2 * Routines for pop packet dissection
4 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-tftp.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
37 #include <epan/packet.h>
38 #include <epan/strutil.h>
39 #include <epan/conversation.h>
40 #include <epan/prefs.h>
41 #include <epan/reassemble.h>
42 #include "packet-ssl.h"
44 static int proto_pop = -1;
46 static int hf_pop_response = -1;
47 static int hf_pop_response_indicator = -1;
48 static int hf_pop_response_description = -1;
49 static int hf_pop_response_data = -1;
51 static int hf_pop_request = -1;
52 static int hf_pop_request_command = -1;
53 static int hf_pop_request_parameter = -1;
54 static int hf_pop_request_data = -1;
56 static int hf_pop_data_fragments = -1;
57 static int hf_pop_data_fragment = -1;
58 static int hf_pop_data_fragment_overlap = -1;
59 static int hf_pop_data_fragment_overlap_conflicts = -1;
60 static int hf_pop_data_fragment_multiple_tails = -1;
61 static int hf_pop_data_fragment_too_long_fragment = -1;
62 static int hf_pop_data_fragment_error = -1;
63 static int hf_pop_data_fragment_count = -1;
64 static int hf_pop_data_reassembled_in = -1;
65 static int hf_pop_data_reassembled_length = -1;
67 static gint ett_pop = -1;
68 static gint ett_pop_reqresp = -1;
70 static gint ett_pop_data_fragment = -1;
71 static gint ett_pop_data_fragments = -1;
73 static dissector_handle_t data_handle;
74 static dissector_handle_t imf_handle = NULL;
76 #define TCP_PORT_POP 110
77 #define TCP_PORT_SSL_POP 995
79 /* desegmentation of POP command and response lines */
80 static gboolean pop_data_desegment = TRUE;
82 static GHashTable *pop_data_segment_table = NULL;
83 static GHashTable *pop_data_reassembled_table = NULL;
85 static const fragment_items pop_data_frag_items = {
86 /* Fragment subtrees */
87 &ett_pop_data_fragment,
88 &ett_pop_data_fragments,
90 &hf_pop_data_fragments,
91 &hf_pop_data_fragment,
92 &hf_pop_data_fragment_overlap,
93 &hf_pop_data_fragment_overlap_conflicts,
94 &hf_pop_data_fragment_multiple_tails,
95 &hf_pop_data_fragment_too_long_fragment,
96 &hf_pop_data_fragment_error,
97 &hf_pop_data_fragment_count,
98 /* Reassembled in field */
99 &hf_pop_data_reassembled_in,
100 /* Reassembled length field */
101 &hf_pop_data_reassembled_length,
106 struct pop_proto_data {
107 guint16 conversation_id;
111 struct pop_data_val {
112 gboolean msg_request;
113 guint32 msg_read_len; /* Length of RETR message read so far */
114 guint32 msg_tot_len; /* Total length of RETR message */
119 static gboolean response_is_continuation(const guchar *data);
122 dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
124 struct pop_proto_data *frame_data_p;
126 gboolean is_continuation;
127 proto_tree *pop_tree, *reqresp_tree;
134 const guchar *next_token;
135 fragment_data *frag_msg = NULL;
136 tvbuff_t *next_tvb = NULL;
137 conversation_t *conversation = NULL;
138 struct pop_data_val *data_val = NULL;
139 gint length_remaining;
141 col_set_str(pinfo->cinfo, COL_PROTOCOL, "POP");
144 * Find the end of the first line.
146 * Note that "tvb_find_line_end()" will return a value that is
147 * not longer than what's in the buffer, so the "tvb_get_ptr()"
148 * call won't throw an exception.
150 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
151 line = tvb_get_ptr(tvb, offset, linelen);
153 if (pinfo->match_uint == pinfo->destport) {
155 is_continuation = FALSE;
158 is_continuation = response_is_continuation(line);
161 frame_data_p = p_get_proto_data(pinfo->fd, proto_pop);
165 conversation = find_or_create_conversation(pinfo);
167 data_val = conversation_get_proto_data(conversation, proto_pop);
172 * No - create one and attach it.
174 data_val = se_alloc0(sizeof(struct pop_data_val));
176 conversation_add_proto_data(conversation, proto_pop, data_val);
180 if (check_col(pinfo->cinfo, COL_INFO)) {
182 * Put the first line from the buffer into the summary
183 * if it's a POP request or reply (but leave out the
185 * Otherwise, just call it a continuation.
