static void
dissect_msnms(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *msnms_tree;
proto_item *ti;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
/* int tokenlen; */
/* const guchar *next_token; */
col_set_str(pinfo->cinfo, COL_PROTOCOL, "MSNMS");
/*
* Find the end of the first line.
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary.
*/
col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, linelen));
}
if (tree) {
ti = proto_tree_add_item(tree, proto_msnms, tvb, offset, -1,
FALSE);
msnms_tree = proto_item_add_subtree(ti, ett_msnms);
/*
* Show the rest of the packet as text,
* a line at a time.
*/
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1,
&next_offset, FALSE);
/*
* Put this line.
*/
proto_tree_add_text(msnms_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
offset = next_offset;
}
}
}
static void
dissect_rsh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *rsh_tree;
proto_item *ti, *hidden_item;
gint offset = 0;
gint next_offset;
int linelen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "RSH");
if (check_col(pinfo->cinfo, COL_INFO)) {
/* Put the first line from the buffer into the summary. */
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
linelen = next_offset - offset; /* include the line terminator */
/*
* Make sure the line terminator isn't past the end of
* the captured data in the packet, so we don't throw
* an exception in the "tvb_get_ptr()" call.
*/
if (linelen > (int) tvb_length(tvb))
linelen = tvb_length(tvb);
col_add_str(pinfo->cinfo, COL_INFO,
tvb_format_text(tvb, offset, linelen));
}
if (tree) {
ti = proto_tree_add_item(tree, proto_rsh, tvb, offset, -1,
FALSE);
rsh_tree = proto_item_add_subtree(ti, ett_rsh);
/*
* Process the packet data, a line at a time.
*/
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset,
FALSE);
/*
* Put this line.
*/
proto_tree_add_text(rsh_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
offset = next_offset;
}
if (pinfo->match_port == pinfo->destport) {
hidden_item = proto_tree_add_boolean(rsh_tree,
hf_rsh_request, tvb, 0, 0, 1);
} else {
hidden_item = proto_tree_add_boolean(rsh_tree,
hf_rsh_response, tvb, 0, 0, 1);
}
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
}
static int dissect_proxy_to_host(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
int offset = 0;
gint next_offset;
gint proxy_to_length;
gchar *pmproxy_host_and_port_string;
gchar **host_and_port;
gchar *host;
gchar *port;
col_set_str(pinfo->cinfo, COL_INFO, "Proxy");
proxy_to_length = tvb_find_line_end(tvb, offset, tvb_ensure_captured_length_remaining(tvb, offset), &next_offset, FALSE);
if(proxy_to_length != -1) {
pmproxy_host_and_port_string = (gchar *) tvb_get_string_enc(wmem_packet_scope(), tvb, offset, proxy_to_length, ENC_ASCII);
host_and_port = wmem_strsplit(wmem_packet_scope(), pmproxy_host_and_port_string, " ", -1);
if(host_and_port != NULL) {
host = host_and_port[0];
if (host) {
proto_tree_add_string(tree, hf_pmproxy_host, tvb, offset, (guint32)strlen(host), host);
offset += (int)strlen(host) + PMPROXY_HOST_AND_PORT_DELIMETER_LENGTH;
port = host_and_port[1];
if (port) {
proto_tree_add_string(tree, hf_pmproxy_port, tvb, offset, (guint32)strlen(port), port);
}
} else {
port = NULL;
}
col_append_fstr(pinfo->cinfo, COL_INFO, " Host=%s, Port=%s", host ? host : "", port ? port : "");
}
}
return proxy_to_length;
}
static void
dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree)
{
gint next_offset;
if (smtp_tree) {
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/*
* Put this line.
*/
proto_tree_add_item(smtp_tree, hf_smtp_message, tvb,
offset, next_offset - offset, ENC_ASCII|ENC_NA);
/*
* Step to the next line.
*/
offset = next_offset;
}
}
}
static void
dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree)
{
gint next_offset;
if (smtp_tree) {
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/*
* Put this line.
*/
proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
"Message: %s",
tvb_format_text(tvb, offset, next_offset - offset));
/*
* Step to the next line.
*/
offset = next_offset;
}
}
}
static gboolean
find_dir_tokens(tvbuff_t *tvb, gint name_start, gint *sel_start, gint *host_start, gint *port_start, gint *line_len, gint *next_offset) {
gint remain;
if (tvb_length_remaining(tvb, name_start) < MIN_DIR_LINE_LEN)
return FALSE;
if (! (sel_start && host_start && port_start && line_len && next_offset) )
return FALSE;
*line_len = tvb_find_line_end(tvb, name_start, MAX_DIR_LINE_LEN, next_offset, FALSE);
if (*line_len < MIN_DIR_LINE_LEN)
return FALSE;
remain = *line_len;
*sel_start = tvb_find_guint8(tvb, name_start, remain, '\t') + 1;
if (*sel_start < name_start + 1)
return FALSE;
remain -= *sel_start - name_start;
*host_start = tvb_find_guint8(tvb, *sel_start, remain, '\t') + 1;
if (*host_start < *sel_start + 1)
return FALSE;
remain -= *host_start - *sel_start;
*port_start = tvb_find_guint8(tvb, *host_start, remain, '\t') + 1;
if (*port_start < *host_start + 1)
return FALSE;
return TRUE;
}
/*
* Unless the first boundary, subsequent boundaries include a line-end sequence
* before the dashed boundary string.
*
* Return the offset to the 1st byte of the boundary delimiter line.
* Set boundary_line_len to the length of the entire boundary delimiter.
* Set last_boundary to TRUE if we've seen the last-boundary delimiter.
*/
static gint
find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary)
{
gint offset = start, next_offset, line_len, boundary_start;
while (tvb_offset_exists(tvb, offset + 2 + boundary_len)) {
line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (line_len == -1) {
return -1;
}
boundary_start = offset + line_len;
if (((tvb_strneql(tvb, next_offset, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, next_offset + 2, boundary, boundary_len) == 0)))
{
/* Boundary string; now check if last */
if ((tvb_reported_length_remaining(tvb, next_offset + 2 + boundary_len + 2) >= 0)
&& (tvb_strneql(tvb, next_offset + 2 + boundary_len,
(const guint8 *)"--", 2) == 0)) {
*last_boundary = TRUE;
} else {
*last_boundary = FALSE;
}
/* Look for line end of the boundary line */
line_len = tvb_find_line_end(tvb, next_offset, -1, &offset, FALSE);
if (line_len == -1) {
*boundary_line_len = -1;
} else {
*boundary_line_len = offset - boundary_start;
}
return boundary_start;
/* check if last before CRLF; some ignore the standard, so there is no CRLF before the boundary */
} else if ((tvb_strneql(tvb, boundary_start - 2, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, boundary_start - (2 + boundary_len), boundary, boundary_len) == 0)
&& (tvb_strneql(tvb, boundary_start - (2 + boundary_len + 2),
(const guint8 *)"--", 2) == 0)) {
boundary_start -= 2 + boundary_len + 2;
*boundary_line_len = next_offset - boundary_start;
*last_boundary = TRUE;
return boundary_start;
}
offset = next_offset;
}
return -1;
}
static void
dissect_jabber(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gboolean is_request;
proto_tree *jabber_tree = NULL;
proto_item *ti, *hidden_item;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
tvbuff_t *xmltvb;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Jabber");
/*
* Find the end of the first line.
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*/
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
}
if (tree) {
ti = proto_tree_add_item(tree, proto_jabber, tvb, offset, -1,
FALSE);
jabber_tree = proto_item_add_subtree(ti, ett_jabber);
if (is_request) {
hidden_item = proto_tree_add_boolean(jabber_tree,
hf_jabber_request, tvb, 0, 0, TRUE);
} else {
hidden_item = proto_tree_add_boolean(jabber_tree,
hf_jabber_response, tvb, 0, 0, TRUE);
}
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
xmltvb = tvb_new_subset_remaining(tvb, offset);
call_dissector(xml_handle, xmltvb, pinfo, jabber_tree);
}
static void
dissect_irc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *irc_tree, *ti;
gint offset = 0;
gint next_offset;
int linelen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "IRC");
if (check_col(pinfo->cinfo, COL_INFO))
{
col_set_str(pinfo->cinfo, COL_INFO,
(pinfo->match_uint == pinfo->destport) ? "Request" : "Response");
}
if (tree)
{
ti = proto_tree_add_item(tree, proto_irc, tvb, 0, -1, ENC_NA);
irc_tree = proto_item_add_subtree(ti, ett_irc);
/*
* Process the packet data, a line at a time.
*/
while (tvb_reported_length_remaining(tvb, offset) > 0)
{
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (next_offset == offset) {
/*
* XXX - we really want the "show data a
* line at a time" loops in various
* dissectors to do reassembly and to
* throw an exception if there's no
* line ending in the current packet
* and we're not doing reassembly.
*/
break;
}
if (linelen != 0)
{
if (pinfo->match_uint == pinfo->destport)
{
dissect_irc_request(irc_tree, tvb, pinfo, offset, linelen);
}
else
{
dissect_irc_response(irc_tree, tvb, pinfo, offset, linelen);
}
}
offset = next_offset;
}
}
}
/* This code is modeled on the code in packet-sip.c
* ABNF code for the MSRP header:
* The following syntax specification uses the augmented Backus-Naur
* Form (BNF) as described in RFC-2234 [6].
*
*
* msrp-req-or-resp = msrp-request / msrp-response
* msrp-request = req-start headers [content-stuff] end-line
* msrp-response = resp-start headers end-line
*
* req-start = pMSRP SP transact-id SP method CRLF
* resp-start = pMSRP SP transact-id SP status-code [SP phrase] CRLF
* phrase = utf8text
*
* pMSRP = %x4D.53.52.50 ; MSRP in caps
* transact-id = ident
* method = mSEND / mREPORT / other-method
* mSEND = %x53.45.4e.44 ; SEND in caps
* mREPORT = %x52.45.50.4f.52.54; REPORT in caps
* other-method = 1*UPALPHA
* Examples:
* "MSRP 1234 SEND(CRLF)"
* "MSRP 1234 200 OK(CRLF)
*/
static gboolean
check_msrp_header(tvbuff_t *tvb)
{
gint offset = 0;
gint linelen;
gint space_offset;
gint next_offset = 0;
guint token_1_len;
gint token_2_start;
/*
* Note that "tvb_find_line_end()" will return a value that
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" calls below won't throw exceptions. *
*/
offset = 0;
if(tvb_length(tvb) < 4 || tvb_get_ntohl(tvb, 0) != 0x4d535250 /* MSRP */){
return FALSE;
}
linelen = tvb_find_line_end(tvb, 0, -1, &next_offset, FALSE);
/* Find the first SP */
space_offset = tvb_find_guint8(tvb, 0, -1, ' ');
if (space_offset <= 0) {
/*
* Either there's no space in the line (which means
* the line is empty or doesn't have a token followed
* by a space; neither is valid for a request or response), or
* the first character in the line is a space ( which isn't valid
* for a MSRP header.)
*/
return FALSE;
}
token_1_len = space_offset;
token_2_start = space_offset + 1;
space_offset = tvb_find_guint8(tvb, token_2_start, -1, ' ');
if (space_offset == -1) {
/*
* There's no space after the second token, so we don't
* have a third token.
*/
return FALSE;
}
/*
* Is the first token "MSRP"?
