checksum it.
XXX - make a bigger scatter-gather list once we do fragment
reassembly? */
if (((ip_proto == IP_PROTO_UDP) && udp_check_checksum) ||
((ip_proto == IP_PROTO_UDPLITE) && udplite_check_checksum)) {
/* Set up the fields of the pseudo-header. */
cksum_vec[0].ptr = (const guint8 *)pinfo->src.data;
cksum_vec[0].len = pinfo->src.len;
cksum_vec[1].ptr = (const guint8 *)pinfo->dst.data;
cksum_vec[1].len = pinfo->dst.len;
cksum_vec[2].ptr = (const guint8 *)&phdr;
switch (pinfo->src.type) {
case AT_IPv4:
if (ip_proto == IP_PROTO_UDP)
phdr[0] = g_htonl((ip_proto<<16) | udph->uh_ulen);
else
phdr[0] = g_htonl((ip_proto<<16) | reported_len);
cksum_vec[2].len = 4;
break;
case AT_IPv6:
if (ip_proto == IP_PROTO_UDP)
phdr[0] = g_htonl(udph->uh_ulen);
else
phdr[0] = g_htonl(reported_len);
phdr[1] = g_htonl(ip_proto);
cksum_vec[2].len = 8;
break;
default:
/* UDP runs only atop IPv4 and IPv6.... */
DISSECTOR_ASSERT_NOT_REACHED();
break;
}
cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, udph->uh_sum_cov);
cksum_vec[3].len = udph->uh_sum_cov;
computed_cksum = in_cksum(&cksum_vec[0], 4);
if (computed_cksum == 0) {
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
offset + 6, 2, udph->uh_sum, "0x%04x [correct]", udph->uh_sum);
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_uint(checksum_tree, &hfi_udp_checksum_calculated,
tvb, offset + 6, 2, udph->uh_sum);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, TRUE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
} else {
expected_cksum = in_cksum_shouldbe(udph->uh_sum, computed_cksum);
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
offset + 6, 2, udph->uh_sum,
"0x%04x [incorrect, should be 0x%04x (maybe caused by \"UDP checksum offload\"?)]", udph->uh_sum,
expected_cksum);
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_uint(checksum_tree, &hfi_udp_checksum_calculated,
tvb, offset + 6, 2, expected_cksum);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, TRUE);
PROTO_ITEM_SET_GENERATED(item);
expert_add_info(pinfo, item, &ei_udp_checksum_bad);
col_append_str(pinfo->cinfo, COL_INFO, " [UDP CHECKSUM INCORRECT]");
}
} else {
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
offset + 6, 2, udph->uh_sum, "0x%04x [validation disabled]", udph->uh_sum);
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
}
} else {
item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
offset + 6, 2, udph->uh_sum, "0x%04x [unchecked, not all data available]", udph->uh_sum);
checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
offset + 6, 2, FALSE);
PROTO_ITEM_SET_GENERATED(item);
}
/* Skip over header */
offset += 8;
pinfo->ptype = PT_UDP;
pinfo->srcport = udph->uh_sport;
pinfo->destport = udph->uh_dport;
tap_queue_packet(udp_tap, pinfo, udph);
/* find(or create if needed) the conversation for this udp session */
conv=find_or_create_conversation(pinfo);
udpd=get_udp_conversation_data(conv,pinfo);
if (udpd) {
item = proto_tree_add_uint(udp_tree, &hfi_udp_stream, tvb, offset, 0, udpd->stream);
PROTO_ITEM_SET_GENERATED(item);
/* Copy the stream index into the header as well to make it available
* to tap listeners.
*/
udph->uh_stream = udpd->stream;
}
if (udpd && ((udpd->fwd && udpd->fwd->command) || (udpd->rev && udpd->rev->command))) {
process_tree = proto_tree_add_subtree(udp_tree, tvb, offset, 0, ett_udp_process_info, &ti, "Process Information");
PROTO_ITEM_SET_GENERATED(ti);
if (udpd->fwd && udpd->fwd->command) {
proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_dst_uid.id, tvb, 0, 0,
udpd->fwd->process_uid, "%u", udpd->fwd->process_uid);
proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_dst_pid.id, tvb, 0, 0,
udpd->fwd->process_pid, "%u", udpd->fwd->process_pid);
proto_tree_add_string_format_value(process_tree, hfi_udp_proc_dst_uname.id, tvb, 0, 0,
udpd->fwd->username, "%s", udpd->fwd->username);
proto_tree_add_string_format_value(process_tree, hfi_udp_proc_dst_cmd.id, tvb, 0, 0,
udpd->fwd->command, "%s", udpd->fwd->command);
}
if (udpd->rev->command) {
proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_src_uid.id, tvb, 0, 0,
udpd->rev->process_uid, "%u", udpd->rev->process_uid);
proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_src_pid.id, tvb, 0, 0,
udpd->rev->process_pid, "%u", udpd->rev->process_pid);
proto_tree_add_string_format_value(process_tree, hfi_udp_proc_src_uname.id, tvb, 0, 0,
udpd->rev->username, "%s", udpd->rev->username);
proto_tree_add_string_format_value(process_tree, hfi_udp_proc_src_cmd.id, tvb, 0, 0,
udpd->rev->command, "%s", udpd->rev->command);
}
}
/*
* Call sub-dissectors.
*
* XXX - should we do this if this is included in an error packet?
* It might be nice to see the details of the packet that caused the
* ICMP error, but it might not be nice to have the dissector update
* state based on it.
* Also, we probably don't want to run UDP taps on those packets.
*
* We definitely don't want to do it for an error packet if there's
* nothing left in the packet.
