2 * Routines for Microsoft Proxy packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-msproxy.c,v 1.11 2000/08/21 18:36:34 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * This was derived from the dante socks implimentation source code.
28 * Most of the information came from common.h and msproxy_clientprotocol.c
30 * See http://www.inet.no/dante for more information
34 /************************************************************************
36 * Notes: These are possible command values. User input is welcome *
38 * Command = 0x040a - Remote host closed connection (maybe ?? ) *
39 * Command = 0x0411 - Remote host closed connection *
40 * Command = 0x0413 - Local host closed connection or SYN worked *
42 ************************************************************************/
51 #ifdef HAVE_SYS_TYPES_H
52 # include <sys/types.h>
55 #ifdef HAVE_NETINET_IN_H
56 # include <netinet/in.h>
63 #ifdef NEED_SNPRINTF_H
64 # include "snprintf.h"
70 #include "alignment.h"
71 #include "conversation.h"
73 #include "packet-tcp.h"
74 #include "packet-udp.h"
76 #define CHECK_PACKET_LENGTH(X) if (!BYTES_ARE_IN_FRAME(offset, X)){ \
77 proto_tree_add_text(tree, NullTVB, offset, 0, "****FRAME TOO SHORT***"); return;}
79 extern void udp_hash_add(guint16 proto,
80 void (*dissect)(const u_char *, int, frame_data *, proto_tree *));
83 static int proto_msproxy = -1;
85 static int ett_msproxy = -1;
86 static int ett_msproxy_name = -1;
88 static int hf_msproxy_cmd = -1;
89 static int hf_msproxy_clntport = -1;
91 static int hf_msproxy_dstaddr = -1;
93 static int hf_msproxy_srcport = -1;
94 static int hf_msproxy_dstport = -1;
95 static int hf_msproxy_serverport = -1;
96 static int hf_msproxy_serveraddr = -1;
97 static int hf_msproxy_bindport = -1;
98 static int hf_msproxy_bindaddr = -1;
99 static int hf_msproxy_boundport = -1;
100 static int hf_msproxy_bind_id = -1;
101 static int hf_msproxy_resolvaddr = -1;
103 static int hf_msproxy_server_int_addr = -1;
104 static int hf_msproxy_server_int_port = -1;
105 static int hf_msproxy_server_ext_addr = -1;
106 static int hf_msproxy_server_ext_port = -1;
109 #define UDP_PORT_MSPROXY 1745
111 #define N_MSPROXY_HELLO 0x05 /* packet 1 from client */
112 #define N_MSPROXY_ACK 0x10 /* packet 1 from server */
113 #define N_MSPROXY_USERINFO_ACK 0x04 /* packet 2 from server */
114 #define N_MSPROXY_AUTH 0x47 /* packet 3 from client */
115 #define N_MSPROXY_RESOLVE 0x07 /* Resolve request */
118 /*$$$ 0x0500 was dante value, I see 0x05ff and 0x0500 */
120 #define MSPROXY_HELLO 0x0500
121 #define MSPROXY_HELLO_2 0x05ff
123 #define MSPROXY_HELLO_ACK 0x1000
125 #define MSPROXY_USERINFO 0x1000
126 #define MSPROXY_USERINFO_ACK 0x0400
128 #define MSPROXY_AUTH 0x4700
129 #define MSPROXY_AUTH_1_ACK 0x4714
130 #define MSPROXY_AUTH_2 0x4701
131 #define MSPROXY_AUTH_2_ACK 0x4715
132 #define MSPROXY_AUTH_2_ACK2 0x4716
134 #define MSPROXY_RESOLVE 0x070d
135 #define MSPROXY_RESOLVE_ACK 0x070f
137 #define MSPROXY_BIND 0x0704
138 #define MSPROXY_BIND_ACK 0x0706
140 #define MSPROXY_TCP_BIND 0x0707
141 #define MSPROXY_TCP_BIND_ACK 0x0708
143 #define MSPROXY_LISTEN 0x0406
145 #define MSPROXY_BINDINFO 0x0709
147 #define MSPROXY_BINDINFO_ACK 0x070a
149 #define MSPROXY_CONNECT 0x071e
150 #define MSPROXY_CONNECT_ACK 0x0703
152 #define MSPROXY_UDPASSOCIATE 0x0705
153 #define MSPROXY_UDPASSOCIATE_ACK 0x0706
155 #define MSPROXY_UDP_BIND_REQ 0x070b
157 #define MSPROXY_CONNECTED 0x042c