*/
if (token_1_len == MSRP_HDR_LEN) { /* && tvb_strneql(tvb, 0, MSRP_HDR, MSRP_HDR_LEN) == 0){ */
/* This check can be made more strict but accept we do have MSRP for now */
return TRUE;
}
return FALSE;
}
/* ---------------------------- */
static void
dissect_nasdaq_soup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_item *ti;
proto_tree *nasdaq_soup_tree = NULL;
guint8 nasdaq_soup_type;
int linelen;
gint next_offset;
int offset = 0;
gint col_info;
gint counter = 0;
col_info = check_col(pinfo->cinfo, COL_INFO);
while (tvb_offset_exists(tvb, offset)) {
/* there's only a \n no \r */
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, nasdaq_soup_desegment && pinfo->can_desegment);
if (linelen == -1) {
/*
* We didn't find a line ending, and we're doing desegmentation;
* tell the TCP dissector where the data for this message starts
* in the data it handed us, and tell it we need one more byte
* (we may need more, but we'll try again if what we get next
* isn't enough), and return.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
}
nasdaq_soup_type = tvb_get_guint8(tvb, offset);
if (counter == 0) {
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Nasdaq-SOUP");
if (col_info)
col_clear(pinfo->cinfo, COL_INFO);
}
if (col_info ) {
if (counter) {
col_append_str(pinfo->cinfo, COL_INFO, "; ");
col_set_fence(pinfo->cinfo, COL_INFO);
}
col_append_str(pinfo->cinfo, COL_INFO, val_to_str(nasdaq_soup_type, message_types_val, "Unknown packet type (0x%02x)"));
}
counter++;
if (tree) {
ti = proto_tree_add_item(tree, proto_nasdaq_soup, tvb, offset, linelen +1, ENC_NA);
nasdaq_soup_tree = proto_item_add_subtree(ti, ett_nasdaq_soup);
}
dissect_nasdaq_soup_packet(tvb, pinfo, tree, nasdaq_soup_tree, offset, linelen);
offset = next_offset;
}
}
/*
* Unless the first boundary, subsequent boundaries include a line-end sequence
* before the dashed boundary string.
*
* Return the offset to the 1st byte of the boundary delimiter line.
* Set boundary_line_len to the length of the entire boundary delimiter.
* Set last_boundary to TRUE if we've seen the last-boundary delimiter.
*/
static gint
find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary)
{
gint offset = start, next_offset, line_len, boundary_start;
while (tvb_length_remaining(tvb, offset + 2 + boundary_len) > 0) {
line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (line_len == -1) {
return -1;
}
boundary_start = offset + line_len;
if (((tvb_strneql(tvb, next_offset, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, next_offset + 2, boundary, boundary_len) == 0)))
{
/* Boundary string; now check if last */
if ((tvb_length_remaining(tvb, next_offset + 2 + boundary_len + 2) >= 0)
&& (tvb_strneql(tvb, next_offset + 2 + boundary_len,
(const guint8 *)"--", 2) == 0)) {
*last_boundary = TRUE;
} else {
*last_boundary = FALSE;
}
/* Look for line end of the boundary line */
line_len = tvb_find_line_end(tvb, next_offset, -1, &offset, FALSE);
if (line_len == -1) {
*boundary_line_len = -1;
} else {
*boundary_line_len = offset - boundary_start;
}
return boundary_start;
}
offset = next_offset;
}
return -1;
}
/*
* Display the entire message as raw text.
*/
static void
tvb_raw_text_add(tvbuff_t *tvb, proto_tree *tree)
{
int offset, next_offset, linelen;
offset = 0;
while (tvb_offset_exists(tvb, offset)) {
/* 'desegment' is FALSE so will set next_offset to beyond the end of
the buffer if no line ending is found */
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
linelen = next_offset - offset;
if(tree) {
proto_tree_add_text(tree, tvb, offset, linelen,
"%s", tvb_format_text(tvb, offset, linelen));
}
offset = next_offset;
}
}
/* ABNF of line-end:
* end-line = "-------" transact-id continuation-flag CRLF
* This code is modeled on the code in packet-multipart.c
*/
static int
find_end_line(tvbuff_t *tvb, gint start)
{
gint offset = start, next_offset, linelen;
while (tvb_length_remaining(tvb, offset) > 0) {
/* 'desegment' is FALSE so will set next_offset to beyond the end of
the buffer if no line ending is found */
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (linelen == -1) {
return -1;
}
if (tvb_strneql(tvb, next_offset, (const gchar *)"-------", 7) == 0)
return next_offset;
offset = next_offset;
}
return -1;
}
static void
dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
struct smtp_proto_data *spd_frame_data;
proto_tree *smtp_tree = NULL;
proto_tree *cmdresp_tree;
proto_item *ti, *hidden_item;
int offset = 0;
int request = 0;
conversation_t *conversation;
struct smtp_session_state *session_state;
const guchar *line, *linep, *lineend;
guint32 code;
int linelen = 0;
gint length_remaining;
gboolean eom_seen = FALSE;
gint next_offset;
gint loffset = 0;
int cmdlen;
fragment_data *frag_msg = NULL;
tvbuff_t *next_tvb;
/* As there is no guarantee that we will only see frames in the
* the SMTP conversation once, and that we will see them in
* order - in Wireshark, the user could randomly click on frames
* in the conversation in any order in which they choose - we
* have to store information with each frame indicating whether
* it contains commands or data or an EOM indication.
*
* XXX - what about frames that contain *both*? TCP is a
* byte-stream protocol, and there are no guarantees that
* TCP segment boundaries will correspond to SMTP commands
* or EOM indications.
*
* We only need that for the client->server stream; responses
* are easy to manage.
*
* If we have per frame data, use that, else, we must be on the first
* pass, so we figure it out on the first pass.
*/
/*
* Find or create the conversation for this.
*/
conversation = find_or_create_conversation(pinfo);
/*
* Is there a request structure attached to this conversation?
*/
session_state = conversation_get_proto_data(conversation, proto_smtp);
if (!session_state) {
/*
* No - create one and attach it.
*/
session_state = se_alloc(sizeof(struct smtp_session_state));
session_state->smtp_state = SMTP_STATE_READING_CMDS;
session_state->crlf_seen = FALSE;
session_state->data_seen = FALSE;
session_state->msg_read_len = 0;
session_state->msg_tot_len = 0;
session_state->msg_last = TRUE;
session_state->last_nontls_frame = 0;
conversation_add_proto_data(conversation, proto_smtp, session_state);
}
/* Are we doing TLS?
* FIXME In my understanding of RFC 2487 client and server can send SMTP cmds
* after a rejected TLS negotiation
*/
if (session_state->last_nontls_frame != 0 && pinfo->fd->num > session_state->last_nontls_frame) {
guint16 save_can_desegment;
guint32 save_last_nontls_frame;
/* This is TLS, not raw SMTP. TLS can desegment */
save_can_desegment = pinfo->can_desegment;
pinfo->can_desegment = pinfo->saved_can_desegment;
/* Make sure the SSL dissector will not be called again after decryption */
save_last_nontls_frame = session_state->last_nontls_frame;
session_state->last_nontls_frame = 0;
call_dissector(ssl_handle, tvb, pinfo, tree);
pinfo->can_desegment = save_can_desegment;
session_state->last_nontls_frame = save_last_nontls_frame;
return;
}
/* Is this a request or a response? */
request = pinfo->destport == pinfo->match_uint;
/*
* Is there any data attached to this frame?
*/
spd_frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
if (!spd_frame_data) {
/*
* No frame data.
*/
if(request) {
/*
* Create a frame data structure and attach it to the packet.
*/
spd_frame_data = se_alloc0(sizeof(struct smtp_proto_data));
spd_frame_data->conversation_id = conversation->index;
spd_frame_data->more_frags = TRUE;
p_add_proto_data(pinfo->fd, proto_smtp, spd_frame_data);
}
/*
* Get the first line from the buffer.
*
* Note that "tvb_find_line_end()" will, if it doesn't return
* -1, return a value that is not longer than what's in the buffer,
* and "tvb_find_line_end()" will always return a value that is not
* longer than what's in the buffer, so the "tvb_get_ptr()" call
* won't throw an exception.
*/
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
smtp_desegment && pinfo->can_desegment);
if (linelen == -1) {
if (offset == loffset) {
/*
* We didn't find a line ending, and we're doing desegmentation;
* tell the TCP dissector where the data for this message starts
* in the data it handed us, and tell it we need more bytes
*/
pinfo->desegment_offset = loffset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
} else {
linelen = tvb_length_remaining(tvb, loffset);
next_offset = loffset + linelen;
}
}
line = tvb_get_ptr(tvb, loffset, linelen);
/*
* Check whether or not this packet is an end of message packet
* We should look for CRLF.CRLF and they may be split.
* We have to keep in mind that we may see what we want on
* two passes through here ...
*/
if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
/*
* The order of these is important ... We want to avoid
* cases where there is a CRLF at the end of a packet and a
* .CRLF at the begining of the same packet.
*/
if ((session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0)
eom_seen = TRUE;
length_remaining = tvb_length_remaining(tvb, loffset);
if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0)
session_state->crlf_seen = TRUE;
else
session_state->crlf_seen = FALSE;
}
/*
* OK, Check if we have seen a DATA request. We do it here for
* simplicity, but we have to be careful below.
*/
if (request) {
if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
/*
* This is message data.
*/
if (eom_seen) { /* Seen the EOM */
/*
* EOM.
* Everything that comes after it is commands.
*/
spd_frame_data->pdu_type = SMTP_PDU_EOM;
session_state->smtp_state = SMTP_STATE_READING_CMDS;
break;
} else {
/*
* Message data with no EOM.
*/
spd_frame_data->pdu_type = SMTP_PDU_MESSAGE;
if (session_state->msg_tot_len > 0) {
/*
* We are handling a BDAT message.
* Check if we have reached end of the data chunk.
*/
session_state->msg_read_len += tvb_length_remaining(tvb, loffset);
if (session_state->msg_read_len == session_state->msg_tot_len) {
/*
* We have reached end of BDAT data chunk.
* Everything that comes after this is commands.
*/
session_state->smtp_state = SMTP_STATE_READING_CMDS;
if (session_state->msg_last) {
/*
* We have found the LAST data chunk.
* The message can now be reassembled.
*/
spd_frame_data->more_frags = FALSE;
}
break; /* no need to go through the remaining lines */
}
}
}
} else {
/*
* This is commands - unless the capture started in the
* middle of a session, and we're in the middle of data.
*
* Commands are not necessarily 4 characters; look
* for a space or the end of the line to see where
* the putative command ends.
*/
linep = line;
lineend = line + linelen;
while (linep < lineend && *linep != ' ')
linep++;
cmdlen = (int)(linep - line);
if (line_is_smtp_command(line, cmdlen)) {
if (g_ascii_strncasecmp(line, "DATA", 4) == 0) {
/*
* DATA command.
* This is a command, but everything that comes after it,
* until an EOM, is data.
*/
spd_frame_data->pdu_type = SMTP_PDU_CMD;
session_state->smtp_state = SMTP_STATE_READING_DATA;
session_state->data_seen = TRUE;
} else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) {
/*
* BDAT command.
* This is a command, but everything that comes after it,
* until given length is received, is data.
*/
guint32 msg_len;
msg_len = strtoul (line+5, NULL, 10);
spd_frame_data->pdu_type = SMTP_PDU_CMD;
session_state->data_seen = TRUE;
session_state->msg_tot_len += msg_len;
if (msg_len == 0) {
/* No data to read, next will be a command */
session_state->smtp_state = SMTP_STATE_READING_CMDS;
} else {
session_state->smtp_state = SMTP_STATE_READING_DATA;
}
if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) {
/*
* This is the last data chunk.