*/
if (!pinfo->flags.in_error_pkt || (tvb_captured_length_remaining(tvb, offset) > 0))
decode_udp_ports(tvb, offset, pinfo, tree, udph->uh_sport, udph->uh_dport,
udph->uh_ulen);
}
static void dissect_packetlogger (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *packetlogger_tree = NULL;
tvbuff_t *next_tvb;
proto_item *ti = NULL;
guint8 pl_type;
gint len;
col_set_str (pinfo->cinfo, COL_PROTOCOL, PSNAME);
col_clear (pinfo->cinfo, COL_INFO);
ti = proto_tree_add_item (tree, proto_packetlogger, tvb, 0, -1, ENC_NA);
packetlogger_tree = proto_item_add_subtree (ti, ett_packetlogger);
pl_type = tvb_get_guint8 (tvb, 0);
proto_tree_add_item (packetlogger_tree, hf_type, tvb, 0, 1, ENC_BIG_ENDIAN);
proto_item_append_text (ti, " %s", val_to_str (pl_type, type_vals, "Unknown 0x%02x"));
len = tvb_captured_length_remaining (tvb, 1);
next_tvb = tvb_new_subset_remaining (tvb, 1);
if (pl_type <= PKT_RECV_ACL_DATA) {
/* HCI H1 packages */
switch (pl_type) {
case PKT_HCI_COMMAND:
pinfo->pseudo_header->bthci.channel = BTHCI_CHANNEL_COMMAND;
pinfo->pseudo_header->bthci.sent = P2P_DIR_SENT;
pinfo->p2p_dir = P2P_DIR_SENT;
break;
case PKT_HCI_EVENT:
pinfo->pseudo_header->bthci.channel = BTHCI_CHANNEL_EVENT;
pinfo->pseudo_header->bthci.sent = P2P_DIR_RECV;
pinfo->p2p_dir = P2P_DIR_RECV;
break;
case PKT_SENT_ACL_DATA:
pinfo->pseudo_header->bthci.channel = BTHCI_CHANNEL_ACL;
pinfo->pseudo_header->bthci.sent = P2P_DIR_SENT;
pinfo->p2p_dir = P2P_DIR_SENT;
break;
case PKT_RECV_ACL_DATA:
pinfo->pseudo_header->bthci.channel = BTHCI_CHANNEL_ACL;
pinfo->pseudo_header->bthci.sent = P2P_DIR_RECV;
pinfo->p2p_dir = P2P_DIR_RECV;
break;
default:
pinfo->pseudo_header->bthci.channel = pl_type;
pinfo->pseudo_header->bthci.sent = P2P_DIR_UNKNOWN;
pinfo->p2p_dir = P2P_DIR_UNKNOWN;
break;
}
proto_item_set_len (ti, 1);
col_add_fstr (pinfo->cinfo, COL_INFO, "%s", val_to_str(pl_type, type_vals, "Unknown 0x%02x"));
if (!dissector_try_uint (hci_h1_table, pinfo->pseudo_header->bthci.channel, next_tvb, pinfo, tree)) {
call_dissector (data_handle, next_tvb, pinfo, tree);
}
} else {
/* PacketLogger data */
switch (pl_type) {
case PKT_POWER:
case PKT_NOTE:
case PKT_NEW_CONTROLLER:
proto_tree_add_item (packetlogger_tree, hf_info, next_tvb, 0, len, ENC_ASCII|ENC_NA);
col_add_fstr (pinfo->cinfo, COL_INFO, "%s", tvb_format_stringzpad_wsp (next_tvb, 0, len));
break;
default:
call_dissector (data_handle, next_tvb, pinfo, tree);
col_add_fstr (pinfo->cinfo, COL_INFO, "Unknown 0x%02x", pl_type);
break;
}
}
}
/*
* Optionally do reassembly of the request/response line, headers, and body.
*/
gboolean
req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo,
const gboolean desegment_headers, const gboolean desegment_body)
{
gint next_offset;
gint next_offset_sav;
gint length_remaining, reported_length_remaining;
int linelen;
gchar *header_val;
int content_length;
gboolean content_length_found = FALSE;
gboolean content_type_found = FALSE;
gboolean chunked_encoding = FALSE;
gboolean keepalive_found = FALSE;
gchar *line;
gchar *content_type = NULL;
/*
* Do header desegmentation if we've been told to.
*
* RFC 2616 defines HTTP messages as being either of the
* Request or the Response type
* (HTTP-message = Request | Response).
* Request and Response are defined as:
* Request = Request-Line
* *(( general-header
* | request-header
* | entity-header ) CRLF)
* CRLF
* [ message-body ]
* Response = Status-Line
* *(( general-header
* | response-header
* | entity-header ) CRLF)
* CRLF
* [ message-body ]
* that's why we can always assume two consecutive line
* endings (we allow CR, LF, or CRLF, as some clients
* or servers might not use a full CRLF) to mark the end
* of the headers. The worst thing that would happen
* otherwise would be the packet not being desegmented
* or being interpreted as only headers.
*
* RFC 2326 says RTSP works the same way; RFC 3261 says SIP
* works the same way.
*/
/*
* If header desegmentation is activated, check that all
* headers are in this tvbuff (search for an empty line
* marking end of headers) or request one more byte (we
* don't know how many bytes we'll need, so we just ask
* for one).
*/
if (desegment_headers && pinfo->can_desegment) {
next_offset = offset;
for (;;) {
next_offset_sav = next_offset;
reported_length_remaining =
tvb_reported_length_remaining(tvb, next_offset);
/*
* Request one more byte if there're no
* bytes left in the reported data (if there're
* bytes left in the reported data, but not in
* the available data, requesting more bytes
* won't help, as those bytes weren't captured).
*/
if (reported_length_remaining < 1) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
length_remaining = tvb_captured_length_remaining(tvb,
next_offset);
/*
* Request one more byte if we cannot find a
* header (i.e. a line end).
*/
linelen = tvb_find_line_end(tvb, next_offset,
length_remaining, &next_offset, TRUE);
if (linelen == -1 &&
length_remaining >= reported_length_remaining) {
/*
* Not enough data; ask for one more
* byte.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
if (linelen == 0) {
/*
* We found the end of the headers.
*/
break;
}
/*
* Is this a Content-Length or Transfer-Encoding
* header? If not, it either means that we are in
* a different header line, or that we are
* at the end of the headers, or that there
* isn't enough data; the two latter cases
* have already been handled above.
*/
if (desegment_body) {
/* Optimization to avoid fetching the whole (potentially very long)
* line and doing expensive string comparisons if the first
* character doesn't match. Shaves about 20% off the load time of
* one of my sample files that's HTTP-alike. */
guchar first_byte = tvb_get_guint8(tvb, next_offset_sav);
if (! (first_byte == 'c' || first_byte == 'C' ||
first_byte == 't' || first_byte == 'T')) {
continue;
}
/*
* Check if we've found Content-Length.
*/
line = tvb_get_string_enc(wmem_packet_scope(), tvb, next_offset_sav, linelen, ENC_UTF_8|ENC_NA);
if (g_ascii_strncasecmp(line, "Content-Length:", 15) == 0) {
/* XXX - what if it doesn't fit in an int?
(Do not "fix" that by making this
a "long"; make it a gint64 or a
guint64.) */
if (sscanf(line+15,"%i", &content_length) == 1)
content_length_found = TRUE;
} else if (g_ascii_strncasecmp(line, "Content-Type:", 13) == 0) {
content_type_found = TRUE;
content_type = line+13;
while (*content_type == ' ') {
content_type++;
}
} else if (g_ascii_strncasecmp(line, "Connection:", 11) == 0) {
/* Check for keep-alive */
header_val = line+11;
if(header_val){
while(*header_val==' '){
header_val++;
}
if(!g_ascii_strncasecmp(header_val, "Keep-Alive", 10)){
keepalive_found = TRUE;
}
}
} else if (g_ascii_strncasecmp( line, "Transfer-Encoding:", 18) == 0) {
/*
* Find out if this Transfer-Encoding is
* chunked. It should be, since there
* really aren't any other types, but
* RFC 2616 allows for them.