158 #define MSPROXY_SESSIONEND 0x251e
160 #define MSPROXY_BIND_AUTHFAILED 0x0804
161 #define MSPROXY_CONNECT_AUTHFAILED 0x081e
162 #define MSPROXY_CONNREFUSED 0x4 /* low 12 bits seem to vary. */
164 #define FROM_SERVER 1 /* direction of packet data for get_msproxy_cmd_name */
165 #define FROM_CLIENT 0
170 /*$$$ should this be the same as redirect_entry_t ?? */
171 /* then the add_conversation could just copy the structure */
172 /* using the same allocation (instance for you object guys) */
173 /* wouldn't work because there may be multiple child conversations */
174 /* from the same MSProxy conversation */
180 guint32 server_int_port;
185 /************** conversation hash stuff ***************/
187 #define hash_init_count 20
188 #define hash_val_length (sizeof(hash_entry_t))
190 static GMemChunk *vals = NULL;
195 guint32 server_int_port;
201 /************** negotiated conversation hash stuff ***************/
203 #define redirect_init_count 20
204 #define redirect_val_length (sizeof(redirect_entry_t))
206 static GMemChunk *redirect_vals = NULL;
209 static guint32 last_row= 0; /* used to see if packet is new */
211 static void msproxy_sub_dissector( const u_char *pd, int offset, frame_data *fd,
214 /* Conversation dissector called from TCP or UDP dissector. Decode and */
215 /* display the socks header, the pass the rest of the data to the tcp */
216 /* or udp port decode routine to handle the payload. */
219 redirect_entry_t *redirect_info;
220 conversation_t *conversation;
221 proto_tree *msp_tree;
224 conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
225 pi.srcport, pi.destport);
227 g_assert( conversation); /* should always find a conversation */
229 redirect_info = (redirect_entry_t*)conversation->data;
231 if (check_col(fd, COL_PROTOCOL))
232 col_add_str(fd, COL_PROTOCOL, "MS Proxy");
234 if (check_col(fd, COL_INFO))
235 col_add_fstr(fd, COL_INFO, "%s",
236 (( redirect_info->proto == PT_TCP) ? "TCP stream" :
240 ti = proto_tree_add_item( tree, proto_msproxy, NullTVB, offset, 0,
243 msp_tree = proto_item_add_subtree(ti, ett_msproxy);
245 proto_tree_add_uint( msp_tree, hf_msproxy_dstport, NullTVB,
246 offset, 0, redirect_info->remote_port);
248 proto_tree_add_ipv4( msp_tree, hf_msproxy_dstaddr, NullTVB, offset, 0,
249 redirect_info->remote_addr);
253 /* set pi src/dst port and call the udp sub-dissector lookup */
255 if ( pi.srcport == redirect_info->clnt_port)
260 *ptr = redirect_info->remote_port;
262 if ( redirect_info->proto == PT_TCP)
263 decode_tcp_ports( pd, offset, fd, tree, pi.srcport, pi.destport);
265 decode_udp_ports( pd, offset, fd, tree, pi.srcport, pi.destport);
267 *ptr = redirect_info->server_int_port;
272 static void add_msproxy_conversation( hash_entry_t *hash_info){
274 /* check to see if a conversation already exists, if it does assume */
275 /* it's our conversation and quit. Otherwise create a new conversation. */
276 /* Load the conversation dissector to our dissector and load the */
277 /* conversation data structure with the info needed to call the TCP or */
278 /* UDP port decoder. */
280 /* NOTE: Currently this assume that the conversation will be created */
281 /* during a packet from the server. If that changes, the pi.src */
282 /* and pi.dst will not be correct and this routine will have to */
285 redirect_entry_t *new_conv_info;
287 conversation_t *conversation = find_conversation( &pi.src, &pi.dst,