*/
session_state->msg_last = TRUE;
if (msg_len == 0) {
/*
* No more data to expect.
* The message can now be reassembled.
*/
spd_frame_data->more_frags = FALSE;
}
} else {
session_state->msg_last = FALSE;
}
} else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) {
/*
* STARTTLS command.
* This is a command, but if the response is 220,
* everything after the response is TLS.
*/
session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE;
spd_frame_data->pdu_type = SMTP_PDU_CMD;
} else {
/*
* Regular command.
*/
spd_frame_data->pdu_type = SMTP_PDU_CMD;
}
} else {
/*
* Assume it's message data.
*/
spd_frame_data->pdu_type = session_state->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
}
}
}
/*
* Step past this line.
*/
loffset = next_offset;
}
}
/*
* From here, we simply add items to the tree and info to the info
* fields ...
*/
col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */
col_clear(pinfo->cinfo, COL_INFO);
/*
* If it is a request, we have to look things up, otherwise, just
* display the right things
*/
if (request) {
/* We must have frame_data here ... */
switch (spd_frame_data->pdu_type) {
case SMTP_PDU_MESSAGE:
length_remaining = tvb_length_remaining(tvb, offset);
col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
plurality (length_remaining, "", "s"));
break;
case SMTP_PDU_EOM:
col_set_str(pinfo->cinfo, COL_INFO, "C: .");
break;
case SMTP_PDU_CMD:
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, loffset, linelen);
if(loffset == offset)
col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
format_text(line, linelen));
else {
col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
format_text(line, linelen));
}
loffset = next_offset;
}
break;
}
} else {
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, loffset, linelen);
if (loffset == offset)
col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
format_text(line, linelen));
else {
col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
format_text(line, linelen));
}
loffset = next_offset;
}
}
}
if (tree) { /* Build the tree info ... */
ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA);
smtp_tree = proto_item_add_subtree(ti, ett_smtp);
}
if (request) {
/*
* Check out whether or not we can see a command in there ...
* What we are looking for is not data_seen and the word DATA
* and not eom_seen.
*
* We will see DATA and session_state->data_seen when we process the
* tree view after we have seen a DATA packet when processing
* the packet list pane.
*
* On the first pass, we will not have any info on the packets
* On second and subsequent passes, we will.
*/
switch (spd_frame_data->pdu_type) {
case SMTP_PDU_MESSAGE:
if (smtp_data_desegment) {
frag_msg = fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id,
smtp_data_segment_table, smtp_data_reassembled_table,
tvb_length(tvb), spd_frame_data->more_frags);
} else {
/*
* Message body.
* Put its lines into the protocol tree, a line at a time.
*/
dissect_smtp_data(tvb, offset, smtp_tree);
}
break;
case SMTP_PDU_EOM:
/*
* End-of-message-body indicator.
*
* XXX - what about stuff after the first line?
* Unlikely, as the client should wait for a response to the
* DATA command this terminates before sending another
* request, but we should probably handle it.
*/
proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
if (smtp_data_desegment) {
/* add final data segment */
if (loffset)
fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id,
smtp_data_segment_table, smtp_data_reassembled_table,
loffset, spd_frame_data->more_frags);
/* terminate the desegmentation */
frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table,
smtp_data_reassembled_table);
}
break;
case SMTP_PDU_CMD:
/*
* Command.
*
* XXX - what about stuff after the first line?
* Unlikely, as the client should wait for a response to the
* previous command before sending another request, but we
* should probably handle it.
*/
loffset = offset;
while (tvb_offset_exists(tvb, loffset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
if (linelen >= 4)
cmdlen = 4;
else
cmdlen = linelen;
hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb,
0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
/*
* Put the command line into the protocol tree.
*/
ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
loffset, next_offset - loffset, ENC_ASCII|ENC_NA);
cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
loffset, cmdlen, ENC_ASCII|ENC_NA);
if (linelen > 5) {
proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
}
if (smtp_data_desegment && !spd_frame_data->more_frags) {
/* terminate the desegmentation */
frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table,
smtp_data_reassembled_table);
}
/*
* Step past this line.
*/
loffset = next_offset;
}
}
if (smtp_data_desegment) {
next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP",
frag_msg, &smtp_data_frag_items, NULL, smtp_tree);
if (next_tvb) {
/* XXX: this is presumptious - we may have negotiated something else */
if (imf_handle) {
call_dissector(imf_handle, next_tvb, pinfo, tree);
} else {
/*
* Message body.
* Put its lines into the protocol tree, a line at a time.
*/
dissect_smtp_data(tvb, offset, smtp_tree);
}
pinfo->fragmented = FALSE;
} else {
pinfo->fragmented = TRUE;
}
}
} else {
/*
* Process the response, a line at a time, until we hit a line
* that doesn't have a continuation indication on it.
*/
if (tree) {
hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb,
0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (tree) {
/*
* Put it into the protocol tree.
*/
ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb,
offset, next_offset - offset, ENC_ASCII|ENC_NA);
cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
} else
cmdresp_tree = NULL;
line = tvb_get_ptr(tvb, offset, linelen);
if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
&& isdigit(line[2])) {
/*
* We have a 3-digit response code.
*/
code = (line[0] - '0')*100 + (line[1] - '0')*10 + (line[2] - '0');
/*
* If we're awaiting the response to a STARTTLS code, this
* is it - if it's 220, all subsequent traffic will
* be TLS, otherwise we're back to boring old SMTP.
*/
if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) {
if (code == 220) {
/* This is the last non-TLS frame. */
session_state->last_nontls_frame = pinfo->fd->num;
}
session_state->smtp_state = SMTP_STATE_READING_CMDS;
}
if (tree) {
/*
* Put the response code and parameters into the protocol tree.
*/
proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3,
code);
if (linelen >= 4) {
proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
offset + 4, linelen - 4, ENC_ASCII|ENC_NA);
}
}
}
/*
* Step past this line.
*/
offset = next_offset;
}
}
}
static void
dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
struct pop_proto_data *frame_data_p;
gboolean is_request;
gboolean is_continuation;
proto_tree *pop_tree, *reqresp_tree;
proto_item *ti;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
int tokenlen;
const guchar *next_token;
fragment_data *frag_msg = NULL;
tvbuff_t *next_tvb = NULL;
conversation_t *conversation = NULL;
struct pop_data_val *data_val = NULL;
gint length_remaining;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "POP");
/*
* Find the end of the first line.
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
if (pinfo->match_port == pinfo->destport) {
is_request = TRUE;
is_continuation = FALSE;
} else {
is_request = FALSE;
is_continuation = response_is_continuation(line);
}
frame_data_p = p_get_proto_data(pinfo->fd, proto_pop);
if (!frame_data_p) {
conversation = find_conversation(pinfo->fd->num,
&pinfo->src, &pinfo->dst,
pinfo->ptype,
pinfo->srcport, pinfo->destport, 0);
if (conversation == NULL) { /* No conversation, create one */
conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
pinfo->ptype, pinfo->srcport,
pinfo->destport, 0);
}
data_val = conversation_get_proto_data(conversation, proto_pop);
if (!data_val) {
/*
* No - create one and attach it.
*/
data_val = se_alloc0(sizeof(struct pop_data_val));
conversation_add_proto_data(conversation, proto_pop, data_val);
}
}
if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary
* if it's a POP request or reply (but leave out the
* line terminator).
* Otherwise, just call it a continuation.
*/
if (is_continuation) {
length_remaining = tvb_length_remaining(tvb, offset);
col_add_fstr(pinfo->cinfo, COL_INFO, "S: DATA fragment, %d byte%s",
length_remaining, plurality (length_remaining, "", "s"));
}
else
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "C" : "S",
format_text(line, linelen));
}
ti = proto_tree_add_item(tree, proto_pop, tvb, offset, -1, FALSE);
pop_tree = proto_item_add_subtree(ti, ett_pop);
if (is_continuation) {
if (pop_data_desegment) {
if (!frame_data_p) {
data_val->msg_read_len += tvb_length(tvb);
frame_data_p = se_alloc(sizeof(struct pop_proto_data));
frame_data_p->conversation_id = conversation->index;
frame_data_p->more_frags = data_val->msg_read_len < data_val->msg_tot_len;
p_add_proto_data(pinfo->fd, proto_pop, frame_data_p);
}
frag_msg = fragment_add_seq_next(tvb, 0, pinfo,
frame_data_p->conversation_id,
pop_data_segment_table,
pop_data_reassembled_table,
tvb_length(tvb),
frame_data_p->more_frags);
next_tvb = process_reassembled_data(tvb, offset, pinfo,
"Reassembled DATA",
frag_msg, &pop_data_frag_items,
NULL, pop_tree);
if (next_tvb) {
if (imf_handle)
call_dissector(imf_handle, next_tvb, pinfo, tree);
if (data_val) {
/* we have read everything - reset */
data_val->msg_read_len = 0;
data_val->msg_tot_len = 0;
}
pinfo->fragmented = FALSE;
} else {
pinfo->fragmented = TRUE;
}
} else {
/*
* Put the whole packet into the tree as data.
*/
call_dissector(data_handle,tvb, pinfo, pop_tree);
}
return;
}
/*
* Put the line into the protocol tree.
*/
ti = proto_tree_add_string_format(pop_tree,
(is_request) ?
hf_pop_request :
hf_pop_response,
tvb, offset,
next_offset - offset,
"", "%s",
tvb_format_text(tvb, offset, next_offset - offset));
reqresp_tree = proto_item_add_subtree(ti, ett_pop_reqresp);
/*
* Extract the first token, and, if there is a first
* token, add it as the request or reply code.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree,
(is_request) ?
hf_pop_request_command :
hf_pop_response_indicator,
tvb, offset, tokenlen, FALSE);
if (data_val) {
if (is_request) {
/* see if this is RETR or TOP command */
if (g_ascii_strncasecmp(line, "RETR", 4) == 0 ||
g_ascii_strncasecmp(line, "TOP", 3) == 0)
/* the next response will tell us how many bytes */
data_val->msg_request = TRUE;
} else {
if (data_val->msg_request) {
/* this is a response to a RETR or TOP command */
if (g_ascii_strncasecmp(line, "+OK ", 4) == 0) {
/* the message will be sent - work out how many bytes */
data_val->msg_read_len = 0;
data_val->msg_tot_len = atoi(line + 4);
}
data_val->msg_request = FALSE;
}
}
}
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
}
if (tree) {
/*
* Add the rest of the first line as request or
* reply param/description.
*/
if (linelen != 0) {
proto_tree_add_item(reqresp_tree,
(is_request) ?
hf_pop_request_parameter :
hf_pop_response_description,
tvb, offset, linelen, FALSE);
}
offset = next_offset;
/*
* Show the rest of the request or response as text,
* a line at a time.
*/
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/*
* Put this line.
*/
proto_tree_add_string_format(pop_tree,
(is_request) ?
hf_pop_request_data :
hf_pop_response_data,
tvb, offset,
next_offset - offset,
"", "%s",
tvb_format_text(tvb, offset, next_offset - offset));
offset = next_offset;
}
}
}
static void
dissect_icap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *icap_tree = NULL;
proto_item *ti = NULL;
proto_item *hidden_item;
gint offset = 0;
const guchar *line;
gint next_offset;
const guchar *linep, *lineend;
int linelen;
guchar c;
icap_type_t icap_type;
int datalen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICAP");
/*
* Put the first line from the buffer into the summary
* if it's an ICAP header (but leave out the
* line terminator).