*/
gchar *p;
guint len;
header_val = line+18;
p = header_val;
len = (guint) strlen(header_val);
/* Skip white space */
while (p < header_val + len &&
(*p == ' ' || *p == '\t'))
p++;
if (p <= header_val + len) {
if (g_ascii_strncasecmp(p, "chunked", 7)
== 0) {
/*
* Don't bother looking
* for extensions;
* since we don't
* understand them,
* they should be
* ignored.
*/
chunked_encoding = TRUE;
}
}
}
}
}
}
/*
* The above loop ends when we reached the end of the headers, so
* there should be content_length bytes after the 4 terminating bytes
* and next_offset points to after the end of the headers.
*/
if (desegment_body) {
if (chunked_encoding) {
/*
* This data is chunked, so we need to keep pulling
* data until we reach the end of the stream, or a
* zero sized chunk.
*
* XXX
* This doesn't bother with trailing headers; I don't
* think they are really used, and we'd have to use
* is_http_request_or_reply() to determine if it was
* a trailing header, or the start of a new response.
*/
gboolean done_chunking = FALSE;
while (!done_chunking) {
guint chunk_size = 0;
gint chunk_offset = 0;
gchar *chunk_string = NULL;
gchar *c = NULL;
reported_length_remaining =
tvb_reported_length_remaining(tvb,
next_offset);
if (reported_length_remaining < 1) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
length_remaining = tvb_captured_length_remaining(tvb,
next_offset);
linelen = tvb_find_line_end(tvb, next_offset,
length_remaining, &chunk_offset, TRUE);
if (linelen == -1 &&
length_remaining >=
reported_length_remaining) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
/* We have a line with the chunk size in it.*/
chunk_string = tvb_get_string(wmem_packet_scope(), tvb, next_offset,
linelen);
c = chunk_string;
/*
* We don't care about the extensions.
*/
if ((c = strchr(c, ';'))) {
*c = '\0';
}
if (sscanf(chunk_string, "%x", &chunk_size) < 1) {
/* We couldn't get the chunk size,
* so stop trying.
*/
return TRUE;
}
if (chunk_size > (guint)1<<31) {
/* Chunk size is unreasonable. */
/* XXX What /is/ reasonable? */
return TRUE;
}
if (chunk_size == 0) {
/*
* This is the last chunk. Let's pull in the
* trailing CRLF.
*/
linelen = tvb_find_line_end(tvb,
chunk_offset, length_remaining, &chunk_offset, TRUE);
if (linelen == -1 &&
length_remaining >=
reported_length_remaining) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
pinfo->desegment_offset = chunk_offset;
pinfo->desegment_len = 0;
done_chunking = TRUE;
} else {
/*
* Skip to the next chunk if we
* already have it
*/
if (reported_length_remaining >
(gint) chunk_size) {
next_offset = chunk_offset
+ chunk_size + 2;
} else {
/*
* Fetch this chunk, plus the
* trailing CRLF.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
}
}
} else if (content_length_found) {
if (content_length >= 128*1024) { /* MS-RPCH stipulate that the content-length must be between 128K and 2G */
gchar *tmp;
if (content_type_found &&
strncmp(content_type, "application/rpc", 15) == 0) {
/* It looks like a RPC_IN_DATA request or a RPC_OUT_DATA response
* in which the content-length is meaningless
*/
return TRUE;
}
/* Following sizeof will return the length of the string + \0 we need to not count it*/
tmp = tvb_get_string(wmem_packet_scope(), tvb, 0, sizeof("RPC_OUT_DATA") - 1);
if ((strncmp(tmp, "RPC_IN_DATA", sizeof("RPC_IN_DATA") - 1) == 0) ||
(strncmp(tmp, "RPC_OUT_DATA", sizeof("RPC_OUT_DATA") - 1) == 0)) {
return TRUE;
}
}
/* next_offset has been set to the end of the headers */
if (!tvb_bytes_exist(tvb, next_offset, content_length)) {
length_remaining = tvb_captured_length_remaining(tvb,
next_offset);
reported_length_remaining =
tvb_reported_length_remaining(tvb, next_offset);
if (length_remaining < reported_length_remaining) {
/*
* It's a waste of time asking for more
* data, because that data wasn't captured.
*/
return TRUE;
}
if (length_remaining == -1)
length_remaining = 0;
pinfo->desegment_offset = offset;
pinfo->desegment_len =
content_length - length_remaining;
return FALSE;
}
} else if (content_type_found && pinfo->can_desegment) {
/* We found a content-type but no content-length.
* This is probably a HTTP header for a session with
* only one HTTP PDU and where the content spans
* until the end of the tcp session, unless there
* is a keepalive header present in which case we
* assume there is no message body at all and thus
* we won't do any reassembly.
* Set up tcp reassembly until the end of this session.
*/
length_remaining = tvb_captured_length_remaining(tvb, next_offset);
reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset);
if (length_remaining < reported_length_remaining) {
/*
* It's a waste of time asking for more
* data, because that data wasn't captured.
*/
return TRUE;
}
if (keepalive_found) {
/* We have a keep-alive but no content-length.
* Assume there is no message body and don't
* do any reassembly.
*/
return TRUE;
}
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
return FALSE;
}
}
/*
* No further desegmentation needed.
*/
return TRUE;
}
/* Dissect details of packet */
static void rlogin_display(rlogin_hash_entry_t *hash_info,
tvbuff_t *tvb,
packet_info *pinfo,
proto_tree *tree,
struct tcpinfo *tcpinfo)
{
/* Display the proto tree */
int offset = 0;
proto_tree *rlogin_tree, *user_info_tree, *window_tree;
proto_item *ti;
guint length;
int str_len;
gint ti_offset;
proto_item *user_info_item, *window_info_item;
/* Create rlogin subtree */
ti = proto_tree_add_item(tree, proto_rlogin, tvb, 0, -1, ENC_NA);
rlogin_tree = proto_item_add_subtree(ti, ett_rlogin);
/* Return if data empty */
length = tvb_captured_length(tvb);
if (length == 0)
{
return;
}
/*
* XXX - this works only if the urgent pointer points to something
* in this segment; to make it work if the urgent pointer points
* to something past this segment, we'd have to remember the urgent
* pointer setting for this conversation.
