static void dissect_msnms(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *msnms_tree; proto_item *ti; gint offset = 0; const guchar *line; gint next_offset; int linelen; /* int tokenlen; */ /* const guchar *next_token; */ col_set_str(pinfo->cinfo, COL_PROTOCOL, "MSNMS"); /* * Find the end of the first line. * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary. */ col_add_str(pinfo->cinfo, COL_INFO, format_text(line, linelen)); } if (tree) { ti = proto_tree_add_item(tree, proto_msnms, tvb, offset, -1, FALSE); msnms_tree = proto_item_add_subtree(ti, ett_msnms); /* * Show the rest of the packet as text, * a line at a time. */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_text(msnms_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } } }
static void dissect_rsh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *rsh_tree; proto_item *ti, *hidden_item; gint offset = 0; gint next_offset; int linelen; col_set_str(pinfo->cinfo, COL_PROTOCOL, "RSH"); if (check_col(pinfo->cinfo, COL_INFO)) { /* Put the first line from the buffer into the summary. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); linelen = next_offset - offset; /* include the line terminator */ /* * Make sure the line terminator isn't past the end of * the captured data in the packet, so we don't throw * an exception in the "tvb_get_ptr()" call. */ if (linelen > (int) tvb_length(tvb)) linelen = tvb_length(tvb); col_add_str(pinfo->cinfo, COL_INFO, tvb_format_text(tvb, offset, linelen)); } if (tree) { ti = proto_tree_add_item(tree, proto_rsh, tvb, offset, -1, FALSE); rsh_tree = proto_item_add_subtree(ti, ett_rsh); /* * Process the packet data, a line at a time. */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_text(rsh_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } if (pinfo->match_port == pinfo->destport) { hidden_item = proto_tree_add_boolean(rsh_tree, hf_rsh_request, tvb, 0, 0, 1); } else { hidden_item = proto_tree_add_boolean(rsh_tree, hf_rsh_response, tvb, 0, 0, 1); } PROTO_ITEM_SET_HIDDEN(hidden_item); } }
static int dissect_proxy_to_host(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { int offset = 0; gint next_offset; gint proxy_to_length; gchar *pmproxy_host_and_port_string; gchar **host_and_port; gchar *host; gchar *port; col_set_str(pinfo->cinfo, COL_INFO, "Proxy"); proxy_to_length = tvb_find_line_end(tvb, offset, tvb_ensure_captured_length_remaining(tvb, offset), &next_offset, FALSE); if(proxy_to_length != -1) { pmproxy_host_and_port_string = (gchar *) tvb_get_string_enc(wmem_packet_scope(), tvb, offset, proxy_to_length, ENC_ASCII); host_and_port = wmem_strsplit(wmem_packet_scope(), pmproxy_host_and_port_string, " ", -1); if(host_and_port != NULL) { host = host_and_port[0]; if (host) { proto_tree_add_string(tree, hf_pmproxy_host, tvb, offset, (guint32)strlen(host), host); offset += (int)strlen(host) + PMPROXY_HOST_AND_PORT_DELIMETER_LENGTH; port = host_and_port[1]; if (port) { proto_tree_add_string(tree, hf_pmproxy_port, tvb, offset, (guint32)strlen(port), port); } } else { port = NULL; } col_append_fstr(pinfo->cinfo, COL_INFO, " Host=%s, Port=%s", host ? host : "", port ? port : ""); } } return proxy_to_length; }
static void dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree) { gint next_offset; if (smtp_tree) { while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_item(smtp_tree, hf_smtp_message, tvb, offset, next_offset - offset, ENC_ASCII|ENC_NA); /* * Step to the next line. */ offset = next_offset; } } }
static void dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree) { gint next_offset; if (smtp_tree) { while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset, "Message: %s", tvb_format_text(tvb, offset, next_offset - offset)); /* * Step to the next line. */ offset = next_offset; } } }
static gboolean find_dir_tokens(tvbuff_t *tvb, gint name_start, gint *sel_start, gint *host_start, gint *port_start, gint *line_len, gint *next_offset) { gint remain; if (tvb_length_remaining(tvb, name_start) < MIN_DIR_LINE_LEN) return FALSE; if (! (sel_start && host_start && port_start && line_len && next_offset) ) return FALSE; *line_len = tvb_find_line_end(tvb, name_start, MAX_DIR_LINE_LEN, next_offset, FALSE); if (*line_len < MIN_DIR_LINE_LEN) return FALSE; remain = *line_len; *sel_start = tvb_find_guint8(tvb, name_start, remain, '\t') + 1; if (*sel_start < name_start + 1) return FALSE; remain -= *sel_start - name_start; *host_start = tvb_find_guint8(tvb, *sel_start, remain, '\t') + 1; if (*host_start < *sel_start + 1) return FALSE; remain -= *host_start - *sel_start; *port_start = tvb_find_guint8(tvb, *host_start, remain, '\t') + 1; if (*port_start < *host_start + 1) return FALSE; return TRUE; }
/* * Unless the first boundary, subsequent boundaries include a line-end sequence * before the dashed boundary string. * * Return the offset to the 1st byte of the boundary delimiter line. * Set boundary_line_len to the length of the entire boundary delimiter. * Set last_boundary to TRUE if we've seen the last-boundary delimiter. */ static gint find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary, gint boundary_len, gint *boundary_line_len, gboolean *last_boundary) { gint offset = start, next_offset, line_len, boundary_start; while (tvb_offset_exists(tvb, offset + 2 + boundary_len)) { line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (line_len == -1) { return -1; } boundary_start = offset + line_len; if (((tvb_strneql(tvb, next_offset, (const guint8 *)"--", 2) == 0) && (tvb_strneql(tvb, next_offset + 2, boundary, boundary_len) == 0))) { /* Boundary string; now check if last */ if ((tvb_reported_length_remaining(tvb, next_offset + 2 + boundary_len + 2) >= 0) && (tvb_strneql(tvb, next_offset + 2 + boundary_len, (const guint8 *)"--", 2) == 0)) { *last_boundary = TRUE; } else { *last_boundary = FALSE; } /* Look for line end of the boundary line */ line_len = tvb_find_line_end(tvb, next_offset, -1, &offset, FALSE); if (line_len == -1) { *boundary_line_len = -1; } else { *boundary_line_len = offset - boundary_start; } return boundary_start; /* check if last before CRLF; some ignore the standard, so there is no CRLF before the boundary */ } else if ((tvb_strneql(tvb, boundary_start - 2, (const guint8 *)"--", 2) == 0) && (tvb_strneql(tvb, boundary_start - (2 + boundary_len), boundary, boundary_len) == 0) && (tvb_strneql(tvb, boundary_start - (2 + boundary_len + 2), (const guint8 *)"--", 2) == 0)) { boundary_start -= 2 + boundary_len + 2; *boundary_line_len = next_offset - boundary_start; *last_boundary = TRUE; return boundary_start; } offset = next_offset; } return -1; }
static void dissect_jabber(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { gboolean is_request; proto_tree *jabber_tree = NULL; proto_item *ti, *hidden_item; gint offset = 0; const guchar *line; gint next_offset; int linelen; tvbuff_t *xmltvb; col_set_str(pinfo->cinfo, COL_PROTOCOL, "Jabber"); /* * Find the end of the first line. * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); if (pinfo->match_uint == pinfo->destport) is_request = TRUE; else is_request = FALSE; if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * (but leave out the line terminator). */ col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); } if (tree) { ti = proto_tree_add_item(tree, proto_jabber, tvb, offset, -1, FALSE); jabber_tree = proto_item_add_subtree(ti, ett_jabber); if (is_request) { hidden_item = proto_tree_add_boolean(jabber_tree, hf_jabber_request, tvb, 0, 0, TRUE); } else { hidden_item = proto_tree_add_boolean(jabber_tree, hf_jabber_response, tvb, 0, 0, TRUE); } PROTO_ITEM_SET_HIDDEN(hidden_item); } xmltvb = tvb_new_subset_remaining(tvb, offset); call_dissector(xml_handle, xmltvb, pinfo, jabber_tree); }
static void dissect_irc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *irc_tree, *ti; gint offset = 0; gint next_offset; int linelen; col_set_str(pinfo->cinfo, COL_PROTOCOL, "IRC"); if (check_col(pinfo->cinfo, COL_INFO)) { col_set_str(pinfo->cinfo, COL_INFO, (pinfo->match_uint == pinfo->destport) ? "Request" : "Response"); } if (tree) { ti = proto_tree_add_item(tree, proto_irc, tvb, 0, -1, ENC_NA); irc_tree = proto_item_add_subtree(ti, ett_irc); /* * Process the packet data, a line at a time. */ while (tvb_reported_length_remaining(tvb, offset) > 0) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (next_offset == offset) { /* * XXX - we really want the "show data a * line at a time" loops in various * dissectors to do reassembly and to * throw an exception if there's no * line ending in the current packet * and we're not doing reassembly. */ break; } if (linelen != 0) { if (pinfo->match_uint == pinfo->destport) { dissect_irc_request(irc_tree, tvb, pinfo, offset, linelen); } else { dissect_irc_response(irc_tree, tvb, pinfo, offset, linelen); } } offset = next_offset; } } }
/* This code is modeled on the code in packet-sip.c * ABNF code for the MSRP header: * The following syntax specification uses the augmented Backus-Naur * Form (BNF) as described in RFC-2234 [6]. * * * msrp-req-or-resp = msrp-request / msrp-response * msrp-request = req-start headers [content-stuff] end-line * msrp-response = resp-start headers end-line * * req-start = pMSRP SP transact-id SP method CRLF * resp-start = pMSRP SP transact-id SP status-code [SP phrase] CRLF * phrase = utf8text * * pMSRP = %x4D.53.52.50 ; MSRP in caps * transact-id = ident * method = mSEND / mREPORT / other-method * mSEND = %x53.45.4e.44 ; SEND in caps * mREPORT = %x52.45.50.4f.52.54; REPORT in caps * other-method = 1*UPALPHA * Examples: * "MSRP 1234 SEND(CRLF)" * "MSRP 1234 200 OK(CRLF) */ static gboolean check_msrp_header(tvbuff_t *tvb) { gint offset = 0; gint linelen; gint space_offset; gint next_offset = 0; guint token_1_len; gint token_2_start; /* * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" calls below won't throw exceptions. * */ offset = 0; if(tvb_length(tvb) < 4 || tvb_get_ntohl(tvb, 0) != 0x4d535250 /* MSRP */){ return FALSE; } linelen = tvb_find_line_end(tvb, 0, -1, &next_offset, FALSE); /* Find the first SP */ space_offset = tvb_find_guint8(tvb, 0, -1, ' '); if (space_offset <= 0) { /* * Either there's no space in the line (which means * the line is empty or doesn't have a token followed * by a space; neither is valid for a request or response), or * the first character in the line is a space ( which isn't valid * for a MSRP header.) */ return FALSE; } token_1_len = space_offset; token_2_start = space_offset + 1; space_offset = tvb_find_guint8(tvb, token_2_start, -1, ' '); if (space_offset == -1) { /* * There's no space after the second token, so we don't * have a third token. */ return FALSE; } /* * Is the first token "MSRP"? */ if (token_1_len == MSRP_HDR_LEN) { /* && tvb_strneql(tvb, 0, MSRP_HDR, MSRP_HDR_LEN) == 0){ */ /* This check can be made more strict but accept we do have MSRP for now */ return TRUE; } return FALSE; }