288 hash_info->proto, hash_info->server_int_port,
289 hash_info->clnt_port);
294 new_conv_info = g_mem_chunk_alloc(redirect_vals);
295 conversation = conversation_new( &pi.src, &pi.dst, hash_info->proto,
296 hash_info->server_int_port, hash_info->clnt_port, new_conv_info);
298 g_assert( new_conv_info);
299 g_assert( conversation);
301 new_conv_info->remote_addr = hash_info->dst_addr;
302 new_conv_info->clnt_port = hash_info->clnt_port;
303 new_conv_info->remote_port = hash_info->dst_port;
304 new_conv_info->server_int_port = hash_info->server_int_port;
305 new_conv_info->proto = hash_info->proto;
307 old_conversation_set_dissector(conversation, msproxy_sub_dissector);
312 static int display_application_name(const u_char *pd, int offset,
313 frame_data *fd, proto_tree *tree) {
315 /* display the application name in the proto tree. */
317 /* NOTE: this routine assumes that the tree pointer is valid (not NULL) */
321 if (!IS_DATA_IN_FRAME(offset)){
322 proto_tree_add_text(tree, NullTVB, offset, 0, "****FRAME TOO SHORT***");
326 strncpy( temp, &pd[ offset], MIN( 255, END_OF_FRAME));
327 temp[ MIN( 255, END_OF_FRAME)] = 0;
328 proto_tree_add_text( tree, NullTVB, offset, strlen(temp), "Application: %s", temp);
335 static char *get_msproxy_cmd_name( int cmd, int direction) {
337 /* return the command name string for cmd */
340 case MSPROXY_HELLO_2:
341 case MSPROXY_HELLO: return "Hello";
343 /* MSPROXY_HELLO_ACK & MSPROXY_USERINFO have the same value (0x1000). */
344 /* So use the direction flag to determine which to use. */
346 case MSPROXY_USERINFO:
347 if ( direction == FROM_SERVER)
348 return "Hello Acknowledge";
351 case MSPROXY_USERINFO_ACK: return "User Info Acknowledge";
352 case MSPROXY_AUTH: return "Authentication";
353 case MSPROXY_AUTH_1_ACK: return "Authentication Acknowledge";
354 case MSPROXY_AUTH_2: return "Authentication 2";
355 case MSPROXY_AUTH_2_ACK: return "Authentication 2 Acknowledge";
356 case MSPROXY_RESOLVE: return "Resolve";
357 case MSPROXY_RESOLVE_ACK: return "Resolve Acknowledge";
358 case MSPROXY_BIND: return "Bind";
359 case MSPROXY_TCP_BIND: return "TCP Bind";
360 case MSPROXY_TCP_BIND_ACK: return "TCP Bind Acknowledge";
361 case MSPROXY_LISTEN: return "Listen";
362 case MSPROXY_BINDINFO: return "Bind Info";
363 case MSPROXY_BINDINFO_ACK: return "Bind Info Acknowledge";
364 case MSPROXY_CONNECT: return "Connect";
365 case MSPROXY_CONNECT_ACK: return "Connect Acknowledge";
366 case MSPROXY_UDPASSOCIATE: return "UDP Associate";
367 case MSPROXY_UDP_BIND_REQ: return "UDP Bind";
368 case MSPROXY_UDPASSOCIATE_ACK: return "Bind or Associate Acknowledge";
369 case MSPROXY_CONNECTED: return "Connected";
370 case MSPROXY_SESSIONEND: return "Session End";
372 default: return "Unknown";
378 static void dissect_user_info_2(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
380 /* decode the user, application, computer name */
386 strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
387 str[ MIN( 255, END_OF_FRAME)] = 0;
389 proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
390 "User name: %s", str);
391 offset += strlen( str) + 2;
393 strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
394 str[ MIN( 255, END_OF_FRAME)] = 0;
396 proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
397 "Application name: %s", str);
398 offset += strlen( str) + 1;
400 strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
401 str[ MIN( 255, END_OF_FRAME)] = 0;