*/
if (tcpinfo && IS_TH_URG(tcpinfo->flags) && /* if urgent pointer set */
length >= tcpinfo->urgent_pointer) /* and it's in this frame */
{
/* Get urgent byte into Temp */
int urgent_offset = tcpinfo->urgent_pointer - 1;
guint8 control_byte;
/* Check for text data in front */
if (urgent_offset > offset)
{
proto_tree_add_item(rlogin_tree, hf_data, tvb, offset, urgent_offset, ENC_ASCII|ENC_NA);
}
/* Show control byte */
proto_tree_add_item(rlogin_tree, hf_control_message, tvb,
urgent_offset, 1, ENC_BIG_ENDIAN);
control_byte = tvb_get_guint8(tvb, urgent_offset);
col_append_fstr(pinfo->cinfo, COL_INFO,
" (%s)", val_to_str_const(control_byte, control_message_vals, "Unknown"));
offset = urgent_offset + 1; /* adjust offset */
}
else
if (tvb_get_guint8(tvb, offset) == '\0')
{
/* Startup */
if (pinfo->srcport == RLOGIN_PORT) /* from server */
{
proto_tree_add_item(rlogin_tree, hf_startup_info_received_flag,
tvb, offset, 1, ENC_BIG_ENDIAN);
}
else
{
proto_tree_add_item(rlogin_tree, hf_client_startup_flag,
tvb, offset, 1, ENC_BIG_ENDIAN);
}
++offset;
}
if (!tvb_offset_exists(tvb, offset))
{
/* No more data to check */
return;
}
if (hash_info->info_framenum == pinfo->num)
{
gint info_len;
gint slash_offset;
/* First frame of conversation, assume user info... */
info_len = tvb_captured_length_remaining(tvb, offset);
if (info_len <= 0)
return;
/* User info tree */
user_info_item = proto_tree_add_string_format(rlogin_tree, hf_user_info, tvb,
offset, info_len, FALSE,
"User info (%s)",
tvb_format_text(tvb, offset, info_len));
user_info_tree = proto_item_add_subtree(user_info_item,
ett_rlogin_user_info);
/* Client user name. */
str_len = tvb_strsize(tvb, offset);
proto_tree_add_item(user_info_tree, hf_user_info_client_user_name,
tvb, offset, str_len, ENC_ASCII|ENC_NA);
offset += str_len;
/* Server user name. */
str_len = tvb_strsize(tvb, offset);
proto_tree_add_item(user_info_tree, hf_user_info_server_user_name,
tvb, offset, str_len, ENC_ASCII|ENC_NA);
offset += str_len;
/* Terminal type/speed. */
slash_offset = tvb_find_guint8(tvb, offset, -1, '/');
if (slash_offset != -1)
{
guint8* str = NULL;
guint32 term_len = 0;
gboolean term_len_valid;
proto_item* pi = NULL;
/* Terminal type */
proto_tree_add_item(user_info_tree, hf_user_info_terminal_type,
tvb, offset, slash_offset-offset, ENC_ASCII|ENC_NA);
offset = slash_offset + 1;
/* Terminal speed */
str_len = tvb_strsize(tvb, offset);
str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, str_len,
ENC_NA|ENC_ASCII);
term_len_valid = ws_strtou32(str, NULL, &term_len);
pi = proto_tree_add_uint(user_info_tree,
hf_user_info_terminal_speed,
tvb, offset, str_len, term_len);
if (!term_len_valid)
expert_add_info(pinfo, pi, &ei_rlogin_termlen_invalid);
offset += str_len;
}
}
if (!tvb_offset_exists(tvb, offset))
{
/* No more data to check */
return;
}
/* Test for terminal information, the data will have 2 0xff bytes */
/* look for first 0xff byte */
ti_offset = tvb_find_guint8(tvb, offset, -1, 0xff);
/* Next byte must also be 0xff */
if (ti_offset != -1 &&
tvb_bytes_exist(tvb, ti_offset + 1, 1) &&
tvb_get_guint8(tvb, ti_offset + 1) == 0xff)
{
guint16 rows, columns;
/* Have found terminal info. */
if (ti_offset > offset)
{
/* There's data before the terminal info. */
proto_tree_add_item(rlogin_tree, hf_data, tvb,
offset, ti_offset - offset, ENC_ASCII|ENC_NA);
}
/* Create window info tree */
window_info_item =
proto_tree_add_item(rlogin_tree, hf_window_info, tvb, offset, 12, ENC_NA);
window_tree = proto_item_add_subtree(window_info_item, ett_rlogin_window);
/* Cookie */
proto_tree_add_item(window_tree, hf_magic_cookie, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
/* These bytes should be "ss" */
proto_tree_add_item(window_tree, hf_window_info_ss, tvb, offset, 2, ENC_ASCII|ENC_NA);
offset += 2;
/* Character rows */
rows = tvb_get_ntohs(tvb, offset);
proto_tree_add_item(window_tree, hf_window_info_rows, tvb,
offset, 2, ENC_BIG_ENDIAN);
offset += 2;
/* Characters per row */
columns = tvb_get_ntohs(tvb, offset);
proto_tree_add_item(window_tree, hf_window_info_cols, tvb,
offset, 2, ENC_BIG_ENDIAN);
offset += 2;
/* x pixels */
proto_tree_add_item(window_tree, hf_window_info_x_pixels, tvb,
offset, 2, ENC_BIG_ENDIAN);
offset += 2;
/* y pixels */
proto_tree_add_item(window_tree, hf_window_info_y_pixels, tvb,
offset, 2, ENC_BIG_ENDIAN);
offset += 2;
/* Show setting highlights in info column */
col_append_fstr(pinfo->cinfo, COL_INFO, " (rows=%u, cols=%u)",
rows, columns);
}
if (tvb_offset_exists(tvb, offset))
{
/* There's more data in the frame. */
proto_tree_add_item(rlogin_tree, hf_data, tvb, offset, -1, ENC_ASCII|ENC_NA);
}
}
static int
call_rtse_external_type_callback(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_)
{
const char *oid = NULL;
if (actx->external.indirect_ref_present) {
oid = (const char *)find_oid_by_pres_ctx_id(actx->pinfo, actx->external.indirect_reference);
if (!oid)
proto_tree_add_expert_format(tree, actx->pinfo, &ei_rtse_abstract_syntax, tvb, offset, tvb_captured_length_remaining(tvb, offset),
"Unable to determine abstract syntax for indirect reference: %d.", actx->external.indirect_reference);
} else if (actx->external.direct_ref_present) {
oid = actx->external.direct_reference;
}
if (oid)
offset = call_rtse_oid_callback(oid, tvb, offset, actx->pinfo, top_tree ? top_tree : tree, actx->private_data);
return offset;
}
static int
dissect_report_segment(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ltp_tree, int frame_offset) {
gint64 rpt_sno;
gint64 chkp_sno;
guint64 upper_bound;
guint64 lower_bound;
int rcpt_clm_cnt;
guint64 offset;
guint64 length;
int rpt_sno_size;
int chkp_sno_size;
int upper_bound_size;
int lower_bound_size;