* Otherwise, just call it a continuation.
*
* Note that "tvb_find_line_end()" will return a value that
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
icap_type = ICAP_OTHER; /* type not known yet */
if (is_icap_message(line, linelen, &icap_type))
col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, linelen));
else
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
if (tree) {
ti = proto_tree_add_item(tree, proto_icap, tvb, offset, -1,
ENC_NA);
icap_tree = proto_item_add_subtree(ti, ett_icap);
}
/*
* Process the packet data, a line at a time.
*/
icap_type = ICAP_OTHER; /* type not known yet */
while (tvb_offset_exists(tvb, offset)) {
gboolean is_icap = FALSE;
gboolean loop_done = FALSE;
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
FALSE);
/*
* Get a buffer that refers to the line.
*/
line = tvb_get_ptr(tvb, offset, linelen);
lineend = line + linelen;
/*
* find header format
*/
if (is_icap_message(line, linelen, &icap_type)) {
goto is_icap_header;
}
/*
* if it looks like a blank line, end of header perhaps?
*/
if (linelen == 0) {
goto is_icap_header;
}
/*
* No. Does it look like a header?
*/
linep = line;
loop_done = FALSE;
while (linep < lineend && (!loop_done)) {
c = *linep++;
/*
* This must be a CHAR to be part of a token; that
* means it must be ASCII.
*/
if (!isascii(c)) {
is_icap = FALSE;
break; /* not ASCII, thus not a CHAR */
}
/*
* This mustn't be a CTL to be part of a token.
*
* XXX - what about leading LWS on continuation
* lines of a header?
*/
if (iscntrl(c)) {
is_icap = FALSE;
break; /* CTL, not part of a header */
}
switch (c) {
case '(':
case ')':
case '<':
case '>':
case '@':
case ',':
case ';':
case '\\':
case '"':
case '/':
case '[':
case ']':
case '?':
case '=':
case '{':
case '}':
/*
* It's a separator, so it's not part of a
* token, so it's not a field name for the
* beginning of a header.
*
* (We don't have to check for HT; that's
* already been ruled out by "iscntrl()".)
*
* XXX - what about ' '? HTTP's checks
* check for that.
*/
is_icap = FALSE;
loop_done = TRUE;
break;
case ':':
/*
* This ends the token; we consider this
* to be a header.
*/
goto is_icap_header;
}
}
/*
* We don't consider this part of an ICAP message,
* so we don't display it.
* (Yeah, that means we don't display, say, a text/icap
* page, but you can get that from the data pane.)
*/
if (!is_icap)
break;
is_icap_header:
if (tree) {
proto_tree_add_text(icap_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset,
next_offset - offset)
);
}
offset = next_offset;
}
if (tree) {
switch (icap_type) {
case ICAP_OPTIONS:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_options, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_REQMOD:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_reqmod, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_RESPMOD:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_respmod, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_RESPONSE:
hidden_item = proto_tree_add_boolean(icap_tree,
hf_icap_response, tvb, 0, 0, 1);
PROTO_ITEM_SET_HIDDEN(hidden_item);
break;
case ICAP_OTHER:
default:
break;
}
}
datalen = tvb_length_remaining(tvb, offset);
if (datalen > 0) {
call_dissector(data_handle,
tvb_new_subset_remaining(tvb, offset), pinfo, icap_tree);
}
}
/* Transfers happen in response to broadcasts, they are always TCP and are
* used to send the file to the port mentioned in the broadcast. There are
* 2 types of transfers: Pushes, which are direct responses to searches,
* in which the peer that has the file connects to the peer that doesn't and
* sends it, then disconnects. The other type of transfer is a pull, where
* the peer that doesn't have the file connects to the peer that does and
* requests it be sent.
*
* Pulls have a file request which identifies the desired file,
* while pushes simply send the file. In practice this works because every
* file the implementation sends searches for is on a different TCP port
* on the searcher's machine. */
static int
dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
{
conversation_t *transfer_conv;
ldss_transfer_info_t *transfer_info;
struct tcpinfo *transfer_tcpinfo;
proto_tree *ti, *line_tree = NULL, *ldss_tree = NULL;
nstime_t broadcast_response_time;
/* Reject the packet if data is NULL */
if (data == NULL)
return 0;
transfer_tcpinfo = (struct tcpinfo *)data;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "LDSS");
/* Look for the transfer conversation; this was created during
* earlier broadcast dissection (see prepare_ldss_transfer_conv) */
transfer_conv = find_conversation (pinfo->num, &pinfo->src, &pinfo->dst,
PT_TCP, pinfo->srcport, pinfo->destport, 0);
transfer_info = (ldss_transfer_info_t *)conversation_get_proto_data(transfer_conv, proto_ldss);
/* For a pull, the first packet in the TCP connection is the file request.
* First packet is identified by relative seq/ack numbers of 1.
* File request only appears on a pull (triggered by an offer - see above
* about broadcasts) */
if (transfer_tcpinfo->seq == 1 &&
transfer_tcpinfo->lastackseq == 1 &&
transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND) {
/* LDSS pull transfers look a lot like HTTP.
* Sample request:
* md5:01234567890123...
* Size: 2550
* Start: 0
* Compression: 0
* (remote end sends the file identified by the digest) */
guint offset = 0;
gboolean already_dissected = TRUE;
col_set_str(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Requesting file - pull)");
if (highest_num_seen == 0 ||
highest_num_seen < pinfo->num) {
already_dissected = FALSE;
transfer_info->req = wmem_new0(wmem_file_scope(), ldss_file_request_t);
transfer_info->req->file = wmem_new0(wmem_file_scope(), ldss_file_t);
highest_num_seen = pinfo->num;
}
if (tree) {
ti = proto_tree_add_item(tree, proto_ldss,
tvb, 0, tvb_reported_length(tvb), ENC_NA);
ldss_tree = proto_item_add_subtree(ti, ett_ldss_transfer);
}
/* Populate digest data into the file struct in the request */
transfer_info->file = transfer_info->req->file;
/* Grab each line from the packet, there should be 4 but lets
* not walk off the end looking for more. */
while (tvb_offset_exists(tvb, offset)) {
gint next_offset;
const guint8 *line;
int linelen;
gboolean is_digest_line;
guint digest_type_len;
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/* Include new-line in line */
line = (guint8 *)tvb_memdup(NULL, tvb, offset, linelen+1); /* XXX - memory leak? */
line_tree = proto_tree_add_subtree(ldss_tree, tvb, offset, linelen,
ett_ldss_transfer_req, NULL,
tvb_format_text(tvb, offset, next_offset-offset));
/* Reduce code duplication processing digest lines.
* There are too many locals to pass to a function - the signature
* looked pretty ugly when I tried! */
is_digest_line = FALSE;
if (strncmp(line,"md5:",4)==0) {
is_digest_line = TRUE;
digest_type_len = 4;
transfer_info->file->digest_type = DIGEST_TYPE_MD5;
}
else if (strncmp(line, "sha1:", 5)==0) {
is_digest_line = TRUE;
digest_type_len = 5;
transfer_info->file->digest_type = DIGEST_TYPE_SHA1;
}
else if (strncmp(line, "sha256:", 7)==0) {
is_digest_line = TRUE;
digest_type_len = 7;
transfer_info->file->digest_type = DIGEST_TYPE_SHA256;
}
else if (strncmp(line, "unknown:", 8)==0) {
is_digest_line = TRUE;
digest_type_len = 8;
transfer_info->file->digest_type = DIGEST_TYPE_UNKNOWN;
}
else if (strncmp(line, "Size: ", 6)==0) {
/* Sample size line:
* Size: 2550\n */
transfer_info->req->size = g_ascii_strtoull(line+6, NULL, 10);
if (tree) {
ti = proto_tree_add_uint64(line_tree, hf_ldss_size,
tvb, offset+6, linelen-6, transfer_info->req->size);
PROTO_ITEM_SET_GENERATED(ti);
}
}
else if (strncmp(line, "Start: ", 7)==0) {
/* Sample offset line:
* Start: 0\n */
transfer_info->req->offset = g_ascii_strtoull(line+7, NULL, 10);
if (tree) {
ti = proto_tree_add_uint64(line_tree, hf_ldss_offset,
tvb, offset+7, linelen-7, transfer_info->req->offset);
PROTO_ITEM_SET_GENERATED(ti);
}
}
else if (strncmp(line, "Compression: ", 13)==0) {
/* Sample compression line:
* Compression: 0\n */
transfer_info->req->compression = (gint8)strtol(line+13, NULL, 10); /* XXX - bad cast */
if (tree) {
ti = proto_tree_add_uint(line_tree, hf_ldss_compression,
tvb, offset+13, linelen-13, transfer_info->req->compression);
PROTO_ITEM_SET_GENERATED(ti);
}
}
else {
proto_tree_add_expert(line_tree, pinfo, &ei_ldss_unrecognized_line, tvb, offset, linelen);
}
if (is_digest_line) {
/* Sample digest-type/digest line:
* md5:0123456789ABCDEF\n */
if (!already_dissected) {
GByteArray *digest_bytes;
digest_bytes = g_byte_array_new();
hex_str_to_bytes(
tvb_get_ptr(tvb, offset+digest_type_len, linelen-digest_type_len),
digest_bytes, FALSE);
if(digest_bytes->len >= DIGEST_LEN)
digest_bytes->len = (DIGEST_LEN-1);
/* Ensure the digest is zero-padded */
transfer_info->file->digest = (guint8 *)wmem_alloc0(wmem_file_scope(), DIGEST_LEN);
memcpy(transfer_info->file->digest, digest_bytes->data, digest_bytes->len);
g_byte_array_free(digest_bytes, TRUE);
}
if (tree) {
proto_item *tii = NULL;
tii = proto_tree_add_uint(line_tree, hf_ldss_digest_type,
tvb, offset, digest_type_len, transfer_info->file->digest_type);
PROTO_ITEM_SET_GENERATED(tii);
tii = proto_tree_add_bytes(line_tree, hf_ldss_digest,
tvb, offset+digest_type_len, MIN(linelen-digest_type_len, DIGEST_LEN),
transfer_info->file->digest);
PROTO_ITEM_SET_GENERATED(tii);
}
}
offset = next_offset;
}
/* Link forwards to the response for this pull. */
if (tree && transfer_info->resp_num != 0) {
ti = proto_tree_add_uint(ldss_tree, hf_ldss_response_in,
tvb, 0, 0, transfer_info->resp_num);
PROTO_ITEM_SET_GENERATED(ti);
}
transfer_info->req->num = pinfo->num;
transfer_info->req->ts = pinfo->abs_ts;
}
/* Remaining packets are the file response */
else {
guint64 size;
guint64 offset;
guint8 compression;
/* size, digest, compression come from the file request for a pull but
* they come from the broadcast for a push. Pushes don't bother
* with a file request - they just send the data. We have to get file
* info from the offer broadcast which triggered this transfer.
* If we cannot find the file request, default to the broadcast. */
if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND &&
transfer_info->req != NULL) {
transfer_info->file = transfer_info->req->file;
size = transfer_info->req->size;
offset = transfer_info->req->offset;
compression = transfer_info->req->compression;
}
else {
transfer_info->file = transfer_info->broadcast->file;
size = transfer_info->broadcast->size;
offset = transfer_info->broadcast->offset;
compression = transfer_info->broadcast->compression;
}
/* Remaining data in this TCP connection is all file data.
