2 * Routines for TCP packet disassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
32 #include <epan/in_cksum.h>
34 #include <epan/packet.h>
35 #include <epan/addr_resolv.h>
36 #include <epan/ipproto.h>
37 #include <epan/ip_opts.h>
38 #include <epan/follow.h>
39 #include <epan/prefs.h>
40 #include <epan/emem.h>
41 #include "packet-tcp.h"
42 #include "packet-ip.h"
43 #include "packet-frame.h"
44 #include <epan/conversation.h>
45 #include <epan/strutil.h>
46 #include <epan/reassemble.h>
48 #include <epan/slab.h>
49 #include <epan/expert.h>
51 static int tcp_tap = -1;
53 /* Place TCP summary in proto tree */
54 static gboolean tcp_summary_in_tree = TRUE;
57 * Flag to control whether to check the TCP checksum.
59 * In at least some Solaris network traces, there are packets with bad
60 * TCP checksums, but the traffic appears to indicate that the packets
61 * *were* received; the packets were probably sent by the host on which
62 * the capture was being done, on a network interface to which
63 * checksumming was offloaded, so that DLPI supplied an un-checksummed
64 * packet to the capture program but a checksummed packet got put onto
67 static gboolean tcp_check_checksum = TRUE;
69 extern FILE* data_out_file;
71 static int proto_tcp = -1;
72 static int hf_tcp_srcport = -1;
73 static int hf_tcp_dstport = -1;
74 static int hf_tcp_port = -1;
75 static int hf_tcp_seq = -1;
76 static int hf_tcp_nxtseq = -1;
77 static int hf_tcp_ack = -1;
78 static int hf_tcp_hdr_len = -1;
79 static int hf_tcp_flags = -1;
80 static int hf_tcp_flags_cwr = -1;
81 static int hf_tcp_flags_ecn = -1;
82 static int hf_tcp_flags_urg = -1;
83 static int hf_tcp_flags_ack = -1;
84 static int hf_tcp_flags_push = -1;
85 static int hf_tcp_flags_reset = -1;
86 static int hf_tcp_flags_syn = -1;
87 static int hf_tcp_flags_fin = -1;
88 static int hf_tcp_window_size = -1;
89 static int hf_tcp_checksum = -1;
90 static int hf_tcp_checksum_bad = -1;
91 static int hf_tcp_checksum_good = -1;
92 static int hf_tcp_len = -1;
93 static int hf_tcp_urgent_pointer = -1;
94 static int hf_tcp_analysis_flags = -1;
95 static int hf_tcp_analysis_acks_frame = -1;
96 static int hf_tcp_analysis_ack_rtt = -1;
97 static int hf_tcp_analysis_rto = -1;
98 static int hf_tcp_analysis_rto_frame = -1;
99 static int hf_tcp_analysis_retransmission = -1;
100 static int hf_tcp_analysis_fast_retransmission = -1;
101 static int hf_tcp_analysis_out_of_order = -1;
102 static int hf_tcp_analysis_reused_ports = -1;
103 static int hf_tcp_analysis_lost_packet = -1;
104 static int hf_tcp_analysis_ack_lost_packet = -1;
105 static int hf_tcp_analysis_window_update = -1;
106 static int hf_tcp_analysis_window_full = -1;
107 static int hf_tcp_analysis_keep_alive = -1;
108 static int hf_tcp_analysis_keep_alive_ack = -1;
109 static int hf_tcp_analysis_duplicate_ack = -1;
110 static int hf_tcp_analysis_duplicate_ack_num = -1;
111 static int hf_tcp_analysis_duplicate_ack_frame = -1;
112 static int hf_tcp_analysis_zero_window = -1;
113 static int hf_tcp_analysis_zero_window_probe = -1;
114 static int hf_tcp_analysis_zero_window_probe_ack = -1;
115 static int hf_tcp_continuation_to = -1;
116 static int hf_tcp_pdu_time = -1;
117 static int hf_tcp_pdu_size = -1;
118 static int hf_tcp_pdu_last_frame = -1;
119 static int hf_tcp_reassembled_in = -1;
120 static int hf_tcp_segments = -1;
121 static int hf_tcp_segment = -1;
122 static int hf_tcp_segment_overlap = -1;
123 static int hf_tcp_segment_overlap_conflict = -1;
124 static int hf_tcp_segment_multiple_tails = -1;
125 static int hf_tcp_segment_too_long_fragment = -1;
126 static int hf_tcp_segment_error = -1;
127 static int hf_tcp_options = -1;
128 static int hf_tcp_option_mss = -1;
129 static int hf_tcp_option_mss_val = -1;
130 static int hf_tcp_option_wscale = -1;
131 static int hf_tcp_option_wscale_val = -1;
132 static int hf_tcp_option_sack_perm = -1;
133 static int hf_tcp_option_sack = -1;
134 static int hf_tcp_option_sack_sle = -1;
135 static int hf_tcp_option_sack_sre = -1;
136 static int hf_tcp_option_echo = -1;
137 static int hf_tcp_option_echo_reply = -1;
138 static int hf_tcp_option_time_stamp = -1;
139 static int hf_tcp_option_cc = -1;
140 static int hf_tcp_option_ccnew = -1;
141 static int hf_tcp_option_ccecho = -1;
142 static int hf_tcp_option_md5 = -1;
143 static int hf_tcp_option_qs = -1;
144 static int hf_tcp_ts_relative = -1;
145 static int hf_tcp_ts_delta = -1;
147 static gint ett_tcp = -1;
148 static gint ett_tcp_flags = -1;
149 static gint ett_tcp_options = -1;
150 static gint ett_tcp_option_sack = -1;
151 static gint ett_tcp_analysis = -1;
152 static gint ett_tcp_analysis_faults = -1;
153 static gint ett_tcp_timestamps = -1;
154 static gint ett_tcp_segments = -1;
155 static gint ett_tcp_segment = -1;
156 static gint ett_tcp_checksum = -1;
159 /* not all of the hf_fields below make sense for TCP but we have to provide
160 them anyways to comply with the api (which was aimed for ip fragment
162 static const fragment_items tcp_segment_items = {
167 &hf_tcp_segment_overlap,
168 &hf_tcp_segment_overlap_conflict,
169 &hf_tcp_segment_multiple_tails,
170 &hf_tcp_segment_too_long_fragment,
171 &hf_tcp_segment_error,
172 &hf_tcp_reassembled_in,
176 static dissector_table_t subdissector_table;
177 static heur_dissector_list_t heur_subdissector_list;
178 static dissector_handle_t data_handle;
180 /* TCP structs and definitions */
182 /* **************************************************************************
184 * RTT and relative sequence numbers.
185 * **************************************************************************/
186 static gboolean tcp_analyze_seq = TRUE;
187 static gboolean tcp_relative_seq = TRUE;
188 static gboolean tcp_calculate_ts = FALSE;
190 /* SLAB allocator for tcp_unacked structures
192 SLAB_ITEM_TYPE_DEFINE(tcp_unacked_t)
193 static SLAB_FREE_LIST_DEFINE(tcp_unacked_t)
194 #define TCP_UNACKED_NEW(fi) \
195 SLAB_ALLOC(fi, tcp_unacked_t)
196 #define TCP_UNACKED_FREE(fi) \
197 SLAB_FREE(fi, tcp_unacked_t)
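/* Per-frame result bits of the TCP sequence-number analysis (stored in
 * tcp_acked.flags and copied to tcp_flow.lastsegmentflags).
 *
 * Every bit is a heuristic verdict derived from the capture itself: from
 * header fields supplied by the peers and from capture timestamps.  The
 * dissector reports several of them as "(suspected)", and they should be
 * read as indicators rather than proof when a trace is used as evidence.
 *
 * The listing this block was taken from carried the viewer's line numbers
 * in front of each #define; they are removed here so the block compiles.
 */
#define TCP_A_RETRANSMISSION		0x0001	/* data segment that does not advance the sequence number and is neither a fast retransmission nor out-of-order */
#define TCP_A_LOST_PACKET		0x0002	/* sequence number lies beyond the next expected one: an earlier segment is missing from the trace */
#define TCP_A_ACK_LOST_PACKET		0x0004	/* ACK covers data beyond anything seen in the other direction */
#define TCP_A_KEEP_ALIVE		0x0008	/* 0 or 1 byte segment starting one byte before the next expected sequence number */
#define TCP_A_DUPLICATE_ACK		0x0010	/* zero-length segment repeating the previous window/seq/ack */
#define TCP_A_ZERO_WINDOW		0x0020	/* window of 0 advertised without SYN/FIN/RST */
#define TCP_A_ZERO_WINDOW_PROBE		0x0040	/* 1 byte segment at the expected sequence number while the peer's window is 0 */
#define TCP_A_ZERO_WINDOW_PROBE_ACK	0x0080	/* repeats the previous ACK after a zero window probe from the peer */
#define TCP_A_KEEP_ALIVE_ACK		0x0100	/* repeats the previous ACK after a keep-alive from the peer */
#define TCP_A_OUT_OF_ORDER		0x0200	/* non-advancing data that arrived within 3ms of the highest sequence number seen */
#define TCP_A_FAST_RETRANSMISSION	0x0400	/* non-advancing data matching >=2 duplicate ACKs, within 20ms of the last of them */
#define TCP_A_WINDOW_UPDATE		0x0800	/* zero-length segment with unchanged seq/ack but a new window value */
#define TCP_A_WINDOW_FULL		0x1000	/* data reaches the edge of the peer's advertised (scaled) window */
#define TCP_A_REUSED_PORTS		0x2000	/* new session started on the same ports as an earlier one in the trace */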
217 process_tcp_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
218 proto_tree *tree, proto_tree *tcp_tree, int src_port, int dst_port,
219 guint32 seq, guint32 nxtseq, gboolean is_tcp_segment,
220 struct tcp_analysis *tcpd);
223 struct tcp_analysis *
224 new_tcp_conversation(packet_info *pinfo)
227 conversation_t *conv=NULL;
228 struct tcp_analysis *tcpd=NULL;
230 /* Create a new conversation. */
231 conv=conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
233 /* No no such data yet. Allocate and init it */
234 tcpd=se_alloc(sizeof(struct tcp_analysis));
235 tcpd->flow1.segments=NULL;
236 tcpd->flow1.base_seq=0;
237 tcpd->flow1.lastack=0;
238 tcpd->flow1.lastacktime.secs=0;
239 tcpd->flow1.lastacktime.nsecs=0;
240 tcpd->flow1.lastnondupack=0;
241 tcpd->flow1.nextseq=0;
242 tcpd->flow1.nextseqtime.secs=0;
243 tcpd->flow1.nextseqtime.nsecs=0;
244 tcpd->flow1.nextseqframe=0;
245 tcpd->flow1.window=0;
246 tcpd->flow1.win_scale=-1;
248 tcpd->flow1.multisegment_pdus=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "tcp_multisegment_pdus");
249 tcpd->flow2.segments=NULL;
250 tcpd->flow2.base_seq=0;
251 tcpd->flow2.lastack=0;
252 tcpd->flow2.lastacktime.secs=0;
253 tcpd->flow2.lastacktime.nsecs=0;
254 tcpd->flow2.lastnondupack=0;
255 tcpd->flow2.nextseq=0;
256 tcpd->flow2.nextseqtime.secs=0;
257 tcpd->flow2.nextseqtime.nsecs=0;
258 tcpd->flow2.nextseqframe=0;
259 tcpd->flow2.window=0;
260 tcpd->flow2.win_scale=-1;
262 tcpd->flow2.multisegment_pdus=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "tcp_multisegment_pdus");
263 tcpd->acked_table=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "tcp_analyze_acked_table");
264 tcpd->ts_first.secs=pinfo->fd->abs_ts.secs;
265 tcpd->ts_first.nsecs=pinfo->fd->abs_ts.nsecs;
266 tcpd->ts_prev.secs=pinfo->fd->abs_ts.secs;
267 tcpd->ts_prev.nsecs=pinfo->fd->abs_ts.nsecs;
270 conversation_add_proto_data(conv, proto_tcp, tcpd);
272 /* check direction and get ua lists */
273 direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
274 /* if the addresses are equal, match the ports instead */
276 direction= (pinfo->srcport > pinfo->destport)*2-1;
279 tcpd->fwd=&(tcpd->flow1);
280 tcpd->rev=&(tcpd->flow2);
282 tcpd->fwd=&(tcpd->flow2);
283 tcpd->rev=&(tcpd->flow1);
290 struct tcp_analysis *
291 get_tcp_conversation_data(packet_info *pinfo)
294 conversation_t *conv=NULL;
295 struct tcp_analysis *tcpd=NULL;
297 /* Have we seen this conversation before? */
298 if( (conv=find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
299 /* No this is a new conversation. */
300 tcpd=new_tcp_conversation(pinfo);
302 /* Get the data for this conversation */
303 tcpd=conversation_get_proto_data(conv, proto_tcp);
310 /* check direction and get ua lists */
311 direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
312 /* if the addresses are equal, match the ports instead */
314 direction= (pinfo->srcport > pinfo->destport)*2-1;
317 tcpd->fwd=&(tcpd->flow1);
318 tcpd->rev=&(tcpd->flow2);
320 tcpd->fwd=&(tcpd->flow2);
321 tcpd->rev=&(tcpd->flow1);
328 /* Calculate the timestamps relative to this conversation */
330 tcp_calculate_timestamps(packet_info *pinfo, struct tcp_analysis *tcpd,
331 struct tcp_per_packet_data_t *tcppd)
334 tcppd = p_get_proto_data(pinfo->fd, proto_tcp);
337 tcppd = se_alloc(sizeof(struct tcp_per_packet_data_t));
338 p_add_proto_data(pinfo->fd, proto_tcp, tcppd);
344 nstime_delta(&tcppd->ts_del, &pinfo->fd->abs_ts, &tcpd->ts_prev);
346 tcpd->ts_prev.secs=pinfo->fd->abs_ts.secs;
347 tcpd->ts_prev.nsecs=pinfo->fd->abs_ts.nsecs;
350 /* Add a subtree with the timestamps relative to this conversation */
352 tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
361 item=proto_tree_add_text(parent_tree, tvb, 0, 0, "Timestamps");
362 PROTO_ITEM_SET_GENERATED(item);
363 tree=proto_item_add_subtree(item, ett_tcp_timestamps);
365 nstime_delta(&ts, &pinfo->fd->abs_ts, &tcpd->ts_first);
366 item = proto_tree_add_time(tree, hf_tcp_ts_relative, tvb, 0, 0, &ts);
367 PROTO_ITEM_SET_GENERATED(item);
370 tcppd = p_get_proto_data(pinfo->fd, proto_tcp);
373 item = proto_tree_add_time(tree, hf_tcp_ts_delta, tvb, 0, 0,
375 PROTO_ITEM_SET_GENERATED(item);
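/* Mark the current segment as the continuation of a multi-segment PDU.
 *
 * Prepends "[Continuation to #N] " to the Info column (when that column is
 * in use) and adds a generated hf_tcp_continuation_to item to the TCP tree,
 * where N is the frame in which the PDU started (msp->first_frame).
 *
 * msp is dereferenced unconditionally; callers must pass a non-NULL record.
 *
 * NOTE(review): the listing dropped the return-type line, the braces and the
 * local declaration; `static void` and `proto_item *item` are restored from
 * how the visible statements use them - confirm against the upstream file.
 */
static void
print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
{
	proto_item *item;

	if (check_col(pinfo->cinfo, COL_INFO)) {
		col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
			"[Continuation to #%u] ", msp->first_frame);
	}

	/* Zero-length item: the value comes from analysis, not from packet bytes. */
	item = proto_tree_add_uint(tcp_tree, hf_tcp_continuation_to,
		tvb, 0, 0, msp->first_frame);
	PROTO_ITEM_SET_GENERATED(item);
}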
392 /* if we know that a PDU starts inside this segment, return the adjusted
393 offset to where that PDU starts or just return offset back
394 and let TCP try to find out what it can about this segment
397 scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, guint32 seq, guint32 nxtseq, emem_tree_t *multisegment_pdus)
399 struct tcp_multisegment_pdu *msp=NULL;
401 if(!pinfo->fd->flags.visited){
402 msp=se_tree_lookup32_le(multisegment_pdus, seq-1);
404 /* If this is a continuation of a PDU started in a
405 * previous segment we need to update the last_frame
408 if(seq>msp->seq && seq<msp->nxtpdu){
409 msp->last_frame=pinfo->fd->num;
410 msp->last_frame_time=pinfo->fd->abs_ts;
411 print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
414 /* If this segment is completely within a previous PDU
415 * then we just skip this packet
417 if(seq>msp->seq && nxtseq<=msp->nxtpdu){
420 if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu){
421 offset+=msp->nxtpdu-seq;
427 /* First we try to find the start and transfer time for a PDU.
428 * We only print this for the very first segment of a PDU
429 * and only for PDUs spanning multiple segments.
430 * Se we look for if there was any multisegment PDU started
431 * just BEFORE the end of this segment. I.e. either inside this
432 * segment or in a previous segment.
433 * Since this might also match PDUs that are completely within
434 * this segment we also verify that the found PDU does span
435 * beyond the end of this segment.
437 msp=se_tree_lookup32_le(multisegment_pdus, nxtseq-1);
439 if( (pinfo->fd->num==msp->first_frame)
444 item=proto_tree_add_uint(tcp_tree, hf_tcp_pdu_last_frame, tvb, 0, 0, msp->last_frame);
445 PROTO_ITEM_SET_GENERATED(item);
447 nstime_delta(&ns, &msp->last_frame_time, &pinfo->fd->abs_ts);
448 item = proto_tree_add_time(tcp_tree, hf_tcp_pdu_time,
450 PROTO_ITEM_SET_GENERATED(item);
454 /* Second we check if this segment is part of a PDU started
455 * prior to the segment (seq-1)
457 msp=se_tree_lookup32_le(multisegment_pdus, seq-1);
459 /* If this segment is completely within a previous PDU
460 * then we just skip this packet
462 if(seq>msp->seq && nxtseq<=msp->nxtpdu){
463 print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
467 if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu){
468 offset+=msp->nxtpdu-seq;
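/* If we saw a PDU that extended beyond the end of the segment,
 * use this function to remember where the next PDU starts.
 *
 * Allocates a tracking record in capture-lifetime (se_) memory, records the
 * current frame as both first and last frame of the PDU, and indexes the
 * record by `seq` in `multisegment_pdus`.  Returns the new record.
 *
 * The record is allocated with se_alloc0() rather than se_alloc(): se_alloc()
 * returns uninitialised memory, so any member not assigned below would
 * otherwise hold stale heap contents when later read during dissection of
 * attacker-supplied traffic.
 *
 * NOTE(review): the listing dropped the lines between the allocation and the
 * first_frame assignment, and the tail of the function.  The seq/nxtpdu
 * stores and the return are restored from the parameters, the return type
 * and from scan_for_next_pdu() reading msp->seq and msp->nxtpdu - confirm
 * against the upstream file.
 */
struct tcp_multisegment_pdu *
pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, emem_tree_t *multisegment_pdus)
{
	struct tcp_multisegment_pdu *msp;

	msp = se_alloc0(sizeof(struct tcp_multisegment_pdu));
	msp->nxtpdu = nxtpdu;
	msp->seq = seq;
	msp->first_frame = pinfo->fd->num;
	msp->last_frame = pinfo->fd->num;
	msp->last_frame_time = pinfo->fd->abs_ts;

	se_tree_insert32(multisegment_pdus, seq, (void *)msp);
	return msp;
}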
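/* This is called for SYN+ACK packets and the purpose is to verify that we
 * have seen window scaling in both directions.
 * If we can't find window scaling being set in both directions
 * that means it was present in the SYN but not in the SYN+ACK
 * (or the SYN was missing) and then we disable the window scaling
 * for this tcp session.
 *
 * A win_scale of -1 is the "no scaling known" marker; after this call either
 * both flows carry a scale value or both carry -1.  A NULL tcpd is ignored.
 *
 * NOTE(review): the listing dropped the comment terminator, the return-type
 * line and the braces; `static void` is assumed - confirm against upstream.
 */
static void
verify_tcp_window_scaling(struct tcp_analysis *tcpd)
{
	if (!tcpd)
		return;

	if (tcpd->flow1.win_scale == -1 || tcpd->flow2.win_scale == -1) {
		tcpd->flow1.win_scale = -1;
		tcpd->flow2.win_scale = -1;
	}
}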
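/* If we saw a window scaling option, store it for future reference.
 *
 * `ws` is the shift count read from the Window Scale option of the segment
 * being dissected, so it is chosen by whoever produced the traffic or the
 * capture file and can be any value from 0 to 255.  The stored value is
 * later used as a shift count on a 32-bit window, and shifting by the width
 * of the type or more is undefined behaviour in C.  RFC 1323 section 2.3
 * limits the shift count to 14 and says a receiver should use 14 when a
 * larger value arrives, so the value is clamped here before it is stored.
 *
 * A NULL tcpd is ignored, matching the other helpers that take tcpd.
 *
 * NOTE(review): the return-type line and braces are absent from the listing;
 * `static void` is assumed - confirm against the upstream file.
 */
static void
pdu_store_window_scale_option(guint8 ws, struct tcp_analysis *tcpd)
{
	const guint8 max_wscale_shift = 14;	/* RFC 1323, section 2.3 */

	if (!tcpd)
		return;

	if (ws > max_wscale_shift)
		ws = max_wscale_shift;

	tcpd->fwd->win_scale = ws;
}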
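/* Rewrite *seq and *ack as offsets from the base sequence numbers of the
 * conversation and scale *win by the window scale recorded for the sending
 * flow.  Nothing is changed when tcpd is NULL or the relative-sequence
 * preference (tcp_relative_seq) is off.
 *
 * The scale factor originates from a TCP option in captured traffic.  It is
 * bounded to 0..14 (RFC 1323, section 2.3) before being used as a shift
 * count, because shifting a 32-bit value by 32 or more, or by a negative
 * count, is undefined behaviour.  A negative win_scale (-1 is the "unknown"
 * marker) leaves *win untouched.
 *
 * NOTE(review): the return-type line and braces are absent from the listing;
 * `static void` is assumed - confirm against the upstream file.
 */
static void
tcp_get_relative_seq_ack(guint32 *seq, guint32 *ack, guint32 *win, struct tcp_analysis *tcpd)
{
	int shift;

	if (!tcpd || !tcp_relative_seq)
		return;

	(*seq) -= tcpd->fwd->base_seq;
	(*ack) -= tcpd->rev->base_seq;

	shift = tcpd->fwd->win_scale;
	if (shift < 0)
		return;		/* no usable window scale for this flow */
	if (shift > 14)
		shift = 14;	/* largest shift count the RFC permits */

	(*win) <<= shift;
}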
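/* When this function returns, tcpd->ta points at the analysis record stored
 * for `frame` in tcpd->acked_table.  If no record exists, one is created and
 * inserted when createflag is set; otherwise tcpd->ta is left NULL.
 * A NULL tcpd is ignored.
 *
 * New records come from se_alloc0() so every member starts at zero.  With
 * se_alloc() the memory is uninitialised, and members that the visible
 * initialiser list does not mention (rto_ts and rto_frame are only written
 * on the retransmission path) would hold stale data until assigned.
 *
 * NOTE(review): the listing dropped the return-type line, the braces and two
 * initialiser lines.  Every initialiser that is visible stores 0, which
 * se_alloc0() already provides - confirm against the upstream file that no
 * member needs a non-zero starting value.  `static void` is assumed.
 */
static void
tcp_analyze_get_acked_struct(guint32 frame, gboolean createflag, struct tcp_analysis *tcpd)
{
	if (!tcpd)
		return;

	tcpd->ta = se_tree_lookup32(tcpd->acked_table, frame);
	if (tcpd->ta || !createflag)
		return;

	tcpd->ta = se_alloc0(sizeof(struct tcp_acked));
	se_tree_insert32(tcpd->acked_table, frame, (void *)tcpd->ta);
}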
556 /* fwd contains a list of all segments processed but not yet ACKed in the
557 * same direction as the current segment.
558 * rev contains a list of all segments received but not yet ACKed in the
559 * opposite direction to the current segment.
561 * New segments are always added to the head of the fwd/rev lists.
565 tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags, guint32 window, struct tcp_analysis *tcpd)
567 tcp_unacked_t *ual=NULL;
571 printf("analyze_sequence numbers frame:%u direction:%s\n",pinfo->fd->num,direction>=0?"FWD":"REW");
572 printf("FWD list lastflags:0x%04x base_seq:0x%08x:\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq);for(ual=tcpd->fwd->segments;ual;ual=ual->next)printf("Frame:%d Seq:%d Nextseq:%d\n",ual->frame,ual->seq,ual->nextseq);
573 printf("REV list lastflags:0x%04x base_seq:0x%08x:\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq);for(ual=tcpd->rev->segments;ual;ual=ual->next)printf("Frame:%d Seq:%d Nextseq:%d\n",ual->frame,ual->seq,ual->nextseq);
580 /* if this is the first segment for this list we need to store the
583 * Start relative seq and ack numbers at 1 if this
584 * is not a SYN packet. This makes the relative
585 * seq/ack numbers to be displayed correctly in the
586 * event that the SYN or SYN/ACK packet is not seen
587 * (this solves bug 1542)
589 if(tcpd->fwd->base_seq==0){
590 tcpd->fwd->base_seq = (flags & TH_SYN) ? seq : seq-1;
593 /* Only store reverse sequence if this isn't the SYN
594 * There's no guarantee that the ACK field of a SYN
595 * contains zeros; get the ISN from the first segment
596 * with the ACK bit set instead (usually the SYN/ACK).
598 if( (tcpd->rev->base_seq==0) && (flags & TH_ACK) ){
599 tcpd->rev->base_seq = (flags & TH_SYN) ? ack : ack-1;
604 * it is a zero window probe if
605 * the sequnece number is the next expected one
606 * the window in the other direction is 0
607 * the segment is exactly 1 byte
611 && seq==tcpd->fwd->nextseq
612 && tcpd->rev->window==0 ){
614 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
616 tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE;
622 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
626 && (flags&(TH_RST|TH_FIN|TH_SYN))==0 ){
628 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
630 tcpd->ta->flags|=TCP_A_ZERO_WINDOW;
635 * If this segment is beyond the last seen nextseq we must
636 * have missed some previous segment
638 * We only check for this if we have actually seen segments prior to this
640 * RST packets are not checked for this.
642 if( tcpd->fwd->nextseq
643 && GT_SEQ(seq, tcpd->fwd->nextseq)
644 && (flags&(TH_RST))==0 ){
646 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
648 tcpd->ta->flags|=TCP_A_LOST_PACKET;
653 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
654 * to what should be the next sequence number.
655 * SYN/FIN/RST segments are never keepalives
658 if( (seglen==0||seglen==1)
659 && seq==(tcpd->fwd->nextseq-1)
660 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
662 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
664 tcpd->ta->flags|=TCP_A_KEEP_ALIVE;
668 * A window update is a 0 byte segment with the same SEQ/ACK numbers as
669 * the previous seen segment and with a new window value
673 && window!=tcpd->fwd->window
674 && seq==tcpd->fwd->nextseq
675 && ack==tcpd->fwd->lastack
676 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
678 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
680 tcpd->ta->flags|=TCP_A_WINDOW_UPDATE;
685 * If we know the window scaling
686 * and if this segment contains data ang goes all the way to the
687 * edge of the advertized window
688 * then we mark it as WINDOW FULL
689 * SYN/RST/FIN packets are never WINDOW FULL
693 && tcpd->fwd->win_scale!=-1
694 && tcpd->rev->win_scale!=-1
695 && (seq+seglen)==(tcpd->rev->lastack+(tcpd->rev->window<<tcpd->rev->win_scale))
696 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
698 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
700 tcpd->ta->flags|=TCP_A_WINDOW_FULL;
705 * It is a keepalive ack if it repeats the previous ACK and if
706 * the last segment in the reverse direction was a keepalive
711 && window==tcpd->fwd->window
712 && seq==tcpd->fwd->nextseq
713 && ack==tcpd->fwd->lastack
714 && (tcpd->rev->lastsegmentflags&TCP_A_KEEP_ALIVE)
715 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
717 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
719 tcpd->ta->flags|=TCP_A_KEEP_ALIVE_ACK;
724 /* ZERO WINDOW PROBE ACK
725 * It is a zerowindowprobe ack if it repeats the previous ACK and if
726 * the last segment in the reverse direction was a zerowindowprobe
727 * It also repeats the previous zero window indication
732 && window==tcpd->fwd->window
733 && seq==tcpd->fwd->nextseq
734 && ack==tcpd->fwd->lastack
735 && (tcpd->rev->lastsegmentflags&TCP_A_ZERO_WINDOW_PROBE)
736 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
738 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
740 tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE_ACK;
746 * It is a duplicate ack if window/seq/ack is the same as the previous
747 * segment and if the segment length is 0
751 && window==tcpd->fwd->window
752 && seq==tcpd->fwd->nextseq
753 && ack==tcpd->fwd->lastack
754 && (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
755 tcpd->fwd->dupacknum++;
757 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
759 tcpd->ta->flags|=TCP_A_DUPLICATE_ACK;
760 tcpd->ta->dupack_num=tcpd->fwd->dupacknum;
761 tcpd->ta->dupack_frame=tcpd->fwd->lastnondupack;
766 /* If this was NOT a dupack we must reset the dupack counters */
767 if( (!tcpd->ta) || !(tcpd->ta->flags&TCP_A_DUPLICATE_ACK) ){
768 tcpd->fwd->lastnondupack=pinfo->fd->num;
769 tcpd->fwd->dupacknum=0;
774 * If this segment acks beyond the nextseqnum in the other direction
775 * then that means we have missed packets going in the
778 * We only check this if we have actually seen some seq numbers
779 * in the other direction.
781 if( tcpd->rev->nextseq
782 && GT_SEQ(ack, tcpd->rev->nextseq )
783 && (flags&(TH_ACK))!=0 ){
786 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
788 tcpd->ta->flags|=TCP_A_ACK_LOST_PACKET;
789 /* update nextseq in the other direction so we dont get
790 * this indication again.
792 tcpd->rev->nextseq=ack;
796 /* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
797 * If the segments contains data and if it does not advance
798 * sequence number it must be either of these three.
799 * Only test for this if we know what the seq number should be
800 * (tcpd->fwd->nextseq)
802 * Note that a simple KeepAlive is not a retransmission
805 && tcpd->fwd->nextseq
806 && (LT_SEQ(seq, tcpd->fwd->nextseq)) ){
809 if(tcpd->ta && (tcpd->ta->flags&TCP_A_KEEP_ALIVE) ){
810 goto finished_checking_retransmission_type;
813 /* If there were >=2 duplicate ACKs in the reverse direction
814 * (there might be duplicate acks missing from the trace)
815 * and if this sequence number matches those ACKs
816 * and if the packet occurs within 20ms of the last
818 * then this is a fast retransmission
820 t=(pinfo->fd->abs_ts.secs-tcpd->rev->lastacktime.secs)*1000000000;
821 t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->rev->lastacktime.nsecs;
822 if( tcpd->rev->dupacknum>=2
823 && tcpd->rev->lastack==seq
826 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
828 tcpd->ta->flags|=TCP_A_FAST_RETRANSMISSION;
829 goto finished_checking_retransmission_type;
832 /* If the segment came <3ms since the segment with the highest
833 * seen sequence number, then it is an OUT-OF-ORDER segment.
834 * (3ms is an arbitrary number)
836 t=(pinfo->fd->abs_ts.secs-tcpd->fwd->nextseqtime.secs)*1000000000;
837 t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->fwd->nextseqtime.nsecs;
840 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
842 tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
843 goto finished_checking_retransmission_type;
846 /* Then it has to be a generic retransmission */
848 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
850 tcpd->ta->flags|=TCP_A_RETRANSMISSION;
851 nstime_delta(&tcpd->ta->rto_ts, &pinfo->fd->abs_ts, &tcpd->fwd->nextseqtime);
852 tcpd->ta->rto_frame=tcpd->fwd->nextseqframe;
854 finished_checking_retransmission_type:
857 /* add this new sequence number to the fwd list */
858 TCP_UNACKED_NEW(ual);
859 ual->next=tcpd->fwd->segments;
860 tcpd->fwd->segments=ual;
861 ual->frame=pinfo->fd->num;
863 ual->ts=pinfo->fd->abs_ts;
865 /* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
866 ual->nextseq=seq+seglen;
867 if( flags&(TH_SYN|TH_FIN) ){
871 /* Store the highest number seen so far for nextseq so we can detect
872 * when we receive segments that arrive with a "hole"
873 * If we dont have anything since before, just store what we got.
874 * ZeroWindowProbes are special and dont really advance the nextseq
876 if(GT_SEQ(ual->nextseq, tcpd->fwd->nextseq) || !tcpd->fwd->nextseq) {
877 if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ){
878 tcpd->fwd->nextseq=ual->nextseq;
879 tcpd->fwd->nextseqframe=pinfo->fd->num;
880 tcpd->fwd->nextseqtime.secs=pinfo->fd->abs_ts.secs;
881 tcpd->fwd->nextseqtime.nsecs=pinfo->fd->abs_ts.nsecs;
886 /* remember what the ack/window is so we can track window updates and retransmissions */
887 tcpd->fwd->window=window;
888 tcpd->fwd->lastack=ack;
889 tcpd->fwd->lastacktime.secs=pinfo->fd->abs_ts.secs;
890 tcpd->fwd->lastacktime.nsecs=pinfo->fd->abs_ts.nsecs;
893 /* if there were any flags set for this segment we need to remember them
894 * we only remember the flags for the very last segment though.
897 tcpd->fwd->lastsegmentflags=tcpd->ta->flags;
899 tcpd->fwd->lastsegmentflags=0;
903 /* remove all segments this ACKs and we dont need to keep around any more
906 /* first we remove all such segments at the head of the list */
907 while((ual=tcpd->rev->segments)){
908 tcp_unacked_t *tmpual;
909 if(ack==ual->nextseq){
910 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
911 tcpd->ta->frame_acked=ual->frame;
912 nstime_delta(&tcpd->ta->ts, &pinfo->fd->abs_ts, &ual->ts);
914 if(GT_SEQ(ual->nextseq,ack)){
918 /*qqq do the ACKs segment x delta y */
921 tmpual=tcpd->rev->segments->next;
922 TCP_UNACKED_FREE(ual);
923 tcpd->rev->segments=tmpual;
925 /* now we remove all such segments that are NOT at the head of the list */
926 ual=tcpd->rev->segments;
927 while(ual && ual->next){
928 tcp_unacked_t *tmpual;
929 if(GT_SEQ(ual->next->nextseq,ack)){
934 /*qqq do the ACKs segment x delta y */
937 tmpual=ual->next->next;
938 TCP_UNACKED_FREE(ual->next);
946 * Prints results of the sequence number analysis concerning tcp segments
947 * retransmitted or out-of-order
950 tcp_sequence_number_analysis_print_retransmission(packet_info * pinfo,
952 proto_tree * flags_tree,
956 proto_item * flags_item;
958 /* TCP Rentransmission */
959 if (ta->flags & TCP_A_RETRANSMISSION) {
960 flags_item=proto_tree_add_none_format(flags_tree,
961 hf_tcp_analysis_retransmission,
963 "This frame is a (suspected) "
966 PROTO_ITEM_SET_GENERATED(flags_item);
967 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
968 "Retransmission (suspected)");
970 if (check_col(pinfo->cinfo, COL_INFO)) {
971 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
973 if (ta->rto_ts.secs || ta->rto_ts.nsecs) {
974 flags_item = proto_tree_add_time(flags_tree, hf_tcp_analysis_rto,
975 tvb, 0, 0, &ta->rto_ts);
976 PROTO_ITEM_SET_GENERATED(flags_item);
977 flags_item=proto_tree_add_uint(flags_tree, hf_tcp_analysis_rto_frame,
978 tvb, 0, 0, ta->rto_frame);
979 PROTO_ITEM_SET_GENERATED(flags_item);
982 /* TCP Fast Rentransmission */
983 if (ta->flags & TCP_A_FAST_RETRANSMISSION) {
984 flags_item=proto_tree_add_none_format(flags_tree,
985 hf_tcp_analysis_fast_retransmission,
987 "This frame is a (suspected) fast"
990 PROTO_ITEM_SET_GENERATED(flags_item);
991 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_WARN,
992 "Fast retransmission (suspected)");
993 flags_item=proto_tree_add_none_format(flags_tree,
994 hf_tcp_analysis_retransmission,
996 "This frame is a (suspected) "
999 PROTO_ITEM_SET_GENERATED(flags_item);
1000 if (check_col(pinfo->cinfo, COL_INFO)) {
1001 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1002 "[TCP Fast Retransmission] ");
1005 /* TCP Out-Of-Order */
1006 if (ta->flags & TCP_A_OUT_OF_ORDER) {
1007 flags_item=proto_tree_add_none_format(flags_tree,
1008 hf_tcp_analysis_out_of_order,
1010 "This frame is a (suspected) "
1011 "out-of-order segment"
1013 PROTO_ITEM_SET_GENERATED(flags_item);
1014 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_WARN,
1015 "Out-Of-Order segment");
1016 if (check_col(pinfo->cinfo, COL_INFO)) {
1017 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Out-Of-Order] ");
1022 /* Prints results of the sequence number analysis concerning reused ports */
1024 tcp_sequence_number_analysis_print_reused(packet_info * pinfo,
1026 proto_tree * flags_tree,
1027 struct tcp_acked *ta
1030 proto_item * flags_item;
1032 /* TCP Ports Reused */
1033 if (ta->flags & TCP_A_REUSED_PORTS) {
1034 flags_item=proto_tree_add_none_format(flags_tree,
1035 hf_tcp_analysis_reused_ports,
1037 "A new tcp session is started with the same "
1038 "ports as an earlier session in this trace"
1040 PROTO_ITEM_SET_GENERATED(flags_item);
1041 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1042 "TCP Port numbers reused for new session");
1043 if(check_col(pinfo->cinfo, COL_INFO)){
1044 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1045 "[TCP Port numbers reused] ");
1050 /* Prints results of the sequence number analysis concerning lost tcp segments */
1052 tcp_sequence_number_analysis_print_lost(packet_info * pinfo,
1054 proto_tree * flags_tree,
1055 struct tcp_acked *ta
1058 proto_item * flags_item;
1060 /* TCP Lost Segment */
1061 if (ta->flags & TCP_A_LOST_PACKET) {
1062 flags_item=proto_tree_add_none_format(flags_tree,
1063 hf_tcp_analysis_lost_packet,
1065 "A segment before this frame was "
1068 PROTO_ITEM_SET_GENERATED(flags_item);
1069 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_WARN,
1070 "Previous segment lost (common at capture start)");
1071 if(check_col(pinfo->cinfo, COL_INFO)){
1072 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1073 "[TCP Previous segment lost] ");
1076 /* TCP Ack lost segment */
1077 if (ta->flags & TCP_A_ACK_LOST_PACKET) {
1078 flags_item=proto_tree_add_none_format(flags_tree,
1079 hf_tcp_analysis_ack_lost_packet,
1081 "This frame ACKs a segment we have "
1084 PROTO_ITEM_SET_GENERATED(flags_item);
1085 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_WARN,
1086 "ACKed lost segment (common at capture start)");
1087 if(check_col(pinfo->cinfo, COL_INFO)){
1088 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1089 "[TCP ACKed lost segment] ");
1094 /* Prints results of the sequence number analysis concerning tcp window.
 *
 * Handles TCP_A_WINDOW_UPDATE and TCP_A_WINDOW_FULL in ta->flags.  Each one
 * gets a generated item under flags_tree, a PI_SEQUENCE/PI_NOTE expert info
 * and, when the Info column is in use, a bracketed tag prepended to it.
 * The items are marked generated: they are conclusions of the analysis
 * code, not fields read from the TCP header.
 */
1096 tcp_sequence_number_analysis_print_window(packet_info * pinfo,
1098 proto_tree * flags_tree,
1099 struct tcp_acked *ta
1102 proto_item * flags_item;
1104 /* TCP Window Update */
1105 if (ta->flags & TCP_A_WINDOW_UPDATE) {
1106 flags_item=proto_tree_add_none_format(flags_tree,
1107 hf_tcp_analysis_window_update,
1109 "This is a tcp window update"
1111 PROTO_ITEM_SET_GENERATED(flags_item);
1112 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1114 if (check_col(pinfo->cinfo, COL_INFO)) {
1115 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Update] ");
1118 /* TCP Full Window */
1119 if (ta->flags & TCP_A_WINDOW_FULL) {
1120 flags_item=proto_tree_add_none_format(flags_tree,
1121 hf_tcp_analysis_window_full,
1123 "The transmission window is now "
1126 PROTO_ITEM_SET_GENERATED(flags_item);
1127 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1129 if (check_col(pinfo->cinfo, COL_INFO)) {
1130 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Full] ");
1135 /* Prints results of the sequence number analysis concerning tcp keepalive.
 *
 * Handles TCP_A_KEEP_ALIVE and TCP_A_KEEP_ALIVE_ACK in ta->flags.  Each one
 * gets a generated item under flags_tree, a PI_SEQUENCE/PI_NOTE expert info
 * and, when the Info column is in use, a bracketed tag prepended to it.
 * ta is dereferenced without a NULL check in the visible lines.
 */
1137 tcp_sequence_number_analysis_print_keepalive(packet_info * pinfo,
1139 proto_tree * flags_tree,
1140 struct tcp_acked *ta
1143 proto_item * flags_item;
/* TCP Keep Alive */
1146 if (ta->flags & TCP_A_KEEP_ALIVE){
1147 flags_item=proto_tree_add_none_format(flags_tree,
1148 hf_tcp_analysis_keep_alive,
1150 "This is a TCP keep-alive segment"
1152 PROTO_ITEM_SET_GENERATED(flags_item);
1153 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1155 if (check_col(pinfo->cinfo, COL_INFO)) {
1156 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
1159 /* TCP Ack Keep Alive */
1160 if (ta->flags & TCP_A_KEEP_ALIVE_ACK) {
1161 flags_item=proto_tree_add_none_format(flags_tree,
1162 hf_tcp_analysis_keep_alive_ack,
1164 "This is an ACK to a TCP keep-alive "
1167 PROTO_ITEM_SET_GENERATED(flags_item);
1168 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1170 if (check_col(pinfo->cinfo, COL_INFO)) {
1171 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive ACK] ");
1176 /* Prints results of the sequence number analysis concerning tcp duplicate ack.
 *
 * Nothing is printed unless ta->dupack_num is non-zero.  When
 * TCP_A_DUPLICATE_ACK is also set, a generated item is added under
 * flags_tree and the Info column gets a "[TCP Dup ACK ...]" tag.  The
 * duplicate-ACK number and frame (ta->dupack_num, ta->dupack_frame) are
 * added as generated uint items under tree, and a PI_SEQUENCE/PI_NOTE
 * expert info is attached to the frame item, the last value assigned to
 * flags_item.
 *
 * NOTE(review): brace lines and the format arguments are missing from this
 * listing, so the exact nesting of the statements below should be confirmed
 * against the full file.
 */
1178 tcp_sequence_number_analysis_print_duplicate(packet_info * pinfo,
1180 proto_tree * flags_tree,
1181 struct tcp_acked *ta,
1185 proto_item * flags_item;
1187 /* TCP Duplicate ACK */
1188 if (ta->dupack_num) {
1189 if (ta->flags & TCP_A_DUPLICATE_ACK ) {
1190 flags_item=proto_tree_add_none_format(flags_tree,
1191 hf_tcp_analysis_duplicate_ack,
1193 "This is a TCP duplicate ack"
1195 PROTO_ITEM_SET_GENERATED(flags_item);
1196 if (check_col(pinfo->cinfo, COL_INFO)) {
1197 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1198 "[TCP Dup ACK %u#%u] ",
/* Counters go under tree (the SEQ/ACK analysis subtree), not flags_tree. */
1204 flags_item=proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_num,
1205 tvb, 0, 0, ta->dupack_num);
1206 PROTO_ITEM_SET_GENERATED(flags_item);
1207 flags_item=proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_frame,
1208 tvb, 0, 0, ta->dupack_frame);
1209 PROTO_ITEM_SET_GENERATED(flags_item);
1210 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1211 "Duplicate ACK (#%u)",
1217 /* Prints results of the sequence number analysis concerning tcp zero window.
 *
 * Handles TCP_A_ZERO_WINDOW_PROBE, TCP_A_ZERO_WINDOW and
 * TCP_A_ZERO_WINDOW_PROBE_ACK in ta->flags.  Each one gets a generated item
 * under flags_tree, a PI_SEQUENCE/PI_NOTE expert info and, when the Info
 * column is in use, a bracketed tag prepended to it.  ta is dereferenced
 * without a NULL check in the visible lines.
 */
1219 tcp_sequence_number_analysis_print_zero_window(packet_info * pinfo,
1221 proto_tree * flags_tree,
1222 struct tcp_acked *ta
1225 proto_item * flags_item;
1227 /* TCP Zero Window Probe */
1228 if (ta->flags & TCP_A_ZERO_WINDOW_PROBE) {
1229 flags_item=proto_tree_add_none_format(flags_tree,
1230 hf_tcp_analysis_zero_window_probe,
1232 "This is a TCP zero-window-probe"
1234 PROTO_ITEM_SET_GENERATED(flags_item);
1235 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1236 "Zero window probe");
1237 if (check_col(pinfo->cinfo, COL_INFO)) {
1238 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbe] ");
1241 /* TCP Zero Window */
1242 if (ta->flags&TCP_A_ZERO_WINDOW) {
1243 flags_item=proto_tree_add_none_format(flags_tree,
1244 hf_tcp_analysis_zero_window,
1246 "This is a ZeroWindow segment"
1248 PROTO_ITEM_SET_GENERATED(flags_item);
1249 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1251 if (check_col(pinfo->cinfo, COL_INFO)) {
1252 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindow] ");
1255 /* TCP Zero Window Probe Ack */
1256 if (ta->flags & TCP_A_ZERO_WINDOW_PROBE_ACK) {
1257 flags_item=proto_tree_add_none_format(flags_tree,
1258 hf_tcp_analysis_zero_window_probe_ack,
1260 "This is an ACK to a TCP zero-window-probe"
1262 PROTO_ITEM_SET_GENERATED(flags_item);
1263 expert_add_info_format(pinfo, flags_item, PI_SEQUENCE, PI_NOTE,
1264 "Zero window probe ACK");
1265 if (check_col(pinfo->cinfo, COL_INFO)) {
1266 col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
1267 "[TCP ZeroWindowProbeAck] ");
/*
 * Builds the "SEQ/ACK analysis" subtree for the current frame.
 *
 * Calls tcp_analyze_get_acked_struct() for pinfo->fd->num, adds a generated
 * text item under parent_tree, shows the ACKed frame and the RTT when they
 * are non-zero, then creates the flags subtree and lets each
 * tcp_sequence_number_analysis_print_*() helper add its own items.
 *
 * NOTE(review): ta is initialised to NULL and dereferenced below, but the
 * lines that assign it are missing from this listing.  Confirm that the
 * full file returns early when no analysis data exists for the frame.
 */
1274 tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd)
1276 struct tcp_acked *ta = NULL;
1279 proto_tree *flags_tree=NULL;
1285 tcp_analyze_get_acked_struct(pinfo->fd->num, FALSE, tcpd);
/* Offset 0, length 0: the item is analysis output and covers no packet bytes. */
1292 item=proto_tree_add_text(parent_tree, tvb, 0, 0, "SEQ/ACK analysis");
1293 PROTO_ITEM_SET_GENERATED(item);
1294 tree=proto_item_add_subtree(item, ett_tcp_analysis);
1296 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
1297 data we actually have */
1298 if(ta->frame_acked){
1299 item = proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
1300 tvb, 0, 0, ta->frame_acked);
1301 PROTO_ITEM_SET_GENERATED(item);
1303 /* only display RTT if we actually have something we are acking */
1304 if( ta->ts.secs || ta->ts.nsecs ){
1305 item = proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
1306 tvb, 0, 0, &ta->ts);
1307 PROTO_ITEM_SET_GENERATED(item);
1312 item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, -1, FALSE);
1313 PROTO_ITEM_SET_GENERATED(item);
1314 flags_tree=proto_item_add_subtree(item, ett_tcp_analysis);
1316 /* print results for reused tcp ports */
1317 tcp_sequence_number_analysis_print_reused(pinfo, tvb, flags_tree, ta);
1319 /* print results for retransmission and out-of-order segments */
1320 tcp_sequence_number_analysis_print_retransmission(pinfo, tvb, flags_tree, ta);
1322 /* print results for lost tcp segments */
1323 tcp_sequence_number_analysis_print_lost(pinfo, tvb, flags_tree, ta);
1325 /* print results for tcp window information */
1326 tcp_sequence_number_analysis_print_window(pinfo, tvb, flags_tree, ta);
1328 /* print results for tcp keep alive information */
1329 tcp_sequence_number_analysis_print_keepalive(pinfo, tvb, flags_tree, ta);
1331 /* print results for tcp duplicate acks */
1332 tcp_sequence_number_analysis_print_duplicate(pinfo, tvb, flags_tree, ta, tree);
1334 /* print results for tcp zero window */
1335 tcp_sequence_number_analysis_print_zero_window(pinfo, tvb, flags_tree, ta);
1341 /* **************************************************************************
1342 * End of tcp sequence number analysis
1343 * **************************************************************************/
1346 /* Minimum TCP header length, in bytes (the fixed header without options). */
1347 #define TCPH_MIN_LEN 20
/* TCP option kinds (the first byte of each option). */
1353 #define TCPOPT_NOP 1 /* Padding */
1354 #define TCPOPT_EOL 0 /* End of options */
1355 #define TCPOPT_MSS 2 /* Segment size negotiating */
1356 #define TCPOPT_WINDOW 3 /* Window scaling */
1357 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
1358 #define TCPOPT_SACK 5 /* SACK Block */
1359 #define TCPOPT_ECHO 6 /* RFC 1072 */
1360 #define TCPOPT_ECHOREPLY 7 /* RFC 1072 */
1361 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
1362 #define TCPOPT_CC 11 /* RFC 1644 */
1363 #define TCPOPT_CCNEW 12 /* RFC 1644 */
1364 #define TCPOPT_CCECHO 13 /* RFC 1644 */
1365 #define TCPOPT_MD5 19 /* RFC2385 */
1366 #define TCPOPT_QS 27 /* RFC4782 */
1369 * TCP option lengths
/* Each length counts the whole option, kind and length bytes included:
 * MSS is 2 + a 16-bit value, and TCPOLEN_SACK_MIN is just the two header
 * bytes.  The dissect_tcpopt_*() callbacks read at fixed offsets such as
 * offset + 2 and offset + 6, so they rely on these lengths being enforced
 * on the packet-supplied option length before they run; where that is done
 * is not visible in this listing -- TODO confirm in the option parser. */
1372 #define TCPOLEN_MSS 4
1373 #define TCPOLEN_WINDOW 3
1374 #define TCPOLEN_SACK_PERM 2
1375 #define TCPOLEN_SACK_MIN 2
1376 #define TCPOLEN_ECHO 6
1377 #define TCPOLEN_ECHOREPLY 6
1378 #define TCPOLEN_TIMESTAMP 10
1379 #define TCPOLEN_CC 6
1380 #define TCPOLEN_CCNEW 6
1381 #define TCPOLEN_CCECHO 6
1382 #define TCPOLEN_MD5 18
1383 #define TCPOLEN_QS 8
1387 /* Desegmentation of TCP streams */
1388 /* table to hold defragmented TCP streams */
1389 static GHashTable *tcp_fragment_table = NULL;
/* Hands the table to fragment_table_init(); takes no arguments.  When it is
 * called is not visible in this listing. */
1391 tcp_fragment_init(void)
1393 fragment_table_init(&tcp_fragment_table);
1396 /* functions to trace tcp segments */
1397 /* Enable desegmenting of TCP streams */
/* Defaults to TRUE, so segment data from the capture is buffered for
 * reassembly unless this flag is cleared; where it is consulted is not
 * visible in this listing. */
1398 static gboolean tcp_desegment = TRUE;
/*
 * Reassembles higher-level PDUs that span TCP segments and hands the data
 * to the subdissector through process_tcp_payload().
 *
 * Visible flow: look up a multisegment-PDU record (msp) covering seq in
 * tcpd->fwd->multisegment_pdus.  If one is found, this segment's bytes are
 * added with fragment_add(); otherwise the subdissector is called directly.
 * When the subdissector sets pinfo->desegment_len, a new msp is stored on
 * the first pass only (!pinfo->fd->flags.visited) and the undissected tail
 * is added as its first fragment.  If another PDU starts inside this
 * segment, offset and seq are advanced by another_pdu_follows.
 *
 * Review notes.  seq, nxtseq, the payload and every length a subdissector
 * derives from it come from captured traffic, so treat them as untrusted:
 *  - tcpd is NULL-checked before the DESEGMENT_UNTIL_FIN and msp-creation
 *    paths, but tcpd->fwd is dereferenced in the msp lookup near the top
 *    with no check visible.  TODO confirm a guard sits on one of the lines
 *    this listing omits, or that callers never pass NULL here.
 *  - A new msp is only created when (nxtseq - deseg_seq) <= 1024*1024.
 *    That bounds the distance between the two sequence numbers; it does
 *    not by itself bound pinfo->desegment_len, which is added into
 *    msp->nxtpdu.
 *  - Sequence arithmetic is on guint32 and can wrap.  The fragment_add()
 *    calls use LT_SEQ() for their last argument, while the msp match near
 *    the top uses plain <= and > comparisons.
 *  - The listing omits some source lines (return type, braces, several
 *    declarations), so nesting must be confirmed against the full file.
 */
1401 desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
1402 guint32 seq, guint32 nxtseq,
1403 guint32 sport, guint32 dport,
1404 proto_tree *tree, proto_tree *tcp_tree,
1405 struct tcp_analysis *tcpd)
1407 struct tcpinfo *tcpinfo = pinfo->private_data;
1408 fragment_data *ipfd_head;
1409 gboolean must_desegment;
1410 gboolean called_dissector;
1411 int another_pdu_follows;
1416 proto_item *frag_tree_item;
1417 proto_item *tcp_tree_item;
1418 struct tcp_multisegment_pdu *msp;
1422 must_desegment = FALSE;
1423 called_dissector = FALSE;
1424 another_pdu_follows = 0;
1428 * Initialize these to assume no desegmentation.
1429 * If that's not the case, these will be set appropriately
1430 * by the subdissector.
1432 pinfo->desegment_offset = 0;
1433 pinfo->desegment_len = 0;
1436 * Initialize this to assume that this segment will just be
1437 * added to the middle of a desegmented chunk of data, so
1438 * that we should show it all as data.
1439 * If that's not the case, it will be set appropriately.
1441 deseg_offset = offset;
1443 /* find the most previous PDU starting before this sequence number */
1445 msp = se_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
1447 if(msp && msp->seq<=seq && msp->nxtpdu>seq){
1450 if(!pinfo->fd->flags.visited){
1451 msp->last_frame=pinfo->fd->num;
1452 msp->last_frame_time=pinfo->fd->abs_ts;
1455 /* OK, this PDU was found, which means the segment continues
1456 a higher-level PDU and that we must desegment it.
1458 if(msp->flags&MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT){
1459 /* The dissector asked for the entire segment */
1460 len=tvb_length_remaining(tvb, offset);
1462 len=MIN(nxtseq, msp->nxtpdu) - seq;
1465 ipfd_head = fragment_add(tvb, offset, pinfo, msp->first_frame,
1469 (LT_SEQ (nxtseq,msp->nxtpdu)) );
1471 if(msp->flags&MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT){
1472 msp->flags&=(~MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT);
1474 /* If we consumed the entire segment there is no
1475 * other pdu starting anywhere inside this segment.
1476 * So update nxtpdu to point at least to the start
1477 * of the next segment.
1478 * (If the subdissector asks for even more data we
1479 * will advance nxtpdu even furhter later down in
1485 if( (msp->nxtpdu<nxtseq)
1486 && (msp->nxtpdu>=seq)
1488 another_pdu_follows=msp->nxtpdu-seq;
1491 /* This segment was not found in our table, so it doesn't
1492 contain a continuation of a higher-level PDU.
1493 Call the normal subdissector.
1495 process_tcp_payload(tvb, offset, pinfo, tree, tcp_tree,
1496 sport, dport, 0, 0, FALSE, tcpd);
1497 called_dissector = TRUE;
1499 /* Did the subdissector ask us to desegment some more data
1500 before it could handle the packet?
1501 If so we have to create some structures in our table but
1502 this is something we only do the first time we see this
1505 if(pinfo->desegment_len) {
1506 if (!pinfo->fd->flags.visited)
1507 must_desegment = TRUE;
1510 * Set "deseg_offset" to the offset in "tvb"
1511 * of the first byte of data that the
1512 * subdissector didn't process.
1514 deseg_offset = offset + pinfo->desegment_offset;
1517 /* Either no desegmentation is necessary, or this is
1518 segment contains the beginning but not the end of
1519 a higher-level PDU and thus isn't completely
1526 /* is it completely desegmented? */
1529 * Yes, we think it is.
1530 * We only call subdissector for the last segment.
1531 * Note that the last segment may include more than what
1534 if(ipfd_head->reassembled_in==pinfo->fd->num){
1536 * OK, this is the last segment.
1537 * Let's call the subdissector with the desegmented
1543 /* create a new TVB structure for desegmented data */
1544 next_tvb = tvb_new_real_data(ipfd_head->data,
1545 ipfd_head->datalen, ipfd_head->datalen);
1547 /* add this tvb as a child to the original one */
1548 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1550 /* add desegmented data to the data source list */
1551 add_new_data_source(pinfo, next_tvb, "Reassembled TCP");
1554 * Supply the sequence number of the first of the
1555 * reassembled bytes.
1557 tcpinfo->seq = msp->seq;
1559 /* indicate that this is reassembled data */
1560 tcpinfo->is_reassembled = TRUE;
1562 /* call subdissector */
1563 process_tcp_payload(next_tvb, 0, pinfo, tree,
1564 tcp_tree, sport, dport, 0, 0, FALSE, tcpd);
1565 called_dissector = TRUE;
1568 * OK, did the subdissector think it was completely
1569 * desegmented, or does it think we need even more
1572 old_len=(int)(tvb_reported_length(next_tvb)-tvb_reported_length_remaining(tvb, offset));
1573 if(pinfo->desegment_len &&
1574 pinfo->desegment_offset<=old_len){
1576 * "desegment_len" isn't 0, so it needs more
1577 * data for something - and "desegment_offset"
1578 * is before "old_len", so it needs more data
1579 * to dissect the stuff we thought was
1580 * completely desegmented (as opposed to the
1581 * stuff at the beginning being completely
1582 * desegmented, but the stuff at the end
1583 * being a new higher-level PDU that also
1584 * needs desegmentation).
1586 fragment_set_partial_reassembly(pinfo,msp->first_frame,tcp_fragment_table);
1587 /* Update msp->nxtpdu to point to the new next
1590 if(pinfo->desegment_len==DESEGMENT_ONE_MORE_SEGMENT){
1591 /* We want reassembly of at least one
1592 * more segment so set the nxtpdu
1593 * boundary to one byte into the next
1595 * This means that the next segment
1596 * will complete reassembly even if it
1597 * is only one single byte in length.
1599 msp->nxtpdu=seq+tvb_reported_length_remaining(tvb, offset) + 1;
1600 msp->flags|=MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1602 msp->nxtpdu=seq+tvb_reported_length_remaining(tvb, offset) + pinfo->desegment_len;
1604 /* Since we need at least some more data
1605 * there can be no pdu following in the
1606 * tail of this segment.
1608 another_pdu_follows=0;
1611 * Show the stuff in this TCP segment as
1612 * just raw TCP segment data.
1614 nbytes = another_pdu_follows > 0
1615 ? another_pdu_follows
1616 : tvb_reported_length_remaining(tvb, offset);
1617 proto_tree_add_text(tcp_tree, tvb, offset, nbytes,
1618 "TCP segment data (%u byte%s)", nbytes,
1619 plurality(nbytes, "", "s"));
1622 * The subdissector thought it was completely
1623 * desegmented (although the stuff at the
1624 * end may, in turn, require desegmentation),
1625 * so we show a tree with all segments.
1627 show_fragment_tree(ipfd_head, &tcp_segment_items,
1628 tree, pinfo, next_tvb, &frag_tree_item);
1630 * The toplevel fragment subtree is now
1631 * behind all desegmented data; move it
1632 * right behind the TCP tree.
1634 tcp_tree_item = proto_tree_get_parent(tcp_tree);
1635 if(frag_tree_item && tcp_tree_item) {
1636 proto_tree_move_item(tree, tcp_tree_item, frag_tree_item);
1639 /* Did the subdissector ask us to desegment
1640 some more data? This means that the data
1641 at the beginning of this segment completed
1642 a higher-level PDU, but the data at the
1643 end of this segment started a higher-level
1644 PDU but didn't complete it.
1646 If so, we have to create some structures
1647 in our table, but this is something we
1648 only do the first time we see this packet.
1650 if(pinfo->desegment_len) {
1651 if (!pinfo->fd->flags.visited)
1652 must_desegment = TRUE;
1654 /* The stuff we couldn't dissect
1655 must have come from this segment,
1656 so it's all in "tvb".
1658 "pinfo->desegment_offset" is
1659 relative to the beginning of
1660 "next_tvb"; we want an offset
1661 relative to the beginning of "tvb".
1663 First, compute the offset relative
1664 to the *end* of "next_tvb" - i.e.,
1665 the number of bytes before the end
1666 of "next_tvb" at which the
1667 subdissector stopped. That's the
1668 length of "next_tvb" minus the
1669 offset, relative to the beginning
1670 of "next_tvb, at which the
1671 subdissector stopped.
1674 ipfd_head->datalen - pinfo->desegment_offset;
1676 /* "tvb" and "next_tvb" end at the
1677 same byte of data, so the offset
1678 relative to the end of "next_tvb"
1679 of the byte at which we stopped
1680 is also the offset relative to
1681 the end of "tvb" of the byte at
1684 Convert that back into an offset
1685 relative to the beginninng of
1686 "tvb", by taking the length of
1687 "tvb" and subtracting the offset
1688 relative to the end.
1690 deseg_offset=tvb_reported_length(tvb) - deseg_offset;
1696 if (must_desegment) {
1697 /* If the dissector requested "reassemble until FIN"
1698 * just set this flag for the flow and let reassembly
1699 * proceed at normal. We will check/pick up these
1700 * reassembled PDUs later down in dissect_tcp() when checking
1703 if(tcpd && pinfo->desegment_len==DESEGMENT_UNTIL_FIN) {
1704 tcpd->fwd->flags|=TCP_FLOW_REASSEMBLE_UNTIL_FIN;
1707 * The sequence number at which the stuff to be desegmented
1708 * starts is the sequence number of the byte at an offset
1709 * of "deseg_offset" into "tvb".
1711 * The sequence number of the byte at an offset of "offset"
1712 * is "seq", i.e. the starting sequence number of this
1713 * segment, so the sequence number of the byte at
1714 * "deseg_offset" is "seq + (deseg_offset - offset)".
1716 deseg_seq = seq + (deseg_offset - offset);
1718 if(tcpd && ((nxtseq - deseg_seq) <= 1024*1024)
1719 && (!pinfo->fd->flags.visited) ){
1720 if(pinfo->desegment_len==DESEGMENT_ONE_MORE_SEGMENT){
1721 /* The subdissector asked to reassemble using the
1722 * entire next segment.
1723 * Just ask reassembly for one more byte
1724 * but set this msp flag so we can pick it up
1727 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1728 deseg_seq, nxtseq+1, tcpd->fwd->multisegment_pdus);
1729 msp->flags|=MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1731 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1732 deseg_seq, nxtseq+pinfo->desegment_len, tcpd->fwd->multisegment_pdus);
1735 /* add this segment as the first one for this new pdu */
1736 fragment_add(tvb, deseg_offset, pinfo, msp->first_frame,
1740 LT_SEQ(nxtseq, msp->nxtpdu));
1744 if (!called_dissector || pinfo->desegment_len != 0) {
1745 if (ipfd_head != NULL && ipfd_head->reassembled_in != 0 &&
1746 !(ipfd_head->flags & FD_PARTIAL_REASSEMBLY)) {
1748 * We know what frame this PDU is reassembled in;
1749 * let the user know.
1751 item=proto_tree_add_uint(tcp_tree, hf_tcp_reassembled_in,
1752 tvb, 0, 0, ipfd_head->reassembled_in);
1753 PROTO_ITEM_SET_GENERATED(item);
1757 * Either we didn't call the subdissector at all (i.e.,
1758 * this is a segment that contains the middle of a
1759 * higher-level PDU, but contains neither the beginning
1760 * nor the end), or the subdissector couldn't dissect it
1761 * all, as some data was missing (i.e., it set
1762 * "pinfo->desegment_len" to the amount of additional
1765 if (pinfo->desegment_offset == 0) {
1767 * It couldn't, in fact, dissect any of it (the
1768 * first byte it couldn't dissect is at an offset
1769 * of "pinfo->desegment_offset" from the beginning
1770 * of the payload, and that's 0).
1771 * Just mark this as TCP.
1773 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
1774 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
1776 if (check_col(pinfo->cinfo, COL_INFO)){
1777 col_set_str(pinfo->cinfo, COL_INFO, "[TCP segment of a reassembled PDU]");
1782 * Show what's left in the packet as just raw TCP segment
1784 * XXX - remember what protocol the last subdissector
1785 * was, and report it as a continuation of that, instead?
1787 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
1788 proto_tree_add_text(tcp_tree, tvb, deseg_offset, -1,
1789 "TCP segment data (%u byte%s)", nbytes,
1790 plurality(nbytes, "", "s"));
1792 pinfo->can_desegment=0;
1793 pinfo->desegment_offset = 0;
1794 pinfo->desegment_len = 0;
1796 if(another_pdu_follows){
1797 /* there was another pdu following this one. */
1798 pinfo->can_desegment=2;
1799 /* we also have to prevent the dissector from changing the
1800 * PROTOCOL and INFO colums since what follows may be an
1801 * incomplete PDU and we dont want it be changed back from
1802 * <Protocol> to <TCP>
1803 * XXX There is no good way to block the PROTOCOL column
1804 * from being changed yet so we set the entire row unwritable.
1806 col_set_fence(pinfo->cinfo, COL_INFO);
1807 col_set_writable(pinfo->cinfo, FALSE);
1808 offset += another_pdu_follows;
1809 seq += another_pdu_follows;
1815 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
1816 * consists of a fixed-length chunk of data that contains enough information
1817 * to determine the length of the PDU, followed by rest of the PDU.
1819 * The first three arguments are the arguments passed to the dissector
1820 * that calls this routine.
1822 * "proto_desegment" is the dissector's flag controlling whether it should
1823 * desegment PDUs that cross TCP segment boundaries.
1825 * "fixed_len" is the length of the fixed-length part of the PDU.
1827 * "get_pdu_len()" is a routine called to get the length of the PDU from
1828 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
1830 * "dissect_pdu()" is the routine to dissect a PDU.
/*
 * Review notes.  The PDU length is whatever get_pdu_len() derives from
 * packet bytes, so it is untrusted input that drives both the reassembly
 * request and the loop step:
 *  - a length below fixed_len is reported as a bounds error (overflowed or
 *    bogus length field);
 *  - pinfo->desegment_len is set to plen - length_remaining, so a large
 *    claimed length turns into a large reassembly request to the TCP
 *    dissector; no upper bound on plen is applied in the visible lines;
 *  - after each PDU the loop compares offset with offset_before to detect
 *    an offset that failed to move forward (offset is an int, get_pdu_len()
 *    returns guint).  The statements that advance offset and leave the
 *    loop are on lines this listing omits.
 */
1833 tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1834 gboolean proto_desegment, guint fixed_len,
1835 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
1836 dissector_t dissect_pdu)
1838 volatile int offset = 0;
1840 guint length_remaining;
1844 proto_item *item=NULL;
1846 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1848 * We use "tvb_ensure_length_remaining()" to make sure there actually
1849 * *is* data remaining. The protocol we're handling could conceivably
1850 * consists of a sequence of fixed-length PDUs, and therefore the
1851 * "get_pdu_len" routine might not actually fetch anything from
1852 * the tvbuff, and thus might not cause an exception to be thrown if
1853 * we've run past the end of the tvbuff.
1855 * This means we're guaranteed that "length_remaining" is positive.
1857 length_remaining = tvb_ensure_length_remaining(tvb, offset);
1860 * Can we do reassembly?
1862 if (proto_desegment && pinfo->can_desegment) {
1864 * Yes - is the fixed-length part of the PDU split across segment
1867 if (length_remaining < fixed_len) {
1869 * Yes. Tell the TCP dissector where the data for this message
1870 * starts in the data it handed us, and how many more bytes we
1873 pinfo->desegment_offset = offset;
1874 pinfo->desegment_len = fixed_len - length_remaining;
1880 * Get the length of the PDU.
/* The callback's result is taken as-is; the check on the next line is the
 * only validation of it in the visible lines. */
1882 plen = (*get_pdu_len)(pinfo, tvb, offset);
1883 if (plen < fixed_len) {
1887 * 1) the length value extracted from the fixed-length portion
1888 * doesn't include the fixed-length portion's length, and
1889 * was so large that, when the fixed-length portion's
1890 * length was added to it, the total length overflowed;
1892 * 2) the length value extracted from the fixed-length portion
1893 * includes the fixed-length portion's length, and the value
1894 * was less than the fixed-length portion's length, i.e. it
1897 * Report this as a bounds error.
1899 show_reported_bounds_error(tvb, pinfo, tree);
1903 * Display the PDU length as a field
1905 item=proto_tree_add_uint(pinfo->tcp_tree, hf_tcp_pdu_size, tvb, 0, 0, plen);
1906 PROTO_ITEM_SET_GENERATED(item);
1910 /* give a hint to TCP where the next PDU starts
1911 * so that it can attempt to find it in case it starts
1912 * somewhere in the middle of a segment.
1914 if(!pinfo->fd->flags.visited && tcp_analyze_seq){
1915 guint remaining_bytes;
1916 remaining_bytes=tvb_reported_length_remaining(tvb, offset);
1917 if(plen>remaining_bytes){
1918 pinfo->want_pdu_tracking=2;
1919 pinfo->bytes_until_next_pdu=plen-remaining_bytes;
1924 * Can we do reassembly?
1926 if (proto_desegment && pinfo->can_desegment) {
1928 * Yes - is the PDU split across segment boundaries?
1930 if (length_remaining < plen) {
1932 * Yes. Tell the TCP dissector where the data for this message
1933 * starts in the data it handed us, and how many more bytes we
1936 pinfo->desegment_offset = offset;
1937 pinfo->desegment_len = plen - length_remaining;
1943 * Construct a tvbuff containing the amount of the payload we have
1944 * available. Make its reported length the amount of data in the PDU.
1946 * XXX - if reassembly isn't enabled. the subdissector will throw a
1947 * BoundsError exception, rather than a ReportedBoundsError exception.
1948 * We really want a tvbuff where the length is "length", the reported
1949 * length is "plen", and the "if the snapshot length were infinite"
1950 * length is the minimum of the reported length of the tvbuff handed
1951 * to us and "plen", with a new type of exception thrown if the offset
1952 * is within the reported length but beyond that third length, with
1953 * that exception getting the "Unreassembled Packet" error.
1955 length = length_remaining;
1958 next_tvb = tvb_new_subset(tvb, offset, length, plen);
1963 * Catch the ReportedBoundsError exception; if this particular message
1964 * happens to get a ReportedBoundsError exception, that doesn't mean
1965 * that we should stop dissecting PDUs within this frame or chunk of
1968 * If it gets a BoundsError, we can stop, as there's nothing more to
1969 * see, so we just re-throw it.
1972 (*dissect_pdu)(next_tvb, pinfo, tree);
1974 CATCH(BoundsError) {
1977 CATCH(ReportedBoundsError) {
1978 show_reported_bounds_error(tvb, pinfo, tree);
1983 * Step to the next PDU.
1984 * Make sure we don't overflow.
1986 offset_before = offset;
1988 if (offset <= offset_before)
/*
 * Appends " <abbrev>=<val>" to the Info column when that column is in use.
 * The format string is a literal and abbrev is passed as a %s argument, so
 * text in abbrev is never interpreted as a format.
 */
1994 tcp_info_append_uint(packet_info *pinfo, const char *abbrev, guint32 val)
1996 if (check_col(pinfo->cinfo, COL_INFO))
1997 col_append_fstr(pinfo->cinfo, COL_INFO, " %s=%u", abbrev, val);
/*
 * Dissects the Maximum Segment Size option: reads the 16-bit value two
 * bytes into the option, adds it to opt_tree and appends "MSS=<n>" to the
 * Info column.  The read is at a fixed offset, so it relies on the option
 * being at least TCPOLEN_MSS bytes long -- presumably checked by the caller,
 * TODO confirm.
 */
2001 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
2002 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2006 mss = tvb_get_ntohs(tvb, offset + 2);
2007 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_mss, tvb, offset,
2009 proto_tree_add_uint_format(opt_tree, hf_tcp_option_mss_val, tvb, offset,
2010 optlen, mss, "%s: %u bytes", optp->name, mss);
2011 tcp_info_append_uint(pinfo, "MSS", mss);
/*
 * Dissects the Window Scale option: reads the one-byte shift count, shows
 * it with the resulting multiplier, appends "WS=<n>" to the Info column
 * and, on the first pass with sequence analysis and relative sequence
 * numbers enabled, records it through pdu_store_window_scale_option().
 *
 * NOTE(review): ws comes straight from the packet via tvb_get_guint8(), so
 * it can be anything from 0 to 255.  RFC 1323 limits the shift count to 14,
 * but nothing in the visible lines clamps it, and "1 << ws" is undefined
 * behaviour in C once ws reaches the width of int.  Clamping ws (or
 * flagging values above 14) before the shift and before it is stored would
 * remove that; the declaration of ws is on a line this listing omits.
 */
2015 dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
2016 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2019 struct tcp_analysis *tcpd=NULL;
2021 tcpd=get_tcp_conversation_data(pinfo);
2023 ws = tvb_get_guint8(tvb, offset + 2);
2024 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_wscale, tvb,
2025 offset, optlen, TRUE);
2026 proto_tree_add_uint_format(opt_tree, hf_tcp_option_wscale_val, tvb,
2027 offset, optlen, ws, "%s: %u (multiply by %u)",
2028 optp->name, ws, 1 << ws);
2029 tcp_info_append_uint(pinfo, "WS", ws);
2030 if(!pinfo->fd->flags.visited && tcp_analyze_seq && tcp_relative_seq){
2031 pdu_store_window_scale_option(ws, tcpd);
/*
 * Dissects the SACK option: after skipping the kind and length bytes it
 * walks the remaining bytes as (left edge, right edge) pairs of 32-bit
 * values, shows each pair under a subtree and appends SLE/SRE to the Info
 * column.  With sequence analysis and relative sequence numbers enabled the
 * edges are shown relative to tcpd->rev->base_seq.
 *
 * The edge values and the option length are packet-supplied.  Several loop
 * lines (the length tests and the step to the next pair) are missing from
 * this listing; the two "(suboption would go past end of option)" messages
 * show that truncated blocks are detected.
 */
2036 dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
2037 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2039 proto_tree *field_tree = NULL;
2040 proto_item *tf=NULL;
2041 guint32 leftedge, rightedge;
2042 struct tcp_analysis *tcpd=NULL;
2045 if(tcp_analyze_seq && tcp_relative_seq){
2046 /* find(or create if needed) the conversation for this tcp session */
2047 tcpd=get_tcp_conversation_data(pinfo);
/* NOTE(review): tcpd and tcpd->rev are dereferenced below; no NULL check is
 * visible, though two source lines are missing just above -- TODO confirm. */
2050 base_ack=tcpd->rev->base_seq;
2054 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
/* NOTE(review): optlen is a guint, so the subtraction below wraps to a huge
 * value if this is ever called with optlen < 2.  TCPOLEN_SACK_MIN is 2;
 * presumably the option parser enforces it before calling -- TODO confirm. */
2055 offset += 2; /* skip past type and length */
2056 optlen -= 2; /* subtract size of type and length */
2057 while (optlen > 0) {
2058 if (field_tree == NULL) {
2059 /* Haven't yet made a subtree out of this option. Do so. */
2060 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
2061 proto_tree_add_boolean_hidden(field_tree, hf_tcp_option_sack, tvb,
2062 offset, optlen, TRUE);
2065 proto_tree_add_text(field_tree, tvb, offset, optlen,
2066 "(suboption would go past end of option)");
/* leftedge is a guint32, so an edge below base_ack wraps around and is
 * displayed as a very large relative number. */
2069 leftedge = tvb_get_ntohl(tvb, offset)-base_ack;
2070 proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_sle, tvb,
2071 offset, 4, leftedge,
2072 "left edge = %u%s", leftedge,
2073 tcp_relative_seq ? " (relative)" : "");
2077 proto_tree_add_text(field_tree, tvb, offset, optlen,
2078 "(suboption would go past end of option)");
2081 /* XXX - check whether it goes past end of packet */
2082 rightedge = tvb_get_ntohl(tvb, offset + 4)-base_ack;
2084 proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_sre, tvb,
2085 offset+4, 4, rightedge,
2086 "right edge = %u%s", rightedge,
2087 tcp_relative_seq ? " (relative)" : "");
2088 tcp_info_append_uint(pinfo, "SLE", leftedge);
2089 tcp_info_append_uint(pinfo, "SRE", rightedge);
2090 proto_item_append_text(field_tree, " %u-%u", leftedge, rightedge);
/*
 * Dissects a TCP Echo-style option: reads the 32-bit value two bytes into
 * the option, shows it as "<name>: <value>" and appends "ECHO=<n>" to the
 * Info column.  The fixed-offset read relies on the option being long
 * enough (TCPOLEN_ECHO is 6) -- presumably checked by the caller, TODO
 * confirm.
 */
2096 dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
2097 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2101 echo = tvb_get_ntohl(tvb, offset + 2);
2102 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_echo, tvb, offset,
2104 proto_tree_add_text(opt_tree, tvb, offset, optlen,
2105 "%s: %u", optp->name, echo);
2106 tcp_info_append_uint(pinfo, "ECHO", echo);
/*
 * Dissects the Timestamps option: reads two 32-bit values at offsets 2 and
 * 6 into the option, shows them as TSval and TSecr and appends "TSV=" and
 * "TSER=" to the Info column.  The reads span 10 bytes from the start of
 * the option, matching TCPOLEN_TIMESTAMP; enforcement of that length is
 * presumably done by the caller -- TODO confirm.
 */
2110 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
2111 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2115 tsv = tvb_get_ntohl(tvb, offset + 2);
2116 tser = tvb_get_ntohl(tvb, offset + 6);
2117 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_time_stamp, tvb,
2118 offset, optlen, TRUE);
2119 proto_tree_add_text(opt_tree, tvb, offset, optlen,
2120 "%s: TSval %u, TSecr %u", optp->name, tsv, tser);
2121 tcp_info_append_uint(pinfo, "TSV", tsv);
2122 tcp_info_append_uint(pinfo, "TSER", tser);
/*
 * Dissects a CC-style option: reads the 32-bit value two bytes into the
 * option, shows it as "<name>: <value>" and appends "CC=<n>" to the Info
 * column.  The fixed-offset read relies on the option being long enough
 * (TCPOLEN_CC is 6) -- presumably checked by the caller, TODO confirm.
 */
2126 dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
2127 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2131 cc = tvb_get_ntohl(tvb, offset + 2);
2132 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_cc, tvb, offset,
2134 proto_tree_add_text(opt_tree, tvb, offset, optlen,
2135 "%s: %u", optp->name, cc);
2136 tcp_info_append_uint(pinfo, "CC", cc);
/*
 * Dissects the Quick-Start response option: takes the low four bits of the
 * byte at offset + 2 as the rate code, maps it through qs_rates, shows it
 * together with the byte at offset + 3 (the TTL diff) and appends
 * "QSresp=<rate>" to the Info column.
 *
 * The rate code is masked to 0..15 and val_to_str() falls back to
 * "Unknown", so a packet-supplied value cannot index outside the table.
 * The table entries for codes 0-4 and its terminator are on lines this
 * listing omits.
 */
2140 dissect_tcpopt_qs(const ip_tcp_opt *optp, tvbuff_t *tvb,
2141 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
2143 /* Quick-Start TCP option, as defined by RFC4782 */
2144 static const value_string qs_rates[] = {
2150 { 5, "1.28 Mbit/s"},
2151 { 6, "2.56 Mbit/s"},
2152 { 7, "5.12 Mbit/s"},
2153 { 8, "10.24 Mbit/s"},
2154 { 9, "20.48 Mbit/s"},
2155 {10, "40.96 Mbit/s"},
2156 {11, "81.92 Mbit/s"},
2157 {12, "163.84 Mbit/s"},
2158 {13, "327.68 Mbit/s"},
2159 {14, "655.36 Mbit/s"},
2160 {15, "1.31072 Gbit/s"},
2164 guint8 rate = tvb_get_guint8(tvb, offset + 2) & 0x0f;
2166 proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_qs, tvb, offset,
2168 proto_tree_add_text(opt_tree, tvb, offset, optlen,
2169 "%s: Rate response, %s, TTL diff %u ", optp->name,
2170 val_to_str(rate, qs_rates, "Unknown"),
2171 tvb_get_guint8(tvb, offset + 3));
2172 if (check_col(pinfo->cinfo, COL_INFO))
2173 col_append_fstr(pinfo->cinfo, COL_INFO, " QSresp=%s", val_to_str(rate, qs_rates, "Unknown"));
/*
 * Table of known TCP options.  Only a few initializer lines survive in
 * this listing; from them an entry appears to carry a display name, an
 * optional subtree index (cf. *optp->subtree_index in dissect_tcpopt_sack)
 * and a dissect_tcpopt_*() callback.
 *
 * NOTE(review): the callbacks read at fixed offsets inside the option, so
 * they depend on the option length from the packet being checked against
 * the TCPOLEN_* values before they are invoked.  Whether this table carries
 * those lengths, and where the check happens, is not visible here -- TODO
 * confirm in the option parser.
 */
2176 static const ip_tcp_opt tcpopts[] = {
2195 "Maximum segment size",
2199 dissect_tcpopt_maxseg
2207 dissect_tcpopt_wscale
2220 &ett_tcp_option_sack,
2247 dissect_tcpopt_timestamp
2275 "TCP MD5 signature",
/* Number of entries in tcpopts[]. */
2291 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
2293 /* Determine if there is a sub-dissector and call it; return TRUE
2294 if there was a sub-dissector, FALSE otherwise.
2296 This has been separated into a stand-alone routine so other protocol
2297 dissectors can call it, e.g., SOCKS. */
/* When TRUE, decode_tcp_ports() tries the heuristic subdissector list
 * before the port-number table lookups. */
2299 static gboolean try_heuristic_first = FALSE;
2302 /* this function can be called with tcpd==NULL as from the msproxy dissector */
2304 decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
2305 proto_tree *tree, int src_port, int dst_port,
2306 struct tcp_analysis *tcpd)
2309 int low_port, high_port;
2310 int save_desegment_offset;
2311 guint32 save_desegment_len;
2313 /* dont call subdissectors for keepalive or zerowindowprobes
2314 * even though they do contain payload "data"
2315 * keeaplives just contain garbage and zwp contain too little data (1 byte)
2318 if(tcpd && tcpd->ta){
2319 if(tcpd->ta->flags&(TCP_A_ZERO_WINDOW_PROBE|TCP_A_KEEP_ALIVE)){
2324 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
2326 /* determine if this packet is part of a conversation and call dissector */
2327 /* for the conversation if available */
2329 if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
2330 src_port, dst_port, next_tvb, pinfo, tree)){
2331 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
2335 if (try_heuristic_first) {
2336 /* do lookup with the heuristic subdissector table */
2337 save_desegment_offset = pinfo->desegment_offset;
2338 save_desegment_len = pinfo->desegment_len;
2339 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree)){
2340 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
2344 * They rejected the packet; make sure they didn't also request
2345 * desegmentation (we could just override the request, but
2346 * rejecting a packet *and* requesting desegmentation is a sign
2347 * of the dissector's code needing clearer thought, so we fail
2348 * so that the problem is made more obvious).
2350 DISSECTOR_ASSERT(save_desegment_offset == pinfo->desegment_offset &&
2351 save_desegment_len == pinfo->desegment_len);
2354 /* Do lookups with the subdissector table.
2355 We try the port number with the lower value first, followed by the
2356 port number with the higher value. This means that, for packets
2357 where a dissector is registered for *both* port numbers:
2359 1) we pick the same dissector for traffic going in both directions;
2361 2) we prefer the port number that's more likely to be the right
2362 one (as that prefers well-known ports to reserved ports);
2364 although there is, of course, no guarantee that any such strategy
2365 will always pick the right port number.
2367 XXX - we ignore port numbers of 0, as some dissectors use a port
2368 number of 0 to disable the port. */
2369 if (src_port > dst_port) {
2370 low_port = dst_port;
2371 high_port = src_port;
2373 low_port = src_port;
2374 high_port = dst_port;
2376 if (low_port != 0 &&
2377 dissector_try_port(subdissector_table, low_port, next_tvb, pinfo, tree)){
2378 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
2381 if (high_port != 0 &&
2382 dissector_try_port(subdissector_table, high_port, next_tvb, pinfo, tree)){
2383 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
2387 if (!try_heuristic_first) {
2388 /* do lookup with the heuristic subdissector table */
2389 save_desegment_offset = pinfo->desegment_offset;
2390 save_desegment_len = pinfo->desegment_len;
2391 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree)){
2392 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
2396 * They rejected the packet; make sure they didn't also request
2397 * desegmentation (we could just override the request, but
2398 * rejecting a packet *and* requesting desegmentation is a sign
2399 * of the dissector's code needing clearer thought, so we fail
2400 * so that the problem is made more obvious).
2402 DISSECTOR_ASSERT(save_desegment_offset == pinfo->desegment_offset &&
2403 save_desegment_len == pinfo->desegment_len);
2406 /* Oh, well, we don't know this; dissect it as data. */
2407 call_dissector(data_handle,next_tvb, pinfo, tree);
2409 pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
/* Hand one TCP payload to the sub-dissectors via decode_tcp_ports() and
   record where the next PDU starts.
   As visible here: pinfo->want_pdu_tracking is reset to 0; when sequence
   analysis is enabled and desegmentation is off, offset is replaced by the
   value scan_for_next_pdu() returns (the original comment says -1 means the
   segment lies wholly inside an already-detected PDU); after the hand-off,
   on the first pass only (!visited) and when want_pdu_tracking is set,
   pdu_store_sequencenumber_of_next_pdu() is called with
   nxtseq + pinfo->bytes_until_next_pdu. The same store is repeated in the
   exception path, which the original comment describes as the place for
   work that must happen before the TCP dissection is aborted.
   NOTE(review): offset is declared volatile, presumably because the
   exception macros (not visible in this listing) are setjmp-based -- confirm.
   NOTE(review): is_tcp_segment is not used on any visible line; this
   listing skips source lines, so its use cannot be confirmed from here. */
2414 process_tcp_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
2415 proto_tree *tree, proto_tree *tcp_tree, int src_port, int dst_port,
2416 guint32 seq, guint32 nxtseq, gboolean is_tcp_segment,
2417 struct tcp_analysis *tcpd)
2419 pinfo->want_pdu_tracking=0;
2423 /*qqq see if it is an unaligned PDU */
2424 if(tcpd && tcp_analyze_seq && (!tcp_desegment)){
2426 offset=scan_for_next_pdu(tvb, tcp_tree, pinfo, offset,
2427 seq, nxtseq, tcpd->fwd->multisegment_pdus);
2431 /* if offset is -1 this means that this segment is known
2432 * to be fully inside a previously detected pdu
2433 * so we do not even need to try to dissect it either.
2436 decode_tcp_ports(tvb, offset, pinfo, tree, src_port,
2439 * We succeeded in handing off to a subdissector.
2441 * Is this a TCP segment or a reassembled chunk of
2445 /* if !visited, check want_pdu_tracking and
2446 store it in table */
2447 if(tcpd && (!pinfo->fd->flags.visited) &&
2448 tcp_analyze_seq && pinfo->want_pdu_tracking){
2450 pdu_store_sequencenumber_of_next_pdu(
2453 nxtseq+pinfo->bytes_until_next_pdu,
2454 tcpd->fwd->multisegment_pdus);
2461 /* We got an exception. At this point the dissection is
2462 * completely aborted and execution will be transferred back
2463 * to (probably) the frame dissector.
2464 * Here we have to place whatever we want the dissector
2465 * to do before aborting the tcp dissection.
2468 * Is this a TCP segment or a reassembled chunk of TCP
2473 * It's from a TCP segment.
2475 * if !visited, check want_pdu_tracking and store it
2478 if(tcpd && (!pinfo->fd->flags.visited) && tcp_analyze_seq && pinfo->want_pdu_tracking){
2480 pdu_store_sequencenumber_of_next_pdu(pinfo,
2482 nxtseq+pinfo->bytes_until_next_pdu,
2483 tcpd->fwd->multisegment_pdus);
/* Dispatch a TCP segment payload either to desegmentation or straight to
   the sub-dissectors.
   If pinfo->can_desegment is set, desegment_tcp() handles the segment.
   Otherwise pinfo->fragmented is forced to TRUE around the call to
   process_tcp_payload(), so that (per the original comment) an exception
   thrown by a sub-dissector on this un-reassembled data is not reported as
   a malformed frame. The saved value is written back only when
   process_tcp_payload() returns normally. */
2493 dissect_tcp_payload(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 seq,
2494 guint32 nxtseq, guint32 sport, guint32 dport,
2495 proto_tree *tree, proto_tree *tcp_tree,
2496 struct tcp_analysis *tcpd)
2498 gboolean save_fragmented;
2500 /* Can we desegment this segment? */
2501 if (pinfo->can_desegment) {
2503 desegment_tcp(tvb, pinfo, offset, seq, nxtseq, sport, dport, tree,
2506 /* No - just call the subdissector.
2507 Mark this as fragmented, so if somebody throws an exception,
2508 we don't report it as a malformed frame. */
2509 save_fragmented = pinfo->fragmented;
2510 pinfo->fragmented = TRUE;
2511 process_tcp_payload(tvb, offset, pinfo, tree, tcp_tree, sport, dport,
2512 seq, nxtseq, TRUE, tcpd);
2513 pinfo->fragmented = save_fragmented;
/* Dissect one TCP segment: header fields, checksum, options, then payload.

   Every value parsed here comes from the captured packet and has to be
   treated as untrusted. What the visible code does with it:
   - Ports, sequence/ack numbers, data offset, flags and window are read with
     the tvb_get_* accessors; th_hlen is the high nibble of byte 12 times 4.
   - If the segment is neither an IP fragment nor inside an error packet and
     reported_len < th_hlen, a Short segment expert item (PI_MALFORMED) is
     added and th_have_seglen is FALSE; otherwise th_seglen is
     reported_len - th_hlen.
   - th_hlen < TCPH_MIN_LEN is reported as a bogus header length.
   - The flag names are formatted into a buffer of MAX_FLAGS_LEN bytes
     obtained from ep_alloc(); g_snprintf is given the remaining space and
     fpos advances by at most that amount.
   - When checksum validation is on, the packet is not a fragment and all
     reported bytes are present, the checksum is computed over the
     pseudo-header plus the segment. Only the incorrect result and the
     not-all-data-available case set desegment_ok to FALSE; a stored
     checksum of 0 is treated as offloaded and still allows desegmentation.
   - pinfo->can_desegment is set to 2 only when tcp_desegment is enabled and
     the segment is not being returned in an error packet.
   - Options are decoded only after tvb_ensure_bytes_exist() has been called
     for optlen bytes at offset + 20.
   - Remaining payload of an RST segment is shown as text; any other payload
     goes to dissect_tcp_payload().

   NOTE(review): this listing omits source lines (the gutter numbers jump),
   including several declarations, braces and returns. In particular the
   checks that guard msp and ipfd_head before they are dereferenced in the
   FIN reassembly path are not visible here -- confirm in the full file. */
2518 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2520 guint8 th_off_x2; /* combines th_off and th_x2 */
2523 proto_tree *tcp_tree = NULL, *field_tree = NULL;
2524 proto_item *ti = NULL, *tf;
2526 gchar *flags = "<None>";
2527 const gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
2528 size_t fpos = 0, returned_length;
2536 guint16 computed_cksum;
2537 guint16 real_window;
2538 guint length_remaining;
2539 gboolean desegment_ok;
2540 struct tcpinfo tcpinfo;
2541 struct tcpheader *tcph;
2542 proto_item *tf_syn = NULL, *tf_fin = NULL, *tf_rst = NULL;
2543 struct tcp_analysis *tcpd=NULL;
2544 struct tcp_per_packet_data_t *tcppd=NULL;
2546 proto_tree *checksum_tree;
2550 tcph=ep_alloc(sizeof(struct tcpheader));
2551 SET_ADDRESS(&tcph->ip_src, pinfo->src.type, pinfo->src.len, pinfo->src.data);
2552 SET_ADDRESS(&tcph->ip_dst, pinfo->dst.type, pinfo->dst.len, pinfo->dst.data);
2554 if (check_col(pinfo->cinfo, COL_PROTOCOL))
2555 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
2557 /* Clear out the Info column. */
2558 if (check_col(pinfo->cinfo, COL_INFO))
2559 col_clear(pinfo->cinfo, COL_INFO);
2561 tcph->th_sport = tvb_get_ntohs(tvb, offset);
2562 tcph->th_dport = tvb_get_ntohs(tvb, offset + 2);
2563 if (check_col(pinfo->cinfo, COL_INFO)) {
2564 col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
2565 get_tcp_port(tcph->th_sport), get_tcp_port(tcph->th_dport));
2568 if (tcp_summary_in_tree) {
2569 ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
2570 "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
2571 get_tcp_port(tcph->th_sport), tcph->th_sport,
2572 get_tcp_port(tcph->th_dport), tcph->th_dport);
2575 ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
2577 tcp_tree = proto_item_add_subtree(ti, ett_tcp);
2578 pinfo->tcp_tree=tcp_tree;
2580 proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, tcph->th_sport,
2581 "Source port: %s (%u)", get_tcp_port(tcph->th_sport), tcph->th_sport);
2582 proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, tcph->th_dport,
2583 "Destination port: %s (%u)", get_tcp_port(tcph->th_dport), tcph->th_dport);
2584 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, tcph->th_sport);
2585 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, tcph->th_dport);
2587 /* If we're dissecting the headers of a TCP packet in an ICMP packet
2588 * then go ahead and put the sequence numbers in the tree now (because
2589 * they won't be put in later because the ICMP packet only contains up
2590 * to the sequence number).
2591 * We should only need to do this for IPv4 since IPv6 will hopefully
2592 * carry enough TCP payload for this dissector to put the sequence
2593 * numbers in via the regular code path.
2595 if (pinfo->layer_names != NULL && pinfo->layer_names->str != NULL) {
2596 /* use strstr because g_strrstr is only present in glib2.0 and
2597 * g_str_has_suffix in glib2.2
2599 if (strstr(pinfo->layer_names->str, "icmp:ip") != NULL)
2600 proto_tree_add_item(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, FALSE);
2604 /* Set the source and destination port numbers as soon as we get them,
2605 so that they're available to the "Follow TCP Stream" code even if
2606 we throw an exception dissecting the rest of the TCP header. */
2607 pinfo->ptype = PT_TCP;
2608 pinfo->srcport = tcph->th_sport;
2609 pinfo->destport = tcph->th_dport;
2611 tcph->th_seq = tvb_get_ntohl(tvb, offset + 4);
2612 tcph->th_ack = tvb_get_ntohl(tvb, offset + 8);
2613 th_off_x2 = tvb_get_guint8(tvb, offset + 12);
2614 tcph->th_flags = tvb_get_guint8(tvb, offset + 13);
2615 tcph->th_win = tvb_get_ntohs(tvb, offset + 14);
2616 real_window = tcph->th_win;
2617 tcph->th_hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
/* th_hlen is taken from the packet as-is at this point; it is compared
   with reported_len and with TCPH_MIN_LEN only further down. */
2619 /* find(or create if needed) the conversation for this tcp session */
2620 tcpd=get_tcp_conversation_data(pinfo);
2622 /* If this is a SYN packet, then check if its seq-nr is different
2623 * from the base_seq of the retrieved conversation. If this is the
2624 * case, create a new conversation with the same addresses and ports
2625 * and set the TA_PORTS_REUSED flag. If the seq-nr is the same as
2626 * the base_seq, then do nothing so it will be marked as a retrans-
2629 if(tcpd && ((tcph->th_flags&(TH_SYN|TH_ACK))==TH_SYN) &&
2630 (tcpd->fwd->base_seq!=0) &&
2631 (tcph->th_seq!=tcpd->fwd->base_seq) ) {
2632 if (!(pinfo->fd->flags.visited))
2633 tcpd=new_tcp_conversation(pinfo);
2635 tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
2636 tcpd->ta->flags|=TCP_A_REUSED_PORTS;
2640 /* Do we need to calculate timestamps relative to the tcp-stream? */
2641 if (tcp_calculate_ts) {
2644 * Calculate the timestamps relative to this conversation (but only on the
2645 * first run when frames are accessed sequentially)
2647 if (!(pinfo->fd->flags.visited))
2648 tcp_calculate_timestamps(pinfo, tcpd, tcppd);
2651 /* Fill the conversation timestamp columns */
2652 if (tcpd && check_col(pinfo->cinfo, COL_REL_CONV_TIME)) {
2653 nstime_delta(&ts, &pinfo->fd->abs_ts, &tcpd->ts_first);
2654 col_set_time(pinfo->cinfo, COL_REL_CONV_TIME, &ts, "tcp.time_relative");
2657 if (check_col(pinfo->cinfo, COL_DELTA_CONV_TIME)) {
2659 tcppd = p_get_proto_data(pinfo->fd, proto_tcp);
2662 col_set_time(pinfo->cinfo, COL_DELTA_CONV_TIME, &tcppd->ts_del, "tcp.time_delta");
2668 * If we've been handed an IP fragment, we don't know how big the TCP
2669 * segment is, so don't do anything that requires that we know that.
2671 * The same applies if we're part of an error packet. (XXX - if the
2672 * ICMP and ICMPv6 dissectors could set a "this is how big the IP
2673 * header says it is" length in the tvbuff, we could use that; such
2674 * a length might also be useful for handling packets where the IP
2675 * length is bigger than the actual data available in the frame; the
2676 * dissectors should trust that length, and then throw a
2677 * ReportedBoundsError exception when they go past the end of the frame.)
2679 * We also can't determine the segment length if the reported length
2680 * of the TCP packet is less than the TCP header length.
2682 reported_len = tvb_reported_length(tvb);
2684 if (!pinfo->fragmented && !pinfo->in_error_pkt) {
2685 if (reported_len < tcph->th_hlen) {
2687 pi = proto_tree_add_text(tcp_tree, tvb, offset, 0,
2688 "Short segment. Segment/fragment does not contain a full TCP header"
2689 " (might be NMAP or someone else deliberately sending unusual packets)");
2690 PROTO_ITEM_SET_GENERATED(pi);
2691 expert_add_info_format(pinfo, pi, PI_MALFORMED, PI_WARN, "Short segment");
2692 tcph->th_have_seglen = FALSE;
2694 /* Compute the length of data in this segment. */
2695 tcph->th_seglen = reported_len - tcph->th_hlen;
2696 tcph->th_have_seglen = TRUE;
2698 if (tree) { /* Add the seglen as an invisible field */
2700 proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, tcph->th_seglen);
2705 /* handle TCP seq# analysis parse all new segments we see */
2706 if(tcp_analyze_seq){
2707 if(!(pinfo->fd->flags.visited)){
2708 tcp_analyze_sequence_number(pinfo, tcph->th_seq, tcph->th_ack, tcph->th_seglen, tcph->th_flags, tcph->th_win, tcpd);
2710 if(tcp_relative_seq){
2711 tcp_get_relative_seq_ack(&(tcph->th_seq), &(tcph->th_ack), &(tcph->th_win), tcpd);
2715 /* Compute the sequence number of next octet after this segment. */
2716 nxtseq = tcph->th_seq + tcph->th_seglen;
2719 tcph->th_have_seglen = FALSE;
2721 if (check_col(pinfo->cinfo, COL_INFO) || tree) {
2722 #define MAX_FLAGS_LEN 64
2723 flags=ep_alloc(MAX_FLAGS_LEN);
2725 for (i = 0; i < 8; i++) {
2727 if (tcph->th_flags & bpos) {
2728 returned_length = g_snprintf(&flags[fpos], MAX_FLAGS_LEN-fpos, "%s%s",
2731 fpos += MIN(returned_length, MAX_FLAGS_LEN-fpos);
2736 if (check_col(pinfo->cinfo, COL_INFO)) {
2737 col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u", flags, tcph->th_seq);
2738 if (tcph->th_flags&TH_ACK) {
2739 col_append_fstr(pinfo->cinfo, COL_INFO, " Ack=%u", tcph->th_ack);
2741 if (tcph->th_flags&TH_SYN) { /* SYNs are never scaled */
2742 col_append_fstr(pinfo->cinfo, COL_INFO, " Win=%u", real_window);
2744 col_append_fstr(pinfo->cinfo, COL_INFO, " Win=%u", tcph->th_win);
2749 if (tcp_summary_in_tree) {
2750 proto_item_append_text(ti, ", Seq: %u", tcph->th_seq);
2752 if(tcp_relative_seq){
2753 proto_tree_add_uint_format(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "Sequence number: %u (relative sequence number)", tcph->th_seq);
2755 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq);
2759 if (tcph->th_hlen < TCPH_MIN_LEN) {
2760 /* Give up at this point; we put the source and destination port in
2761 the tree, before fetching the header length, so that they'll
2762 show up if this is in the failing packet in an ICMP error packet,
2763 but it's now time to give up if the header length is bogus. */
2764 if (check_col(pinfo->cinfo, COL_INFO))
2765 col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
2766 tcph->th_hlen, TCPH_MIN_LEN);
2768 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
2769 "Header length: %u bytes (bogus, must be at least %u)", tcph->th_hlen,
2776 if (tcp_summary_in_tree) {
2777 if(tcph->th_flags&TH_ACK){
2778 proto_item_append_text(ti, ", Ack: %u", tcph->th_ack);
2780 if (tcph->th_have_seglen)
2781 proto_item_append_text(ti, ", Len: %u", tcph->th_seglen);
2783 proto_item_set_len(ti, tcph->th_hlen);
2784 if (tcph->th_have_seglen) {
2785 if (nxtseq != tcph->th_seq) {
2786 if(tcp_relative_seq){
2787 tf=proto_tree_add_uint_format(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq, "Next sequence number: %u (relative sequence number)", nxtseq);
2789 tf=proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
2791 PROTO_ITEM_SET_GENERATED(tf);
2794 if (tcph->th_flags & TH_ACK) {
2795 if(tcp_relative_seq){
2796 proto_tree_add_uint_format(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack, "Acknowledgement number: %u (relative ack number)", tcph->th_ack);
2798 proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack);
2801 /* Verify that the ACK field is zero */
2802 if(tvb_get_ntohl(tvb, offset+8) != 0){
2803 proto_tree_add_text(tcp_tree, tvb, offset+8, 4,"Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set");
2806 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
2807 "Header length: %u bytes", tcph->th_hlen);
2808 tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
2809 tcph->th_flags, "Flags: 0x%02x (%s)", tcph->th_flags, flags);
2810 field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
2811 proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, tcph->th_flags);
2812 proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, tcph->th_flags);
2813 proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, tcph->th_flags);
2814 proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, tcph->th_flags);
2815 proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, tcph->th_flags);
2816 tf_rst = proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
2817 tf_syn = proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
2818 tf_fin = proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
2820 && (tcph->th_win!=real_window)
2821 && !(tcph->th_flags&TH_SYN) ){ /* SYNs are never scaled */
2822 proto_tree_add_uint_format(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win, "Window size: %u (scaled)", tcph->th_win);
2824 proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, real_window);
2828 if(tcph->th_flags & TH_SYN) {
2829 if(tcph->th_flags & TH_ACK)
2830 expert_add_info_format(pinfo, tf_syn, PI_SEQUENCE, PI_CHAT, "Connection establish acknowledge (SYN+ACK): server port %s",
2831 get_tcp_port(tcph->th_sport));
2833 expert_add_info_format(pinfo, tf_syn, PI_SEQUENCE, PI_CHAT, "Connection establish request (SYN): server port %s",
2834 get_tcp_port(tcph->th_dport));
2836 if(tcph->th_flags & TH_FIN)
2837 /* XXX - find a way to know the server port and output only that one */
2838 expert_add_info_format(pinfo, tf_fin, PI_SEQUENCE, PI_CHAT, "Connection finish (FIN)");
2839 if(tcph->th_flags & TH_RST)
2840 /* XXX - find a way to know the server port and output only that one */
2841 expert_add_info_format(pinfo, tf_rst, PI_SEQUENCE, PI_CHAT, "Connection reset (RST)");
2843 /* Supply the sequence number of the first byte and of the first byte
2844 after the segment. */
2845 tcpinfo.seq = tcph->th_seq;
2846 tcpinfo.nxtseq = nxtseq;
2847 tcpinfo.lastackseq = tcph->th_ack;
2849 /* Assume we'll pass un-reassembled data to subdissectors. */
2850 tcpinfo.is_reassembled = FALSE;
2852 pinfo->private_data = &tcpinfo;
2855 * Assume, initially, that we can't desegment.
2857 pinfo->can_desegment = 0;
2858 th_sum = tvb_get_ntohs(tvb, offset + 16);
2859 if (!pinfo->fragmented && tvb_bytes_exist(tvb, 0, reported_len)) {
2860 /* The packet isn't part of an un-reassembled fragmented datagram
2861 and isn't truncated. This means we have all the data, and thus
2862 can checksum it and, unless it's being returned in an error
2863 packet, are willing to allow subdissectors to request reassembly
2866 if (tcp_check_checksum) {
2867 /* We haven't turned checksum checking off; checksum it. */
2869 /* Set up the fields of the pseudo-header. */
2870 cksum_vec[0].ptr = pinfo->src.data;
2871 cksum_vec[0].len = pinfo->src.len;
2872 cksum_vec[1].ptr = pinfo->dst.data;
2873 cksum_vec[1].len = pinfo->dst.len;
2874 cksum_vec[2].ptr = (const guint8 *)&phdr;
2875 switch (pinfo->src.type) {
2878 phdr[0] = g_htonl((IP_PROTO_TCP<<16) + reported_len);
2879 cksum_vec[2].len = 4;
2883 phdr[0] = g_htonl(reported_len);
2884 phdr[1] = g_htonl(IP_PROTO_TCP);
2885 cksum_vec[2].len = 8;
2889 /* TCP runs only atop IPv4 and IPv6.... */
2890 DISSECTOR_ASSERT_NOT_REACHED();
2893 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, reported_len);
2894 cksum_vec[3].len = reported_len;
2895 computed_cksum = in_cksum(&cksum_vec[0], 4);
2896 if (computed_cksum == 0 && th_sum == 0xffff) {
2897 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2898 offset + 16, 2, th_sum,
2899 "Checksum: 0x%04x [should be 0x0000 (see RFC 1624)]", th_sum);
2901 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2902 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2903 offset + 16, 2, FALSE);
2904 PROTO_ITEM_SET_GENERATED(item);
2905 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2906 offset + 16, 2, FALSE);
2907 PROTO_ITEM_SET_GENERATED(item);
2908 expert_add_info_format(pinfo, item, PI_CHECKSUM, PI_WARN, "TCP Checksum 0xffff instead of 0x0000 (see RFC 1624)");
2910 if (check_col(pinfo->cinfo, COL_INFO))
2911 col_append_str(pinfo->cinfo, COL_INFO, " [TCP CHECKSUM 0xFFFF]");
2913 /* Checksum is treated as valid on most systems, so we're willing to desegment it. */
2914 desegment_ok = TRUE;
2915 } else if (computed_cksum == 0) {
2916 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2917 offset + 16, 2, th_sum, "Checksum: 0x%04x [correct]", th_sum);
2919 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2920 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2921 offset + 16, 2, TRUE);
2922 PROTO_ITEM_SET_GENERATED(item);
2923 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2924 offset + 16, 2, FALSE);
2925 PROTO_ITEM_SET_GENERATED(item);
2927 /* Checksum is valid, so we're willing to desegment it. */
2928 desegment_ok = TRUE;
2929 } else if (th_sum == 0) {
2930 /* checksum is probably fine but checksum offload is used */
2931 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2932 offset + 16, 2, th_sum, "Checksum: 0x%04x [Checksum Offloaded]", th_sum);
2934 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2935 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2936 offset + 16, 2, FALSE);
2937 PROTO_ITEM_SET_GENERATED(item);
2938 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2939 offset + 16, 2, FALSE);
2940 PROTO_ITEM_SET_GENERATED(item);
2942 /* Checksum is (probably) valid, so we're willing to desegment it. */
2943 desegment_ok = TRUE;
2945 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2946 offset + 16, 2, th_sum,
2947 "Checksum: 0x%04x [incorrect, should be 0x%04x (maybe caused by \"TCP checksum offload\"?)]", th_sum,
2948 in_cksum_shouldbe(th_sum, computed_cksum));
2950 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2951 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2952 offset + 16, 2, FALSE);
2953 PROTO_ITEM_SET_GENERATED(item);
2954 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2955 offset + 16, 2, TRUE);
2956 PROTO_ITEM_SET_GENERATED(item);
2957 expert_add_info_format(pinfo, item, PI_CHECKSUM, PI_ERROR, "Bad checksum");
2959 if (check_col(pinfo->cinfo, COL_INFO))
2960 col_append_str(pinfo->cinfo, COL_INFO, " [TCP CHECKSUM INCORRECT]");
2962 /* Checksum is invalid, so we're not willing to desegment it. */
2963 desegment_ok = FALSE;
2964 pinfo->noreassembly_reason = " [incorrect TCP checksum]";
2967 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2968 offset + 16, 2, th_sum, "Checksum: 0x%04x [validation disabled]", th_sum);
2970 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2971 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2972 offset + 16, 2, FALSE);
2973 PROTO_ITEM_SET_GENERATED(item);
2974 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2975 offset + 16, 2, FALSE);
2976 PROTO_ITEM_SET_GENERATED(item);
2978 /* We didn't check the checksum, and don't care if it's valid,
2979 so we're willing to desegment it. */
2980 desegment_ok = TRUE;
2983 /* We don't have all the packet data, so we can't checksum it... */
2984 item = proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2985 offset + 16, 2, th_sum, "Checksum: 0x%04x [unchecked, not all data available]", th_sum);
2987 checksum_tree = proto_item_add_subtree(item, ett_tcp_checksum);
2988 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_good, tvb,
2989 offset + 16, 2, FALSE);
2990 PROTO_ITEM_SET_GENERATED(item);
2991 item = proto_tree_add_boolean(checksum_tree, hf_tcp_checksum_bad, tvb,
2992 offset + 16, 2, FALSE);
2993 PROTO_ITEM_SET_GENERATED(item);
2995 /* ...and aren't willing to desegment it. */
2996 desegment_ok = FALSE;
3000 /* We're willing to desegment this. Is desegmentation enabled? */
3001 if (tcp_desegment) {
3002 /* Yes - is this segment being returned in an error packet? */
3003 if (!pinfo->in_error_pkt) {
3004 /* No - indicate that we will desegment.
3005 We do NOT want to desegment segments returned in error
3006 packets, as they're not part of a TCP connection. */
3007 pinfo->can_desegment = 2;
3012 if (tcph->th_flags & TH_URG) {
3013 th_urp = tvb_get_ntohs(tvb, offset + 18);
3014 /* Export the urgent pointer, for the benefit of protocols such as
3016 tcpinfo.urgent = TRUE;
3017 tcpinfo.urgent_pointer = th_urp;
3018 if (check_col(pinfo->cinfo, COL_INFO))
3019 col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
3020 if (tcp_tree != NULL)
3021 proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
3023 tcpinfo.urgent = FALSE;
3025 if (tcph->th_have_seglen) {
3026 if (check_col(pinfo->cinfo, COL_INFO))
3027 col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", tcph->th_seglen);
3030 /* Decode TCP options, if any. */
3031 if (tcph->th_hlen > TCPH_MIN_LEN) {
3032 /* There's more than just the fixed-length header. Decode the
3034 optlen = tcph->th_hlen - TCPH_MIN_LEN; /* length of options, in bytes */
3035 tvb_ensure_bytes_exist(tvb, offset + 20, optlen);
3036 if (tcp_tree != NULL) {
3037 guint8 *p_options = ep_tvb_memdup(tvb, offset + 20, optlen);
3038 tf = proto_tree_add_bytes_format(tcp_tree, hf_tcp_options, tvb, offset + 20,
3039 optlen, p_options, "Options: (%u bytes)", optlen);
3040 field_tree = proto_item_add_subtree(tf, ett_tcp_options);
3043 dissect_ip_tcp_options(tvb, offset + 20, optlen,
3044 tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo, field_tree);
3047 /* If there was window scaling in the SYN packet but none in the SYN+ACK
3048 * then we should just forget about the windowscaling completely.
3050 if(!pinfo->fd->flags.visited){
3051 if(tcp_analyze_seq && tcp_relative_seq){
3052 if((tcph->th_flags & (TH_SYN|TH_ACK))==(TH_SYN|TH_ACK)) {
3053 verify_tcp_window_scaling(tcpd);
3058 /* Skip over header + options */
3059 offset += tcph->th_hlen;
3061 /* Check the packet length to see if there's more data
3062 (it could be an ACK-only packet) */
3063 length_remaining = tvb_length_remaining(tvb, offset);
3065 if (tcph->th_have_seglen) {
3066 if( data_out_file ) {
3067 reassemble_tcp( tcph->th_seq, /* sequence number */
3068 tcph->th_ack, /* acknowledgement number */
3069 tcph->th_seglen, /* data length */
3070 (gchar*)tvb_get_ptr(tvb, offset, length_remaining), /* data */
3071 length_remaining, /* captured data length */
3072 ( tcph->th_flags & TH_SYN ), /* is syn set? */
3080 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
3081 if(tcp_analyze_seq){
3082 tcp_print_sequence_number_analysis(pinfo, tvb, tcp_tree, tcpd);
3085 /* handle conversation timestamps */
3086 if(tcp_calculate_ts){
3087 tcp_print_timestamps(pinfo, tvb, tcp_tree, tcpd, tcppd);
3090 tap_queue_packet(tcp_tap, pinfo, tcph);
3093 /* A FIN packet might complete reassembly so we need to explicitly
3094 * check for this here.
3096 if(tcpd && (tcph->th_flags & TH_FIN)
3097 && (tcpd->fwd->flags&TCP_FLOW_REASSEMBLE_UNTIL_FIN) ){
3098 struct tcp_multisegment_pdu *msp;
3100 /* find the most previous PDU starting before this sequence number */
3101 msp=se_tree_lookup32_le(tcpd->fwd->multisegment_pdus, tcph->th_seq-1);
3103 fragment_data *ipfd_head;
3105 ipfd_head = fragment_add(tvb, offset, pinfo, msp->first_frame,
3107 tcph->th_seq - msp->seq,
3113 /* create a new TVB structure for desegmented data */
3114 next_tvb = tvb_new_real_data(ipfd_head->data, ipfd_head->datalen, ipfd_head->datalen);
3116 /* add this tvb as a child to the original one */
3117 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
3119 /* add desegmented data to the data source list */
3120 add_new_data_source(pinfo, next_tvb, "Reassembled TCP");
3122 /* call the payload dissector
3123 * but make sure we don't offer desegmentation any more
3125 pinfo->can_desegment = 0;
3127 process_tcp_payload(next_tvb, 0, pinfo, tree, tcp_tree, tcph->th_sport, tcph->th_dport, tcph->th_seq, nxtseq, FALSE, tcpd);
3135 * XXX - what, if any, of this should we do if this is included in an
3136 * error packet? It might be nice to see the details of the packet
3137 * that caused the ICMP error, but it might not be nice to have the
3138 * dissector update state based on it.
3139 * Also, we probably don't want to run TCP taps on those packets.
3141 if (length_remaining != 0) {
3142 if (tcph->th_flags & TH_RST) {
3146 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
3148 * A TCP SHOULD allow a received RST segment to include data.
3151 * It has been suggested that a RST segment could contain
3152 * ASCII text that encoded and explained the cause of the
3153 * RST. No standard has yet been established for such
3156 * so for segments with RST we just display the data as text.
3158 proto_tree_add_text(tcp_tree, tvb, offset, length_remaining,
3160 tvb_format_text(tvb, offset, length_remaining));
3162 dissect_tcp_payload(tvb, pinfo, offset, tcph->th_seq, nxtseq,
3163 tcph->th_sport, tcph->th_dport, tree, tcp_tree, tcpd);
3169 proto_register_tcp(void)
3171 static hf_register_info hf[] = {
3174 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
3178 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
3182 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
3186 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
3190 { "Next sequence number", "tcp.nxtseq", FT_UINT32, BASE_DEC, NULL, 0x0,
3194 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
3198 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
3202 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
3205 { &hf_tcp_flags_cwr,
3206 { "Congestion Window Reduced (CWR)", "tcp.flags.cwr", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_CWR,
3209 { &hf_tcp_flags_ecn,
3210 { "ECN-Echo", "tcp.flags.ecn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ECN,
3213 { &hf_tcp_flags_urg,
3214 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
3217 { &hf_tcp_flags_ack,
3218 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
3221 { &hf_tcp_flags_push,
3222 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
3225 { &hf_tcp_flags_reset,
3226 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
3229 { &hf_tcp_flags_syn,
3230 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
3233 { &hf_tcp_flags_fin,
3234 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
3237 /* 32 bits so we can present some values adjusted to window scaling */
3238 { &hf_tcp_window_size,
3239 { "Window size", "tcp.window_size", FT_UINT32, BASE_DEC, NULL, 0x0,
3243 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
3244 "Details at: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html", HFILL }},
3246 { &hf_tcp_checksum_good,
3247 { "Good Checksum", "tcp.checksum_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3248 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
3250 { &hf_tcp_checksum_bad,
3251 { "Bad Checksum", "tcp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3252 "True: checksum doesn't match packet content; False: matches content or not checked", HFILL }},
3254 { &hf_tcp_analysis_flags,
3255 { "TCP Analysis Flags", "tcp.analysis.flags", FT_NONE, BASE_NONE, NULL, 0x0,
3256 "This frame has some of the TCP analysis flags set", HFILL }},
3258 { &hf_tcp_analysis_retransmission,
3259 { "Retransmission", "tcp.analysis.retransmission", FT_NONE, BASE_NONE, NULL, 0x0,
3260 "This frame is a suspected TCP retransmission", HFILL }},
3262 { &hf_tcp_analysis_fast_retransmission,
3263 { "Fast Retransmission", "tcp.analysis.fast_retransmission", FT_NONE, BASE_NONE, NULL, 0x0,
3264 "This frame is a suspected TCP fast retransmission", HFILL }},
3266 { &hf_tcp_analysis_out_of_order,
3267 { "Out Of Order", "tcp.analysis.out_of_order", FT_NONE, BASE_NONE, NULL, 0x0,
3268 "This frame is a suspected Out-Of-Order segment", HFILL }},
3270 { &hf_tcp_analysis_reused_ports,
3271 { "TCP Port numbers reused", "tcp.analysis.reused_ports", FT_NONE, BASE_NONE, NULL, 0x0,
3272 "A new tcp session has started with previously used port numbers", HFILL }},
3274 { &hf_tcp_analysis_lost_packet,
3275 { "Previous Segment Lost", "tcp.analysis.lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
3276 "A segment before this one was lost from the capture", HFILL }},
3278 { &hf_tcp_analysis_ack_lost_packet,
3279 { "ACKed Lost Packet", "tcp.analysis.ack_lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
3280 "This frame ACKs a lost segment", HFILL }},
3282 { &hf_tcp_analysis_window_update,
3283 { "Window update", "tcp.analysis.window_update", FT_NONE, BASE_NONE, NULL, 0x0,
3284 "This frame is a tcp window update", HFILL }},
3286 { &hf_tcp_analysis_window_full,
3287 { "Window full", "tcp.analysis.window_full", FT_NONE, BASE_NONE, NULL, 0x0,
3288 "This segment has caused the allowed window to become 100% full", HFILL }},
3290 { &hf_tcp_analysis_keep_alive,
3291 { "Keep Alive", "tcp.analysis.keep_alive", FT_NONE, BASE_NONE, NULL, 0x0,
3292 "This is a keep-alive segment", HFILL }},
3294 { &hf_tcp_analysis_keep_alive_ack,
3295 { "Keep Alive ACK", "tcp.analysis.keep_alive_ack", FT_NONE, BASE_NONE, NULL, 0x0,
3296 "This is an ACK to a keep-alive segment", HFILL }},
3298 { &hf_tcp_analysis_duplicate_ack,
3299 { "Duplicate ACK", "tcp.analysis.duplicate_ack", FT_NONE, BASE_NONE, NULL, 0x0,
3300 "This is a duplicate ACK", HFILL }},
3302 { &hf_tcp_analysis_duplicate_ack_num,
3303 { "Duplicate ACK #", "tcp.analysis.duplicate_ack_num", FT_UINT32, BASE_DEC, NULL, 0x0,
3304 "This is duplicate ACK number #", HFILL }},
3306 { &hf_tcp_analysis_duplicate_ack_frame,
3307 { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3308 "This is a duplicate to the ACK in frame #", HFILL }},
3310 { &hf_tcp_continuation_to,
3311 { "This is a continuation to the PDU in frame", "tcp.continuation_to", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3312 "This is a continuation to the PDU in frame #", HFILL }},
3314 { &hf_tcp_analysis_zero_window_probe,
3315 { "Zero Window Probe", "tcp.analysis.zero_window_probe", FT_NONE, BASE_NONE, NULL, 0x0,
3316 "This is a zero-window-probe", HFILL }},
3318 { &hf_tcp_analysis_zero_window_probe_ack,
3319 { "Zero Window Probe Ack", "tcp.analysis.zero_window_probe_ack", FT_NONE, BASE_NONE, NULL, 0x0,
3320 "This is an ACK to a zero-window-probe", HFILL }},
3322 { &hf_tcp_analysis_zero_window,
3323 { "Zero Window", "tcp.analysis.zero_window", FT_NONE, BASE_NONE, NULL, 0x0,
3324 "This is a zero-window", HFILL }},
3327 { "TCP Segment Len", "tcp.len", FT_UINT32, BASE_DEC, NULL, 0x0,
3330 { &hf_tcp_analysis_acks_frame,
3331 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3332 "Which previous segment is this an ACK for", HFILL}},
3334 { &hf_tcp_analysis_ack_rtt,
3335 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
3336 "How long time it took to ACK the segment (RTT)", HFILL}},
3338 { &hf_tcp_analysis_rto,
3339 { "The RTO for this segment was", "tcp.analysis.rto", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
3340 "How long transmission was delayed before this segment was retransmitted (RTO)", HFILL}},
3342 { &hf_tcp_analysis_rto_frame,
3343 { "RTO based on delta from frame", "tcp.analysis.rto_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3344 "This is the frame we measure the RTO from", HFILL }},
3346 { &hf_tcp_urgent_pointer,
3347 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
3350 { &hf_tcp_segment_overlap,
3351 { "Segment overlap", "tcp.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3352 "Segment overlaps with other segments", HFILL }},
3354 { &hf_tcp_segment_overlap_conflict,
3355 { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3356 "Overlapping segments contained conflicting data", HFILL }},
3358 { &hf_tcp_segment_multiple_tails,
3359 { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3360 "Several tails were found when reassembling the pdu", HFILL }},
3362 { &hf_tcp_segment_too_long_fragment,
3363 { "Segment too long", "tcp.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3364 "Segment contained data past end of the pdu", HFILL }},
3366 { &hf_tcp_segment_error,
3367 { "Reassembling error", "tcp.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3368 "Reassembling error due to illegal segments", HFILL }},
3371 { "TCP Segment", "tcp.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3372 "TCP Segment", HFILL }},
3375 { "Reassembled TCP Segments", "tcp.segments", FT_NONE, BASE_NONE, NULL, 0x0,
3376 "TCP Segments", HFILL }},
3378 { &hf_tcp_reassembled_in,
3379 { "Reassembled PDU in frame", "tcp.reassembled_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3380 "The PDU that doesn't end in this segment is reassembled in this frame", HFILL }},
3383 { "TCP Options", "tcp.options", FT_BYTES,
3384 BASE_HEX, NULL, 0x0, "TCP Options", HFILL }},
3386 { &hf_tcp_option_mss,
3387 { "TCP MSS Option", "tcp.options.mss", FT_BOOLEAN,
3388 BASE_NONE, NULL, 0x0, "TCP MSS Option", HFILL }},
3390 { &hf_tcp_option_mss_val,
3391 { "TCP MSS Option Value", "tcp.options.mss_val", FT_UINT16,
3392 BASE_DEC, NULL, 0x0, "TCP MSS Option Value", HFILL}},
3394 { &hf_tcp_option_wscale,
3395 { "TCP Window Scale Option", "tcp.options.wscale",
3397 BASE_NONE, NULL, 0x0, "TCP Window Option", HFILL}},
3399 { &hf_tcp_option_wscale_val,
3400 { "TCP Windows Scale Option Value", "tcp.options.wscale_val",
3401 FT_UINT8, BASE_DEC, NULL, 0x0, "TCP Window Scale Value",
3404 { &hf_tcp_option_sack_perm,
3405 { "TCP Sack Perm Option", "tcp.options.sack_perm",
3407 BASE_NONE, NULL, 0x0, "TCP Sack Perm Option", HFILL}},
3409 { &hf_tcp_option_sack,
3410 { "TCP Sack Option", "tcp.options.sack", FT_BOOLEAN,
3411 BASE_NONE, NULL, 0x0, "TCP Sack Option", HFILL}},
3413 { &hf_tcp_option_sack_sle,
3414 {"TCP Sack Left Edge", "tcp.options.sack_le", FT_UINT32,
3415 BASE_DEC, NULL, 0x0, "TCP Sack Left Edge", HFILL}},
3417 { &hf_tcp_option_sack_sre,
3418 {"TCP Sack Right Edge", "tcp.options.sack_re", FT_UINT32,
3419 BASE_DEC, NULL, 0x0, "TCP Sack Right Edge", HFILL}},
3421 { &hf_tcp_option_echo,
3422 { "TCP Echo Option", "tcp.options.echo", FT_BOOLEAN,
3423 BASE_NONE, NULL, 0x0, "TCP Sack Echo", HFILL}},
3425 { &hf_tcp_option_echo_reply,
3426 { "TCP Echo Reply Option", "tcp.options.echo_reply",
3428 BASE_NONE, NULL, 0x0, "TCP Echo Reply Option", HFILL}},
3430 { &hf_tcp_option_time_stamp,
3431 { "TCP Time Stamp Option", "tcp.options.time_stamp",
3433 BASE_NONE, NULL, 0x0, "TCP Time Stamp Option", HFILL}},
3435 { &hf_tcp_option_cc,
3436 { "TCP CC Option", "tcp.options.cc", FT_BOOLEAN, BASE_NONE,
3437 NULL, 0x0, "TCP CC Option", HFILL}},
3439 { &hf_tcp_option_ccnew,
3440 { "TCP CC New Option", "tcp.options.ccnew", FT_BOOLEAN,
3441 BASE_NONE, NULL, 0x0, "TCP CC New Option", HFILL}},
3443 { &hf_tcp_option_ccecho,
3444 { "TCP CC Echo Option", "tcp.options.ccecho", FT_BOOLEAN,
3445 BASE_NONE, NULL, 0x0, "TCP CC Echo Option", HFILL}},
3447 { &hf_tcp_option_md5,
3448 { "TCP MD5 Option", "tcp.options.md5", FT_BOOLEAN, BASE_NONE,
3449 NULL, 0x0, "TCP MD5 Option", HFILL}},
3451 { &hf_tcp_option_qs,
3452 { "TCP QS Option", "tcp.options.qs", FT_BOOLEAN, BASE_NONE,
3453 NULL, 0x0, "TCP QS Option", HFILL}},
3456 { "Time until the last segment of this PDU", "tcp.pdu.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
3457 "How long time has passed until the last frame of this PDU", HFILL}},
3460 { "PDU Size", "tcp.pdu.size", FT_UINT32, BASE_DEC, NULL, 0x0,
3461 "The size of this PDU", HFILL}},
3463 { &hf_tcp_pdu_last_frame,
3464 { "Last frame of this PDU", "tcp.pdu.last_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
3465 "This is the last frame of the PDU starting in this segment", HFILL }},
3467 { &hf_tcp_ts_relative,
3468 { "Time since first frame in this TCP stream", "tcp.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
3469 "Time relative to first frame in this TCP stream", HFILL}},
3472 { "Time since previous frame in this TCP stream", "tcp.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
3473 "Time delta from previous frame in this TCP stream", HFILL}},
3476 static gint *ett[] = {
3480 &ett_tcp_option_sack,
3481 &ett_tcp_analysis_faults,
3483 &ett_tcp_timestamps,
3488 module_t *tcp_module;
3490 proto_tcp = proto_register_protocol("Transmission Control Protocol",
3492 proto_register_field_array(proto_tcp, hf, array_length(hf));
3493 proto_register_subtree_array(ett, array_length(ett));
3495 /* subdissector code */
3496 subdissector_table = register_dissector_table("tcp.port",
3497 "TCP port", FT_UINT16, BASE_DEC);
3498 register_heur_dissector_list("tcp", &heur_subdissector_list);
3500 /* Register configuration preferences */
3501 tcp_module = prefs_register_protocol(proto_tcp, NULL);
3502 prefs_register_bool_preference(tcp_module, "summary_in_tree",
3503 "Show TCP summary in protocol tree",
3504 "Whether the TCP summary line should be shown in the protocol tree",
3505 &tcp_summary_in_tree);
3506 prefs_register_bool_preference(tcp_module, "check_checksum",
3507 "Validate the TCP checksum if possible",
3508 "Whether to validate the TCP checksum",
3509 &tcp_check_checksum);
3510 prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
3511 "Allow subdissector to reassemble TCP streams",
3512 "Whether subdissector can request TCP streams to be reassembled",
3514 prefs_register_bool_preference(tcp_module, "analyze_sequence_numbers",
3515 "Analyze TCP sequence numbers",
3516 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
3518 prefs_register_bool_preference(tcp_module, "relative_sequence_numbers",
3519 "Relative sequence numbers and window scaling",
3520 "Make the TCP dissector use relative sequence numbers instead of absolute ones. "
3521 "To use this option you must also enable \"Analyze TCP sequence numbers\". "
3522 "This option will also try to track and adjust the window field according to any TCP window scaling options seen.",
3524 prefs_register_bool_preference(tcp_module, "calculate_timestamps",
3525 "Calculate conversation timestamps",
3526 "Calculate timestamps relative to the first frame and the previous frame in the tcp conversation",
3528 prefs_register_bool_preference(tcp_module, "try_heuristic_first",
3529 "Try heuristic sub-dissectors first",
3530 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
3531 &try_heuristic_first);
3533 register_init_routine(tcp_fragment_init);
/*
 * Handoff registration for the TCP dissector.
 *
 * Creates a dissector handle for dissect_tcp, adds it to the "ip.proto"
 * table under IP_PROTO_TCP, looks up the "data" dissector, and registers
 * the "tcp" tap. Takes no arguments.
 */
3537 proto_reg_handoff_tcp(void)
3539 dissector_handle_t tcp_handle;
/* Bind dissect_tcp to proto_tcp and register it for IP_PROTO_TCP in the
 * "ip.proto" table; presumably this is how the IP dissector hands TCP
 * segments (untrusted capture data) to this file -- confirm in packet-ip. */
3541 tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
3542 dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
/* Keep a handle to the dissector named "data" in data_handle.
 * NOTE(review): the lookup result is not checked here; presumably it is the
 * fallback for payload no subdissector claims -- confirm at the call sites
 * that a missing handle is tolerated. */
3543 data_handle = find_dissector("data");
/* Register the "tcp" tap and store its id in the file-scope tcp_tap
 * (initialised to -1 at the top of the file). */
3544 tcp_tap = register_tap("tcp");