187 if (is_continuation) {
188 length_remaining = tvb_length_remaining(tvb, offset);
189 col_add_fstr(pinfo->cinfo, COL_INFO, "S: DATA fragment, %d byte%s",
190 length_remaining, plurality (length_remaining, "", "s"));
193 col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "C" : "S",
194 format_text(line, linelen));
197 ti = proto_tree_add_item(tree, proto_pop, tvb, offset, -1, ENC_NA);
198 pop_tree = proto_item_add_subtree(ti, ett_pop);
200 if (is_continuation) {
202 if (pop_data_desegment) {
206 data_val->msg_read_len += tvb_length(tvb);
208 frame_data_p = se_alloc(sizeof(struct pop_proto_data));
210 frame_data_p->conversation_id = conversation->index;
211 frame_data_p->more_frags = data_val->msg_read_len < data_val->msg_tot_len;
213 p_add_proto_data(pinfo->fd, proto_pop, frame_data_p);
216 frag_msg = fragment_add_seq_next(tvb, 0, pinfo,
217 frame_data_p->conversation_id,
218 pop_data_segment_table,
219 pop_data_reassembled_table,
221 frame_data_p->more_frags);
223 next_tvb = process_reassembled_data(tvb, offset, pinfo,
225 frag_msg, &pop_data_frag_items,
231 call_dissector(imf_handle, next_tvb, pinfo, tree);
234 /* we have read everything - reset */
236 data_val->msg_read_len = 0;
237 data_val->msg_tot_len = 0;
239 pinfo->fragmented = FALSE;
241 pinfo->fragmented = TRUE;
247 * Put the whole packet into the tree as data.
249 call_dissector(data_handle,tvb, pinfo, pop_tree);
256 * Put the line into the protocol tree.
258 ti = proto_tree_add_string_format(pop_tree,
263 next_offset - offset,
265 tvb_format_text(tvb, offset, next_offset - offset));
266 reqresp_tree = proto_item_add_subtree(ti, ett_pop_reqresp);
269 * Extract the first token, and, if there is a first
270 * token, add it as the request or reply code.
272 tokenlen = get_token_len(line, line + linelen, &next_token);
274 proto_tree_add_item(reqresp_tree,
276 hf_pop_request_command :
277 hf_pop_response_indicator,
278 tvb, offset, tokenlen, FALSE);
282 /* see if this is RETR or TOP command */
283 if (g_ascii_strncasecmp(line, "RETR", 4) == 0 ||
284 g_ascii_strncasecmp(line, "TOP", 3) == 0)
285 /* the next response will tell us how many bytes */
286 data_val->msg_request = TRUE;
288 if (data_val->msg_request) {
289 /* this is a response to a RETR or TOP command */
291 if (g_ascii_strncasecmp(line, "+OK ", 4) == 0) {
292 /* the message will be sent - work out how many bytes */
293 data_val->msg_read_len = 0;
294 data_val->msg_tot_len = atoi(line + 4);
296 data_val->msg_request = FALSE;
301 offset += (gint) (next_token - line);
302 linelen -= (int) (next_token - line);
308 * Add the rest of the first line as request or
309 * reply param/description.
312 proto_tree_add_item(reqresp_tree,
314 hf_pop_request_parameter :
315 hf_pop_response_description,
316 tvb, offset, linelen, FALSE);
318 offset = next_offset;
321 * Show the rest of the request or response as text,
324 while (tvb_offset_exists(tvb, offset)) {
326 * Find the end of the line.