* Always desegment if the size is 0 (ie. unknown)
*/
if (pinfo->can_desegment) {
if (size == 0 || tvb_captured_length(tvb) < size) {
pinfo->desegment_offset = 0;
pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
return 0;
}
}
/* OK. Now we have the whole file that was transferred. */
transfer_info->resp_num = pinfo->num;
transfer_info->resp_ts = pinfo->abs_ts;
col_add_fstr(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Sending file - %s)",
transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND
? "pull"
: "push");
if (tree) {
ti = proto_tree_add_item(tree, proto_ldss,
tvb, 0, tvb_reported_length(tvb), ENC_NA);
ldss_tree = proto_item_add_subtree(ti, ett_ldss_transfer);
proto_tree_add_bytes_format(ldss_tree, hf_ldss_file_data,
tvb, 0, tvb_captured_length(tvb), NULL,
compression == COMPRESSION_GZIP
? "Gzip compressed data: %d bytes"
: "File data: %d bytes",
tvb_captured_length(tvb));
#ifdef HAVE_ZLIB
/* Be nice and uncompress the file data. */
if (compression == COMPRESSION_GZIP) {
tvbuff_t *uncomp_tvb;
uncomp_tvb = tvb_child_uncompress(tvb, tvb, 0, tvb_captured_length(tvb));
if (uncomp_tvb != NULL) {
/* XXX: Maybe not a good idea to add a data_source for
what may very well be a large buffer since then
the full uncompressed buffer will be shown in a tab
in the hex bytes pane ?
However, if we don't, bytes in an unrelated tab will
be highlighted.
*/
add_new_data_source(pinfo, uncomp_tvb, "Uncompressed Data");
proto_tree_add_bytes_format_value(ldss_tree, hf_ldss_file_data,
uncomp_tvb, 0, tvb_captured_length(uncomp_tvb),
NULL, "Uncompressed data: %d bytes",
tvb_captured_length(uncomp_tvb));
}
}
#endif
ti = proto_tree_add_uint(ldss_tree, hf_ldss_digest_type,
tvb, 0, 0, transfer_info->file->digest_type);
PROTO_ITEM_SET_GENERATED(ti);
if (transfer_info->file->digest != NULL) {
/* This is ugly. You can't add bytes of nonzero length and have
* filtering work correctly unless you give a valid location in
* the packet. This hack pretends the first 32 bytes of the packet
* are the digest, which they aren't: they're actually the first 32
* bytes of the file that was sent. */
ti = proto_tree_add_bytes(ldss_tree, hf_ldss_digest,
tvb, 0, DIGEST_LEN, transfer_info->file->digest);
}
PROTO_ITEM_SET_GENERATED(ti);
ti = proto_tree_add_uint64(ldss_tree, hf_ldss_size,
tvb, 0, 0, size);
PROTO_ITEM_SET_GENERATED(ti);
ti = proto_tree_add_uint64(ldss_tree, hf_ldss_offset,
tvb, 0, 0, offset);
PROTO_ITEM_SET_GENERATED(ti);
ti = proto_tree_add_uint(ldss_tree, hf_ldss_compression,
tvb, 0, 0, compression);
PROTO_ITEM_SET_GENERATED(ti);
/* Link to the request for a pull. */
if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND &&
transfer_info->req != NULL &&
transfer_info->req->num != 0) {
ti = proto_tree_add_uint(ldss_tree, hf_ldss_response_to,
tvb, 0, 0, transfer_info->req->num);
PROTO_ITEM_SET_GENERATED(ti);
}
}
}
/* Print the pull response time */
if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND &&
transfer_info->req != NULL &&
transfer_info->resp_num != 0) {
nstime_t pull_response_time;
nstime_delta(&pull_response_time, &transfer_info->resp_ts,
&transfer_info->req->ts);
ti = proto_tree_add_time(ldss_tree, hf_ldss_transfer_response_time,
tvb, 0, 0, &pull_response_time);
PROTO_ITEM_SET_GENERATED(ti);
}
/* Link the transfer back to the initiating broadcast. Response time is
* calculated as the time from broadcast to completed transfer. */
ti = proto_tree_add_uint(ldss_tree, hf_ldss_initiated_by,
tvb, 0, 0, transfer_info->broadcast->num);
PROTO_ITEM_SET_GENERATED(ti);
if (transfer_info->resp_num != 0) {
nstime_delta(&broadcast_response_time, &transfer_info->resp_ts,
&transfer_info->broadcast->ts);
ti = proto_tree_add_time(ldss_tree, hf_ldss_transfer_completed_in,
tvb, 0, 0, &broadcast_response_time);
PROTO_ITEM_SET_GENERATED(ti);
}
/* This conv got its addr2/port2 set by the TCP dissector because a TCP
* connection was established. Make a new one to handle future connections
* to the addr/port mentioned in the broadcast, because that socket is
* still open. */
if (transfer_tcpinfo->seq == 1 &&
transfer_tcpinfo->lastackseq == 1) {
prepare_ldss_transfer_conv(transfer_info->broadcast);
}
return tvb_captured_length(tvb);
}
static void
dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gboolean is_request;
proto_tree *ftp_tree = NULL;
proto_tree *reqresp_tree = NULL;
proto_item *ti, *hidden_item;
gint offset = 0;
const guchar *line;
guint32 code;
gchar code_str[4];
gboolean is_port_request = FALSE;
gboolean is_pasv_response = FALSE;
gboolean is_epasv_response = FALSE;
gint next_offset;
int linelen;
int tokenlen;
const guchar *next_token;
guint32 pasv_ip;
guint32 ftp_ip;
guint16 ftp_port;
address ftp_ip_address;
gboolean ftp_nat;
conversation_t *conversation;
ftp_ip_address = pinfo->src;
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP");
/*
* Find the end of the first line.
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*/
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
if (tree) {
ti = proto_tree_add_item(tree, proto_ftp, tvb, offset, -1, ENC_NA);
ftp_tree = proto_item_add_subtree(ti, ett_ftp);
if (is_request) {
hidden_item = proto_tree_add_boolean(ftp_tree,
hf_ftp_request, tvb, 0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
hidden_item = proto_tree_add_boolean(ftp_tree,
hf_ftp_response, tvb, 0, 0, FALSE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
} else {
hidden_item = proto_tree_add_boolean(ftp_tree,
hf_ftp_request, tvb, 0, 0, FALSE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
hidden_item = proto_tree_add_boolean(ftp_tree,
hf_ftp_response, tvb, 0, 0, TRUE);
PROTO_ITEM_SET_HIDDEN(hidden_item);
}
/*
* Put the line into the protocol tree.
*/
ti = proto_tree_add_text(ftp_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
reqresp_tree = proto_item_add_subtree(ti, ett_ftp_reqresp);
}
if (is_request) {
/*
* Extract the first token, and, if there is a first
* token, add it as the request.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
if (tree) {
proto_tree_add_item(reqresp_tree,
hf_ftp_request_command, tvb, offset,
tokenlen, ENC_ASCII|ENC_NA);
}
if (strncmp(line, "PORT", tokenlen) == 0)
is_port_request = TRUE;
}
} else {
/*
* This is a response; the response code is 3 digits,
* followed by a space or hyphen, possibly followed by
* text.
*
* If the line doesn't start with 3 digits, it's part of
* a continuation.
*
* XXX - keep track of state in the first pass, and
* treat non-continuation lines not beginning with digits
* as errors?
*/
if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
&& isdigit(line[2])) {
/*
* One-line reply, or first or last line
* of a multi-line reply.
*/
tvb_get_nstringz0(tvb, offset, sizeof(code_str), code_str);
code = strtoul(code_str, NULL, 10);
if (tree) {
proto_tree_add_uint(reqresp_tree,
hf_ftp_response_code, tvb, offset, 3, code);
}
/*
* See if it's a passive-mode response.
*
* XXX - does anybody do FOOBAR, as per RFC
* 1639, or has that been supplanted by RFC 2428?
*/
if (code == 227)
is_pasv_response = TRUE;
/*
* Responses to EPSV command, as per RFC 2428
* XXX - handle IPv6?
*/
if (code == 229)
is_epasv_response = TRUE;
/*
* Skip the 3 digits and, if present, the
* space or hyphen.
*/
if (linelen >= 4)
next_token = line + 4;
else
next_token = line + linelen;
} else {
/*
* Line doesn't start with 3 digits; assume it's
* a line in the middle of a multi-line reply.
*/
next_token = line;
}
}
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
if (tree) {
/*
* Add the rest of the first line as request or
* reply data.
*/
if (linelen != 0) {
if (is_request) {
proto_tree_add_item(reqresp_tree,
hf_ftp_request_arg, tvb, offset,
linelen, ENC_ASCII|ENC_NA);
} else {
proto_tree_add_item(reqresp_tree,
hf_ftp_response_arg, tvb, offset,
linelen, ENC_ASCII|ENC_NA);
}
}
offset = next_offset;
}
/*
* If this is a PORT request or a PASV response, handle it.
*/
if (is_port_request) {
if (parse_port_pasv(line, linelen, &ftp_ip, &ftp_port)) {
if (tree) {
proto_tree_add_ipv4(reqresp_tree,
hf_ftp_active_ip, tvb, 0, 0,
ftp_ip);
proto_tree_add_uint(reqresp_tree,
hf_ftp_active_port, tvb, 0, 0,
ftp_port);
}
SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4, (const guint8 *)&ftp_ip);
ftp_nat = !ADDRESSES_EQUAL(&pinfo->src, &ftp_ip_address);
if (ftp_nat) {
if (tree) {
proto_tree_add_boolean(
reqresp_tree,
hf_ftp_active_nat, tvb,
0, 0, ftp_nat);
}
}
}
}
if (is_pasv_response) {
if (linelen != 0) {
/*
* This frame contains a PASV response; set up a
* conversation for the data.
*/
if (parse_port_pasv(line, linelen, &pasv_ip, &ftp_port)) {
if (tree) {
proto_tree_add_ipv4(reqresp_tree,
hf_ftp_pasv_ip, tvb, 0, 0, pasv_ip);
proto_tree_add_uint(reqresp_tree,
hf_ftp_pasv_port, tvb, 0, 0,
ftp_port);
}
SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4,
(const guint8 *)&pasv_ip);
ftp_nat = !ADDRESSES_EQUAL(&pinfo->src, &ftp_ip_address);
if (ftp_nat) {
if (tree) {
proto_tree_add_boolean(reqresp_tree,
hf_ftp_pasv_nat, tvb, 0, 0,
ftp_nat);
}
}
/*
* We use "ftp_ip_address", so that if
* we're NAT'd we look for the un-NAT'd
* connection.
*
* XXX - should this call to
* "find_conversation()" just use
* "ftp_ip_address" and "server_port", and
* wildcard everything else?
*/
conversation = find_conversation(pinfo->fd->num, &ftp_ip_address,
&pinfo->dst, PT_TCP, ftp_port, 0,
NO_PORT_B);
if (conversation == NULL) {
/*
* XXX - should this call to "conversation_new()"
* just use "ftp_ip_address" and "server_port",
* and wildcard everything else?
*
* XXX - what if we did find a conversation? As
* we create it only on the first pass through the
* packets, if we find one, it's presumably an
* unrelated conversation. Should we remove the
* old one from the hash table and put this one in
* its place? Can the conversation code handle
* conversations not in the hash table? Or should
* we make conversations support start and end
* frames, as circuits do, and treat this as an
* indication that one conversation was closed and
* a new one was opened?