403 proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
404 "Client computer name: %s", str);
410 static void dissect_msproxy_request_1(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
412 /* decode the request _1 structure */
417 dissect_user_info_2( pd, 262, fd, tree);
423 static void dissect_bind(const u_char *pd, int offset, frame_data *fd,
424 proto_tree *tree, hash_entry_t *conv_info) {
426 /* decode the bind request */
430 CHECK_PACKET_LENGTH( 4);
432 proto_tree_add_ipv4( tree, hf_msproxy_bindaddr, NullTVB, offset, 4,
436 CHECK_PACKET_LENGTH( 2);
438 proto_tree_add_uint( tree, hf_msproxy_bindport, NullTVB, offset, 2,
439 pntohs( &pd[ offset]));
442 CHECK_PACKET_LENGTH( 2);
444 proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
445 pntohs( &pd[ offset]));
448 conv_info->clnt_port = pntohs( &pd[ offset]);
452 CHECK_PACKET_LENGTH( 2);
453 proto_tree_add_uint( tree, hf_msproxy_boundport, NullTVB, offset, 2,
454 pntohs( &pd[ offset]));
457 display_application_name( pd, offset, fd, tree);
463 static void dissect_auth(const u_char *pd, int offset,
464 frame_data *fd, proto_tree *tree) {
466 /* decode the authorization request */
473 strncpy( temp, &pd[ offset], 7);
475 proto_tree_add_text( tree, NullTVB, offset, 7, "NTLMSSP signature: %s",
483 static void dissect_tcp_bind(const u_char *pd, int offset,
484 frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
486 /* decode the bind packet. Set the protocol type in the conversation */
487 /* information so the bind_info can use it to create the payload */
491 conv_info->proto = PT_TCP;
496 CHECK_PACKET_LENGTH( 4);
497 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
500 CHECK_PACKET_LENGTH( 2);
501 proto_tree_add_uint( tree, hf_msproxy_boundport, NullTVB, offset, 2,
502 pntohs( &pd[ offset]));
505 display_application_name( pd, offset, fd, tree);
510 static void dissect_request_connect(const u_char *pd, int offset, frame_data *fd,
511 proto_tree *tree, hash_entry_t *conv_info) {
513 /* decode the connect request, display */
515 conv_info->proto = PT_TCP;
519 CHECK_PACKET_LENGTH( 2);
521 proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
522 pntohs( &pd[ offset]));
524 conv_info->dst_port = pntohs( &pd[ offset]);
527 CHECK_PACKET_LENGTH( 4);
529 proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
532 memcpy( &conv_info->dst_addr, &pd[ offset], sizeof( guint32));
536 CHECK_PACKET_LENGTH( 2);
537 conv_info->clnt_port = pntohs( &pd[ offset]);
540 proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
541 pntohs( &pd[ offset]));
545 display_application_name( pd, offset, fd, tree);
550 static void dissect_bind_info_ack(const u_char *pd, int offset, frame_data *fd,
551 proto_tree *tree, hash_entry_t *conv_info) {
553 /* decode the client bind info ack */
559 CHECK_PACKET_LENGTH( 4);
560 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
563 CHECK_PACKET_LENGTH( 2);
564 proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
565 pntohs( &pd[ offset]));
568 CHECK_PACKET_LENGTH( 4);
569 proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
573 CHECK_PACKET_LENGTH( 2);
574 proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
575 2, pntohs( &pd[ offset]));
578 CHECK_PACKET_LENGTH( 2);
579 proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
580 2, pntohs( &pd[ offset]));
583 CHECK_PACKET_LENGTH( 4);
584 proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
585 4, GWORD( pd, offset));
