/*
 * Decode the user, application and client computer name strings.
 *
 * tvb    - packet bytes
 * offset - where the user name string starts
 * tree   - protocol tree; nothing is added when it is NULL
 *
 * Each name is looked up as a NUL-terminated string within a 255-byte
 * window; if no terminator is found the remaining names are skipped.
 */
static void
dissect_user_info_2(tvbuff_t *tvb, int offset, proto_tree *tree)
{
    int len;

    if (!tree) {
        return;
    }

    /* User name */
    len = tvb_strnlen(tvb, offset, 255);
    if (len == -1) {
        return;
    }
    proto_tree_add_text(tree, tvb, offset, len + 1, "User name: %.*s",
                        len, tvb_get_ephemeral_string(tvb, offset, len));
    /* NOTE(review): this step skips one byte beyond the terminator, unlike
     * the application-name step below; confirm against the protocol layout. */
    offset += len + 2;

    /* Application name */
    len = tvb_strnlen(tvb, offset, 255);
    if (len == -1) {
        return;
    }
    proto_tree_add_text(tree, tvb, offset, len + 1, "Application name: %.*s",
                        len, tvb_get_ephemeral_string(tvb, offset, len));
    offset += len + 1;

    /* Client computer name */
    len = tvb_strnlen(tvb, offset, 255);
    if (len == -1) {
        return;
    }
    proto_tree_add_text(tree, tvb, offset, len + 1, "Client computer name: %.*s",
                        len, tvb_get_ephemeral_string(tvb, offset, len));
}
/*
 * Display the application name in the proto tree.
 *
 * NOTE: this routine assumes that the tree pointer is valid (not NULL).
 *
 * Returns the value tvb_strnlen() gives for the string at offset (bytes up
 * to the terminating NUL, searched within 255 bytes).
 * NOTE(review): when no terminator is found in that window the result is
 * -1, which is used as the item length and returned unchanged;
 * dissect_user_info_2() in this file bails out on -1 instead - confirm the
 * caller copes with a negative return.
 */
static int
display_application_name(tvbuff_t *tvb, int offset, proto_tree *tree)
{
    const int name_len = tvb_strnlen(tvb, offset, 255);

    proto_tree_add_text(tree, tvb, offset, name_len, "Application: %.*s",
                        name_len, tvb_get_ephemeral_string(tvb, offset, name_len));
    return name_len;
}
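/*
 * Dissect a SAP (Session Announcement Protocol) header and hand whatever
 * follows it to the SDP dissector.
 *
 * tvb   - packet bytes
 * pinfo - packet info; the Protocol/Info columns are filled on every pass
 * tree  - protocol tree, may be NULL
 *
 * The header is walked on every pass, not only when a tree is requested:
 * the offset handed to the SDP sub-dissector must not depend on whether a
 * tree is being built (previously, with a NULL tree, SDP was called on the
 * whole SAP packet at offset 0).  The proto_tree_add_* calls and
 * proto_item_add_subtree() accept a NULL tree/item.
 */
static void
dissect_sap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    int         offset = 0;
    int         sap_version, is_ipv6, is_del, is_enc, is_comp, addr_len;
    guint8      vers_flags;
    guint8      auth_len;
    guint16     msg_id_hash;
    guint8      auth_flags;
    tvbuff_t   *next_tvb;
    proto_item *si, *sif;
    proto_tree *sap_tree = NULL, *sap_flags_tree;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SAP");
    col_clear(pinfo->cinfo, COL_INFO);

    /* First byte: version number plus the A/T/E/C flag bits */
    vers_flags  = tvb_get_guint8(tvb, offset);
    is_ipv6     = vers_flags & MCAST_SAP_BIT_A;
    is_del      = vers_flags & MCAST_SAP_BIT_T;
    is_enc      = vers_flags & MCAST_SAP_BIT_E;
    is_comp     = vers_flags & MCAST_SAP_BIT_C;
    sap_version = (vers_flags & MCAST_SAP_VERSION_MASK) >> MCAST_SAP_VERSION_SHIFT;
    /* The A bit selects the address family of the originating source */
    addr_len    = is_ipv6 ? (int)sizeof(struct e_in6_addr) : 4;

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s (v%u)",
                     is_del ? "Deletion" : "Announcement", sap_version);
    }

    if (tree) {
        si = proto_tree_add_item(tree, proto_sap, tvb, offset, -1, ENC_NA);
        sap_tree = proto_item_add_subtree(si, ett_sap);

        sif = proto_tree_add_uint(sap_tree, hf_sap_flags, tvb, offset, 1, vers_flags);
        sap_flags_tree = proto_item_add_subtree(sif, ett_sap_flags);
        proto_tree_add_uint(sap_flags_tree, hf_sap_flags_v, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_a, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_r, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_t, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_e, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_c, tvb, offset, 1, vers_flags);
    }
    offset++;

    /* Authentication length, counted in 32-bit words (see below) */
    auth_len = tvb_get_guint8(tvb, offset);
    proto_tree_add_text(sap_tree, tvb, offset, 1, "Authentication Length: %u", auth_len);
    offset++;

    msg_id_hash = tvb_get_ntohs(tvb, offset);
    proto_tree_add_text(sap_tree, tvb, offset, 2, "Message Identifier Hash: 0x%x", msg_id_hash);
    offset += 2;

    proto_tree_add_text(sap_tree, tvb, offset, addr_len, "Originating Source: %s",
                        is_ipv6 ? tvb_ip6_to_str(tvb, offset) : tvb_ip_to_str(tvb, offset));
    offset += addr_len;

    /* Authentication data lives in its own subtree */
    if (auth_len > 0) {
        guint32     auth_data_len;
        proto_item *sdi, *sai;
        proto_tree *sa_tree, *saf_tree;
        int         has_pad;
        guint8      pad_len = 0;

        auth_data_len = auth_len * (guint32)sizeof(guint32);

        sdi = proto_tree_add_item(sap_tree, hf_auth_data, tvb, offset, auth_data_len, ENC_NA);
        sa_tree = proto_item_add_subtree(sdi, ett_sap_auth);

        auth_flags = tvb_get_guint8(tvb, offset);
        sai = proto_tree_add_uint(sa_tree, hf_auth_flags, tvb, offset, 1, auth_flags);
        saf_tree = proto_item_add_subtree(sai, ett_sap_authf);
        proto_tree_add_uint(saf_tree, hf_auth_flags_v, tvb, offset, 1, auth_flags);
        proto_tree_add_boolean(saf_tree, hf_auth_flags_p, tvb, offset, 1, auth_flags);
        proto_tree_add_uint(saf_tree, hf_auth_flags_t, tvb, offset, 1, auth_flags);

        /* With the P bit set, the last byte of the auth data is the pad count */
        has_pad = auth_flags & MCAST_SAP_AUTH_BIT_P;
        if (has_pad) {
            pad_len = tvb_get_guint8(tvb, offset + auth_data_len - 1);
        }

        /* A pad count that swallows the whole auth data is bogus; stop rather
         * than compute a negative subheader length from attacker-controlled
         * values. */
        if ((int)auth_data_len - pad_len - 1 < 0) {
            proto_tree_add_text(sa_tree, tvb, 0, 0,
                                "Bogus authentication length (%d) or pad length (%d)",
                                auth_len, pad_len);
            return;
        }

        proto_tree_add_text(sa_tree, tvb, offset + 1, auth_data_len - pad_len - 1,
                            "Authentication subheader: (%u byte%s)",
                            auth_data_len - 1, plurality(auth_data_len - 1, "", "s"));
        if (has_pad) {
            proto_tree_add_text(sa_tree, tvb, offset + auth_data_len - pad_len, pad_len,
                                "Authentication data padding: (%u byte%s)",
                                pad_len, plurality(pad_len, "", "s"));
            proto_tree_add_text(sa_tree, tvb, offset + auth_data_len - 1, 1,
                                "Authentication data pad count: %u byte%s",
                                pad_len, plurality(pad_len, "", "s"));
        }
        offset += auth_data_len;
    }

    /* Encrypted or compressed payloads are not decoded any further */
    if (is_enc || is_comp) {
        const char *mangle;

        if (is_enc && is_comp) {
            mangle = "compressed and encrypted";
        } else if (is_enc) {
            mangle = "encrypted";
        } else {
            mangle = "compressed";
        }
        proto_tree_add_text(sap_tree, tvb, offset, -1, "The rest of the packet is %s", mangle);
        return;
    }

    /* Do we have the optional payload type aka. MIME content specifier */
    if (tvb_strneql(tvb, offset, "v=", strlen("v="))) {
        gint    remaining_len;
        guint32 pt_len;
        int     pt_string_len;

        remaining_len = tvb_length_remaining(tvb, offset);
        if (remaining_len == 0) {
            /*
             * "tvb_strneql()" failed because there was no data left in the
             * packet.  Set the remaining length to 1, so that we throw the
             * appropriate exception in "tvb_get_ptr()", rather than
             * displaying the payload type.
             */
            remaining_len = 1;
        }
        pt_string_len = tvb_strnlen(tvb, offset, remaining_len);
        if (pt_string_len == -1) {
            /* We didn't find a terminating '\0'; run to the end of the buffer. */
            pt_string_len = remaining_len;
            pt_len = pt_string_len;
        } else {
            /* Include the '\0' in the total item length. */
            pt_len = pt_string_len + 1;
        }
        proto_tree_add_text(sap_tree, tvb, offset, pt_len, "Payload type: %.*s",
                            pt_string_len, tvb_get_ephemeral_string(tvb, offset, pt_string_len));
        offset += pt_len;
    }

    /* Done with SAP; everything after the header is the SDP announcement */
    next_tvb = tvb_new_subset_remaining(tvb, offset);
    call_dissector(sdp_handle, next_tvb, pinfo, tree);
}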
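/*
 * Decoder state machine.  Currently only used to snoop on the client user
 * name sent by the client during connection establishment.
 *
 * hash_info - per-conversation state, updated in place
 * tvb       - packet bytes
 * pinfo     - packet info; COL_INFO is annotated when the user information
 *             packet is recognised
 *
 * Only runs on the first pass over a packet and only for the client ->
 * server direction; later passes rely on the state recorded here.
 */
static void
rlogin_state_machine(rlogin_hash_entry_t *hash_info, tvbuff_t *tvb, packet_info *pinfo)
{
    guint length;
    gint  stringlen;

    /* Won't change state if already seen this packet */
    if (pinfo->fd->flags.visited) {
        return;
    }

    /* rlogin stream decoder: just watch for the second packet from the
     * client with the user name and terminal type information. */
    if (pinfo->destport != RLOGIN_PORT) {
        return;
    }

    /* Exit if already passed username in conversation */
    if (hash_info->state == DONE) {
        return;
    }

    /* Exit if no data */
    length = tvb_captured_length(tvb);
    if (length == 0) {
        return;
    }

    if (hash_info->state == NONE) {
        /* New connection: the client is expected to open with a NUL byte */
        if (tvb_get_guint8(tvb, 0) != '\0') {
            /* We expected a null, but didn't get one; quit. */
            hash_info->state = DONE;
            return;
        }
        if (length <= 1) {
            /* Still waiting for data */
            hash_info->state = USER_INFO_WAIT;
        } else {
            /* Have info, store frame number */
            hash_info->state = DONE;
            hash_info->info_framenum = pinfo->num;
        }
        return;
    }

    /* expect user data here */
    /* TODO: may need to do more checking here? */
    if (hash_info->state == USER_INFO_WAIT) {
        /* Store frame number here */
        hash_info->state = DONE;
        hash_info->info_framenum = pinfo->num;

        /* Work out the length of string to copy: up to the first '\0',
         * bounded by the name buffer and by what was actually captured. */
        stringlen = tvb_strnlen(tvb, 0, NAME_LEN);
        if (stringlen == -1 || stringlen > NAME_LEN - 1) {
            stringlen = NAME_LEN - 1;   /* no '\0' found, or name too long */
        }
        if (stringlen > (gint)length) {
            /* Short capture: reading NAME_LEN - 1 bytes would run past the
             * tvb and throw instead of recording the partial name. */
            stringlen = (gint)length;
        }

        /* Copy and terminate string into hash name */
        tvb_memcpy(tvb, (guint8 *)hash_info->user_name, 0, stringlen);
        hash_info->user_name[stringlen] = '\0';

        col_append_str(pinfo->cinfo, COL_INFO, ", (User information)");
    }
}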
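/*
 * Add the fields of a version-2 Sebek record to sebek_tree.
 * Layout as read here: magic(4) version(2) type(2) counter(4) time(4+4)
 * pid(4) uid(4) fd(4) cmd(12) len(4) data(rest).
 */
static void
dissect_sebek_v2_tree(tvbuff_t *tvb, proto_tree *sebek_tree)
{
    int      offset = 0;
    nstime_t ts;

    proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
    offset += 2;
    proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
    offset += 2;
    proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
    offset += 4;

    /* seconds and nanoseconds, both big-endian 32-bit */
    ts.secs  = tvb_get_ntohl(tvb, offset);
    ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
    proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
    offset += 8;

    proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
    offset += 12;
    proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
}

/*
 * Add the fields of a version-3 Sebek record to sebek_tree.
 * Layout as read here: magic(4) version(2) type(2) counter(4) time(4+4)
 * ppid(4) pid(4) uid(4) fd(4) inode(4) cmd(12) len(4), then either the
 * socket tuple (type 2) or opaque data (any other type).
 */
static void
dissect_sebek_v3_tree(tvbuff_t *tvb, proto_tree *sebek_tree)
{
    int      offset = 0;
    int      sebek_type;
    nstime_t ts;

    proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
    offset += 2;
    /* The type decides how the trailing data is interpreted below */
    sebek_type = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
    offset += 2;
    proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
    offset += 4;

    ts.secs  = tvb_get_ntohl(tvb, offset);
    ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
    proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
    offset += 8;

    proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, FALSE);
    offset += 4;
    proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
    offset += 12;
    proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
    offset += 4;

    if (sebek_type == 2) {
        /* data is socket data, process accordingly */
        proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, FALSE);
        offset += 4;
        proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, FALSE);
        offset += 2;
        proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, FALSE);
        offset += 4;
        proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, FALSE);
        offset += 2;
        proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, FALSE);
        offset += 2;
        proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, FALSE);
    } else {
        proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
    }
}

/* dissect_sebek - dissects sebek packet data
 * tvb   - tvbuff for packet data (IN)
 * pinfo - packet info; the Protocol and Info columns are filled
 * tree  - resolved protocol tree, may be NULL
 *
 * The version is read once from offset 4 (0 when the packet is too short
 * to carry it) and drives both the Info summary and the tree layout.
 * pid/uid/fd are 32-bit unsigned fields, so they are printed with %u.
 */
static void
dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    proto_tree *sebek_tree;
    proto_item *ti;
    int         sebek_ver = 0;
    int         cmd_len   = 0;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");

    /* check for minimum length before deciding where to go */
    if (tvb->length >= 6) {
        sebek_ver = tvb_get_ntohs(tvb, 4);
    }

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
        switch (sebek_ver) {
        case 2:
            col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%u)", tvb_get_ntohl(tvb, 20));
            col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%u)", tvb_get_ntohl(tvb, 24));
            col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%u)", tvb_get_ntohl(tvb, 28));
            col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
            break;
        case 3:
            col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%u)", tvb_get_ntohl(tvb, 24));
            col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%u)", tvb_get_ntohl(tvb, 28));
            col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%u)", tvb_get_ntohl(tvb, 32));
            /* NOTE(review): a 12-byte command with no NUL gives -1 here and
             * nothing is shown, while the v2 branch shows all 12 bytes -
             * confirm that is intended. */
            cmd_len = tvb_strnlen(tvb, 40, 12);
            if (cmd_len < 0) {
                cmd_len = 0;
            }
            col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
            break;
        default:
            break;
        }
    }

    if (tree) {
        /* Adding Sebek item and subtree */
        ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, FALSE);
        sebek_tree = proto_item_add_subtree(ti, ett_sebek);

        switch (sebek_ver) {
        case 2:
            dissect_sebek_v2_tree(tvb, sebek_tree);
            break;
        case 3:
            dissect_sebek_v3_tree(tvb, sebek_tree);
            break;
        default:
            break;
        }
    }
}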
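/*
 * Dissect a SAP (Session Announcement Protocol) header and hand whatever
 * follows it to the SDP dissector.
 *
 * tvb   - packet bytes
 * pinfo - packet info; columns and expert info are filled on every pass
 * tree  - protocol tree, may be NULL
 *
 * Every header element, including the optional payload-type string, is
 * walked on every pass so that the offset handed to the SDP sub-dissector
 * is the same whether or not a tree is being built (previously the
 * payload type was only skipped inside "if (tree)").  sap_tree stays NULL
 * without a tree; the proto_tree_add_* calls accept that.
 */
static void
dissect_sap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    int         offset = 0;
    int         sap_version, is_ipv6, is_del, is_enc, is_comp, addr_len;
    guint8      vers_flags;
    guint8      auth_len;
    guint8      auth_flags;
    tvbuff_t   *next_tvb;
    proto_item *si, *sif;
    proto_tree *sap_tree = NULL, *sap_flags_tree;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SAP");
    col_clear(pinfo->cinfo, COL_INFO);

    /* First byte: version number plus the A/T/E/C flag bits */
    vers_flags  = tvb_get_guint8(tvb, offset);
    is_ipv6     = vers_flags & MCAST_SAP_BIT_A;
    is_del      = vers_flags & MCAST_SAP_BIT_T;
    is_enc      = vers_flags & MCAST_SAP_BIT_E;
    is_comp     = vers_flags & MCAST_SAP_BIT_C;
    sap_version = (vers_flags & MCAST_SAP_VERSION_MASK) >> MCAST_SAP_VERSION_SHIFT;
    /* The A bit selects the address family of the originating source */
    addr_len    = is_ipv6 ? (int)sizeof(struct e_in6_addr) : 4;

    col_add_fstr(pinfo->cinfo, COL_INFO, "%s (v%u)",
                 is_del ? "Deletion" : "Announcement", sap_version);

    if (tree) {
        si = proto_tree_add_item(tree, proto_sap, tvb, offset, -1, ENC_NA);
        sap_tree = proto_item_add_subtree(si, ett_sap);

        sif = proto_tree_add_item(sap_tree, hf_sap_flags, tvb, offset, 1, ENC_NA);
        sap_flags_tree = proto_item_add_subtree(sif, ett_sap_flags);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_v, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_a, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_r, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_t, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_e, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_c, tvb, offset, 1, ENC_NA);
    }
    offset++;

    /* Authentication length, counted in 32-bit words (see below) */
    auth_len = tvb_get_guint8(tvb, offset);
    proto_tree_add_item(sap_tree, hf_sap_auth_len, tvb, offset, 1, ENC_NA);
    offset++;

    proto_tree_add_item(sap_tree, hf_sap_message_identifier_hash, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;

    if (is_ipv6) {
        proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv6, tvb, offset, addr_len, ENC_NA);
    } else {
        proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv4, tvb, offset, addr_len, ENC_BIG_ENDIAN);
    }
    offset += addr_len;

    /* Authentication data lives in its own subtree */
    if (auth_len > 0) {
        guint32     auth_data_len;
        proto_item *sdi, *sai;
        proto_tree *sa_tree, *saf_tree;
        int         has_pad;
        guint8      pad_len = 0;

        auth_data_len = (guint32)(auth_len * sizeof(guint32));

        sdi = proto_tree_add_item(sap_tree, hf_auth_data, tvb, offset, auth_data_len, ENC_NA);
        sa_tree = proto_item_add_subtree(sdi, ett_sap_auth);

        auth_flags = tvb_get_guint8(tvb, offset);
        sai = proto_tree_add_item(sa_tree, hf_auth_flags, tvb, offset, 1, ENC_NA);
        saf_tree = proto_item_add_subtree(sai, ett_sap_authf);
        proto_tree_add_item(saf_tree, hf_auth_flags_v, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(saf_tree, hf_auth_flags_p, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(saf_tree, hf_auth_flags_t, tvb, offset, 1, ENC_NA);

        /* With the P bit set, the last byte of the auth data is the pad count */
        has_pad = auth_flags & MCAST_SAP_AUTH_BIT_P;
        if (has_pad) {
            pad_len = tvb_get_guint8(tvb, offset + auth_data_len - 1);
        }

        /* A pad count that swallows the whole auth data is bogus; stop rather
         * than compute a negative subheader length from attacker-controlled
         * values. */
        if ((int)auth_data_len - pad_len - 1 < 0) {
            expert_add_info_format(pinfo, sai, &ei_sap_bogus_authentication_or_pad_length,
                                   "Bogus authentication length (%d) or pad length (%d)",
                                   auth_len, pad_len);
            return;
        }

        proto_tree_add_item(sa_tree, hf_sap_auth_subheader, tvb, offset + 1,
                            auth_data_len - pad_len - 1, ENC_NA);
        if (has_pad) {
            proto_tree_add_item(sa_tree, hf_sap_auth_data_padding_len, tvb,
                                offset + auth_data_len - 1, 1, ENC_NA);
            proto_tree_add_item(sa_tree, hf_sap_auth_data_padding, tvb,
                                offset + auth_data_len - pad_len, pad_len, ENC_NA);
        }
        offset += auth_data_len;
    }

    /* Encrypted or compressed payloads are not decoded any further */
    if (is_enc || is_comp) {
        expert_field *mangle;

        if (is_enc && is_comp) {
            mangle = &ei_sap_compressed_and_encrypted;
        } else if (is_enc) {
            mangle = &ei_sap_encrypted;
        } else {
            mangle = &ei_sap_compressed;
        }
        proto_tree_add_expert(sap_tree, pinfo, mangle, tvb, offset, -1);
        return;
    }

    /* Do we have the optional payload type aka. MIME content specifier */
    if (tvb_strneql(tvb, offset, "v=", strlen("v="))) {
        gint    remaining_len;
        guint32 pt_len;
        int     pt_string_len;
        guint8 *pt_str;

        remaining_len = tvb_captured_length_remaining(tvb, offset);
        if (remaining_len == 0) {
            /*
             * "tvb_strneql()" failed because there was no data left in the
             * packet.  Set the remaining length to 1, so that we throw the
             * appropriate exception in "tvb_get_ptr()", rather than
             * displaying the payload type.
             */
            remaining_len = 1;
        }
        pt_string_len = tvb_strnlen(tvb, offset, remaining_len);
        if (pt_string_len == -1) {
            /* We didn't find a terminating '\0'; run to the end of the buffer. */
            pt_string_len = remaining_len;
            pt_len = pt_string_len;
        } else {
            /* Include the '\0' in the total item length. */
            pt_len = pt_string_len + 1;
        }
        pt_str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, pt_string_len, ENC_ASCII);
        proto_tree_add_string_format_value(sap_tree, hf_sap_payload_type, tvb, offset, pt_len,
                                           (const char *)pt_str, "%.*s", pt_string_len, pt_str);
        offset += pt_len;
    }

    /* Done with SAP; everything after the header is the SDP announcement */
    next_tvb = tvb_new_subset_remaining(tvb, offset);
    call_dissector(sdp_handle, next_tvb, pinfo, tree);
}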