*/
conversation = conversation_new(
pinfo->fd->num, &ftp_ip_address, &pinfo->dst,
PT_TCP, ftp_port, 0, NO_PORT2);
conversation_set_dissector(conversation, ftpdata_handle);
}
}
}
}
if (is_epasv_response) {
if (linelen != 0) {
/*
* This frame contains an EPSV response; set up a
* conversation for the data.
*/
if (parse_extended_pasv_response(line, linelen, &ftp_port)) {
/* Add port number to tree */
if (tree) {
proto_tree_add_uint(reqresp_tree,
hf_ftp_pasv_port, tvb, 0, 0,
ftp_port);
}
/* Find/create conversation for data */
conversation = find_conversation(pinfo->fd->num, &pinfo->src,
&pinfo->dst, PT_TCP, ftp_port, 0,
NO_PORT_B);
if (conversation == NULL) {
conversation = conversation_new(
pinfo->fd->num, &pinfo->src, &pinfo->dst,
PT_TCP, ftp_port, 0, NO_PORT2);
conversation_set_dissector(conversation,
ftpdata_handle);
}
}
}
}
if (tree) {
/*
* Show the rest of the request or response as text,
* a line at a time.
* XXX - only if there's a continuation indicator?
*/
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/*
* Put this line.
*/
proto_tree_add_text(ftp_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
offset = next_offset;
}
}
}
static void
dissect_imap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gboolean is_request;
proto_tree *imap_tree, *reqresp_tree;
proto_item *ti, *hidden_item;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
int tokenlen;
const guchar *next_token;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "IMAP");
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
}
if (tree) {
ti = proto_tree_add_item(tree, proto_imap, tvb, offset, -1, ENC_NA);
imap_tree = proto_item_add_subtree(ti, ett_imap);
hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
PROTO_ITEM_SET_HIDDEN(hidden_item);
while(tvb_length_remaining(tvb, offset) > 2) {
/*
* Find the end of each line
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/*
* Put the line into the protocol tree.
*/
ti = proto_tree_add_item(imap_tree, hf_imap_line, tvb, offset,
next_offset - offset, ENC_ASCII|ENC_NA);
reqresp_tree = proto_item_add_subtree(ti, ett_imap_reqresp);
/*
* Show each line as tags + requests or replies.
*/
/*
* Extract the first token, and, if there is a first
* token, add it as the request or reply tag.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_tag : hf_imap_response_tag,
tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
}
/*
* Add the rest of the line as request or reply data.
*/
if (linelen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request : hf_imap_response,
tvb, offset, linelen, ENC_ASCII|ENC_NA);
}
offset += linelen+2; /* Skip over last line and \r\n at the end of it */
}
}
}
static void
dissect_x29(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
int offset = 0;
proto_tree *x29_tree = NULL;
proto_item *ti;
gboolean *q_bit_set = pinfo->private_data;
guint8 msg_code;
guint8 error_type;
guint8 type_ref;
gint next_offset;
int linelen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "X.29");
col_clear(pinfo->cinfo, COL_INFO);
if (tree) {
ti = proto_tree_add_item(tree, proto_x29, tvb, offset, -1,
ENC_NA);
x29_tree = proto_item_add_subtree(ti, ett_x29);
}
if (*q_bit_set) {
/*
* Q bit set - this is a PAD message.
*/
msg_code = tvb_get_guint8(tvb, offset);
if (check_col(pinfo->cinfo, COL_INFO)) {
col_add_fstr(pinfo->cinfo, COL_INFO, "%s PAD message",
val_to_str(msg_code, message_code_vals,
"Unknown (0x%02x)"));
}
proto_tree_add_uint(x29_tree, hf_msg_code, tvb,
offset, 1, msg_code);
offset++;
switch (msg_code) {
case SET_MSG:
case READ_MSG:
case SET_AND_READ_MSG:
case PARAMETER_IND_MSG:
/*
* XXX - dissect the references as per X.3.
*/
while (tvb_reported_length_remaining(tvb, offset) > 0) {
proto_tree_add_text(x29_tree, tvb, offset, 2,
"Parameter %u, value %u",
tvb_get_guint8(tvb, offset),
tvb_get_guint8(tvb, offset + 1));
offset += 2;
}
break;
case INV_TO_CLEAR_MSG:
/*
* No data for this message.
*/
break;
case ERROR_MSG:
error_type = tvb_get_guint8(tvb, offset);
proto_tree_add_uint(x29_tree, hf_error_type, tvb,
offset, 1, error_type);
offset++;
if (error_type != 0) {
proto_tree_add_item(x29_tree, hf_inv_msg_code,
tvb, offset, 1, ENC_BIG_ENDIAN);
}
break;
case BREAK_IND_MSG:
if (tvb_reported_length_remaining(tvb, offset) > 0) {
type_ref = tvb_get_guint8(tvb, offset);
switch (type_ref) {
case 0x01: /* change in PAD Aspect */
/*
* XXX - dissect as per X.28.
*/
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Type reference: Change in PAD Aspect");
offset++;
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Type of aspect: 0x%02x",
type_ref);
offset++;
break;
case 0x08: /* break */
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Type reference: Break");
offset++;
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Break value: 0x%02x",
type_ref);
offset++;
break;
default:
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Unknown type reference (0x%02x)",
type_ref);
offset++;
proto_tree_add_text(x29_tree, tvb,
offset, 1, "Type value: 0x%02x",
type_ref);
offset++;
break;
}
}
break;
case RESELECTION_MSG:
/*
* XXX - dissect me.
*/
proto_tree_add_text(x29_tree, tvb, offset, -1,
"Reselection message data");
break;
case RESEL_WITH_TOA_NPI_MSG:
/*
* XXX - dissect me.
*/
proto_tree_add_text(x29_tree, tvb, offset, -1,
"Reselection message data");
break;
default:
proto_tree_add_text(x29_tree, tvb, offset, -1,
"PAD message data");
break;
}
} else {
/*
* Q bit not set - this is data.
*/
col_set_str(pinfo->cinfo, COL_INFO, "Data ...");
if (tree) {
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1,
&next_offset, FALSE);
/*
* Now compute the length of the line
* *including* the end-of-line indication,
* if any; we display it all.
*/
linelen = next_offset - offset;
proto_tree_add_text(x29_tree, tvb, offset,
linelen, "Data: %s",
tvb_format_text(tvb, offset, linelen));
offset = next_offset;
}
}
}
}
static void
dissect_gift(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_item *ti, *hidden_item;
proto_tree *gift_tree, *cmd_tree;
gboolean is_request;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
int tokenlen;
const guchar *next_token;
/* set "Protocol" column text */
col_set_str(pinfo->cinfo, COL_PROTOCOL, "giFT");
/* determine whether it is a request to or response from the server */
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/* set "Info" column text */
if (check_col(pinfo->cinfo, COL_INFO))
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
/* if tree != NULL, build protocol tree */
if (tree) {
ti = proto_tree_add_item(tree, proto_gift, tvb, 0, -1, ENC_NA);
gift_tree = proto_item_add_subtree(ti, ett_gift);
if (is_request) {
hidden_item = proto_tree_add_boolean(gift_tree, hf_gift_request, tvb, 0, 0, TRUE);
} else {
hidden_item = proto_tree_add_boolean(gift_tree, hf_gift_response, tvb, 0, 0, TRUE);
}
PROTO_ITEM_SET_HIDDEN(hidden_item);
ti = proto_tree_add_text(gift_tree, tvb, offset, next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
cmd_tree = proto_item_add_subtree(ti, ett_gift_cmd);
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
if (is_request) {
proto_tree_add_text(cmd_tree, tvb, offset,
tokenlen, "Request Command: %s",
format_text(line, tokenlen));
} else {
proto_tree_add_text(cmd_tree, tvb, offset,
tokenlen, "Response Command: %s",
format_text(line, tokenlen));
}
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
}
if (linelen != 0) {
if (is_request) {
proto_tree_add_text(cmd_tree, tvb, offset,
linelen, "Request Arg: %s",
format_text(line, linelen));
} else {
proto_tree_add_text(cmd_tree, tvb, offset,
linelen, "Response Arg: %s",
format_text(line, linelen));
}
}
}
}
icap_type_t icap_type;
int datalen;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICAP");
/*
* Put the first line from the buffer into the summary
* if it's an ICAP header (but leave out the
* line terminator).
* Otherwise, just call it a continuation.
*
* Note that "tvb_find_line_end()" will return a value that
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
icap_type = ICAP_OTHER; /* type not known yet */
if (is_icap_message(line, linelen, &icap_type))
col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, linelen));
else
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
if (tree) {
ti = proto_tree_add_item(tree, proto_icap, tvb, offset, -1,
ENC_NA);
icap_tree = proto_item_add_subtree(ti, ett_icap);
}
/*
static gboolean
dissect_kismet(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
{
gboolean is_request;
gboolean is_continuation;
proto_tree *kismet_tree=NULL, *reqresp_tree=NULL;
proto_item *ti;
proto_item *tmp_item;
gint offset = 0;
const guchar *line;
gint next_offset;
int linelen;
int tokenlen;
int i;
const guchar *next_token;
/*
* Find the end of the first line.
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/*
* Check if it is an ASCII based protocol with reasonable length
* packets, if not return, and try annother dissector.
*/
if (linelen < 8) {
/*
* Packet is too short
*/
return FALSE;
} else {
for (i = 0; i < 8; ++i) {
/*
* Packet contains non-ASCII data
*/
if (line[i] < 32 || line[i] > 128)
return FALSE;
}
}
/*
* If it is Kismet traffic set COL_PROTOCOL.
*/
col_set_str(pinfo->cinfo, COL_PROTOCOL, "kismet");
/*
* Check if it is request, reply or continuation.
*/
if (pinfo->match_port == pinfo->destport) {
is_request = TRUE;
is_continuation = FALSE;
} else {
is_request = FALSE;
is_continuation = response_is_continuation (line);
}
if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary
* if it's a kismet request or reply (but leave out the
* line terminator).
* Otherwise, just call it a continuation.
*/
if (is_continuation)
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
else
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
is_request ? "Request" : "Response",
format_text(line, linelen));
}
if (tree) {
ti = proto_tree_add_item(tree, proto_kismet, tvb, offset, -1, FALSE);
kismet_tree = proto_item_add_subtree(ti, ett_kismet);
}
if (is_continuation) {
/*
* Put the whole packet into the tree as data.
*/
call_dissector(data_handle, tvb, pinfo, kismet_tree);
return TRUE;
}
if (is_request) {
tmp_item = proto_tree_add_boolean(kismet_tree,
hf_kismet_request, tvb, 0, 0, TRUE);
} else {
tmp_item = proto_tree_add_boolean(kismet_tree,
hf_kismet_response, tvb, 0, 0, TRUE);
}
PROTO_ITEM_SET_GENERATED (tmp_item);
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (linelen) {
/*
* Put this line.