/* ---------------------------- */ static void dissect_nasdaq_soup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_item *ti; proto_tree *nasdaq_soup_tree = NULL; guint8 nasdaq_soup_type; int linelen; gint next_offset; int offset = 0; gint col_info; gint counter = 0; col_info = check_col(pinfo->cinfo, COL_INFO); while (tvb_offset_exists(tvb, offset)) { /* there's only a \n no \r */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, nasdaq_soup_desegment && pinfo->can_desegment); if (linelen == -1) { /* * We didn't find a line ending, and we're doing desegmentation; * tell the TCP dissector where the data for this message starts * in the data it handed us, and tell it we need one more byte * (we may need more, but we'll try again if what we get next * isn't enough), and return. */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return; } nasdaq_soup_type = tvb_get_guint8(tvb, offset); if (counter == 0) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "Nasdaq-SOUP"); if (col_info) col_clear(pinfo->cinfo, COL_INFO); } if (col_info ) { if (counter) { col_append_str(pinfo->cinfo, COL_INFO, "; "); col_set_fence(pinfo->cinfo, COL_INFO); } col_append_str(pinfo->cinfo, COL_INFO, val_to_str(nasdaq_soup_type, message_types_val, "Unknown packet type (0x%02x)")); } counter++; if (tree) { ti = proto_tree_add_item(tree, proto_nasdaq_soup, tvb, offset, linelen +1, ENC_NA); nasdaq_soup_tree = proto_item_add_subtree(ti, ett_nasdaq_soup); } dissect_nasdaq_soup_packet(tvb, pinfo, tree, nasdaq_soup_tree, offset, linelen); offset = next_offset; } }
/* * Unless the first boundary, subsequent boundaries include a line-end sequence * before the dashed boundary string. * * Return the offset to the 1st byte of the boundary delimiter line. * Set boundary_line_len to the length of the entire boundary delimiter. * Set last_boundary to TRUE if we've seen the last-boundary delimiter. */ static gint find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary, gint boundary_len, gint *boundary_line_len, gboolean *last_boundary) { gint offset = start, next_offset, line_len, boundary_start; while (tvb_length_remaining(tvb, offset + 2 + boundary_len) > 0) { line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (line_len == -1) { return -1; } boundary_start = offset + line_len; if (((tvb_strneql(tvb, next_offset, (const guint8 *)"--", 2) == 0) && (tvb_strneql(tvb, next_offset + 2, boundary, boundary_len) == 0))) { /* Boundary string; now check if last */ if ((tvb_length_remaining(tvb, next_offset + 2 + boundary_len + 2) >= 0) && (tvb_strneql(tvb, next_offset + 2 + boundary_len, (const guint8 *)"--", 2) == 0)) { *last_boundary = TRUE; } else { *last_boundary = FALSE; } /* Look for line end of the boundary line */ line_len = tvb_find_line_end(tvb, next_offset, -1, &offset, FALSE); if (line_len == -1) { *boundary_line_len = -1; } else { *boundary_line_len = offset - boundary_start; } return boundary_start; } offset = next_offset; } return -1; }
/* * Display the entire message as raw text. */ static void tvb_raw_text_add(tvbuff_t *tvb, proto_tree *tree) { int offset, next_offset, linelen; offset = 0; while (tvb_offset_exists(tvb, offset)) { /* 'desegment' is FALSE so will set next_offset to beyond the end of the buffer if no line ending is found */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); linelen = next_offset - offset; if(tree) { proto_tree_add_text(tree, tvb, offset, linelen, "%s", tvb_format_text(tvb, offset, linelen)); } offset = next_offset; } }
/* ABNF of line-end: * end-line = "-------" transact-id continuation-flag CRLF * This code is modeled on the code in packet-multipart.c */ static int find_end_line(tvbuff_t *tvb, gint start) { gint offset = start, next_offset, linelen; while (tvb_length_remaining(tvb, offset) > 0) { /* 'desegment' is FALSE so will set next_offset to beyond the end of the buffer if no line ending is found */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (linelen == -1) { return -1; } if (tvb_strneql(tvb, next_offset, (const gchar *)"-------", 7) == 0) return next_offset; offset = next_offset; } return -1; }
static void dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { struct smtp_proto_data *spd_frame_data; proto_tree *smtp_tree = NULL; proto_tree *cmdresp_tree; proto_item *ti, *hidden_item; int offset = 0; int request = 0; conversation_t *conversation; struct smtp_session_state *session_state; const guchar *line, *linep, *lineend; guint32 code; int linelen = 0; gint length_remaining; gboolean eom_seen = FALSE; gint next_offset; gint loffset = 0; int cmdlen; fragment_data *frag_msg = NULL; tvbuff_t *next_tvb; /* As there is no guarantee that we will only see frames in the * the SMTP conversation once, and that we will see them in * order - in Wireshark, the user could randomly click on frames * in the conversation in any order in which they choose - we * have to store information with each frame indicating whether * it contains commands or data or an EOM indication. * * XXX - what about frames that contain *both*? TCP is a * byte-stream protocol, and there are no guarantees that * TCP segment boundaries will correspond to SMTP commands * or EOM indications. * * We only need that for the client->server stream; responses * are easy to manage. * * If we have per frame data, use that, else, we must be on the first * pass, so we figure it out on the first pass. */ /* * Find or create the conversation for this. */ conversation = find_or_create_conversation(pinfo); /* * Is there a request structure attached to this conversation? */ session_state = conversation_get_proto_data(conversation, proto_smtp); if (!session_state) { /* * No - create one and attach it. */ session_state = se_alloc(sizeof(struct smtp_session_state)); session_state->smtp_state = SMTP_STATE_READING_CMDS; session_state->crlf_seen = FALSE; session_state->data_seen = FALSE; session_state->msg_read_len = 0; session_state->msg_tot_len = 0; session_state->msg_last = TRUE; session_state->last_nontls_frame = 0; conversation_add_proto_data(conversation, proto_smtp, session_state); } /* Are we doing TLS? * FIXME In my understanding of RFC 2487 client and server can send SMTP cmds * after a rejected TLS negotiation */ if (session_state->last_nontls_frame != 0 && pinfo->fd->num > session_state->last_nontls_frame) { guint16 save_can_desegment; guint32 save_last_nontls_frame; /* This is TLS, not raw SMTP. TLS can desegment */ save_can_desegment = pinfo->can_desegment; pinfo->can_desegment = pinfo->saved_can_desegment; /* Make sure the SSL dissector will not be called again after decryption */ save_last_nontls_frame = session_state->last_nontls_frame; session_state->last_nontls_frame = 0; call_dissector(ssl_handle, tvb, pinfo, tree); pinfo->can_desegment = save_can_desegment; session_state->last_nontls_frame = save_last_nontls_frame; return; } /* Is this a request or a response? */ request = pinfo->destport == pinfo->match_uint; /* * Is there any data attached to this frame? */ spd_frame_data = p_get_proto_data(pinfo->fd, proto_smtp); if (!spd_frame_data) { /* * No frame data. */ if(request) { /* * Create a frame data structure and attach it to the packet. */ spd_frame_data = se_alloc0(sizeof(struct smtp_proto_data)); spd_frame_data->conversation_id = conversation->index; spd_frame_data->more_frags = TRUE; p_add_proto_data(pinfo->fd, proto_smtp, spd_frame_data); } /* * Get the first line from the buffer. * * Note that "tvb_find_line_end()" will, if it doesn't return * -1, return a value that is not longer than what's in the buffer, * and "tvb_find_line_end()" will always return a value that is not * longer than what's in the buffer, so the "tvb_get_ptr()" call * won't throw an exception. */ loffset = offset; while (tvb_offset_exists(tvb, loffset)) { linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, smtp_desegment && pinfo->can_desegment); if (linelen == -1) { if (offset == loffset) { /* * We didn't find a line ending, and we're doing desegmentation; * tell the TCP dissector where the data for this message starts * in the data it handed us, and tell it we need more bytes */ pinfo->desegment_offset = loffset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return; } else { linelen = tvb_length_remaining(tvb, loffset); next_offset = loffset + linelen; } } line = tvb_get_ptr(tvb, loffset, linelen); /* * Check whether or not this packet is an end of message packet * We should look for CRLF.CRLF and they may be split. * We have to keep in mind that we may see what we want on * two passes through here ... */ if (session_state->smtp_state == SMTP_STATE_READING_DATA) { /* * The order of these is important ... We want to avoid * cases where there is a CRLF at the end of a packet and a * .CRLF at the begining of the same packet. */ if ((session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) || tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) eom_seen = TRUE; length_remaining = tvb_length_remaining(tvb, loffset); if (length_remaining == tvb_reported_length_remaining(tvb, loffset) && tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) session_state->crlf_seen = TRUE; else session_state->crlf_seen = FALSE; } /* * OK, Check if we have seen a DATA request. We do it here for * simplicity, but we have to be careful below. */ if (request) { if (session_state->smtp_state == SMTP_STATE_READING_DATA) { /* * This is message data. */ if (eom_seen) { /* Seen the EOM */ /* * EOM. * Everything that comes after it is commands. */ spd_frame_data->pdu_type = SMTP_PDU_EOM; session_state->smtp_state = SMTP_STATE_READING_CMDS; break; } else { /* * Message data with no EOM. */ spd_frame_data->pdu_type = SMTP_PDU_MESSAGE; if (session_state->msg_tot_len > 0) { /* * We are handling a BDAT message. * Check if we have reached end of the data chunk. */ session_state->msg_read_len += tvb_length_remaining(tvb, loffset); if (session_state->msg_read_len == session_state->msg_tot_len) { /* * We have reached end of BDAT data chunk. * Everything that comes after this is commands. */ session_state->smtp_state = SMTP_STATE_READING_CMDS; if (session_state->msg_last) { /* * We have found the LAST data chunk. * The message can now be reassembled. */ spd_frame_data->more_frags = FALSE; } break; /* no need to go through the remaining lines */ } } } } else { /* * This is commands - unless the capture started in the * middle of a session, and we're in the middle of data. * * Commands are not necessarily 4 characters; look * for a space or the end of the line to see where * the putative command ends. */ linep = line; lineend = line + linelen; while (linep < lineend && *linep != ' ') linep++; cmdlen = (int)(linep - line); if (line_is_smtp_command(line, cmdlen)) { if (g_ascii_strncasecmp(line, "DATA", 4) == 0) { /* * DATA command. * This is a command, but everything that comes after it, * until an EOM, is data. */ spd_frame_data->pdu_type = SMTP_PDU_CMD; session_state->smtp_state = SMTP_STATE_READING_DATA; session_state->data_seen = TRUE; } else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) { /* * BDAT command. * This is a command, but everything that comes after it, * until given length is received, is data. */ guint32 msg_len; msg_len = strtoul (line+5, NULL, 10); spd_frame_data->pdu_type = SMTP_PDU_CMD; session_state->data_seen = TRUE; session_state->msg_tot_len += msg_len; if (msg_len == 0) { /* No data to read, next will be a command */ session_state->smtp_state = SMTP_STATE_READING_CMDS; } else { session_state->smtp_state = SMTP_STATE_READING_DATA; } if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) { /* * This is the last data chunk. */ session_state->msg_last = TRUE; if (msg_len == 0) { /* * No more data to expect. * The message can now be reassembled. */ spd_frame_data->more_frags = FALSE; } } else { session_state->msg_last = FALSE; } } else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) { /* * STARTTLS command. * This is a command, but if the response is 220, * everything after the response is TLS. */ session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE; spd_frame_data->pdu_type = SMTP_PDU_CMD; } else { /* * Regular command. */ spd_frame_data->pdu_type = SMTP_PDU_CMD; } } else { /* * Assume it's message data. */ spd_frame_data->pdu_type = session_state->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD; } } } /* * Step past this line. */ loffset = next_offset; } } /* * From here, we simply add items to the tree and info to the info * fields ... */ col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP"); if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */ col_clear(pinfo->cinfo, COL_INFO); /* * If it is a request, we have to look things up, otherwise, just * display the right things */ if (request) { /* We must have frame_data here ... */ switch (spd_frame_data->pdu_type) { case SMTP_PDU_MESSAGE: length_remaining = tvb_length_remaining(tvb, offset); col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body"); col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining, plurality (length_remaining, "", "s")); break; case SMTP_PDU_EOM: col_set_str(pinfo->cinfo, COL_INFO, "C: ."); break; case SMTP_PDU_CMD: loffset = offset; while (tvb_offset_exists(tvb, loffset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, loffset, linelen); if(loffset == offset) col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s", format_text(line, linelen)); else { col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", format_text(line, linelen)); } loffset = next_offset; } break; } } else { loffset = offset; while (tvb_offset_exists(tvb, loffset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, loffset, linelen); if (loffset == offset) col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s", format_text(line, linelen)); else { col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", format_text(line, linelen)); } loffset = next_offset; } } } if (tree) { /* Build the tree info ... */ ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA); smtp_tree = proto_item_add_subtree(ti, ett_smtp); } if (request) { /* * Check out whether or not we can see a command in there ... * What we are looking for is not data_seen and the word DATA * and not eom_seen. * * We will see DATA and session_state->data_seen when we process the * tree view after we have seen a DATA packet when processing * the packet list pane. * * On the first pass, we will not have any info on the packets * On second and subsequent passes, we will. */ switch (spd_frame_data->pdu_type) { case SMTP_PDU_MESSAGE: if (smtp_data_desegment) { frag_msg = fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id, smtp_data_segment_table, smtp_data_reassembled_table, tvb_length(tvb), spd_frame_data->more_frags); } else { /* * Message body. * Put its lines into the protocol tree, a line at a time. */ dissect_smtp_data(tvb, offset, smtp_tree); } break; case SMTP_PDU_EOM: /* * End-of-message-body indicator. * * XXX - what about stuff after the first line? * Unlikely, as the client should wait for a response to the * DATA command this terminates before sending another * request, but we should probably handle it. */ proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: ."); if (smtp_data_desegment) { /* add final data segment */ if (loffset) fragment_add_seq_next(tvb, 0, pinfo, spd_frame_data->conversation_id, smtp_data_segment_table, smtp_data_reassembled_table, loffset, spd_frame_data->more_frags); /* terminate the desegmentation */ frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table, smtp_data_reassembled_table); } break; case SMTP_PDU_CMD: /* * Command. * * XXX - what about stuff after the first line? * Unlikely, as the client should wait for a response to the * previous command before sending another request, but we * should probably handle it. */ loffset = offset; while (tvb_offset_exists(tvb, loffset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); if (linelen >= 4) cmdlen = 4; else cmdlen = linelen; hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb, 0, 0, TRUE); PROTO_ITEM_SET_HIDDEN(hidden_item); /* * Put the command line into the protocol tree. */ ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, loffset, next_offset - loffset, ENC_ASCII|ENC_NA); cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb, loffset, cmdlen, ENC_ASCII|ENC_NA); if (linelen > 5) { proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, loffset + 5, linelen - 5, ENC_ASCII|ENC_NA); } if (smtp_data_desegment && !spd_frame_data->more_frags) { /* terminate the desegmentation */ frag_msg = fragment_end_seq_next (pinfo, spd_frame_data->conversation_id, smtp_data_segment_table, smtp_data_reassembled_table); } /* * Step past this line. */ loffset = next_offset; } } if (smtp_data_desegment) { next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP", frag_msg, &smtp_data_frag_items, NULL, smtp_tree); if (next_tvb) { /* XXX: this is presumptious - we may have negotiated something else */ if (imf_handle) { call_dissector(imf_handle, next_tvb, pinfo, tree); } else { /* * Message body. * Put its lines into the protocol tree, a line at a time. */ dissect_smtp_data(tvb, offset, smtp_tree); } pinfo->fragmented = FALSE; } else { pinfo->fragmented = TRUE; } } } else { /* * Process the response, a line at a time, until we hit a line * that doesn't have a continuation indication on it. */ if (tree) { hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb, 0, 0, TRUE); PROTO_ITEM_SET_HIDDEN(hidden_item); } while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (tree) { /* * Put it into the protocol tree. */ ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb, offset, next_offset - offset, ENC_ASCII|ENC_NA); cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); } else cmdresp_tree = NULL; line = tvb_get_ptr(tvb, offset, linelen); if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1]) && isdigit(line[2])) { /* * We have a 3-digit response code. */ code = (line[0] - '0')*100 + (line[1] - '0')*10 + (line[2] - '0'); /* * If we're awaiting the response to a STARTTLS code, this * is it - if it's 220, all subsequent traffic will * be TLS, otherwise we're back to boring old SMTP. */ if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) { if (code == 220) { /* This is the last non-TLS frame. */ session_state->last_nontls_frame = pinfo->fd->num; } session_state->smtp_state = SMTP_STATE_READING_CMDS; } if (tree) { /* * Put the response code and parameters into the protocol tree. */ proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3, code); if (linelen >= 4) { proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb, offset + 4, linelen - 4, ENC_ASCII|ENC_NA); } } } /* * Step past this line. */ offset = next_offset; } } }
static void dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { struct pop_proto_data *frame_data_p; gboolean is_request; gboolean is_continuation; proto_tree *pop_tree, *reqresp_tree; proto_item *ti; gint offset = 0; const guchar *line; gint next_offset; int linelen; int tokenlen; const guchar *next_token; fragment_data *frag_msg = NULL; tvbuff_t *next_tvb = NULL; conversation_t *conversation = NULL; struct pop_data_val *data_val = NULL; gint length_remaining; col_set_str(pinfo->cinfo, COL_PROTOCOL, "POP"); /* * Find the end of the first line. * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); if (pinfo->match_port == pinfo->destport) { is_request = TRUE; is_continuation = FALSE; } else { is_request = FALSE; is_continuation = response_is_continuation(line); } frame_data_p = p_get_proto_data(pinfo->fd, proto_pop); if (!frame_data_p) { conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0); if (conversation == NULL) { /* No conversation, create one */ conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0); } data_val = conversation_get_proto_data(conversation, proto_pop); if (!data_val) { /* * No - create one and attach it. */ data_val = se_alloc0(sizeof(struct pop_data_val)); conversation_add_proto_data(conversation, proto_pop, data_val); } } if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * if it's a POP request or reply (but leave out the * line terminator). * Otherwise, just call it a continuation. */ if (is_continuation) { length_remaining = tvb_length_remaining(tvb, offset); col_add_fstr(pinfo->cinfo, COL_INFO, "S: DATA fragment, %d byte%s", length_remaining, plurality (length_remaining, "", "s")); } else col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "C" : "S", format_text(line, linelen)); } ti = proto_tree_add_item(tree, proto_pop, tvb, offset, -1, FALSE); pop_tree = proto_item_add_subtree(ti, ett_pop); if (is_continuation) { if (pop_data_desegment) { if (!frame_data_p) { data_val->msg_read_len += tvb_length(tvb); frame_data_p = se_alloc(sizeof(struct pop_proto_data)); frame_data_p->conversation_id = conversation->index; frame_data_p->more_frags = data_val->msg_read_len < data_val->msg_tot_len; p_add_proto_data(pinfo->fd, proto_pop, frame_data_p); } frag_msg = fragment_add_seq_next(tvb, 0, pinfo, frame_data_p->conversation_id, pop_data_segment_table, pop_data_reassembled_table, tvb_length(tvb), frame_data_p->more_frags); next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled DATA", frag_msg, &pop_data_frag_items, NULL, pop_tree); if (next_tvb) { if (imf_handle) call_dissector(imf_handle, next_tvb, pinfo, tree); if (data_val) { /* we have read everything - reset */ data_val->msg_read_len = 0; data_val->msg_tot_len = 0; } pinfo->fragmented = FALSE; } else { pinfo->fragmented = TRUE; } } else { /* * Put the whole packet into the tree as data. */ call_dissector(data_handle,tvb, pinfo, pop_tree); } return; } /* * Put the line into the protocol tree. */ ti = proto_tree_add_string_format(pop_tree, (is_request) ? hf_pop_request : hf_pop_response, tvb, offset, next_offset - offset, "", "%s", tvb_format_text(tvb, offset, next_offset - offset)); reqresp_tree = proto_item_add_subtree(ti, ett_pop_reqresp); /* * Extract the first token, and, if there is a first * token, add it as the request or reply code. */ tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_pop_request_command : hf_pop_response_indicator, tvb, offset, tokenlen, FALSE); if (data_val) { if (is_request) { /* see if this is RETR or TOP command */ if (g_ascii_strncasecmp(line, "RETR", 4) == 0 || g_ascii_strncasecmp(line, "TOP", 3) == 0) /* the next response will tell us how many bytes */ data_val->msg_request = TRUE; } else { if (data_val->msg_request) { /* this is a response to a RETR or TOP command */ if (g_ascii_strncasecmp(line, "+OK ", 4) == 0) { /* the message will be sent - work out how many bytes */ data_val->msg_read_len = 0; data_val->msg_tot_len = atoi(line + 4); } data_val->msg_request = FALSE; } } } offset += (gint) (next_token - line); linelen -= (int) (next_token - line); } if (tree) { /* * Add the rest of the first line as request or * reply param/description. */ if (linelen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_pop_request_parameter : hf_pop_response_description, tvb, offset, linelen, FALSE); } offset = next_offset; /* * Show the rest of the request or response as text, * a line at a time. */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_string_format(pop_tree, (is_request) ? hf_pop_request_data : hf_pop_response_data, tvb, offset, next_offset - offset, "", "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } } }
static void dissect_icap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *icap_tree = NULL; proto_item *ti = NULL; proto_item *hidden_item; gint offset = 0; const guchar *line; gint next_offset; const guchar *linep, *lineend; int linelen; guchar c; icap_type_t icap_type; int datalen; col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICAP"); /* * Put the first line from the buffer into the summary * if it's an ICAP header (but leave out the * line terminator). * Otherwise, just call it a continuation. * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); icap_type = ICAP_OTHER; /* type not known yet */ if (is_icap_message(line, linelen, &icap_type)) col_add_str(pinfo->cinfo, COL_INFO, format_text(line, linelen)); else col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); if (tree) { ti = proto_tree_add_item(tree, proto_icap, tvb, offset, -1, ENC_NA); icap_tree = proto_item_add_subtree(ti, ett_icap); } /* * Process the packet data, a line at a time. */ icap_type = ICAP_OTHER; /* type not known yet */ while (tvb_offset_exists(tvb, offset)) { gboolean is_icap = FALSE; gboolean loop_done = FALSE; /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Get a buffer that refers to the line. */ line = tvb_get_ptr(tvb, offset, linelen); lineend = line + linelen; /* * find header format */ if (is_icap_message(line, linelen, &icap_type)) { goto is_icap_header; } /* * if it looks like a blank line, end of header perhaps? */ if (linelen == 0) { goto is_icap_header; } /* * No. Does it look like a header? */ linep = line; loop_done = FALSE; while (linep < lineend && (!loop_done)) { c = *linep++; /* * This must be a CHAR to be part of a token; that * means it must be ASCII. */ if (!isascii(c)) { is_icap = FALSE; break; /* not ASCII, thus not a CHAR */ } /* * This mustn't be a CTL to be part of a token. * * XXX - what about leading LWS on continuation * lines of a header? */ if (iscntrl(c)) { is_icap = FALSE; break; /* CTL, not part of a header */ } switch (c) { case '(': case ')': case '<': case '>': case '@': case ',': case ';': case '\\': case '"': case '/': case '[': case ']': case '?': case '=': case '{': case '}': /* * It's a separator, so it's not part of a * token, so it's not a field name for the * beginning of a header. * * (We don't have to check for HT; that's * already been ruled out by "iscntrl()".) * * XXX - what about ' '? HTTP's checks * check for that. */ is_icap = FALSE; loop_done = TRUE; break; case ':': /* * This ends the token; we consider this * to be a header. */ goto is_icap_header; } } /* * We don't consider this part of an ICAP message, * so we don't display it. * (Yeah, that means we don't display, say, a text/icap * page, but you can get that from the data pane.) */ if (!is_icap) break; is_icap_header: if (tree) { proto_tree_add_text(icap_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset) ); } offset = next_offset; } if (tree) { switch (icap_type) { case ICAP_OPTIONS: hidden_item = proto_tree_add_boolean(icap_tree, hf_icap_options, tvb, 0, 0, 1); PROTO_ITEM_SET_HIDDEN(hidden_item); break; case ICAP_REQMOD: hidden_item = proto_tree_add_boolean(icap_tree, hf_icap_reqmod, tvb, 0, 0, 1); PROTO_ITEM_SET_HIDDEN(hidden_item); break; case ICAP_RESPMOD: hidden_item = proto_tree_add_boolean(icap_tree, hf_icap_respmod, tvb, 0, 0, 1); PROTO_ITEM_SET_HIDDEN(hidden_item); break; case ICAP_RESPONSE: hidden_item = proto_tree_add_boolean(icap_tree, hf_icap_response, tvb, 0, 0, 1); PROTO_ITEM_SET_HIDDEN(hidden_item); break; case ICAP_OTHER: default: break; } } datalen = tvb_length_remaining(tvb, offset); if (datalen > 0) { call_dissector(data_handle, tvb_new_subset_remaining(tvb, offset), pinfo, icap_tree); } }
/* Transfers happen in response to broadcasts, they are always TCP and are * used to send the file to the port mentioned in the broadcast. There are * 2 types of transfers: Pushes, which are direct responses to searches, * in which the peer that has the file connects to the peer that doesn't and * sends it, then disconnects. The other type of transfer is a pull, where * the peer that doesn't have the file connects to the peer that does and * requests it be sent. * * Pulls have a file request which identifies the desired file, * while pushes simply send the file. In practice this works because every * file the implementation sends searches for is on a different TCP port * on the searcher's machine. */ static int dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) { conversation_t *transfer_conv; ldss_transfer_info_t *transfer_info; struct tcpinfo *transfer_tcpinfo; proto_tree *ti, *line_tree = NULL, *ldss_tree = NULL; nstime_t broadcast_response_time; /* Reject the packet if data is NULL */ if (data == NULL) return 0; transfer_tcpinfo = (struct tcpinfo *)data; col_set_str(pinfo->cinfo, COL_PROTOCOL, "LDSS"); /* Look for the transfer conversation; this was created during * earlier broadcast dissection (see prepare_ldss_transfer_conv) */ transfer_conv = find_conversation (pinfo->num, &pinfo->src, &pinfo->dst, PT_TCP, pinfo->srcport, pinfo->destport, 0); transfer_info = (ldss_transfer_info_t *)conversation_get_proto_data(transfer_conv, proto_ldss); /* For a pull, the first packet in the TCP connection is the file request. * First packet is identified by relative seq/ack numbers of 1. * File request only appears on a pull (triggered by an offer - see above * about broadcasts) */ if (transfer_tcpinfo->seq == 1 && transfer_tcpinfo->lastackseq == 1 && transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND) { /* LDSS pull transfers look a lot like HTTP. * Sample request: * md5:01234567890123... * Size: 2550 * Start: 0 * Compression: 0 * (remote end sends the file identified by the digest) */ guint offset = 0; gboolean already_dissected = TRUE; col_set_str(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Requesting file - pull)"); if (highest_num_seen == 0 || highest_num_seen < pinfo->num) { already_dissected = FALSE; transfer_info->req = wmem_new0(wmem_file_scope(), ldss_file_request_t); transfer_info->req->file = wmem_new0(wmem_file_scope(), ldss_file_t); highest_num_seen = pinfo->num; } if (tree) { ti = proto_tree_add_item(tree, proto_ldss, tvb, 0, tvb_reported_length(tvb), ENC_NA); ldss_tree = proto_item_add_subtree(ti, ett_ldss_transfer); } /* Populate digest data into the file struct in the request */ transfer_info->file = transfer_info->req->file; /* Grab each line from the packet, there should be 4 but lets * not walk off the end looking for more. */ while (tvb_offset_exists(tvb, offset)) { gint next_offset; const guint8 *line; int linelen; gboolean is_digest_line; guint digest_type_len; linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* Include new-line in line */ line = (guint8 *)tvb_memdup(NULL, tvb, offset, linelen+1); /* XXX - memory leak? */ line_tree = proto_tree_add_subtree(ldss_tree, tvb, offset, linelen, ett_ldss_transfer_req, NULL, tvb_format_text(tvb, offset, next_offset-offset)); /* Reduce code duplication processing digest lines. * There are too many locals to pass to a function - the signature * looked pretty ugly when I tried! */ is_digest_line = FALSE; if (strncmp(line,"md5:",4)==0) { is_digest_line = TRUE; digest_type_len = 4; transfer_info->file->digest_type = DIGEST_TYPE_MD5; } else if (strncmp(line, "sha1:", 5)==0) { is_digest_line = TRUE; digest_type_len = 5; transfer_info->file->digest_type = DIGEST_TYPE_SHA1; } else if (strncmp(line, "sha256:", 7)==0) { is_digest_line = TRUE; digest_type_len = 7; transfer_info->file->digest_type = DIGEST_TYPE_SHA256; } else if (strncmp(line, "unknown:", 8)==0) { is_digest_line = TRUE; digest_type_len = 8; transfer_info->file->digest_type = DIGEST_TYPE_UNKNOWN; } else if (strncmp(line, "Size: ", 6)==0) { /* Sample size line: * Size: 2550\n */ transfer_info->req->size = g_ascii_strtoull(line+6, NULL, 10); if (tree) { ti = proto_tree_add_uint64(line_tree, hf_ldss_size, tvb, offset+6, linelen-6, transfer_info->req->size); PROTO_ITEM_SET_GENERATED(ti); } } else if (strncmp(line, "Start: ", 7)==0) { /* Sample offset line: * Start: 0\n */ transfer_info->req->offset = g_ascii_strtoull(line+7, NULL, 10); if (tree) { ti = proto_tree_add_uint64(line_tree, hf_ldss_offset, tvb, offset+7, linelen-7, transfer_info->req->offset); PROTO_ITEM_SET_GENERATED(ti); } } else if (strncmp(line, "Compression: ", 13)==0) { /* Sample compression line: * Compression: 0\n */ transfer_info->req->compression = (gint8)strtol(line+13, NULL, 10); /* XXX - bad cast */ if (tree) { ti = proto_tree_add_uint(line_tree, hf_ldss_compression, tvb, offset+13, linelen-13, transfer_info->req->compression); PROTO_ITEM_SET_GENERATED(ti); } } else { proto_tree_add_expert(line_tree, pinfo, &ei_ldss_unrecognized_line, tvb, offset, linelen); } if (is_digest_line) { /* Sample digest-type/digest line: * md5:0123456789ABCDEF\n */ if (!already_dissected) { GByteArray *digest_bytes; digest_bytes = g_byte_array_new(); hex_str_to_bytes( tvb_get_ptr(tvb, offset+digest_type_len, linelen-digest_type_len), digest_bytes, FALSE); if(digest_bytes->len >= DIGEST_LEN) digest_bytes->len = (DIGEST_LEN-1); /* Ensure the digest is zero-padded */ transfer_info->file->digest = (guint8 *)wmem_alloc0(wmem_file_scope(), DIGEST_LEN); memcpy(transfer_info->file->digest, digest_bytes->data, digest_bytes->len); g_byte_array_free(digest_bytes, TRUE); } if (tree) { proto_item *tii = NULL; tii = proto_tree_add_uint(line_tree, hf_ldss_digest_type, tvb, offset, digest_type_len, transfer_info->file->digest_type); PROTO_ITEM_SET_GENERATED(tii); tii = proto_tree_add_bytes(line_tree, hf_ldss_digest, tvb, offset+digest_type_len, MIN(linelen-digest_type_len, DIGEST_LEN), transfer_info->file->digest); PROTO_ITEM_SET_GENERATED(tii); } } offset = next_offset; } /* Link forwards to the response for this pull. */ if (tree && transfer_info->resp_num != 0) { ti = proto_tree_add_uint(ldss_tree, hf_ldss_response_in, tvb, 0, 0, transfer_info->resp_num); PROTO_ITEM_SET_GENERATED(ti); } transfer_info->req->num = pinfo->num; transfer_info->req->ts = pinfo->abs_ts; } /* Remaining packets are the file response */ else { guint64 size; guint64 offset; guint8 compression; /* size, digest, compression