588 display_application_name( pd, offset, fd, tree);
593 static void dissect_request_resolve(const u_char *pd, int offset,
594 frame_data *fd, proto_tree *tree) {
596 /* dissect the request resolve structure */
597 /* display a string with a length, characters encoding */
598 /* they are displayed under a tree with the name in Label variable */
599 /* return the length of the string and the length byte */
601 proto_tree *name_tree;
605 int length = GBYTE( pd, offset);
608 strncpy( temp, &pd[ offset + 18], length);
611 ti = proto_tree_add_text(tree, NullTVB, offset, length + 1,
612 "Host Name: %s", temp);
614 name_tree = proto_item_add_subtree(ti, ett_msproxy_name);
616 proto_tree_add_text( name_tree, NullTVB, offset, 1, "Length: %d", length);
621 proto_tree_add_text( name_tree, NullTVB, offset, length, "String: %s",
628 static void dissect_udp_bind(const u_char *pd, int offset,
629 frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
631 /* Dissect the udp bind request. Load the protocol id (PT_UDP) and the */
632 /* remote address so bind_info can use it to create conversation */
635 conv_info->proto = PT_UDP;
640 CHECK_PACKET_LENGTH( 4);
642 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
646 CHECK_PACKET_LENGTH( 2);
648 proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
649 pntohs( &pd[ offset]));
652 CHECK_PACKET_LENGTH( 4);
654 proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
660 display_application_name( pd, offset, fd, tree);
664 static void dissect_udp_assoc(const u_char *pd, int offset,
665 frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
667 /* dissect the udp associate request. And load client port into */
668 /* conversation data structure for later. */
673 CHECK_PACKET_LENGTH( 2);
675 proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
676 pntohs( &pd[ offset]));
678 conv_info->clnt_port = pntohs( &pd[ offset]);
683 display_application_name( pd, offset, fd, tree);
689 static void dissect_msproxy_request(const u_char *pd, int offset, frame_data *fd,
690 proto_tree *tree, hash_entry_t *conv_info) {
696 CHECK_PACKET_LENGTH( 4);
697 proto_tree_add_text( tree, NullTVB, offset, 4, "Client id: 0x%0x",
701 CHECK_PACKET_LENGTH( 4);
702 proto_tree_add_text( tree, NullTVB, offset, 4, "Version: 0x%04x",
706 CHECK_PACKET_LENGTH( 4);
707 proto_tree_add_text( tree, NullTVB, offset, 4, "Server id: 0x%0x",
711 CHECK_PACKET_LENGTH( 2);
712 proto_tree_add_text( tree, NullTVB, offset, 1, "Server ack: %u",
716 CHECK_PACKET_LENGTH( 1);
717 proto_tree_add_text( tree, NullTVB, offset, 1, "Sequence Number: %u",
721 CHECK_PACKET_LENGTH( 4);
722 strncpy( temp, &pd[ offset], 4);
724 proto_tree_add_text( tree, NullTVB, offset, 4, "RWSP signature: %s", temp);
730 CHECK_PACKET_LENGTH( 1);
731 cmd = pntohs( &pd[offset]);
734 proto_tree_add_uint_format( tree, hf_msproxy_cmd, NullTVB, offset, 2,
735 cmd, "Command: 0x%02x (%s)", cmd,
736 get_msproxy_cmd_name( cmd, FROM_CLIENT));
742 dissect_auth( pd, offset, fd, tree);
746 dissect_bind( pd, offset, fd, tree, conv_info);
749 case MSPROXY_UDP_BIND_REQ:
750 dissect_udp_bind( pd, offset, fd, tree, conv_info);
753 case MSPROXY_AUTH_2: /*$$ this is probably wrong place for this */
754 case MSPROXY_TCP_BIND:
755 dissect_tcp_bind( pd, offset, fd, tree, conv_info);
758 case MSPROXY_RESOLVE:
759 dissect_request_resolve( pd, offset, fd, tree);
762 case MSPROXY_CONNECT:
764 dissect_request_connect( pd, offset, fd, tree,