*/
ti = proto_tree_add_text(kismet_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset,
next_offset - offset - 1));
reqresp_tree = proto_item_add_subtree(ti, ett_kismet_reqresp);
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
guint8 *reqresp;
reqresp = tvb_get_ephemeral_string(tvb, offset, tokenlen);
if (is_request) {
/*
* No request dissection
*/
} else {
/*
* *KISMET: {Version} {Start time} \001{Server name}\001 {Build Revision}
* two fields left undocumented: {???} {?ExtendedVersion?}
*/
if (!strncmp(reqresp, "*KISMET", 7)) {
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Kismet version: %s",
format_text(line, tokenlen));
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Start time: %s",
format_text(line, tokenlen));
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Server name: %s",
format_text(line + 1, tokenlen - 2));
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Build revision: %s",
format_text(line, tokenlen));
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Unknown field: %s",
format_text(line, tokenlen));
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen,
"Extended version string: %s",
format_text(line, tokenlen));
}
/*
* *TIME: {Time}
*/
if (!strncmp(reqresp, "*TIME", 5)) {
time_t t;
char *ptr;
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
tokenlen = get_token_len(line, line + linelen, &next_token);
/*
* Convert form ascii to time_t
*/
t = atoi(format_text (line, tokenlen));
/*
* Format ascii representaion of time
*/
ptr = abs_time_secs_to_str(t, ABSOLUTE_TIME_LOCAL, TRUE);
proto_tree_add_text(reqresp_tree, tvb, offset,
tokenlen, "Time: %s", ptr);
}
}
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
}
}
offset = next_offset;
}
return TRUE;
}
static void
dissect_nntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
const gchar *type;
proto_tree *nntp_tree;
proto_item *ti;
gint offset = 0;
gint next_offset;
int linelen;
if (pinfo->match_uint == pinfo->destport)
type = "Request";
else
type = "Response";
col_set_str(pinfo->cinfo, COL_PROTOCOL, "NNTP");
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*
* Note that "tvb_find_line_end()" will return a value that
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", type,
tvb_format_text(tvb, offset, linelen));
if (tree) {
ti = proto_tree_add_item(tree, proto_nntp, tvb, offset, -1,
ENC_NA);
nntp_tree = proto_item_add_subtree(ti, ett_nntp);
if (pinfo->match_uint == pinfo->destport) {
ti = proto_tree_add_boolean(nntp_tree,
hf_nntp_request, tvb, 0, 0, TRUE);
} else {
ti = proto_tree_add_boolean(nntp_tree,
hf_nntp_response, tvb, 0, 0, TRUE);
}
PROTO_ITEM_SET_HIDDEN(ti);
/*
* Show the request or response as text, a line at a time.
* XXX - for requests, we could display the stuff after the
* first line, if any, based on what the request was, and
* for responses, we could display it based on what the
* matching request was, although the latter requires us to
* know what the matching request was....
*/
while (tvb_offset_exists(tvb, offset)) {
/*
* Find the end of the line.
*/
tvb_find_line_end(tvb, offset, -1, &next_offset,
FALSE);
/*
* Put this line.
*/
proto_tree_add_text(nntp_tree, tvb, offset,
next_offset - offset, "%s",
tvb_format_text(tvb, offset, next_offset - offset));
offset = next_offset;
}
}
}
static void
dissect_text_lines(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *subtree;
proto_item *ti;
gint offset = 0, next_offset;
gint len;
const char *data_name;
data_name = pinfo->match_string;
if (! (data_name && data_name[0])) {
/*
* No information from "match_string"
*/
data_name = (char *)(pinfo->private_data);
if (! (data_name && data_name[0])) {
/*
* No information from "private_data"
*/
data_name = NULL;
}
}
if (data_name && check_col(pinfo->cinfo, COL_INFO))
col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "(%s)",
data_name);
if (tree) {
ti = proto_tree_add_item(tree, proto_text_lines,
tvb, 0, -1, FALSE);
if (data_name)
proto_item_append_text(ti, ": %s", data_name);
subtree = proto_item_add_subtree(ti, ett_text_lines);
/* Read the media line by line */
while (tvb_reported_length_remaining(tvb, offset) != 0) {
/*
* XXX - we need to be passed the parameters
* of the content type via "pinfo->private_data",
* so that we know the character set. We'd
* have to handle that character set, which
* might be a multibyte character set such
* as "iso-10646-ucs-2", or might require other
* special processing.
*/
len = tvb_find_line_end(tvb, offset,
tvb_ensure_length_remaining(tvb, offset),
&next_offset, FALSE);
if (len == -1)
break;
/* We use next_offset - offset instead of len in the
* call to tvb_format_text() so it will include the
* line terminator(s) (\r and/or \n) in the display.
*/
proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
"%s", tvb_format_text(tvb, offset,
next_offset - offset));
offset = next_offset;
}
}
}
/* Subtrees */
static gint ett_l1_events = -1;
static int
dissect_l1_events(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
proto_tree *subtree;
proto_item *ti;
gint offset = 0, next_offset;
gint len;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Layer1");
col_set_str(pinfo->cinfo, COL_DEF_SRC,
pinfo->pseudo_header->l1event.uton? "TE" : "NT");
len = tvb_find_line_end(tvb, 0, tvb_ensure_length_remaining(tvb, 0),
&next_offset, FALSE);
if(len>0)
col_add_str(pinfo->cinfo, COL_INFO, tvb_format_text(tvb, 0, len));
if (tree) {
ti = proto_tree_add_item(tree, proto_l1_events,
tvb, 0, -1, ENC_NA);
subtree = proto_item_add_subtree(ti, ett_l1_events);
/* Read the media line by line */
while (tvb_offset_exists(tvb, offset)) {
/*
* XXX - we need to be passed the parameters
* of the content type via data parameter,
* so that we know the character set. We'd
* have to handle that character set, which
* might be a multibyte character set such
/*
* Optionally do reassembly of the request/response line, headers, and body.
*/
gboolean
req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo,
const gboolean desegment_headers, const gboolean desegment_body)
{
gint next_offset;
gint next_offset_sav;
gint length_remaining, reported_length_remaining;
int linelen;
gchar *header_val;
long int content_length;
gboolean content_length_found = FALSE;
gboolean content_type_found = FALSE;
gboolean chunked_encoding = FALSE;
gboolean keepalive_found = FALSE;
gchar *line;
gchar *content_type = NULL;
/*
* Do header desegmentation if we've been told to.
*
* RFC 2616 defines HTTP messages as being either of the
* Request or the Response type
* (HTTP-message = Request | Response).
* Request and Response are defined as:
* Request = Request-Line
* *(( general-header
* | request-header
* | entity-header ) CRLF)
* CRLF
* [ message-body ]
* Response = Status-Line
* *(( general-header
* | response-header
* | entity-header ) CRLF)
* CRLF
* [ message-body ]
* that's why we can always assume two consecutive line
* endings (we allow CR, LF, or CRLF, as some clients
* or servers might not use a full CRLF) to mark the end
* of the headers. The worst thing that would happen
* otherwise would be the packet not being desegmented
* or being interpreted as only headers.
*
* RFC 2326 says RTSP works the same way; RFC 3261 says SIP
* works the same way.
*/
/*
* If header desegmentation is activated, check that all
* headers are in this tvbuff (search for an empty line
* marking end of headers) or request one more byte (we
* don't know how many bytes we'll need, so we just ask
* for one).
*/
if (desegment_headers && pinfo->can_desegment) {
next_offset = offset;
for (;;) {
next_offset_sav = next_offset;
reported_length_remaining =
tvb_reported_length_remaining(tvb, next_offset);
/*
* Request one more byte if there're no
* bytes left in the reported data (if there're
* bytes left in the reported data, but not in
* the available data, requesting more bytes
* won't help, as those bytes weren't captured).
*/
if (reported_length_remaining < 1) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
length_remaining = tvb_length_remaining(tvb,
next_offset);
/*
* Request one more byte if we cannot find a
* header (i.e. a line end).
*/
linelen = tvb_find_line_end(tvb, next_offset,
-1, &next_offset, TRUE);
if (linelen == -1 &&
length_remaining >= reported_length_remaining) {
/*
* Not enough data; ask for one more
* byte.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
if (linelen == 0) {
/*
* We found the end of the headers.
*/
break;
}
/*
* Is this a Content-Length or Transfer-Encoding
* header? If not, it either means that we are in
* a different header line, or that we are
* at the end of the headers, or that there
* isn't enough data; the two latter cases
* have already been handled above.
*/
if (desegment_body) {
/*
* Check if we've found Content-Length.
*/
line = tvb_get_ephemeral_string(tvb, next_offset_sav, linelen);
if (g_ascii_strncasecmp(line, "Content-Length:", 15) == 0) {
if (sscanf(line+15,"%li", &content_length) == 1)
content_length_found = TRUE;
} else if (g_ascii_strncasecmp(line, "Content-Type:", 13) == 0) {
content_type_found = TRUE;
content_type = line+13;
while (*content_type == ' ') {
content_type++;
}
} else if (g_ascii_strncasecmp(line, "Connection:", 11) == 0) {
/* Check for keep-alive */
header_val = line+11;
if(header_val){
while(*header_val==' '){
header_val++;
}
if(!g_ascii_strncasecmp(header_val, "Keep-Alive", 10)){
keepalive_found = TRUE;
}
}
} else if (g_ascii_strncasecmp( line, "Transfer-Encoding:", 18) == 0) {
/*
* Find out if this Transfer-Encoding is
* chunked. It should be, since there
* really aren't any other types, but
* RFC 2616 allows for them.
*/
gchar *p;
guint len;
header_val = line+18;
p = header_val;
len = (guint) strlen(header_val);
/* Skip white space */
while (p < header_val + len &&
(*p == ' ' || *p == '\t'))
p++;
if (p <= header_val + len) {
if (g_ascii_strncasecmp(p, "chunked", 7)
== 0) {
/*
* Don't bother looking
* for extensions;
* since we don't
* understand them,
* they should be
* ignored.
*/
chunked_encoding = TRUE;
}
}
}
}
}
}
/*
* The above loop ends when we reached the end of the headers, so
* there should be content_length bytes after the 4 terminating bytes
* and next_offset points to after the end of the headers.
*/
if (desegment_body) {
if (content_length_found) {
if (content_length >= 128*1024) { /* MS-RPCH stipulate that the content-length must be between 128K and 2G */
gchar *tmp;
if (content_type_found &&
strncmp(content_type, "application/rpc", 15) == 0) {
/* It looks like a RPC_IN_DATA request or a RPC_OUT_DATA response
* in which the content-length is meaningless
*/
return TRUE;
}
/* Following sizeof will return the length of the string + \0 we need to not count it*/
tmp = tvb_get_ephemeral_string(tvb, 0, sizeof("RPC_OUT_DATA") - 1);
if ((strncmp(tmp, "RPC_IN_DATA", sizeof("RPC_IN_DATA") - 1) == 0) ||
(strncmp(tmp, "RPC_OUT_DATA", sizeof("RPC_OUT_DATA") - 1) == 0)) {
return TRUE;
}
}
/* next_offset has been set to the end of the headers */
if (!tvb_bytes_exist(tvb, next_offset, content_length)) {
length_remaining = tvb_length_remaining(tvb,
next_offset);
reported_length_remaining =
tvb_reported_length_remaining(tvb, next_offset);
if (length_remaining < reported_length_remaining) {
/*
* It's a waste of time asking for more
* data, because that data wasn't captured.
*/
return TRUE;
}
if (length_remaining == -1)
length_remaining = 0;
pinfo->desegment_offset = offset;
pinfo->desegment_len =
content_length - length_remaining;
return FALSE;
}
} else if (chunked_encoding) {
/*
* This data is chunked, so we need to keep pulling
* data until we reach the end of the stream, or a
* zero sized chunk.
*
* XXX
* This doesn't bother with trailing headers; I don't
* think they are really used, and we'd have to use
* is_http_request_or_reply() to determine if it was
* a trailing header, or the start of a new response.