come from the file request for a pull but * they come from the broadcast for a push. Pushes don't bother * with a file request - they just send the data. We have to get file * info from the offer broadcast which triggered this transfer. * If we cannot find the file request, default to the broadcast. */ if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND && transfer_info->req != NULL) { transfer_info->file = transfer_info->req->file; size = transfer_info->req->size; offset = transfer_info->req->offset; compression = transfer_info->req->compression; } else { transfer_info->file = transfer_info->broadcast->file; size = transfer_info->broadcast->size; offset = transfer_info->broadcast->offset; compression = transfer_info->broadcast->compression; } /* Remaining data in this TCP connection is all file data. * Always desegment if the size is 0 (ie. unknown) */ if (pinfo->can_desegment) { if (size == 0 || tvb_captured_length(tvb) < size) { pinfo->desegment_offset = 0; pinfo->desegment_len = DESEGMENT_UNTIL_FIN; return 0; } } /* OK. Now we have the whole file that was transferred. */ transfer_info->resp_num = pinfo->num; transfer_info->resp_ts = pinfo->abs_ts; col_add_fstr(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Sending file - %s)", transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND ? "pull" : "push"); if (tree) { ti = proto_tree_add_item(tree, proto_ldss, tvb, 0, tvb_reported_length(tvb), ENC_NA); ldss_tree = proto_item_add_subtree(ti, ett_ldss_transfer); proto_tree_add_bytes_format(ldss_tree, hf_ldss_file_data, tvb, 0, tvb_captured_length(tvb), NULL, compression == COMPRESSION_GZIP ? "Gzip compressed data: %d bytes" : "File data: %d bytes", tvb_captured_length(tvb)); #ifdef HAVE_ZLIB /* Be nice and uncompress the file data. */ if (compression == COMPRESSION_GZIP) { tvbuff_t *uncomp_tvb; uncomp_tvb = tvb_child_uncompress(tvb, tvb, 0, tvb_captured_length(tvb)); if (uncomp_tvb != NULL) { /* XXX: Maybe not a good idea to add a data_source for what may very well be a large buffer since then the full uncompressed buffer will be shown in a tab in the hex bytes pane ? However, if we don't, bytes in an unrelated tab will be highlighted. */ add_new_data_source(pinfo, uncomp_tvb, "Uncompressed Data"); proto_tree_add_bytes_format_value(ldss_tree, hf_ldss_file_data, uncomp_tvb, 0, tvb_captured_length(uncomp_tvb), NULL, "Uncompressed data: %d bytes", tvb_captured_length(uncomp_tvb)); } } #endif ti = proto_tree_add_uint(ldss_tree, hf_ldss_digest_type, tvb, 0, 0, transfer_info->file->digest_type); PROTO_ITEM_SET_GENERATED(ti); if (transfer_info->file->digest != NULL) { /* This is ugly. You can't add bytes of nonzero length and have * filtering work correctly unless you give a valid location in * the packet. This hack pretends the first 32 bytes of the packet * are the digest, which they aren't: they're actually the first 32 * bytes of the file that was sent. */ ti = proto_tree_add_bytes(ldss_tree, hf_ldss_digest, tvb, 0, DIGEST_LEN, transfer_info->file->digest); } PROTO_ITEM_SET_GENERATED(ti); ti = proto_tree_add_uint64(ldss_tree, hf_ldss_size, tvb, 0, 0, size); PROTO_ITEM_SET_GENERATED(ti); ti = proto_tree_add_uint64(ldss_tree, hf_ldss_offset, tvb, 0, 0, offset); PROTO_ITEM_SET_GENERATED(ti); ti = proto_tree_add_uint(ldss_tree, hf_ldss_compression, tvb, 0, 0, compression); PROTO_ITEM_SET_GENERATED(ti); /* Link to the request for a pull. */ if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND && transfer_info->req != NULL && transfer_info->req->num != 0) { ti = proto_tree_add_uint(ldss_tree, hf_ldss_response_to, tvb, 0, 0, transfer_info->req->num); PROTO_ITEM_SET_GENERATED(ti); } } } /* Print the pull response time */ if (transfer_info->broadcast->message_id == MESSAGE_ID_WILLSEND && transfer_info->req != NULL && transfer_info->resp_num != 0) { nstime_t pull_response_time; nstime_delta(&pull_response_time, &transfer_info->resp_ts, &transfer_info->req->ts); ti = proto_tree_add_time(ldss_tree, hf_ldss_transfer_response_time, tvb, 0, 0, &pull_response_time); PROTO_ITEM_SET_GENERATED(ti); } /* Link the transfer back to the initiating broadcast. Response time is * calculated as the time from broadcast to completed transfer. */ ti = proto_tree_add_uint(ldss_tree, hf_ldss_initiated_by, tvb, 0, 0, transfer_info->broadcast->num); PROTO_ITEM_SET_GENERATED(ti); if (transfer_info->resp_num != 0) { nstime_delta(&broadcast_response_time, &transfer_info->resp_ts, &transfer_info->broadcast->ts); ti = proto_tree_add_time(ldss_tree, hf_ldss_transfer_completed_in, tvb, 0, 0, &broadcast_response_time); PROTO_ITEM_SET_GENERATED(ti); } /* This conv got its addr2/port2 set by the TCP dissector because a TCP * connection was established. Make a new one to handle future connections * to the addr/port mentioned in the broadcast, because that socket is * still open. */ if (transfer_tcpinfo->seq == 1 && transfer_tcpinfo->lastackseq == 1) { prepare_ldss_transfer_conv(transfer_info->broadcast); } return tvb_captured_length(tvb); }
static void dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { gboolean is_request; proto_tree *ftp_tree = NULL; proto_tree *reqresp_tree = NULL; proto_item *ti, *hidden_item; gint offset = 0; const guchar *line; guint32 code; gchar code_str[4]; gboolean is_port_request = FALSE; gboolean is_pasv_response = FALSE; gboolean is_epasv_response = FALSE; gint next_offset; int linelen; int tokenlen; const guchar *next_token; guint32 pasv_ip; guint32 ftp_ip; guint16 ftp_port; address ftp_ip_address; gboolean ftp_nat; conversation_t *conversation; ftp_ip_address = pinfo->src; if (pinfo->match_uint == pinfo->destport) is_request = TRUE; else is_request = FALSE; col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP"); /* * Find the end of the first line. * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); /* * Put the first line from the buffer into the summary * (but leave out the line terminator). */ col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); if (tree) { ti = proto_tree_add_item(tree, proto_ftp, tvb, offset, -1, ENC_NA); ftp_tree = proto_item_add_subtree(ti, ett_ftp); if (is_request) { hidden_item = proto_tree_add_boolean(ftp_tree, hf_ftp_request, tvb, 0, 0, TRUE); PROTO_ITEM_SET_HIDDEN(hidden_item); hidden_item = proto_tree_add_boolean(ftp_tree, hf_ftp_response, tvb, 0, 0, FALSE); PROTO_ITEM_SET_HIDDEN(hidden_item); } else { hidden_item = proto_tree_add_boolean(ftp_tree, hf_ftp_request, tvb, 0, 0, FALSE); PROTO_ITEM_SET_HIDDEN(hidden_item); hidden_item = proto_tree_add_boolean(ftp_tree, hf_ftp_response, tvb, 0, 0, TRUE); PROTO_ITEM_SET_HIDDEN(hidden_item); } /* * Put the line into the protocol tree. */ ti = proto_tree_add_text(ftp_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); reqresp_tree = proto_item_add_subtree(ti, ett_ftp_reqresp); } if (is_request) { /* * Extract the first token, and, if there is a first * token, add it as the request. */ tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { if (tree) { proto_tree_add_item(reqresp_tree, hf_ftp_request_command, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); } if (strncmp(line, "PORT", tokenlen) == 0) is_port_request = TRUE; } } else { /* * This is a response; the response code is 3 digits, * followed by a space or hyphen, possibly followed by * text. * * If the line doesn't start with 3 digits, it's part of * a continuation. * * XXX - keep track of state in the first pass, and * treat non-continuation lines not beginning with digits * as errors? */ if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1]) && isdigit(line[2])) { /* * One-line reply, or first or last line * of a multi-line reply. */ tvb_get_nstringz0(tvb, offset, sizeof(code_str), code_str); code = strtoul(code_str, NULL, 10); if (tree) { proto_tree_add_uint(reqresp_tree, hf_ftp_response_code, tvb, offset, 3, code); } /* * See if it's a passive-mode response. * * XXX - does anybody do FOOBAR, as per RFC * 1639, or has that been supplanted by RFC 2428? */ if (code == 227) is_pasv_response = TRUE; /* * Responses to EPSV command, as per RFC 2428 * XXX - handle IPv6? */ if (code == 229) is_epasv_response = TRUE; /* * Skip the 3 digits and, if present, the * space or hyphen. */ if (linelen >= 4) next_token = line + 4; else next_token = line + linelen; } else { /* * Line doesn't start with 3 digits; assume it's * a line in the middle of a multi-line reply. */ next_token = line; } } offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; if (tree) { /* * Add the rest of the first line as request or * reply data. */ if (linelen != 0) { if (is_request) { proto_tree_add_item(reqresp_tree, hf_ftp_request_arg, tvb, offset, linelen, ENC_ASCII|ENC_NA); } else { proto_tree_add_item(reqresp_tree, hf_ftp_response_arg, tvb, offset, linelen, ENC_ASCII|ENC_NA); } } offset = next_offset; } /* * If this is a PORT request or a PASV response, handle it. */ if (is_port_request) { if (parse_port_pasv(line, linelen, &ftp_ip, &ftp_port)) { if (tree) { proto_tree_add_ipv4(reqresp_tree, hf_ftp_active_ip, tvb, 0, 0, ftp_ip); proto_tree_add_uint(reqresp_tree, hf_ftp_active_port, tvb, 0, 0, ftp_port); } SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4, (const guint8 *)&ftp_ip); ftp_nat = !ADDRESSES_EQUAL(&pinfo->src, &ftp_ip_address); if (ftp_nat) { if (tree) { proto_tree_add_boolean( reqresp_tree, hf_ftp_active_nat, tvb, 0, 0, ftp_nat); } } } } if (is_pasv_response) { if (linelen != 0) { /* * This frame contains a PASV response; set up a * conversation for the data. */ if (parse_port_pasv(line, linelen, &pasv_ip, &ftp_port)) { if (tree) { proto_tree_add_ipv4(reqresp_tree, hf_ftp_pasv_ip, tvb, 0, 0, pasv_ip); proto_tree_add_uint(reqresp_tree, hf_ftp_pasv_port, tvb, 0, 0, ftp_port); } SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4, (const guint8 *)&pasv_ip); ftp_nat = !ADDRESSES_EQUAL(&pinfo->src, &ftp_ip_address); if (ftp_nat) { if (tree) { proto_tree_add_boolean(reqresp_tree, hf_ftp_pasv_nat, tvb, 0, 0, ftp_nat); } } /* * We use "ftp_ip_address", so that if * we're NAT'd we look for the un-NAT'd * connection. * * XXX - should this call to * "find_conversation()" just use * "ftp_ip_address" and "server_port", and * wildcard everything else? */ conversation = find_conversation(pinfo->fd->num, &ftp_ip_address, &pinfo->dst, PT_TCP, ftp_port, 0, NO_PORT_B); if (conversation == NULL) { /* * XXX - should this call to "conversation_new()" * just use "ftp_ip_address" and "server_port", * and wildcard everything else? * * XXX - what if we did find a conversation? As * we create it only on the first pass through the * packets, if we find one, it's presumably an * unrelated conversation. Should we remove the * old one from the hash table and put this one in * its place? Can the conversation code handle * conversations not in the hash table? Or should * we make conversations support start and end * frames, as circuits do, and treat this as an * indication that one conversation was closed and * a new one was opened? */ conversation = conversation_new( pinfo->fd->num, &ftp_ip_address, &pinfo->dst, PT_TCP, ftp_port, 0, NO_PORT2); conversation_set_dissector(conversation, ftpdata_handle); } } } } if (is_epasv_response) { if (linelen != 0) { /* * This frame contains an EPSV response; set up a * conversation for the data. */ if (parse_extended_pasv_response(line, linelen, &ftp_port)) { /* Add port number to tree */ if (tree) { proto_tree_add_uint(reqresp_tree, hf_ftp_pasv_port, tvb, 0, 0, ftp_port); } /* Find/create conversation for data */ conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, PT_TCP, ftp_port, 0, NO_PORT_B); if (conversation == NULL) { conversation = conversation_new( pinfo->fd->num, &pinfo->src, &pinfo->dst, PT_TCP, ftp_port, 0, NO_PORT2); conversation_set_dissector(conversation, ftpdata_handle); } } } } if (tree) { /* * Show the rest of the request or response as text, * a line at a time. * XXX - only if there's a continuation indicator? */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_text(ftp_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } } }
static void dissect_imap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { gboolean is_request; proto_tree *imap_tree, *reqresp_tree; proto_item *ti, *hidden_item; gint offset = 0; const guchar *line; gint next_offset; int linelen; int tokenlen; const guchar *next_token; col_set_str(pinfo->cinfo, COL_PROTOCOL, "IMAP"); if (pinfo->match_uint == pinfo->destport) is_request = TRUE; else is_request = FALSE; if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * (but leave out the line terminator). */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); } if (tree) { ti = proto_tree_add_item(tree, proto_imap, tvb, offset, -1, ENC_NA); imap_tree = proto_item_add_subtree(ti, ett_imap); hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request); PROTO_ITEM_SET_HIDDEN(hidden_item); while(tvb_length_remaining(tvb, offset) > 2) { /* * Find the end of each line * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); /* * Put the line into the protocol tree. */ ti = proto_tree_add_item(imap_tree, hf_imap_line, tvb, offset, next_offset - offset, ENC_ASCII|ENC_NA); reqresp_tree = proto_item_add_subtree(ti, ett_imap_reqresp); /* * Show each line as tags + requests or replies. */ /* * Extract the first token, and, if there is a first * token, add it as the request or reply tag. */ tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_tag : hf_imap_response_tag, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; } /* * Add the rest of the line as request or reply data. */ if (linelen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request : hf_imap_response, tvb, offset, linelen, ENC_ASCII|ENC_NA); } offset += linelen+2; /* Skip over last line and \r\n at the end of it */ } } }
static void dissect_x29(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { int offset = 0; proto_tree *x29_tree = NULL; proto_item *ti; gboolean *q_bit_set = pinfo->private_data; guint8 msg_code; guint8 error_type; guint8 type_ref; gint next_offset; int linelen; col_set_str(pinfo->cinfo, COL_PROTOCOL, "X.29"); col_clear(pinfo->cinfo, COL_INFO); if (tree) { ti = proto_tree_add_item(tree, proto_x29, tvb, offset, -1, ENC_NA); x29_tree = proto_item_add_subtree(ti, ett_x29); } if (*q_bit_set) { /* * Q bit set - this is a PAD message. */ msg_code = tvb_get_guint8(tvb, offset); if (check_col(pinfo->cinfo, COL_INFO)) { col_add_fstr(pinfo->cinfo, COL_INFO, "%s PAD message", val_to_str(msg_code, message_code_vals, "Unknown (0x%02x)")); } proto_tree_add_uint(x29_tree, hf_msg_code, tvb, offset, 1, msg_code); offset++; switch (msg_code) { case SET_MSG: case READ_MSG: case SET_AND_READ_MSG: case PARAMETER_IND_MSG: /* * XXX - dissect the references as per X.3. */ while (tvb_reported_length_remaining(tvb, offset) > 0) { proto_tree_add_text(x29_tree, tvb, offset, 2, "Parameter %u, value %u", tvb_get_guint8(tvb, offset), tvb_get_guint8(tvb, offset + 1)); offset += 2; } break; case INV_TO_CLEAR_MSG: /* * No data for this message. */ break; case ERROR_MSG: error_type = tvb_get_guint8(tvb, offset); proto_tree_add_uint(x29_tree, hf_error_type, tvb, offset, 1, error_type); offset++; if (error_type != 0) { proto_tree_add_item(x29_tree, hf_inv_msg_code, tvb, offset, 1, ENC_BIG_ENDIAN); } break; case BREAK_IND_MSG: if (tvb_reported_length_remaining(tvb, offset) > 0) { type_ref = tvb_get_guint8(tvb, offset); switch (type_ref) { case 0x01: /* change in PAD Aspect */ /* * XXX - dissect as per X.28. */ proto_tree_add_text(x29_tree, tvb, offset, 1, "Type reference: Change in PAD Aspect"); offset++; proto_tree_add_text(x29_tree, tvb, offset, 1, "Type of aspect: 0x%02x", type_ref); offset++; break; case 0x08: /* break */ proto_tree_add_text(x29_tree, tvb, offset, 1, "Type reference: Break"); offset++; proto_tree_add_text(x29_tree, tvb, offset, 1, "Break value: 0x%02x", type_ref); offset++; break; default: proto_tree_add_text(x29_tree, tvb, offset, 1, "Unknown type reference (0x%02x)", type_ref); offset++; proto_tree_add_text(x29_tree, tvb, offset, 1, "Type value: 0x%02x", type_ref); offset++; break; } } break; case RESELECTION_MSG: /* * XXX - dissect me. */ proto_tree_add_text(x29_tree, tvb, offset, -1, "Reselection message data"); break; case RESEL_WITH_TOA_NPI_MSG: /* * XXX - dissect me. */ proto_tree_add_text(x29_tree, tvb, offset, -1, "Reselection message data"); break; default: proto_tree_add_text(x29_tree, tvb, offset, -1, "PAD message data"); break; } } else { /* * Q bit not set - this is data. */ col_set_str(pinfo->cinfo, COL_INFO, "Data ..."); if (tree) { while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Now compute the length of the line * *including* the end-of-line indication, * if any; we display it all. */ linelen = next_offset - offset; proto_tree_add_text(x29_tree, tvb, offset, linelen, "Data: %s", tvb_format_text(tvb, offset, linelen)); offset = next_offset; } } } }
static void dissect_gift(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_item *ti, *hidden_item; proto_tree *gift_tree, *cmd_tree; gboolean is_request; gint offset = 0; const guchar *line; gint next_offset; int linelen; int tokenlen; const guchar *next_token; /* set "Protocol" column text */ col_set_str(pinfo->cinfo, COL_PROTOCOL, "giFT"); /* determine whether it is a request to or response from the server */ if (pinfo->match_uint == pinfo->destport) is_request = TRUE; else is_request = FALSE; linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); /* set "Info" column text */ if (check_col(pinfo->cinfo, COL_INFO)) col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); /* if tree != NULL, build protocol tree */ if (tree) { ti = proto_tree_add_item(tree, proto_gift, tvb, 0, -1, ENC_NA); gift_tree = proto_item_add_subtree(ti, ett_gift); if (is_request) { hidden_item = proto_tree_add_boolean(gift_tree, hf_gift_request, tvb, 0, 0, TRUE); } else { hidden_item = proto_tree_add_boolean(gift_tree, hf_gift_response, tvb, 0, 0, TRUE); } PROTO_ITEM_SET_HIDDEN(hidden_item); ti = proto_tree_add_text(gift_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); cmd_tree = proto_item_add_subtree(ti, ett_gift_cmd); tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { if (is_request) { proto_tree_add_text(cmd_tree, tvb, offset, tokenlen, "Request Command: %s", format_text(line, tokenlen)); } else { proto_tree_add_text(cmd_tree, tvb, offset, tokenlen, "Response Command: %s", format_text(line, tokenlen)); } offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; } if (linelen != 0) { if (is_request) { proto_tree_add_text(cmd_tree, tvb, offset, linelen, "Request Arg: %s", format_text(line, linelen)); } else { proto_tree_add_text(cmd_tree, tvb, offset, linelen, "Response Arg: %s", format_text(line, linelen)); } } } }
icap_type_t icap_type; int datalen; col_set_str(pinfo->cinfo, COL_PROTOCOL, "ICAP"); /* * Put the first line from the buffer into the summary * if it's an ICAP header (but leave out the * line terminator). * Otherwise, just call it a continuation. * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); icap_type = ICAP_OTHER; /* type not known yet */ if (is_icap_message(line, linelen, &icap_type)) col_add_str(pinfo->cinfo, COL_INFO, format_text(line, linelen)); else col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); if (tree) { ti = proto_tree_add_item(tree, proto_icap, tvb, offset, -1, ENC_NA); icap_tree = proto_item_add_subtree(ti, ett_icap); } /*
static gboolean dissect_kismet(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree) { gboolean is_request; gboolean is_continuation; proto_tree *kismet_tree=NULL, *reqresp_tree=NULL; proto_item *ti; proto_item *tmp_item; gint offset = 0; const guchar *line; gint next_offset; int linelen; int tokenlen; int i; const guchar *next_token; /* * Find the end of the first line. * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); /* * Check if it is an ASCII based protocol with reasonable length * packets, if not return, and try annother dissector. */ if (linelen < 8) { /* * Packet is too short */ return FALSE; } else { for (i = 0; i < 8; ++i) { /* * Packet contains non-ASCII data */ if (line[i] < 32 || line[i] > 128) return FALSE; } } /* * If it is Kismet traffic set COL_PROTOCOL. */ col_set_str(pinfo->cinfo, COL_PROTOCOL, "kismet"); /* * Check if it is request, reply or continuation. */ if (pinfo->match_port == pinfo->destport) { is_request = TRUE; is_continuation = FALSE; } else { is_request = FALSE; is_continuation = response_is_continuation (line); } if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * if it's a kismet request or reply (but leave out the * line terminator). * Otherwise, just call it a continuation. */ if (is_continuation) col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); else col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); } if (tree) { ti = proto_tree_add_item(tree, proto_kismet, tvb, offset, -1, FALSE); kismet_tree = proto_item_add_subtree(ti, ett_kismet); } if (is_continuation) { /* * Put the whole packet into the tree as data. */ call_dissector(data_handle, tvb, pinfo, kismet_tree); return TRUE; } if (is_request) { tmp_item = proto_tree_add_boolean(kismet_tree, hf_kismet_request, tvb, 0, 0, TRUE); } else { tmp_item = proto_tree_add_boolean(kismet_tree, hf_kismet_response, tvb, 0, 0, TRUE); } PROTO_ITEM_SET_GENERATED (tmp_item); while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (linelen) { /* * Put this line. */ ti = proto_tree_add_text(kismet_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset - 1)); reqresp_tree = proto_item_add_subtree(ti, ett_kismet_reqresp); tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { guint8 *reqresp; reqresp = tvb_get_ephemeral_string(tvb, offset, tokenlen); if (is_request) { /* * No request dissection */ } else { /* * *KISMET: {Version} {Start time} \001{Server name}\001 {Build Revision} * two fields left undocumented: {???} {?ExtendedVersion?} */ if (!strncmp(reqresp, "*KISMET", 7)) { offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Kismet version: %s", format_text(line, tokenlen)); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Start time: %s", format_text(line, tokenlen)); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Server name: %s", format_text(line + 1, tokenlen - 2)); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Build revision: %s", format_text(line, tokenlen)); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Unknown field: %s", format_text(line, tokenlen)); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Extended version string: %s", format_text(line, tokenlen)); } /* * *TIME: {Time} */ if (!strncmp(reqresp, "*TIME", 5)) { time_t t; char *ptr; offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; tokenlen = get_token_len(line, line + linelen, &next_token); /* * Convert form ascii to time_t */ t = atoi(format_text (line, tokenlen)); /* * Format ascii representaion of time */ ptr = abs_time_secs_to_str(t, ABSOLUTE_TIME_LOCAL, TRUE); proto_tree_add_text(reqresp_tree, tvb, offset, tokenlen, "Time: %s", ptr); } } offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; } } offset = next_offset; } return TRUE; }