768 case MSPROXY_BINDINFO_ACK:
769 dissect_bind_info_ack( pd, offset, fd, tree, conv_info);
773 case MSPROXY_HELLO_2:
774 dissect_msproxy_request_1( pd, offset, fd, tree);
777 case MSPROXY_UDPASSOCIATE:
778 dissect_udp_assoc( pd, offset, fd, tree, conv_info);
782 proto_tree_add_text( tree, NullTVB, offset, 0,
783 "Unhandled request command (report this, please)");
789 static void dissect_hello_ack(const u_char *pd, int offset, frame_data *fd,
790 proto_tree *tree, hash_entry_t *conv_info) {
792 /* decode the hello acknowledge packet */
797 CHECK_PACKET_LENGTH( 2);
798 proto_tree_add_uint( tree, hf_msproxy_serverport, NullTVB, offset, 2,
799 pntohs( &pd[ offset]));
802 CHECK_PACKET_LENGTH( 4);
803 proto_tree_add_ipv4( tree, hf_msproxy_serveraddr, NullTVB, offset, 4,
811 static void dissect_user_info_ack(const u_char *pd, int offset,
812 frame_data *fd, proto_tree *tree) {
814 /* decode the response _2 structure */
824 static void dissect_udpassociate_ack( const u_char *pd, int offset,
825 frame_data *fd, proto_tree *tree) {
831 CHECK_PACKET_LENGTH( 4);
832 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
835 CHECK_PACKET_LENGTH( 2);
836 proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
839 CHECK_PACKET_LENGTH( 4);
840 proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset, 4, GWORD( pd, offset));
843 display_application_name( pd, offset, fd, tree);
849 static void dissect_auth_1_ack(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
857 CHECK_PACKET_LENGTH( 7);
858 strncpy( temp, &pd[ offset], 7);
860 proto_tree_add_text( tree, NullTVB, offset, 7, "NTLMSSP signature: %s", temp);
863 strncpy( temp, &pd[ offset], MIN( 255, END_OF_FRAME));
864 temp[ MIN( 255, END_OF_FRAME)] = 0;
865 proto_tree_add_text( tree, NullTVB, offset, 255, "NT domain: %s", temp);
872 static void dissect_msproxy_response_4( const u_char *pd, int offset,
873 frame_data *fd, proto_tree *tree) {
875 /* decode the response _4 structure */
882 static void dissect_connect_ack( const u_char *pd, int offset, frame_data *fd,
883 proto_tree *tree, hash_entry_t *conv_info) {
885 /* decode the connect ack packet */
888 CHECK_PACKET_LENGTH( 2);
891 proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
894 conv_info->proto = PT_TCP;
895 conv_info->server_int_port = pntohs( &pd[ offset]);
899 CHECK_PACKET_LENGTH( 2);
900 proto_tree_add_ipv4( tree, hf_msproxy_server_int_addr, NullTVB, offset, 2, GWORD( pd, offset));
903 CHECK_PACKET_LENGTH( 2);
904 proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
907 CHECK_PACKET_LENGTH( 4);
908 proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset, 4, GWORD( pd, offset));
911 display_application_name( pd, offset, fd, tree);
914 add_msproxy_conversation( conv_info);
919 static void dissect_tcp_bind_ack( const u_char *pd, int offset, frame_data *fd,
922 /* decode the tcp bind */
927 CHECK_PACKET_LENGTH( 4);
928 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
931 CHECK_PACKET_LENGTH( 2);
932 proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
933 2, pntohs( &pd[ offset]));
936 CHECK_PACKET_LENGTH( 2);
937 proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
938 2, pntohs( &pd[ offset]));
941 CHECK_PACKET_LENGTH( 4);
942 proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
943 4, GWORD( pd, offset));
947 display_application_name( pd, offset, fd, tree);
953 static void dissect_bind_info( const u_char *pd, int offset, frame_data *fd,