int rcpt_clm_cnt_size;
int offset_size;
int length_size;
int segment_offset = 0;
int i;
proto_item *ltp_rpt_item;
proto_item *ltp_rpt_clm_item;
proto_tree *ltp_rpt_tree;
proto_tree *ltp_rpt_clm_tree;
/* Create the subtree for report segment under the main LTP tree and all the report segment fields under it */
ltp_rpt_tree = proto_tree_add_subtree(ltp_tree, tvb, frame_offset, -1, ett_rpt_segm, <p_rpt_item, "Report Segment");
/* Extract the report segment info */
rpt_sno = evaluate_sdnv_64(tvb, frame_offset, &rpt_sno_size);
proto_tree_add_uint64(ltp_rpt_tree, hf_ltp_rpt_sno, tvb, frame_offset + segment_offset, rpt_sno_size, (guint64)rpt_sno);
segment_offset += rpt_sno_size;
chkp_sno = evaluate_sdnv_64(tvb, frame_offset + segment_offset, &chkp_sno_size);
proto_tree_add_uint64(ltp_rpt_tree, hf_ltp_rpt_chkp, tvb, frame_offset + segment_offset, chkp_sno_size, (guint64)chkp_sno);
segment_offset += chkp_sno_size;
upper_bound = evaluate_sdnv(tvb, frame_offset + segment_offset, &upper_bound_size);
proto_tree_add_uint64(ltp_rpt_tree, hf_ltp_rpt_ub, tvb, frame_offset + segment_offset, upper_bound_size, (guint64)upper_bound);
segment_offset += upper_bound_size;
lower_bound = evaluate_sdnv(tvb, frame_offset + segment_offset, &lower_bound_size);
proto_tree_add_uint64(ltp_rpt_tree, hf_ltp_rpt_lb, tvb, frame_offset + segment_offset, lower_bound_size, (guint64)lower_bound);
segment_offset += lower_bound_size;
rcpt_clm_cnt = evaluate_sdnv(tvb, frame_offset + segment_offset, &rcpt_clm_cnt_size);
if (rcpt_clm_cnt < 0){
proto_item_set_end(ltp_rpt_item, tvb, frame_offset + segment_offset);
expert_add_info_format(pinfo, ltp_tree, &ei_ltp_neg_reception_claim_count,
"Negative reception claim count: %d", rcpt_clm_cnt);
return 0;
}
/* Each reception claim is at least 2 bytes, so if the count is larger than the
* max number of claims we can possibly squeeze into the remaining tvbuff, then
* the packet is malformed.
*/
if (rcpt_clm_cnt > tvb_captured_length_remaining(tvb, frame_offset + segment_offset) / 2) {
proto_item_set_end(ltp_rpt_item, tvb, frame_offset + segment_offset);
expert_add_info_format(pinfo, ltp_tree, &ei_ltp_mal_reception_claim,
"Reception claim count impossibly large: %d > %d", rcpt_clm_cnt,
tvb_captured_length_remaining(tvb, frame_offset + segment_offset) / 2);
return 0;
}
proto_tree_add_uint(ltp_rpt_tree, hf_ltp_rpt_clm_cnt, tvb, frame_offset + segment_offset, rcpt_clm_cnt_size, rcpt_clm_cnt);
segment_offset += rcpt_clm_cnt_size;
ltp_rpt_clm_tree = proto_tree_add_subtree(ltp_rpt_tree, tvb, frame_offset + segment_offset, -1, ett_rpt_clm, <p_rpt_clm_item, "Reception claims");
/* There can be multiple reception claims in the same report segment */
for(i = 0; i<rcpt_clm_cnt; i++){
offset = evaluate_sdnv(tvb,frame_offset + segment_offset, &offset_size);
proto_tree_add_uint64_format(ltp_rpt_clm_tree, hf_ltp_rpt_clm_off, tvb, frame_offset + segment_offset, offset_size, offset,
"Offset[%d] : %"G_GINT64_MODIFIER"d", i, offset);
segment_offset += offset_size;
length = evaluate_sdnv(tvb,frame_offset + segment_offset, &length_size);
proto_tree_add_uint64_format(ltp_rpt_clm_tree, hf_ltp_rpt_clm_len, tvb, frame_offset + segment_offset, length_size, length,
"Length[%d] : %"G_GINT64_MODIFIER"d",i, length);
segment_offset += length_size;
}
proto_item_set_end(ltp_rpt_clm_item, tvb, frame_offset + segment_offset);
proto_item_set_end(ltp_rpt_item, tvb, frame_offset + segment_offset);
return segment_offset;
}
void
dissect_802_3(volatile int length, gboolean is_802_2, tvbuff_t *tvb,
int offset_after_length, packet_info *pinfo, proto_tree *tree,
proto_tree *fh_tree, int length_id, int trailer_id, expert_field* ei_len,
int fcs_len)
{
proto_item *length_it;
tvbuff_t *volatile next_tvb = NULL;
tvbuff_t *trailer_tvb = NULL;
const char *saved_proto;
gint captured_length, reported_length;
void *pd_save;
length_it = proto_tree_add_uint(fh_tree, length_id, tvb,
offset_after_length - 2, 2, length);
/* Get the length of the payload.
If the FCS length is positive, remove the FCS.
(If it's zero, there's no FCS; if it's negative, we don't know whether
there's an FCS, so we'll guess based on the length of the trailer.) */
reported_length = tvb_reported_length_remaining(tvb, offset_after_length);
if (fcs_len > 0) {
if (reported_length >= fcs_len)
reported_length -= fcs_len;
}
/* Make sure the length in the 802.3 header doesn't go past the end of
the payload. */
if (length > reported_length) {
length = reported_length;
expert_add_info(pinfo, length_it, ei_len);
}
/* Give the next dissector only 'length' number of bytes. */
captured_length = tvb_captured_length_remaining(tvb, offset_after_length);
if (captured_length > length)
captured_length = length;
next_tvb = tvb_new_subset(tvb, offset_after_length, captured_length, length);
/* Dissect the payload either as IPX or as an LLC frame.
Catch non-fatal exceptions, so that if the reported length
of "next_tvb" was reduced by some dissector before an
exception was thrown, we can still put in an item for
the trailer. */
saved_proto = pinfo->current_proto;
pd_save = pinfo->private_data;
TRY {
if (is_802_2)
call_dissector(llc_handle, next_tvb, pinfo, tree);
else {
/* Check if first three bits of payload are 0x7.
If so, then payload is IPX. If not, then it's CCSDS.
Refer to packet-eth.c for setting of is_802_2 variable. */
if (tvb_get_bits8(next_tvb, 0, 3) == 7)
call_dissector(ipx_handle, next_tvb, pinfo, tree);
else
call_dissector(ccsds_handle, next_tvb, pinfo, tree);
}
}
CATCH_NONFATAL_ERRORS {
/* Somebody threw an exception that means that there was a problem
dissecting the payload; that means that a dissector was found,
so we don't need to dissect the payload as data or update the
protocol or info columns.