static void dissect_nntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { const gchar *type; proto_tree *nntp_tree; proto_item *ti; gint offset = 0; gint next_offset; int linelen; if (pinfo->match_uint == pinfo->destport) type = "Request"; else type = "Response"; col_set_str(pinfo->cinfo, COL_PROTOCOL, "NNTP"); /* * Put the first line from the buffer into the summary * (but leave out the line terminator). * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", type, tvb_format_text(tvb, offset, linelen)); if (tree) { ti = proto_tree_add_item(tree, proto_nntp, tvb, offset, -1, ENC_NA); nntp_tree = proto_item_add_subtree(ti, ett_nntp); if (pinfo->match_uint == pinfo->destport) { ti = proto_tree_add_boolean(nntp_tree, hf_nntp_request, tvb, 0, 0, TRUE); } else { ti = proto_tree_add_boolean(nntp_tree, hf_nntp_response, tvb, 0, 0, TRUE); } PROTO_ITEM_SET_HIDDEN(ti); /* * Show the request or response as text, a line at a time. * XXX - for requests, we could display the stuff after the * first line, if any, based on what the request was, and * for responses, we could display it based on what the * matching request was, although the latter requires us to * know what the matching request was.... */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Put this line. */ proto_tree_add_text(nntp_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } } }
static void dissect_text_lines(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *subtree; proto_item *ti; gint offset = 0, next_offset; gint len; const char *data_name; data_name = pinfo->match_string; if (! (data_name && data_name[0])) { /* * No information from "match_string" */ data_name = (char *)(pinfo->private_data); if (! (data_name && data_name[0])) { /* * No information from "private_data" */ data_name = NULL; } } if (data_name && check_col(pinfo->cinfo, COL_INFO)) col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "(%s)", data_name); if (tree) { ti = proto_tree_add_item(tree, proto_text_lines, tvb, 0, -1, FALSE); if (data_name) proto_item_append_text(ti, ": %s", data_name); subtree = proto_item_add_subtree(ti, ett_text_lines); /* Read the media line by line */ while (tvb_reported_length_remaining(tvb, offset) != 0) { /* * XXX - we need to be passed the parameters * of the content type via "pinfo->private_data", * so that we know the character set. We'd * have to handle that character set, which * might be a multibyte character set such * as "iso-10646-ucs-2", or might require other * special processing. */ len = tvb_find_line_end(tvb, offset, tvb_ensure_length_remaining(tvb, offset), &next_offset, FALSE); if (len == -1) break; /* We use next_offset - offset instead of len in the * call to tvb_format_text() so it will include the * line terminator(s) (\r and/or \n) in the display. */ proto_tree_add_text(subtree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; } } }
/* Subtrees */ static gint ett_l1_events = -1; static int dissect_l1_events(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { proto_tree *subtree; proto_item *ti; gint offset = 0, next_offset; gint len; col_set_str(pinfo->cinfo, COL_PROTOCOL, "Layer1"); col_set_str(pinfo->cinfo, COL_DEF_SRC, pinfo->pseudo_header->l1event.uton? "TE" : "NT"); len = tvb_find_line_end(tvb, 0, tvb_ensure_length_remaining(tvb, 0), &next_offset, FALSE); if(len>0) col_add_str(pinfo->cinfo, COL_INFO, tvb_format_text(tvb, 0, len)); if (tree) { ti = proto_tree_add_item(tree, proto_l1_events, tvb, 0, -1, ENC_NA); subtree = proto_item_add_subtree(ti, ett_l1_events); /* Read the media line by line */ while (tvb_offset_exists(tvb, offset)) { /* * XXX - we need to be passed the parameters * of the content type via data parameter, * so that we know the character set. We'd * have to handle that character set, which * might be a multibyte character set such
/* * Optionally do reassembly of the request/response line, headers, and body. */ gboolean req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, const gboolean desegment_headers, const gboolean desegment_body) { gint next_offset; gint next_offset_sav; gint length_remaining, reported_length_remaining; int linelen; gchar *header_val; long int content_length; gboolean content_length_found = FALSE; gboolean content_type_found = FALSE; gboolean chunked_encoding = FALSE; gboolean keepalive_found = FALSE; gchar *line; gchar *content_type = NULL; /* * Do header desegmentation if we've been told to. * * RFC 2616 defines HTTP messages as being either of the * Request or the Response type * (HTTP-message = Request | Response). * Request and Response are defined as: * Request = Request-Line * *(( general-header * | request-header * | entity-header ) CRLF) * CRLF * [ message-body ] * Response = Status-Line * *(( general-header * | response-header * | entity-header ) CRLF) * CRLF * [ message-body ] * that's why we can always assume two consecutive line * endings (we allow CR, LF, or CRLF, as some clients * or servers might not use a full CRLF) to mark the end * of the headers. The worst thing that would happen * otherwise would be the packet not being desegmented * or being interpreted as only headers. * * RFC 2326 says RTSP works the same way; RFC 3261 says SIP * works the same way. */ /* * If header desegmentation is activated, check that all * headers are in this tvbuff (search for an empty line * marking end of headers) or request one more byte (we * don't know how many bytes we'll need, so we just ask * for one). */ if (desegment_headers && pinfo->can_desegment) { next_offset = offset; for (;;) { next_offset_sav = next_offset; reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset); /* * Request one more byte if there're no * bytes left in the reported data (if there're * bytes left in the reported data, but not in * the available data, requesting more bytes * won't help, as those bytes weren't captured). */ if (reported_length_remaining < 1) { pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } length_remaining = tvb_length_remaining(tvb, next_offset); /* * Request one more byte if we cannot find a * header (i.e. a line end). */ linelen = tvb_find_line_end(tvb, next_offset, -1, &next_offset, TRUE); if (linelen == -1 && length_remaining >= reported_length_remaining) { /* * Not enough data; ask for one more * byte. */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } if (linelen == 0) { /* * We found the end of the headers. */ break; } /* * Is this a Content-Length or Transfer-Encoding * header? If not, it either means that we are in * a different header line, or that we are * at the end of the headers, or that there * isn't enough data; the two latter cases * have already been handled above. */ if (desegment_body) { /* * Check if we've found Content-Length. */ line = tvb_get_ephemeral_string(tvb, next_offset_sav, linelen); if (g_ascii_strncasecmp(line, "Content-Length:", 15) == 0) { if (sscanf(line+15,"%li", &content_length) == 1) content_length_found = TRUE; } else if (g_ascii_strncasecmp(line, "Content-Type:", 13) == 0) { content_type_found = TRUE; content_type = line+13; while (*content_type == ' ') { content_type++; } } else if (g_ascii_strncasecmp(line, "Connection:", 11) == 0) { /* Check for keep-alive */ header_val = line+11; if(header_val){ while(*header_val==' '){ header_val++; } if(!g_ascii_strncasecmp(header_val, "Keep-Alive", 10)){ keepalive_found = TRUE; } } } else if (g_ascii_strncasecmp( line, "Transfer-Encoding:", 18) == 0) { /* * Find out if this Transfer-Encoding is * chunked. It should be, since there * really aren't any other types, but * RFC 2616 allows for them. */ gchar *p; guint len; header_val = line+18; p = header_val; len = (guint) strlen(header_val); /* Skip white space */ while (p < header_val + len && (*p == ' ' || *p == '\t')) p++; if (p <= header_val + len) { if (g_ascii_strncasecmp(p, "chunked", 7) == 0) { /* * Don't bother looking * for extensions; * since we don't * understand them, * they should be * ignored. */ chunked_encoding = TRUE; } } } } } } /* * The above loop ends when we reached the end of the headers, so * there should be content_length bytes after the 4 terminating bytes * and next_offset points to after the end of the headers. */ if (desegment_body) { if (content_length_found) { if (content_length >= 128*1024) { /* MS-RPCH stipulate that the content-length must be between 128K and 2G */ gchar *tmp; if (content_type_found && strncmp(content_type, "application/rpc", 15) == 0) { /* It looks like a RPC_IN_DATA request or a RPC_OUT_DATA response * in which the content-length is meaningless */ return TRUE; } /* Following sizeof will return the length of the string + \0 we need to not count it*/ tmp = tvb_get_ephemeral_string(tvb, 0, sizeof("RPC_OUT_DATA") - 1); if ((strncmp(tmp, "RPC_IN_DATA", sizeof("RPC_IN_DATA") - 1) == 0) || (strncmp(tmp, "RPC_OUT_DATA", sizeof("RPC_OUT_DATA") - 1) == 0)) { return TRUE; } } /* next_offset has been set to the end of the headers */ if (!tvb_bytes_exist(tvb, next_offset, content_length)) { length_remaining = tvb_length_remaining(tvb, next_offset); reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset); if (length_remaining < reported_length_remaining) { /* * It's a waste of time asking for more * data, because that data wasn't captured. */ return TRUE; } if (length_remaining == -1) length_remaining = 0; pinfo->desegment_offset = offset; pinfo->desegment_len = content_length - length_remaining; return FALSE; } } else if (chunked_encoding) { /* * This data is chunked, so we need to keep pulling * data until we reach the end of the stream, or a * zero sized chunk. * * XXX * This doesn't bother with trailing headers; I don't * think they are really used, and we'd have to use * is_http_request_or_reply() to determine if it was * a trailing header, or the start of a new response. */ gboolean done_chunking = FALSE; while (!done_chunking) { guint chunk_size = 0; gint chunk_offset = 0; gchar *chunk_string = NULL; gchar *c = NULL; reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset); if (reported_length_remaining < 1) { pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } length_remaining = tvb_length_remaining(tvb, next_offset); linelen = tvb_find_line_end(tvb, next_offset, -1, &chunk_offset, TRUE); if (linelen == -1 && length_remaining >= reported_length_remaining) { pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } /* We have a line with the chunk size in it.