328 tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
333 proto_tree_add_string_format(pop_tree,
335 hf_pop_request_data :
336 hf_pop_response_data,
338 next_offset - offset,
340 tvb_format_text(tvb, offset, next_offset - offset));
341 offset = next_offset;
346 static gboolean response_is_continuation(const guchar *data)
348 if (strncmp(data, "+OK", strlen("+OK")) == 0)
351 if (strncmp(data, "-ERR", strlen("-ERR")) == 0)
357 static void pop_data_reassemble_init (void)
359 fragment_table_init (&pop_data_segment_table);
360 reassembled_table_init (&pop_data_reassembled_table);
364 proto_register_pop(void)
366 static hf_register_info hf[] = {
368 { "Response", "pop.response",
369 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
370 { &hf_pop_response_indicator,
371 { "Response indicator", "pop.response.indicator",
372 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
373 { &hf_pop_response_description,
374 { "Response description", "pop.response.description",
375 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
376 { &hf_pop_response_data,
377 { "Data", "pop.response.data",
378 FT_STRING, BASE_NONE, NULL, 0x0, "Response Data", HFILL }},
380 { "Request", "pop.request",
381 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
382 { &hf_pop_request_command,
383 { "Request command", "pop.request.command",
384 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
385 { &hf_pop_request_parameter,
386 { "Request parameter", "pop.request.parameter",
387 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
388 { &hf_pop_request_data,
389 { "Data", "pop.request.data",
390 FT_STRING, BASE_NONE, NULL, 0x0, "Request data", HFILL }},
391 /* Fragment entries */
392 { &hf_pop_data_fragments,
393 { "DATA fragments", "pop.data.fragments", FT_NONE, BASE_NONE,
394 NULL, 0x00, "Message fragments", HFILL } },
395 { &hf_pop_data_fragment,
396 { "DATA fragment", "pop.data.fragment", FT_FRAMENUM, BASE_NONE,
397 NULL, 0x00, "Message fragment", HFILL } },
398 { &hf_pop_data_fragment_overlap,
399 { "DATA fragment overlap", "pop.data.fragment.overlap", FT_BOOLEAN,
400 BASE_NONE, NULL, 0x0, "Message fragment overlap", HFILL } },
401 { &hf_pop_data_fragment_overlap_conflicts,
402 { "DATA fragment overlapping with conflicting data",
403 "pop.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL,
404 0x0, "Message fragment overlapping with conflicting data", HFILL } },
405 { &hf_pop_data_fragment_multiple_tails,
406 { "DATA has multiple tail fragments",
407 "pop.data.fragment.multiple_tails", FT_BOOLEAN, BASE_NONE,
408 NULL, 0x0, "Message has multiple tail fragments", HFILL } },
409 { &hf_pop_data_fragment_too_long_fragment,
410 { "DATA fragment too long", "pop.data.fragment.too_long_fragment",
411 FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message fragment too long",
413 { &hf_pop_data_fragment_error,
414 { "DATA defragmentation error", "pop.data.fragment.error", FT_FRAMENUM,
415 BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } },
416 { &hf_pop_data_fragment_count,
417 { "DATA fragment count", "pop.data.fragment.count", FT_UINT32, BASE_DEC,
418 NULL, 0x00, NULL, HFILL } },
419 { &hf_pop_data_reassembled_in,
420 { "Reassembled DATA in frame", "pop.data.reassembled.in", FT_FRAMENUM, BASE_NONE,
421 NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } },
422 { &hf_pop_data_reassembled_length,
423 { "Reassembled DATA length", "pop.data.reassembled.length", FT_UINT32, BASE_DEC,
424 NULL, 0x00, "The total length of the reassembled payload", HFILL } },
427 static gint *ett[] = {
430 &ett_pop_data_fragment,
431 &ett_pop_data_fragments
433 module_t *pop_module;
436 proto_pop = proto_register_protocol("Post Office Protocol", "POP", "pop");
437 register_dissector("pop", dissect_pop, proto_pop);
438 proto_register_field_array(proto_pop, hf, array_length(hf));
439 proto_register_subtree_array(ett, array_length(ett));
440 register_init_routine (&pop_data_reassemble_init);
443 pop_module = prefs_register_protocol(proto_pop, NULL);
445 prefs_register_bool_preference(pop_module, "desegment_data",
446 "Reassemble POP RETR and TOP responses spanning multiple TCP segments",
447 "Whether the POP dissector should reassemble RETR and TOP responses and spanning multiple TCP segments."
448 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
449 &pop_data_desegment);
453 proto_reg_handoff_pop(void)
455 dissector_handle_t pop_handle;
457 pop_handle = find_dissector("pop");
458 dissector_add_uint("tcp.port", TCP_PORT_POP, pop_handle);
459 ssl_dissector_add(TCP_PORT_SSL_POP, "pop", TRUE);
460 data_handle = find_dissector("data");
462 /* find the IMF dissector */
463 imf_handle = find_dissector("imf");