Just show the exception and then drive on to show the trailer,
after noting that a dissector was found and restoring the
protocol value that was in effect before we called the subdissector. */
pinfo->private_data = pd_save;
show_exception(next_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
/* Restore the protocol value, so that any exception thrown by
tvb_new_subset_remaining() refers to the protocol for which
this is a trailer, and restore the private_data structure in
case one of the called dissectors modified it. */
pinfo->private_data = pd_save;
pinfo->current_proto = saved_proto;
/* Construct a tvbuff for the trailer; if the trailer is past the
end of the captured data, this will throw a BoundsError, which
is what we want, as it'll report that the packet was cut short. */
trailer_tvb = tvb_new_subset_remaining(tvb, offset_after_length + length);
add_ethernet_trailer(pinfo, tree, fh_tree, trailer_id, tvb, trailer_tvb, fcs_len);
}
static void
dissect_v5dl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *v5dl_tree, *addr_tree;
proto_item *v5dl_ti, *addr_ti;
int direction;
guint v5dl_header_len;
guint16 control;
#if 0
proto_tree *checksum_tree;
proto_item *checksum_ti;
guint16 checksum, checksum_calculated;
guint checksum_offset;
#endif
guint16 addr, cr, eah, eal, v5addr;
gboolean is_response = 0;
#if 0
guint length, reported_length;
#endif
tvbuff_t *next_tvb;
const char *srcname = "?";
const char *dstname = "?";
col_set_str(pinfo->cinfo, COL_PROTOCOL, "V5DL");
col_clear(pinfo->cinfo, COL_INFO);
addr = tvb_get_ntohs(tvb, 0);
cr = addr & V5DL_CR;
eal = (addr & V5DL_EAL) >> V5DL_EAL_SHIFT;
eah = (addr & V5DL_EAH) >> V5DL_EAH_SHIFT;
v5addr = (eah << 7) + eal;
v5dl_header_len = 2; /* addr */
direction = pinfo->p2p_dir;
if (pinfo->p2p_dir == P2P_DIR_RECV) {
is_response = cr ? FALSE : TRUE;
srcname = "Network";
dstname = "User";
}
else if (pinfo->p2p_dir == P2P_DIR_SENT) {
is_response = cr ? TRUE : FALSE;
srcname = "User";
dstname = "Network";
}
col_set_str(pinfo->cinfo, COL_RES_DL_SRC, srcname);
col_set_str(pinfo->cinfo, COL_RES_DL_DST, dstname);
if (tree) {
proto_item *direction_ti;
v5dl_ti = proto_tree_add_item(tree, proto_v5dl, tvb, 0, -1,
ENC_NA);
v5dl_tree = proto_item_add_subtree(v5dl_ti, ett_v5dl);
/*
* Don't show the direction if we don't know it.
*/
if (direction != P2P_DIR_UNKNOWN) {
direction_ti = proto_tree_add_uint(v5dl_tree, hf_v5dl_direction,
tvb, 0, 0, pinfo->p2p_dir);
PROTO_ITEM_SET_GENERATED(direction_ti);
}
addr_ti = proto_tree_add_uint(v5dl_tree, hf_v5dl_ef, tvb,
0, 2, v5addr);
addr_tree = proto_item_add_subtree(addr_ti, ett_v5dl_address);
proto_tree_add_uint(addr_tree, hf_v5dl_eah, tvb, 0, 1, addr);
proto_tree_add_uint(addr_tree, hf_v5dl_cr, tvb, 0, 1, addr);
proto_tree_add_uint(addr_tree, hf_v5dl_ea1, tvb, 0, 1, addr);
proto_tree_add_uint(addr_tree, hf_v5dl_eal, tvb, 1, 1, addr);
proto_tree_add_uint(addr_tree, hf_v5dl_ea2, tvb, 1, 1, addr);
}
else {
v5dl_ti = NULL;
v5dl_tree = NULL;
}
control = dissect_xdlc_control(tvb, 2, pinfo, v5dl_tree, hf_v5dl_control,
ett_v5dl_control, &v5dl_cf_items, &v5dl_cf_items_ext, NULL, NULL,
is_response, TRUE, FALSE);
v5dl_header_len += XDLC_CONTROL_LEN(control, TRUE);
if (tree)
proto_item_set_len(v5dl_ti, v5dl_header_len);
/*
* XXX - the sample capture supplied with bug 7027 does not
* appear to include checksums in the packets.
*/
#if 0
/*
* Check the checksum, if available.
* The checksum is a CCITT CRC-16 at the end of the packet, so
* if we don't have the entire packet in the capture - i.e., if
* tvb_captured_length(tvb) != tvb_reported_length(tvb) we can't check it.
*/
length = tvb_captured_length(tvb);
reported_length = tvb_reported_length(tvb);
/*
* If the reported length isn't big enough for the V5DL header
* and 2 bytes of checksum, the packet is malformed, as the
* checksum overlaps the header.
*/
if (reported_length < v5dl_header_len + 2)
THROW(ReportedBoundsError);
if (length == reported_length) {
/*
* There's no snapshot length cutting off any of the
* packet.
*/
checksum_offset = reported_length - 2;
checksum = tvb_get_ntohs(tvb, checksum_offset);
checksum_calculated = crc16_ccitt_tvb(tvb, checksum_offset);
checksum_calculated = g_htons(checksum_calculated); /* Note: g_htons() macro may eval arg multiple times */
if (checksum == checksum_calculated) {
checksum_ti = proto_tree_add_uint_format_value(v5dl_tree, hf_v5dl_checksum, tvb, checksum_offset,
2, 0,
"0x%04x [correct]",
checksum);
checksum_tree = proto_item_add_subtree(checksum_ti, ett_v5dl_checksum);
proto_tree_add_boolean(checksum_tree, hf_v5dl_checksum_good, tvb, checksum_offset, 2, TRUE);
proto_tree_add_boolean(checksum_tree, hf_v5dl_checksum_bad, tvb, checksum_offset, 2, FALSE);
} else {
checksum_ti = proto_tree_add_uint_format_value(v5dl_tree, hf_v5dl_checksum, tvb, checksum_offset,
2, 0,
"0x%04x [incorrect, should be 0x%04x]",
checksum, checksum_calculated);
checksum_tree = proto_item_add_subtree(checksum_ti, ett_v5dl_checksum);
proto_tree_add_boolean(checksum_tree, hf_v5dl_checksum_good, tvb, checksum_offset, 2, FALSE);
proto_tree_add_boolean(checksum_tree, hf_v5dl_checksum_bad, tvb, checksum_offset, 2, TRUE);
}
/*
* Remove the V5DL header *and* the checksum.
*/
next_tvb = tvb_new_subset(tvb, v5dl_header_len,
tvb_captured_length_remaining(tvb, v5dl_header_len) - 2,
tvb_reported_length_remaining(tvb, v5dl_header_len) - 2);
} else {
/*
* Some or all of the packet is cut off by a snapshot
* length.
*/
if (length == reported_length - 1) {
/*
* One byte is cut off, so there's only one
* byte of checksum in the captured data.
* Remove that byte from the captured length
* and both bytes from the reported length.