*/ chunk_string = tvb_get_ephemeral_string(tvb, next_offset, linelen); c = chunk_string; /* * We don't care about the extensions. */ if ((c = strchr(c, ';'))) { *c = '\0'; } if (sscanf(chunk_string, "%x", &chunk_size) < 1) { /* We couldn't get the chunk size, * so stop trying. */ return TRUE; } if (chunk_size > (guint)1<<31) { /* Chunk size is unreasonable. */ /* XXX What /is/ reasonable? */ return TRUE; } if (chunk_size == 0) { /* * This is the last chunk. Let's pull in the * trailing CRLF. */ linelen = tvb_find_line_end(tvb, chunk_offset, -1, &chunk_offset, TRUE); if (linelen == -1 && length_remaining >= reported_length_remaining) { pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } pinfo->desegment_offset = chunk_offset; pinfo->desegment_len = 0; done_chunking = TRUE; } else { /* * Skip to the next chunk if we * already have it */ if (reported_length_remaining > (gint) chunk_size) { next_offset = chunk_offset + chunk_size + 2; } else { /* * Fetch this chunk, plus the * trailing CRLF. */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } } } } else if (content_type_found && pinfo->can_desegment) { /* We found a content-type but no content-length. * This is probably a HTTP header for a session with * only one HTTP PDU and where the content spans * until the end of the tcp session, unless there * is a keepalive header present in which case we * assume there is no message body at all and thus * we wont do any reassembly. * Set up tcp reassembly until the end of this session. */ length_remaining = tvb_length_remaining(tvb, next_offset); reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset); if (length_remaining < reported_length_remaining) { /* * It's a waste of time asking for more * data, because that data wasn't captured. */ return TRUE; } if (keepalive_found) { /* We have a keep-alive but no content-length. * Assume there is no message body and dont * do any reassembly. */ return TRUE; } pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_UNTIL_FIN; return FALSE; } } /* * No further desegmentation needed. */ return TRUE; }
static int dissect_text_lines(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) { proto_tree *subtree; proto_item *ti; gint offset = 0, next_offset; gint len; http_message_info_t *message_info; const char *data_name; int length = tvb_captured_length(tvb); /* Check if this is actually xml * If there is less than 38 characters this is not XML * <?xml version="1.0" encoding="UTF-8"?> */ if(length > 38){ if (tvb_strncaseeql(tvb, 0, "<?xml", 5) == 0){ call_dissector(xml_handle, tvb, pinfo, tree); return length; } } data_name = pinfo->match_string; if (! (data_name && data_name[0])) { /* * No information from "match_string" */ message_info = (http_message_info_t *)data; if (message_info == NULL) { /* * No information from dissector data */ data_name = NULL; } else { data_name = message_info->media_str; if (! (data_name && data_name[0])) { /* * No information from dissector data */ data_name = NULL; } } } if (data_name) col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "(%s)", data_name); if (tree) { guint lines_read = 0; ti = proto_tree_add_item(tree, proto_text_lines, tvb, 0, -1, ENC_NA); if (data_name) proto_item_append_text(ti, ": %s", data_name); subtree = proto_item_add_subtree(ti, ett_text_lines); /* Read the media line by line */ while (tvb_offset_exists(tvb, offset)) { /* * XXX - we need to be passed the parameters * of the content type via data parameter, * so that we know the character set. We'd * have to handle that character set, which * might be a multibyte character set such * as "iso-10646-ucs-2", or might require other * special processing. */ len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); if (len == -1) break; /* We use next_offset - offset instead of len in the * call to proto_tree_add_format_text() so it will include the * line terminator(s) (\r and/or \n) in the display. */ proto_tree_add_format_text(subtree, tvb, offset, next_offset - offset); lines_read++; offset = next_offset; } proto_item_append_text(subtree, " (%u lines)", lines_read); } return length; }
static void dissect_imap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { gboolean is_request; proto_tree *imap_tree, *reqresp_tree; proto_item *ti, *hidden_item; gint offset = 0; gint uid_offset = 0; gint folder_offset = 0; const guchar *line; const guchar *uid_line; const guchar *folder_line; gint next_offset; int linelen; int tokenlen; int uid_tokenlen; int folder_tokenlen; const guchar *next_token; const guchar *uid_next_token; const guchar *folder_next_token; guchar *tokenbuf; guchar *command_token; int iter; int commandlen; conversation_t *conversation; imap_state_t *session_state; conversation = find_or_create_conversation(pinfo); session_state = (imap_state_t *)conversation_get_proto_data(conversation, proto_imap); if (!session_state) { session_state = wmem_new0(wmem_file_scope(), imap_state_t); session_state->ssl_requested = FALSE; conversation_add_proto_data(conversation, proto_imap, session_state); } tokenbuf = (guchar *)wmem_alloc0(wmem_packet_scope(), MAX_BUFFER); command_token = (guchar *)wmem_alloc0(wmem_packet_scope(), MAX_BUFFER); commandlen = 0; folder_offset = 0; folder_tokenlen = 0; folder_line = NULL; col_set_str(pinfo->cinfo, COL_PROTOCOL, "IMAP"); if (pinfo->match_uint == pinfo->destport) is_request = TRUE; else is_request = FALSE; /* * Put the first line from the buffer into the summary * (but leave out the line terminator). */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "Request" : "Response", format_text(line, linelen)); { ti = proto_tree_add_item(tree, proto_imap, tvb, offset, -1, ENC_NA); imap_tree = proto_item_add_subtree(ti, ett_imap); hidden_item = proto_tree_add_boolean(imap_tree, hf_imap_isrequest, tvb, 0, 0, is_request); PROTO_ITEM_SET_HIDDEN(hidden_item); while(tvb_offset_exists(tvb, offset)) { /* * Find the end of each line * * Note that "tvb_find_line_end()" will return a value that is * not longer than what's in the buffer, so the "tvb_get_ptr()" * call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); /* * Put the line into the protocol tree. */ ti = proto_tree_add_item(imap_tree, hf_imap_line, tvb, offset, next_offset - offset, ENC_ASCII|ENC_NA); reqresp_tree = proto_item_add_subtree(ti, ett_imap_reqresp); /* * Check that the line doesn't begin with '*', because that's a continuation line. * Otherwise if a tag is present then extract tokens. */ if ( (line) && ((line[0] != '*') || (TRUE == is_request)) ) { /* * Show each line as tags + requests or replies. */ /* * Extract the first token, and, if there is a first * token, add it as the request or reply tag. */ tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_tag : hf_imap_response_tag, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); offset += (gint) (next_token - line); linelen -= (int) (next_token - line); line = next_token; } /* * Extract second token, and, if there is a second * token, and it's not uid, add it as the request or reply command. */ tokenlen = get_token_len(line, line + linelen, &next_token); if (tokenlen != 0) { for (iter = 0; iter < tokenlen && iter < MAX_BUFFER-1; iter++) { tokenbuf[iter] = g_ascii_tolower(line[iter]); } if (tree && is_request && strncmp(tokenbuf, "uid", tokenlen) == 0) { proto_tree_add_item(reqresp_tree, hf_imap_request_uid, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); /* * UID is a precursor to a command, if following the tag, * so move to next token to grab the actual command. */ uid_offset = offset; uid_offset += (gint) (next_token - line); uid_line = next_token; uid_tokenlen = get_token_len(uid_line, uid_line + (linelen - tokenlen), &uid_next_token); if (tokenlen != 0) { proto_tree_add_item(reqresp_tree, hf_imap_request_command, tvb, uid_offset, uid_tokenlen, ENC_ASCII|ENC_NA); /* * Save command string to do specialized processing. */ for (iter = 0; iter < uid_tokenlen && iter < MAX_BUFFER-1; iter++) { command_token[iter] = g_ascii_tolower(uid_line[iter]); } commandlen = uid_tokenlen; folder_offset = uid_offset; folder_offset += (gint) (uid_next_token - uid_line); folder_line = uid_next_token; folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - uid_tokenlen), &folder_next_token); } } else { /* * Not a UID request so perform normal parsing. */ proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request_command : hf_imap_response_status, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); if (is_request) { /* * Save command string to do specialized processing. */ for (iter = 0; iter < tokenlen && iter < 256; iter++) { command_token[iter] = g_ascii_tolower(line[iter]); } commandlen = tokenlen; folder_offset = offset; folder_offset += (gint) (next_token - line); folder_line = next_token; folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen - 1), &folder_next_token); } } if (tree && commandlen > 0 && ( strncmp(command_token, "select", commandlen) == 0 || strncmp(command_token, "examine", commandlen) == 0 || strncmp(command_token, "create", commandlen) == 0 || strncmp(command_token, "delete", commandlen) == 0 || strncmp(command_token, "rename", commandlen) == 0 || strncmp(command_token, "subscribe", commandlen) == 0 || strncmp(command_token, "unsubscribe", commandlen) == 0 || strncmp(command_token, "status", commandlen) == 0 || strncmp(command_token, "append", commandlen) == 0 || strncmp(command_token, "search", commandlen) == 0)) { /* * These commands support folder as an argument, * so parse out the folder name. */ if (folder_tokenlen != 0) proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA); } if (tree && is_request && (NULL != folder_line) && strncmp(command_token, "copy", commandlen) == 0) { /* * Handle the copy command separately since folder * is the second argument for this command. */ folder_offset += (gint) (folder_next_token - folder_line); folder_line = folder_next_token; folder_tokenlen = get_token_len(folder_line, folder_line + (linelen - tokenlen), &folder_next_token); if (folder_tokenlen != 0) proto_tree_add_item(reqresp_tree, hf_imap_request_folder, tvb, folder_offset, folder_tokenlen, ENC_ASCII|ENC_NA); } /* If not yet switched to TLS, check for STARTTLS. */ if (session_state->ssl_requested) { if (!is_request && session_state->ssl_requested && strncmp(tokenbuf, "ok", tokenlen) == 0) { /* STARTTLS accepted, next reply will be TLS. */ ssl_starttls_ack(ssl_handle, pinfo, imap_handle); } session_state->ssl_requested = FALSE; } if (is_request && commandlen > 0 && strncmp(command_token, "starttls", commandlen) == 0) { /* If next response is OK, then TLS should be commenced. */ session_state->ssl_requested = TRUE; } } /* * Add the rest of the line as request or reply data. */ if (linelen != 0) { proto_tree_add_item(reqresp_tree, (is_request) ? hf_imap_request : hf_imap_response, tvb, offset, linelen, ENC_ASCII|ENC_NA); } } offset = next_offset; /* Skip over last line and \r\n at the end of it */ } } }