static void dissect_user_info_2(tvbuff_t *tvb, int offset,
	proto_tree *tree) {

/* Add the three NUL-terminated strings that follow one another at 'offset'
 * (user name, application name, client computer name) to the tree.
 *
 * Every string is bounded to 255 bytes by tvb_strnlen(); a string with no
 * terminator inside that window ends the decode early, so no item is ever
 * built from an unbounded read.  Nothing is done when no tree is requested.
 */

	int len;

	if (!tree)
		return;

	/* user name */
	len = tvb_strnlen(tvb, offset, 255);
	if (len < 0)
		return;
	proto_tree_add_text(tree, tvb, offset, len + 1,
		"User name: %.*s", len,
		tvb_get_ephemeral_string(tvb, offset, len));
	/* NOTE(review): this skips one byte beyond the terminator while the
	 * other two fields skip only the NUL; presumably a one-byte field sits
	 * between user name and application name -- confirm against the
	 * protocol before "fixing" it. */
	offset += len + 2;

	/* application name */
	len = tvb_strnlen(tvb, offset, 255);
	if (len < 0)
		return;
	proto_tree_add_text(tree, tvb, offset, len + 1,
		"Application name: %.*s", len,
		tvb_get_ephemeral_string(tvb, offset, len));
	offset += len + 1;

	/* client computer name */
	len = tvb_strnlen(tvb, offset, 255);
	if (len < 0)
		return;
	proto_tree_add_text(tree, tvb, offset, len + 1,
		"Client computer name: %.*s", len,
		tvb_get_ephemeral_string(tvb, offset, len));
}
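static int display_application_name(tvbuff_t *tvb, int offset,
	proto_tree *tree) {

/* Display the application name (a NUL-terminated string at 'offset') in the
 * proto tree and return its length, not counting the terminator.
 *
 * NOTE: this routine assumes that the tree pointer is valid (not NULL).
 *
 * The string is bounded to 255 bytes by tvb_strnlen().  If no terminator is
 * found inside that window, -1 is returned and no item is added; a caller
 * that advances an offset by the return value must check for that.
 * (dissect_user_info_2() above already guards this case; here the -1 used
 * to be passed straight to proto_tree_add_text() and
 * tvb_get_ephemeral_string() as a length.)
 */

	int length;

	length = tvb_strnlen(tvb, offset, 255);
	if (length == -1)
		return -1;	/* unterminated: nothing displayed, nothing consumed */

	proto_tree_add_text(tree, tvb, offset, length, "Application: %.*s",
		length, tvb_get_ephemeral_string(tvb, offset, length));

	return length;
}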
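static void
dissect_sap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    /*
     * Dissect one SAP (RFC 2974) announcement: the fixed header, the optional
     * authentication block, the optional payload-type string, then hand the
     * remaining bytes to the SDP dissector.
     *
     * The header is walked on every pass, not only when a tree is requested:
     * all proto_tree_add_* calls below accept a NULL tree, and the offset
     * must be right so that SDP receives the payload and not the SAP header.
     * (Previously the whole walk sat inside "if (tree)", so a tree-less pass
     * passed offset 0 -- and even encrypted or compressed payloads -- straight
     * to the SDP dissector.)
     */
    int offset = 0;
    int sap_version, is_ipv6, is_del, is_enc, is_comp, addr_len;
    guint8 vers_flags;
    guint8 auth_len;
    guint16 tmp1;
    guint8 auth_flags;
    tvbuff_t *next_tvb;

    proto_item *si, *sif;
    proto_tree *sap_tree = NULL, *sap_flags_tree;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SAP");
    col_clear(pinfo->cinfo, COL_INFO);

    /* Byte 0: version plus the A (IPv6), T (deletion), E (encrypted) and
     * C (compressed) flags. */
    vers_flags = tvb_get_guint8(tvb, offset);
    is_ipv6 = vers_flags&MCAST_SAP_BIT_A;
    is_del = vers_flags&MCAST_SAP_BIT_T;
    is_enc = vers_flags&MCAST_SAP_BIT_E;
    is_comp = vers_flags&MCAST_SAP_BIT_C;

    sap_version = (vers_flags&MCAST_SAP_VERSION_MASK)>>MCAST_SAP_VERSION_SHIFT;
    addr_len = (is_ipv6) ? (int)sizeof(struct e_in6_addr) : 4;

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s (v%u)",
                     (is_del) ? "Deletion" : "Announcement", sap_version);
    }

    if (tree) {
        si = proto_tree_add_item(tree, proto_sap, tvb, offset, -1, ENC_NA);
        sap_tree = proto_item_add_subtree(si, ett_sap);

        sif = proto_tree_add_uint(sap_tree, hf_sap_flags, tvb, offset, 1, vers_flags);
        sap_flags_tree = proto_item_add_subtree(sif, ett_sap_flags);
        proto_tree_add_uint(sap_flags_tree, hf_sap_flags_v, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_a, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_r, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_t, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_e, tvb, offset, 1, vers_flags);
        proto_tree_add_boolean(sap_flags_tree, hf_sap_flags_c, tvb, offset, 1, vers_flags);
    }
    offset++;

    /* Authentication length, in 32-bit words. */
    auth_len = tvb_get_guint8(tvb, offset);
    proto_tree_add_text(sap_tree, tvb, offset, 1, "Authentication Length: %u", auth_len);
    offset++;

    tmp1 = tvb_get_ntohs(tvb, offset);
    proto_tree_add_text(sap_tree, tvb, offset, 2, "Message Identifier Hash: 0x%x", tmp1);
    offset +=2;

    proto_tree_add_text(sap_tree, tvb, offset, addr_len, "Originating Source: %s",
                        (is_ipv6) ? tvb_ip6_to_str(tvb, offset) : tvb_ip_to_str(tvb, offset));
    offset += addr_len;

    /* Authentication data lives in its own subtree */
    if (auth_len > 0) {
        guint32 auth_data_len;
        proto_item *sdi, *sai;
        proto_tree *sa_tree, *saf_tree;
        int has_pad;
        guint8 pad_len = 0;

        /* At most 255 * 4 = 1020 bytes, so this cannot overflow. */
        auth_data_len = (guint32)(auth_len * sizeof(guint32));

        sdi = proto_tree_add_item(sap_tree, hf_auth_data, tvb, offset, auth_data_len, ENC_NA);
        sa_tree = proto_item_add_subtree(sdi, ett_sap_auth);

        auth_flags = tvb_get_guint8(tvb, offset);
        sai = proto_tree_add_uint(sa_tree, hf_auth_flags, tvb, offset, 1, auth_flags);
        saf_tree = proto_item_add_subtree(sai, ett_sap_authf);
        proto_tree_add_uint(saf_tree, hf_auth_flags_v, tvb, offset, 1, auth_flags);
        proto_tree_add_boolean(saf_tree, hf_auth_flags_p, tvb, offset, 1, auth_flags);
        proto_tree_add_uint(saf_tree, hf_auth_flags_t, tvb, offset, 1, auth_flags);

        /* With the P bit set, the last byte of the auth data is the pad
         * count.  It comes straight from the packet, so it is validated
         * against auth_data_len before it sizes any item. */
        has_pad = auth_flags&MCAST_SAP_AUTH_BIT_P;
        if (has_pad)
            pad_len = tvb_get_guint8(tvb, offset+auth_data_len-1);

        if ((int) auth_data_len - pad_len - 1 < 0) {
            proto_tree_add_text(sa_tree, tvb, 0, 0,
                                "Bogus authentication length (%d) or pad length (%d)",
                                auth_len, pad_len);
            return;
        }

        /* Subheader: everything between the flags byte and the padding.
         * The byte count shown matches the item length (it used to report
         * auth_data_len-1, which silently included the padding). */
        proto_tree_add_text(sa_tree, tvb, offset+1, auth_data_len-pad_len-1,
                            "Authentication subheader: (%u byte%s)",
                            auth_data_len-pad_len-1,
                            plurality(auth_data_len-pad_len-1, "", "s"));
        if (has_pad) {
            proto_tree_add_text(sa_tree, tvb, offset+auth_data_len-pad_len, pad_len,
                                "Authentication data padding: (%u byte%s)",
                                pad_len, plurality(pad_len, "", "s"));
            proto_tree_add_text(sa_tree, tvb, offset+auth_data_len-1, 1,
                                "Authentication data pad count: %u byte%s",
                                pad_len, plurality(pad_len, "", "s"));
        }

        offset += auth_data_len;
    }

    /* Never hand encrypted or compressed bytes to SDP: stop here. */
    if (is_enc || is_comp) {
        const char *mangle;
        if (is_enc && is_comp) mangle = "compressed and encrypted";
        else if (is_enc) mangle = "encrypted";
        else mangle = "compressed";
        proto_tree_add_text(sap_tree, tvb, offset, -1,
                            "The rest of the packet is %s", mangle);
        return;
    }

    /* Do we have the optional payload type aka. MIME content specifier?
     * tvb_strneql() returns 0 on a match, so a non-zero result means the
     * payload does not start with "v=" and a payload type precedes it. */
    if (tvb_strneql(tvb, offset, "v=", strlen("v="))) {
        gint remaining_len;
        guint32 pt_len;
        int pt_string_len;

        remaining_len = tvb_length_remaining(tvb, offset);
        if (remaining_len == 0) {
            /*
             * "tvb_strneql()" failed because there was no
             * data left in the packet.
             *
             * Set the remaining length to 1, so that
             * we throw the appropriate exception in
             * "tvb_get_ptr()", rather than displaying
             * the payload type.
             */
            remaining_len = 1;
        }
        pt_string_len = tvb_strnlen(tvb, offset, remaining_len);
        if (pt_string_len == -1) {
            /*
             * We didn't find a terminating '\0'; run to the
             * end of the buffer.
             */
            pt_string_len = remaining_len;
            pt_len = pt_string_len;
        } else {
            /*
             * Include the '\0' in the total item length.
             */
            pt_len = pt_string_len + 1;
        }
        proto_tree_add_text(sap_tree, tvb, offset, pt_len,
                            "Payload type: %.*s", pt_string_len,
                            tvb_get_ephemeral_string(tvb, offset, pt_string_len));
        offset += pt_len;
    }

    /* Done with SAP */
    next_tvb = tvb_new_subset_remaining(tvb, offset);
    call_dissector(sdp_handle, next_tvb, pinfo, tree);

    return;
}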
/* Decoder State Machine.  Currently only used to snoop on the
   client-user-name as sent by the client upon connection establishment.
*/
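static void
rlogin_state_machine(rlogin_hash_entry_t *hash_info, tvbuff_t *tvb, packet_info *pinfo)
{
	/*
	 * Advance the per-conversation state on the first pass only, capturing
	 * the client user name from the second client packet.  The copied name
	 * is untrusted, cleartext network input: it is always bounded to
	 * NAME_LEN-1 bytes (plus the terminator written here) and to what the
	 * capture actually holds.
	 */
	guint length;
	gint stringlen;
	guint max_copy;

	/* Won't change state if already seen this packet */
	if (pinfo->fd->flags.visited)
	{
		return;
	}

	/* rlogin stream decoder */
	/* Just watch for the second packet from client with the user name and */
	/* terminal type information. */

	if (pinfo->destport != RLOGIN_PORT)
	{
		return;
	}

	/* exit if already passed username in conversation */
	if (hash_info->state == DONE)
	{
		return;
	}

	/* exit if no data */
	length = tvb_captured_length(tvb);
	if (length == 0)
	{
		return;
	}

	if (hash_info->state == NONE)
	{
		/* new connection: the first client byte must be a NUL */
		if (tvb_get_guint8(tvb, 0) != '\0')
		{
			/* We expected a null, but didn't get one; quit. */
			hash_info->state = DONE;
			return;
		}

		if (length <= 1)
		{
			/* Still waiting for data */
			hash_info->state = USER_INFO_WAIT;
		}
		else
		{
			/* Have info, store frame number */
			hash_info->state = DONE;
			hash_info->info_framenum = pinfo->num;
		}
	}
	/* expect user data here */
	/* TODO: may need to do more checking here? */
	else if (hash_info->state == USER_INFO_WAIT)
	{
		/* Store frame number here */
		hash_info->state = DONE;
		hash_info->info_framenum = pinfo->num;

		/*
		 * Work out how much to copy.  tvb_strnlen() returns -1 both when
		 * the name is unterminated and when the packet holds fewer than
		 * NAME_LEN bytes, so the fallback is clamped to the captured bytes
		 * as well as to NAME_LEN-1; otherwise tvb_memcpy() would raise a
		 * bounds exception on a short packet instead of keeping what was
		 * seen.
		 */
		max_copy = NAME_LEN - 1;
		if (length < max_copy)
			max_copy = length;

		stringlen = tvb_strnlen(tvb, 0, NAME_LEN);
		if (stringlen < 0 || (guint)stringlen > max_copy)
			stringlen = (gint)max_copy;   /* no '\0' found, or name too long */

		/* Copy and terminate string into hash name.
		 * NOTE(review): assumes user_name holds at least NAME_LEN bytes. */
		tvb_memcpy(tvb, (guint8 *)hash_info->user_name, 0, stringlen);
		hash_info->user_name[stringlen] = '\0';

		col_append_str(pinfo->cinfo, COL_INFO, ", (User information)");
	}
}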
/* dissect_sebek - dissects sebek packet data
 * tvb - tvbuff for packet data (IN)
 * pinfo - packet info
 * tree - protocol tree to populate (may be NULL)
 */
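/* Size of the fixed, NUL-padded "cmd" field in both record formats. */
enum { SEBEK_CMD_LEN = 12 };

/* Length of the command name in the cmd field at 'offset': up to the first
 * NUL, or the whole field when it is completely filled.  tvb_strnlen()
 * returns -1 in that case -- a command that exactly fills the 12 bytes has
 * no terminator -- and treating that as 0 (as before) hid such commands from
 * the Info column entirely. */
static int
sebek_cmd_len(tvbuff_t *tvb, int offset)
{
	int len = tvb_strnlen(tvb, offset, SEBEK_CMD_LEN);
	return (len < 0) ? SEBEK_CMD_LEN : len;
}

/* Add the fields of a version-2 record to 'sebek_tree'.
 * Layout: magic(4) version(2) type(2) counter(4) time(8) pid(4) uid(4)
 *         fd(4) cmd(12) len(4) data(rest of packet). */
static void
dissect_sebek_v2(tvbuff_t *tvb, proto_tree *sebek_tree)
{
	int offset = 0;
	nstime_t ts;

	proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
	offset += 2;
	proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
	offset += 2;
	proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
	offset += 4;

	ts.secs = tvb_get_ntohl(tvb, offset);
	ts.nsecs = tvb_get_ntohl(tvb, offset+4);
	proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
	offset += 8;

	proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, SEBEK_CMD_LEN, FALSE);
	offset += SEBEK_CMD_LEN;

	/* The length field is displayed but not used to size anything: the data
	 * item runs to the end of the packet rather than trusting a length read
	 * from the packet. */
	proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
	offset += 4;

	proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
}

/* Add the fields of a version-3 record to 'sebek_tree'.
 * Layout: magic(4) version(2) type(2) counter(4) time(8) ppid(4) pid(4)
 *         uid(4) fd(4) inode(4) cmd(12) len(4), then either a socket tuple
 *         (type 2) or data to the end of the packet. */
static void
dissect_sebek_v3(tvbuff_t *tvb, proto_tree *sebek_tree)
{
	int offset = 0;
	int sebek_type;
	nstime_t ts;

	proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
	offset += 2;

	/* The record type decides what follows the length field. */
	sebek_type = tvb_get_ntohs(tvb, offset);
	proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
	offset += 2;

	proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
	offset += 4;

	ts.secs = tvb_get_ntohl(tvb, offset);
	ts.nsecs = tvb_get_ntohl(tvb, offset+4);
	proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
	offset += 8;

	proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, FALSE);
	offset += 4;
	proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, SEBEK_CMD_LEN, FALSE);
	offset += SEBEK_CMD_LEN;

	/* Displayed only; see dissect_sebek_v2() for why it is not trusted. */
	proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
	offset += 4;

	if (sebek_type == 2) {
		/* data is socket data: endpoint tuple, call and protocol */
		proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, FALSE);
		offset += 4;
		proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, FALSE);
		offset += 2;
		proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, FALSE);
		offset += 4;
		proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, FALSE);
		offset += 2;
		proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, FALSE);
		offset += 2;
		proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, FALSE);
		offset += 1;
	} else {
		proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
	}
}

/* dissect_sebek - dissects sebek packet data
 * tvb - tvbuff for packet data (IN)
 * pinfo - packet info
 * tree - protocol tree to populate (may be NULL)
 *
 * Fills the Info column from the fixed-offset pid/uid/fd/cmd fields of the
 * version found at offset 4, then builds the field tree for that version.
 * Any field read past the captured data raises the usual bounds exception.
 */
static void
dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
	proto_tree	*sebek_tree;
	proto_item	*ti;
	int sebek_ver;
	int cmd_len;

	col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");

	/* Need the 4-byte magic plus the 2-byte version to pick a layout; a
	 * shorter packet counts as version 0, which matches no case below. */
	if (tvb->length<6)
		sebek_ver = 0;
	else
		sebek_ver = tvb_get_ntohs(tvb, 4);

	if (check_col(pinfo->cinfo, COL_INFO))
	{
		col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");

		switch (sebek_ver) {
			case 2:	col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
				col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
				col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
				/* stop at the first NUL, like v3, instead of printing the
				 * NUL padding as escapes */
				cmd_len = sebek_cmd_len(tvb, 32);
				col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, cmd_len));
				break;
			case 3:	col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
				col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
				col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
				cmd_len = sebek_cmd_len(tvb, 40);
				col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
				break;
			default:
				break;
		}
	}

	if (tree) {
		/* Adding Sebek item and subtree */
		ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, FALSE);
		sebek_tree = proto_item_add_subtree(ti, ett_sebek);

		switch (sebek_ver) {
			case 2:
				dissect_sebek_v2(tvb, sebek_tree);
				break;
			case 3:
				dissect_sebek_v3(tvb, sebek_tree);
				break;
			default:
				break;
		}
	}
}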
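static void
dissect_sap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    /*
     * Dissect one SAP (RFC 2974) announcement: the fixed header, the optional
     * authentication block, the optional payload-type string, then hand the
     * remaining bytes to the SDP dissector.
     *
     * Every part of the header is walked whether or not a tree was requested
     * (all proto_tree_add_* calls accept a NULL tree), so that 'offset' is
     * correct on every pass and SDP is handed the payload, not SAP bytes.
     */
    int offset = 0;
    int sap_version, is_ipv6, is_del, is_enc, is_comp, addr_len;
    guint8 vers_flags;
    guint8 auth_len;
    guint8 auth_flags;
    tvbuff_t *next_tvb;

    proto_item *si, *sif;
    proto_tree *sap_tree = NULL, *sap_flags_tree;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SAP");
    col_clear(pinfo->cinfo, COL_INFO);

    /* Byte 0: version plus the A (IPv6), T (deletion), E (encrypted) and
     * C (compressed) flags. */
    vers_flags = tvb_get_guint8(tvb, offset);
    is_ipv6 = vers_flags&MCAST_SAP_BIT_A;
    is_del = vers_flags&MCAST_SAP_BIT_T;
    is_enc = vers_flags&MCAST_SAP_BIT_E;
    is_comp = vers_flags&MCAST_SAP_BIT_C;

    sap_version = (vers_flags&MCAST_SAP_VERSION_MASK)>>MCAST_SAP_VERSION_SHIFT;
    addr_len = (is_ipv6) ? (int)sizeof(struct e_in6_addr) : 4;

    col_add_fstr(pinfo->cinfo, COL_INFO, "%s (v%u)",
                            (is_del) ? "Deletion" : "Announcement", sap_version);

    if (tree) {
        si = proto_tree_add_item(tree, proto_sap, tvb, offset, -1, ENC_NA);
        sap_tree = proto_item_add_subtree(si, ett_sap);

        sif = proto_tree_add_item(sap_tree, hf_sap_flags, tvb, offset, 1, ENC_NA);
        sap_flags_tree = proto_item_add_subtree(sif, ett_sap_flags);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_v, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_a, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_r, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_t, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_e, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(sap_flags_tree, hf_sap_flags_c, tvb, offset, 1, ENC_NA);
    }

    offset++;

    /* Authentication length, in 32-bit words. */
    auth_len = tvb_get_guint8(tvb, offset);
    proto_tree_add_item(sap_tree, hf_sap_auth_len, tvb, offset, 1, ENC_NA);
    offset++;

    proto_tree_add_item(sap_tree, hf_sap_message_identifier_hash, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset +=2;

    if (is_ipv6)
        proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv6, tvb, offset, addr_len, ENC_NA);
    else
        proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv4, tvb, offset, addr_len, ENC_BIG_ENDIAN);
    offset += addr_len;

    /* Authentication data lives in its own subtree */
    if (auth_len > 0) {
        guint32 auth_data_len;
        proto_item *sdi, *sai;
        proto_tree *sa_tree, *saf_tree;
        int has_pad;
        guint8 pad_len = 0;

        /* At most 255 * 4 = 1020 bytes, so this cannot overflow. */
        auth_data_len = (guint32)(auth_len * sizeof(guint32));

        sdi = proto_tree_add_item(sap_tree, hf_auth_data, tvb, offset, auth_data_len, ENC_NA);
        sa_tree = proto_item_add_subtree(sdi, ett_sap_auth);

        auth_flags = tvb_get_guint8(tvb, offset);
        sai = proto_tree_add_item(sa_tree, hf_auth_flags, tvb, offset, 1, ENC_NA);
        saf_tree = proto_item_add_subtree(sai, ett_sap_authf);
        proto_tree_add_item(saf_tree, hf_auth_flags_v, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(saf_tree, hf_auth_flags_p, tvb, offset, 1, ENC_NA);
        proto_tree_add_item(saf_tree, hf_auth_flags_t, tvb, offset, 1, ENC_NA);

        /* With the P bit set, the last byte of the auth data is the pad
         * count.  It comes straight from the packet, so it is validated
         * against auth_data_len before it sizes any item. */
        has_pad = auth_flags&MCAST_SAP_AUTH_BIT_P;
        if (has_pad) {
            pad_len = tvb_get_guint8(tvb, offset+auth_data_len-1);
        }

        if ((int) auth_data_len - pad_len - 1 < 0) {
            expert_add_info_format(pinfo, sai, &ei_sap_bogus_authentication_or_pad_length,
                                        "Bogus authentication length (%d) or pad length (%d)", auth_len, pad_len);
            return;
        }

        /* Subheader: everything between the flags byte and the padding. */
        proto_tree_add_item(sa_tree, hf_sap_auth_subheader, tvb, offset+1, auth_data_len-pad_len-1, ENC_NA);
        if (has_pad) {
            proto_tree_add_item(sa_tree, hf_sap_auth_data_padding_len, tvb, offset+auth_data_len-1, 1, ENC_NA);
            proto_tree_add_item(sa_tree, hf_sap_auth_data_padding, tvb, offset+auth_data_len-pad_len, pad_len, ENC_NA);
        }

        offset += auth_data_len;
    }

    /* Never hand encrypted or compressed bytes to SDP: stop here. */
    if (is_enc || is_comp) {
        expert_field *mangle;
        if (is_enc && is_comp)
            mangle = &ei_sap_compressed_and_encrypted;
        else if (is_enc)
            mangle = &ei_sap_encrypted;
        else
            mangle = &ei_sap_compressed;

        proto_tree_add_expert(sap_tree, pinfo, mangle, tvb, offset, -1);
        return;
    }

    /*
     * Optional payload type aka. MIME content specifier.  tvb_strneql()
     * returns 0 on a match, so a non-zero result means the payload does not
     * start with "v=" and a payload-type string precedes it.
     *
     * This is walked regardless of 'tree' for the same reason as the header
     * above: if it only ran when a tree was requested, a tree-less pass would
     * leave 'offset' on the payload-type string and hand that string to the
     * SDP dissector as part of the payload.
     * proto_tree_add_string_format_value() accepts a NULL tree.
     */
    if (tvb_strneql(tvb, offset, "v=", strlen("v="))) {
        gint remaining_len;
        guint32 pt_len;
        int pt_string_len;
        guint8* pt_str;

        remaining_len = tvb_captured_length_remaining(tvb, offset);
        if (remaining_len == 0) {
            /*
             * "tvb_strneql()" failed because there was no
             * data left in the packet.
             *
             * Set the remaining length to 1, so that
             * we throw the appropriate exception in
             * "tvb_get_ptr()", rather than displaying
             * the payload type.
             */
            remaining_len = 1;
        }

        pt_string_len = tvb_strnlen(tvb, offset, remaining_len);
        if (pt_string_len == -1) {
            /*
             * We didn't find a terminating '\0'; run to the
             * end of the buffer.
             */
            pt_string_len = remaining_len;
            pt_len = pt_string_len;
        } else {
            /*
             * Include the '\0' in the total item length.
             */
            pt_len = pt_string_len + 1;
        }

        pt_str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, pt_string_len, ENC_ASCII);
        proto_tree_add_string_format_value(sap_tree, hf_sap_payload_type, tvb, offset, pt_len,
            pt_str, "%.*s", pt_string_len, pt_str);
        offset += pt_len;
    }

    /* Done with SAP */
    next_tvb = tvb_new_subset_remaining(tvb, offset);
    call_dissector(sdp_handle, next_tvb, pinfo, tree);
}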