*/
next_tvb = tvb_new_subset(tvb, v5dl_header_len,
tvb_captured_length_remaining(tvb, v5dl_header_len) - 1,
tvb_reported_length_remaining(tvb, v5dl_header_len) - 2);
} else {
/*
* Two or more bytes are cut off, so there are
* no bytes of checksum in the captured data.
* Just remove the checksum from the reported
* length.
*/
next_tvb = tvb_new_subset(tvb, v5dl_header_len,
tvb_captured_length_remaining(tvb, v5dl_header_len),
tvb_reported_length_remaining(tvb, v5dl_header_len) - 2);
}
}
#else
next_tvb = tvb_new_subset_remaining(tvb, v5dl_header_len);
#endif
if (XDLC_IS_INFORMATION(control)) {
/* call V5.2 dissector */
call_dissector(v52_handle, next_tvb, pinfo, tree);
}
}
/* dissector of each payload */
static int
dissect_xtp_aseg(tvbuff_t *tvb, proto_tree *tree, guint32 offset) {
guint32 len = tvb_captured_length_remaining(tvb, offset);
guint32 start = offset;
proto_item *ti, *ti2, *top_ti;
proto_tree *xtp_subtree;
struct xtp_ip_addr_seg aseg[1];
int error = 0;
top_ti = proto_tree_add_text(tree, tvb, offset, len, "Address Segment");
xtp_subtree = proto_item_add_subtree(top_ti, ett_xtp_aseg);
if (len < XTP_NULL_ADDR_SEG_LEN) {
proto_item_append_text(top_ti, ", bogus length(%u, must be at least %u)",
len, XTP_NULL_ADDR_SEG_LEN);
return 0;
}
/** parse common fields **/
/* alen(2) */
aseg->alen = tvb_get_ntohs(tvb, offset);
offset += 2;
/* adomain(1) */
aseg->adomain = tvb_get_guint8(tvb, offset);
offset++;
/* aformat(1) */
aseg->aformat = tvb_get_guint8(tvb, offset);
/** display common fields **/
offset = start;
/* alen(2) */
ti = proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_alen,
tvb, offset, 2, aseg->alen);
offset += 2;
if (aseg->alen > len) {
proto_item_append_text(ti, ", bogus length(%u, must be at most %u)",
aseg->alen, len);
error = 1;
}
/* adomain(1) */
proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_adomain,
tvb, offset, 1, aseg->adomain);
offset++;
/* aformat(1) */
ti2 = proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_aformat,
tvb, offset, 1, aseg->aformat);
offset++;
switch (aseg->aformat) {
case 0:
if (aseg->alen != XTP_NULL_ADDR_SEG_LEN) {
proto_item_append_text(ti, ", bogus length(%u, must be %u)",
aseg->alen, XTP_NULL_ADDR_SEG_LEN);
error = 1;
}
break;
case 1:
if (aseg->alen != XTP_IP_ADDR_SEG_LEN) {
proto_item_append_text(ti, ", bogus length(%u, must be %u)",
aseg->alen, XTP_IP_ADDR_SEG_LEN);
error = 1;
}
break;
default:
if (aseg->aformat < 128) {
proto_item_append_text(ti2,
", Unsupported aformat(%u)", aseg->aformat);
error = 1;
}
break;
}
if (error)
return (offset - start);
/** parse and display each address fileds */
switch (aseg->aformat) {
case 0:
/* address(4) */
aseg->dsthost = tvb_get_ntohl(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_address,
tvb, offset, 4, aseg->dsthost);
offset += 4;
break;
case 1:
/* dsthost(4) */
aseg->dsthost = tvb_get_ipv4(tvb, offset);
proto_tree_add_ipv4(xtp_subtree, hf_xtp_aseg_dsthost,
tvb, offset, 4, aseg->dsthost);
offset += 4;
/* srchost(4) */
aseg->srchost = tvb_get_ipv4(tvb, offset);
proto_tree_add_ipv4(xtp_subtree, hf_xtp_aseg_srchost,
tvb, offset, 4, aseg->srchost);
offset += 4;
/* dstport(2) */
aseg->dstport = tvb_get_ntohs(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_dstport,
tvb, offset, 2, aseg->dstport);
offset += 2;
/* srcport(2) */
aseg->srcport = tvb_get_ntohs(tvb, offset);
proto_tree_add_uint(xtp_subtree, hf_xtp_aseg_srcport,
tvb, offset, 2, aseg->srcport);
offset += 2;
/** add summary **/
proto_item_append_text(top_ti, ", Dst Port: %u", aseg->dstport);
proto_item_append_text(top_ti, ", Src Port: %u", aseg->srcport);
break;
default:
break;
}
return (offset - start);
}
/*
* Dissect ASCII TPKT-encapsulated data in a TCP stream.
*/
void
dissect_asciitpkt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
dissector_handle_t subdissector_handle)
{
proto_item *ti = NULL;
proto_tree *tpkt_tree = NULL;
volatile int offset = 0;
int length_remaining;
int data_len;
volatile int mgcp_packet_len = 0;
int mgcp_version = 0;
int mgcp_reserved = 0;
volatile int length;
tvbuff_t *volatile next_tvb;
const char *saved_proto;
guint8 string[4];
void *pd_save;
/*
* If we're reassembling segmented TPKT PDUs, empty the COL_INFO
* column, so subdissectors can append information
* without having to worry about emptying the column.
*
* We use "col_add_str()" because the subdissector
* might be appending information to the column, in
* which case we'd have to zero the buffer out explicitly
* anyway.
*/
if (tpkt_desegment)
col_set_str(pinfo->cinfo, COL_INFO, "");
while (tvb_reported_length_remaining(tvb, offset) != 0) {
/*
* Is the first byte of this putative TPKT header
* a valid TPKT version number, i.e. 3?
*/
if (tvb_get_guint8(tvb, offset) != 48) {
/*
* No, so don't assume this is a TPKT header;
* we might be in the middle of TPKT data,
* so don't get the length and don't try to
* do reassembly.
*/
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TPKT");
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
if (tree) {
ti = proto_tree_add_item(tree, proto_tpkt, tvb,
offset, -1, ENC_NA);
tpkt_tree = proto_item_add_subtree(ti, ett_tpkt);
proto_item_set_text(ti, "TPKT");
proto_tree_add_text(tpkt_tree, tvb, offset, -1,
"Continuation data");
}
return;
}
length_remaining = tvb_captured_length_remaining(tvb, offset);
/*
* Get the length from the TPKT header.
*/
tvb_memcpy(tvb, (guint8 *)string, offset, 2);
mgcp_version = parseVersionText(string);
tvb_memcpy(tvb, (guint8 *)string, offset +2, 2);
mgcp_reserved = parseReservedText(string);
tvb_memcpy(tvb, (guint8 *)string, offset + 4, 4);
mgcp_packet_len = parseLengthText(string);
data_len = mgcp_packet_len;
/*
* Dissect the TPKT header.