*/
gboolean done_chunking = FALSE;
while (!done_chunking) {
guint chunk_size = 0;
gint chunk_offset = 0;
gchar *chunk_string = NULL;
gchar *c = NULL;
reported_length_remaining =
tvb_reported_length_remaining(tvb,
next_offset);
if (reported_length_remaining < 1) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
length_remaining = tvb_length_remaining(tvb,
next_offset);
linelen = tvb_find_line_end(tvb, next_offset,
-1, &chunk_offset, TRUE);
if (linelen == -1 &&
length_remaining >=
reported_length_remaining) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
/* We have a line with the chunk size in it.*/
chunk_string = tvb_get_ephemeral_string(tvb, next_offset,
linelen);
c = chunk_string;
/*
* We don't care about the extensions.
*/
if ((c = strchr(c, ';'))) {
*c = '\0';
}
if (sscanf(chunk_string, "%x", &chunk_size) < 1) {
/* We couldn't get the chunk size,
* so stop trying.
*/
return TRUE;
}
if (chunk_size > (guint)1<<31) {
/* Chunk size is unreasonable. */
/* XXX What /is/ reasonable? */
return TRUE;
}
if (chunk_size == 0) {
/*
* This is the last chunk. Let's pull in the
* trailing CRLF.
*/
linelen = tvb_find_line_end(tvb,
chunk_offset, -1, &chunk_offset, TRUE);
if (linelen == -1 &&
length_remaining >=
reported_length_remaining) {
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
pinfo->desegment_offset = chunk_offset;
pinfo->desegment_len = 0;
done_chunking = TRUE;
} else {
/*
* Skip to the next chunk if we
* already have it
*/
if (reported_length_remaining >
(gint) chunk_size) {
next_offset = chunk_offset
+ chunk_size + 2;
} else {
/*
* Fetch this chunk, plus the
* trailing CRLF.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return FALSE;
}
}
}
} else if (content_type_found && pinfo->can_desegment) {
/* We found a content-type but no content-length.
* This is probably a HTTP header for a session with
* only one HTTP PDU and where the content spans
* until the end of the tcp session, unless there
* is a keepalive header present in which case we
* assume there is no message body at all and thus
* we wont do any reassembly.
* Set up tcp reassembly until the end of this session.
*/
length_remaining = tvb_length_remaining(tvb, next_offset);
reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset);
if (length_remaining < reported_length_remaining) {
/*
* It's a waste of time asking for more
* data, because that data wasn't captured.
*/
return TRUE;
}
if (keepalive_found) {
/* We have a keep-alive but no content-length.
* Assume there is no message body and dont
* do any reassembly.
*/
return TRUE;
}
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
return FALSE;
}
}
/*
* No further desegmentation needed.
*/
return TRUE;
}
static int
dissect_text_lines(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
{
proto_tree *subtree;
proto_item *ti;
gint offset = 0, next_offset;
gint len;
http_message_info_t *message_info;
const char *data_name;
int length = tvb_captured_length(tvb);
/* Check if this is actually xml
* If there is less than 38 characters this is not XML
* <?xml version="1.0" encoding="UTF-8"?>
*/
if(length > 38){
if (tvb_strncaseeql(tvb, 0, "<?xml", 5) == 0){
call_dissector(xml_handle, tvb, pinfo, tree);
return length;
}
}
data_name = pinfo->match_string;
if (! (data_name && data_name[0])) {
/*
* No information from "match_string"
*/
message_info = (http_message_info_t *)data;
if (message_info == NULL) {
/*
* No information from dissector data
*/
data_name = NULL;
} else {
data_name = message_info->media_str;
if (! (data_name && data_name[0])) {
/*
* No information from dissector data
*/
data_name = NULL;
}
}
}
if (data_name)
col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "(%s)",
data_name);
if (tree) {
guint lines_read = 0;
ti = proto_tree_add_item(tree, proto_text_lines,
tvb, 0, -1, ENC_NA);
if (data_name)
proto_item_append_text(ti, ": %s", data_name);
subtree = proto_item_add_subtree(ti, ett_text_lines);
/* Read the media line by line */
while (tvb_offset_exists(tvb, offset)) {
/*
* XXX - we need to be passed the parameters
* of the content type via data parameter,
* so that we know the character set. We'd
* have to handle that character set, which
* might be a multibyte character set such
* as "iso-10646-ucs-2", or might require other
* special processing.
*/
len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (len == -1)
break;
/* We use next_offset - offset instead of len in the
* call to proto_tree_add_format_text() so it will include the
* line terminator(s) (\r and/or \n) in the display.
*/
proto_tree_add_format_text(subtree, tvb, offset, next_offset - offset);
lines_read++;
offset = next_offset;
}
proto_item_append_text(subtree, " (%u lines)", lines_read);
}
return length;
}
static void
dissect_imap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gboolean is_request;
proto_tree *imap_tree, *reqresp_tree;
proto_item *ti, *hidden_item;
gint offset = 0;
gint uid_offset = 0;
gint folder_offset = 0;
const guchar *line;
const guchar *uid_line;
const guchar *folder_line;
gint next_offset;
int linelen;
int tokenlen;
int uid_tokenlen;
int folder_tokenlen;
const guchar *next_token;
const guchar *uid_next_token;
const guchar *folder_next_token;
guchar *tokenbuf;
guchar *command_token;
int iter;
int commandlen;
conversation_t *conversation;
imap_state_t *session_state;
conversation = find_or_create_conversation(pinfo);
session_state = (imap_state_t *)conversation_get_proto_data(conversation, proto_imap);
if (!session_state) {
session_state = wmem_new0(wmem_file_scope(), imap_state_t);
session_state->ssl_requested = FALSE;
conversation_add_proto_data(conversation, proto_imap, session_state);
}
tokenbuf = (guchar *)wmem_alloc0(wmem_packet_scope(), MAX_BUFFER);
command_token = (guchar *)wmem_alloc0(wmem_packet_scope(), MAX_BUFFER);
commandlen = 0;
folder_offset = 0;
folder_tokenlen = 0;
folder_line = NULL;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "IMAP");
if (pinfo->match_uint == pinfo->destport)
is_request = TRUE;
else
is_request = FALSE;
/*
* Put the first line from the buffer into the summary
* (but leave out the line terminator).
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen));
{
ti = proto_tree_add_item(tree, proto_imap, tvb, offset, -1, ENC_NA);
imap_tree = proto_item_add_subtree(ti, ett_imap);
hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request);
PROTO_ITEM_SET_HIDDEN(hidden_item);
while(tvb_offset_exists(tvb, offset)) {
/*
* Find the end of each line
*
* Note that "tvb_find_line_end()" will return a value that is
* not longer than what's in the buffer, so the "tvb_get_ptr()"
* call won't throw an exception.
*/
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
/*
* Put the line into the protocol tree.
*/
ti = proto_tree_add_item(imap_tree, hf_imap_line, tvb, offset, next_offset - offset, ENC_ASCII|ENC_NA);
reqresp_tree = proto_item_add_subtree(ti, ett_imap_reqresp);
/*
* Check that the line doesn't begin with '*', because that's a continuation line.
* Otherwise if a tag is present then extract tokens.
*/
if ( (line) && ((line[0] != '*') || (TRUE == is_request)) ) {
/*
* Show each line as tags + requests or replies.
*/
/*
* Extract the first token, and, if there is a first
* token, add it as the request or reply tag.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_tag : hf_imap_response_tag, tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
offset += (gint) (next_token - line);
linelen -= (int) (next_token - line);
line = next_token;
}
/*
* Extract second token, and, if there is a second
* token, and it's not uid, add it as the request or reply command.
*/
tokenlen = get_token_len(line, line + linelen, &next_token);
if (tokenlen != 0) {
for (iter = 0; iter < tokenlen && iter < MAX_BUFFER-1; iter++) {
tokenbuf[iter] = g_ascii_tolower(line[iter]);
}
if (tree && is_request && strncmp(tokenbuf, "uid", tokenlen) == 0) {
proto_tree_add_item(reqresp_tree, hf_imap_request_uid, tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
/*
* UID is a precursor to a command, if following the tag,
* so move to next token to grab the actual command.
*/
uid_offset = offset;
uid_offset += (gint) (next_token - line);
uid_line = next_token;
uid_tokenlen = get_token_len(uid_line, uid_line + (linelen - tokenlen), &uid_next_token);
if (tokenlen != 0) {
proto_tree_add_item(reqresp_tree, hf_imap_request_command, tvb, uid_offset, uid_tokenlen, ENC_ASCII|ENC_NA);
/*
* Save command string to do specialized processing.
*/
for (iter = 0; iter < uid_tokenlen && iter < MAX_BUFFER-1; iter++) {
command_token[iter] = g_ascii_tolower(uid_line[iter]);
}
commandlen = uid_tokenlen;
folder_offset = uid_offset;
folder_offset += (gint) (uid_next_token - uid_line);
folder_line = uid_next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - uid_tokenlen), &folder_next_token);
}
} else {
/*
* Not a UID request so perform normal parsing.
*/
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_command : hf_imap_response_status, tvb, offset, tokenlen, ENC_ASCII|ENC_NA);
if (is_request) {
/*
* Save command string to do specialized processing.
*/
for (iter = 0; iter < tokenlen && iter < 256; iter++) {
command_token[iter] = g_ascii_tolower(line[iter]);
}
commandlen = tokenlen;
folder_offset = offset;
folder_offset += (gint) (next_token - line);
folder_line = next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - 1), &folder_next_token);
}
}
if (tree && commandlen > 0 && (
strncmp(command_token, "select", commandlen) == 0 ||
strncmp(command_token, "examine", commandlen) == 0 ||
strncmp(command_token, "create", commandlen) == 0 ||
strncmp(command_token, "delete", commandlen) == 0 ||
strncmp(command_token, "rename", commandlen) == 0 ||
strncmp(command_token, "subscribe", commandlen) == 0 ||
strncmp(command_token, "unsubscribe", commandlen) == 0 ||
strncmp(command_token, "status", commandlen) == 0 ||
strncmp(command_token, "append", commandlen) == 0 ||
strncmp(command_token, "search", commandlen) == 0)) {
/*
* These commands support folder as an argument,
* so parse out the folder name.
*/
if (folder_tokenlen != 0)
proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA);
}
if (tree && is_request && (NULL != folder_line) && strncmp(command_token, "copy", commandlen) == 0) {
/*
* Handle the copy command separately since folder
* is the second argument for this command.
*/
folder_offset += (gint) (folder_next_token - folder_line);
folder_line = folder_next_token;
folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen), &folder_next_token);
if (folder_tokenlen != 0)
proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA);
}
/* If not yet switched to TLS, check for STARTTLS. */
if (session_state->ssl_requested) {
if (!is_request && session_state->ssl_requested &&
strncmp(tokenbuf, "ok", tokenlen) == 0) {
/* STARTTLS accepted, next reply will be TLS. */
ssl_starttls_ack(ssl_handle, pinfo, imap_handle);
}
session_state->ssl_requested = FALSE;
}
if (is_request && commandlen > 0 &&
strncmp(command_token, "starttls", commandlen) == 0) {
/* If next response is OK, then TLS should be commenced. */
session_state->ssl_requested = TRUE;
}
}
/*
* Add the rest of the line as request or reply data.
*/
if (linelen != 0) {
proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request : hf_imap_response, tvb, offset, linelen, ENC_ASCII|ENC_NA);
}
}
offset = next_offset; /* Skip over last line and \r\n at the end of it */
}
}
}