* Save and restore "pinfo->current_proto".
*/
saved_proto = pinfo->current_proto;
pinfo->current_proto = "TPKT";
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TPKT");
/*
* Don't add the TPKT header information if we're
* reassembling segmented TPKT PDUs or if this
* PDU isn't reassembled.
*
* XXX - the first is so that subdissectors can append
* information without getting TPKT stuff in the middle;
* why the second?
*/
if (!tpkt_desegment && !pinfo->fragmented) {
col_add_fstr(pinfo->cinfo, COL_INFO,
"TPKT Data length = %u", data_len);
}
if (tree) {
ti = proto_tree_add_item(tree, proto_tpkt, tvb,
offset, 8, ENC_NA);
tpkt_tree = proto_item_add_subtree(ti, ett_tpkt);
proto_item_set_text(ti, "TPKT");
/* Version */
proto_tree_add_uint(tpkt_tree, hf_tpkt_version, tvb,
offset, 2, mgcp_version);
/* Reserved octet*/
proto_tree_add_uint(tpkt_tree, hf_tpkt_reserved, tvb,
offset + 2, 2, mgcp_reserved);
/* Length */
proto_tree_add_uint(tpkt_tree, hf_tpkt_length, tvb,
offset + 4, 4, mgcp_packet_len);
}
pinfo->current_proto = saved_proto;
/* Skip the TPKT header. */
offset += TEXT_LAYER_LENGTH;
length = length_remaining - TEXT_LAYER_LENGTH;
if (length > data_len)
length = data_len;
next_tvb = tvb_new_subset(tvb, offset,length, data_len);
/*
* Call the subdissector.
*
* If it gets an error that means there's no point in
* dissecting any more TPKT messages, rethrow the
* exception in question.
*
* If it gets any other error, report it and continue, as that
* means that TPKT message got an error, but that doesn't mean
* we should stop dissecting TPKT messages within this frame
* or chunk of reassembled data.
*/
pd_save = pinfo->private_data;
TRY {
call_dissector(subdissector_handle, next_tvb, pinfo,
tree);
}
CATCH_NONFATAL_ERRORS {
/* Restore the private_data structure in case one of the
* called dissectors modified it (and, due to the exception,
* was unable to restore it).
*/
pinfo->private_data = pd_save;
show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
}
ENDTRY;
/*
* Skip the payload.
*/
offset += data_len;
}
}
/*
* Dissect RTSE PDUs inside a PPDU.
*/
static int
dissect_rtse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data)
{
int offset = 0;
int old_offset;
proto_item *item;
proto_tree *tree;
proto_tree *next_tree=NULL;
tvbuff_t *next_tvb = NULL;
tvbuff_t *data_tvb = NULL;
fragment_head *frag_msg = NULL;
guint32 fragment_length;
guint32 rtse_id = 0;
gboolean data_handled = FALSE;
struct SESSION_DATA_STRUCTURE* session;
conversation_t *conversation = NULL;
asn1_ctx_t asn1_ctx;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
/* do we have application context from the acse dissector? */
if (data == NULL)
return 0;
session = (struct SESSION_DATA_STRUCTURE*)data;
/* save parent_tree so subdissectors can create new top nodes */
top_tree=parent_tree;
asn1_ctx.private_data = session;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "RTSE");
col_clear(pinfo->cinfo, COL_INFO);
if (rtse_reassemble &&
((session->spdu_type == SES_DATA_TRANSFER) ||
(session->spdu_type == SES_MAJOR_SYNC_POINT))) {
/* Use conversation index as fragment id */
conversation = find_conversation (pinfo->fd->num,
&pinfo->src, &pinfo->dst, pinfo->ptype,
pinfo->srcport, pinfo->destport, 0);
if (conversation != NULL) {
rtse_id = conversation->index;
}
session->rtse_reassemble = TRUE;
}
if (rtse_reassemble && session->spdu_type == SES_MAJOR_SYNC_POINT) {
frag_msg = fragment_end_seq_next (&rtse_reassembly_table,
pinfo, rtse_id, NULL);
next_tvb = process_reassembled_data (tvb, offset, pinfo, "Reassembled RTSE",
frag_msg, &rtse_frag_items, NULL, parent_tree);
}
item = proto_tree_add_item(parent_tree, proto_rtse, next_tvb ? next_tvb : tvb, 0, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_rtse);
if (rtse_reassemble && session->spdu_type == SES_DATA_TRANSFER) {
/* strip off the OCTET STRING encoding - including any CONSTRUCTED OCTET STRING */
dissect_ber_octet_string(FALSE, &asn1_ctx, tree, tvb, offset, hf_rtse_segment_data, &data_tvb);
if (data_tvb) {
fragment_length = tvb_captured_length_remaining (data_tvb, 0);
proto_item_append_text(asn1_ctx.created_item, " (%u byte%s)", fragment_length,
plurality(fragment_length, "", "s"));
frag_msg = fragment_add_seq_next (&rtse_reassembly_table,
data_tvb, 0, pinfo,
rtse_id, NULL,
fragment_length, TRUE);
if (frag_msg && pinfo->fd->num != frag_msg->reassembled_in) {
/* Add a "Reassembled in" link if not reassembled in this frame */
proto_tree_add_uint (tree, *(rtse_frag_items.hf_reassembled_in),
data_tvb, 0, 0, frag_msg->reassembled_in);
}
pinfo->fragmented = TRUE;
data_handled = TRUE;
} else {
fragment_length = tvb_captured_length_remaining (tvb, offset);
}
col_append_fstr(pinfo->cinfo, COL_INFO, "[RTSE fragment, %u byte%s]",
fragment_length, plurality(fragment_length, "", "s"));
} else if (rtse_reassemble && session->spdu_type == SES_MAJOR_SYNC_POINT) {
if (next_tvb) {
/* ROS won't do this for us */
session->ros_op = (ROS_OP_INVOKE | ROS_OP_ARGUMENT);
/*offset=*/dissect_ber_external_type(FALSE, tree, next_tvb, 0, &asn1_ctx, -1, call_rtse_external_type_callback);
top_tree = NULL;
/* Return other than 0 to indicate that we handled this packet */
return 1;
} else {
offset = tvb_captured_length (tvb);
}
pinfo->fragmented = FALSE;
data_handled = TRUE;
}
if (!data_handled) {
while (tvb_reported_length_remaining(tvb, offset) > 0){
old_offset=offset;
offset=dissect_rtse_RTSE_apdus(TRUE, tvb, offset, &asn1_ctx, tree, -1);
if(offset == old_offset){
next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
ett_rtse_unknown, &item, "Unknown RTSE PDU");
expert_add_info (pinfo, item, &ei_rtse_unknown_rtse_pdu);
dissect_unknown_ber(pinfo, tvb, offset, next_tree);
break;
}
}
}
top_tree = NULL;
return tvb_captured_length(tvb);
}