954 proto_tree *tree, hash_entry_t *conv_info) {
956 /* decode the Bind info response from server */
960 CHECK_PACKET_LENGTH( 4);
962 proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
966 CHECK_PACKET_LENGTH( 2);
968 proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
969 pntohs( &pd[ offset]));
970 conv_info->dst_port = pntohs( &pd[ offset]);
973 CHECK_PACKET_LENGTH( 4);
975 proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
978 memcpy( &conv_info->dst_addr, &pd[ offset], sizeof( guint32));
982 CHECK_PACKET_LENGTH( 2);
984 proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
985 2, pntohs( &pd[ offset]));
986 conv_info->server_int_port = pntohs( &pd[ offset]);
991 CHECK_PACKET_LENGTH( 2);
992 proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
993 2, pntohs( &pd[ offset]));
996 CHECK_PACKET_LENGTH( 4);
997 proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
998 4, GWORD( pd, offset));
1001 display_application_name( pd, offset, fd, tree);
1005 add_msproxy_conversation( conv_info);
1010 static void dissect_resolve(const u_char *pd, int offset, frame_data *fd,
1013 /* dissect the response resolve structure */
1014 /* display a string with a length, characters encoding */
1015 /* they are displayed under a tree with the name in Label variable */
1016 /* return the length of the string and the length byte */
1020 int addr_offset = GBYTE( pd, offset);
1022 proto_tree_add_text( tree, NullTVB, offset, 1, "Address offset: %d",
1029 offset += addr_offset;
1031 CHECK_PACKET_LENGTH( 4);
1032 proto_tree_add_ipv4( tree, hf_msproxy_resolvaddr, NullTVB, offset, 4,
1033 GWORD( pd, offset));
1039 static void dissect_msproxy_response(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
1046 CHECK_PACKET_LENGTH( 4);
1047 proto_tree_add_text( tree, NullTVB, offset, 4, "Client id: 0x%0x",
1048 GWORD( pd, offset));
1051 CHECK_PACKET_LENGTH( 4);
1052 proto_tree_add_text( tree, NullTVB, offset, 4, "Version: 0x%04x",
1053 GWORD( pd, offset));
1056 CHECK_PACKET_LENGTH( 4);
1057 proto_tree_add_text( tree, NullTVB, offset, 4, "Server id: 0x%04x",
1058 GWORD( pd, offset));
1061 CHECK_PACKET_LENGTH( 1);
1062 proto_tree_add_text( tree, NullTVB, offset, 1, "Client ack: 0x%02x",
1063 GBYTE( pd, offset));
1067 CHECK_PACKET_LENGTH( 1);
1068 proto_tree_add_text( tree, NullTVB, offset, 1, "Sequence Number: 0x%02x",
1069 GBYTE( pd, offset));
1073 CHECK_PACKET_LENGTH( 4);
1074 strncpy( temp, &pd[ offset], 4);
1076 proto_tree_add_text( tree, NullTVB, offset, 4, "RWSP signature: %s", temp);
1083 CHECK_PACKET_LENGTH( 2);
1084 cmd = pntohs( &pd[offset]);
1087 proto_tree_add_uint_format( tree, hf_msproxy_cmd, NullTVB, offset, 2,
1088 cmd, "Command: 0x%02x (%s)", cmd,
1089 get_msproxy_cmd_name( cmd, FROM_SERVER));
1093 case MSPROXY_HELLO_ACK:
1094 dissect_hello_ack( pd, offset, fd, tree, conv_info);
1097 case MSPROXY_USERINFO_ACK:
1098 dissect_user_info_ack( pd, offset, fd, tree);
1101 case MSPROXY_AUTH_1_ACK:
1102 dissect_auth_1_ack( pd, offset, fd, tree);
1105 /* this also handle the MSPROXY_BIND_ACK ??? check this */
1107 case MSPROXY_UDPASSOCIATE_ACK:
1108 dissect_udpassociate_ack( pd, offset, fd, tree);
1111 case MSPROXY_AUTH_2_ACK:
1112 case MSPROXY_AUTH_2_ACK2:
1113 dissect_msproxy_response_4( pd, offset, fd, tree);
1116 case MSPROXY_TCP_BIND_ACK:
1117 dissect_tcp_bind_ack( pd, offset, fd, tree);
1120 case MSPROXY_CONNECT_ACK:
1121 dissect_connect_ack( pd, offset, fd, tree, conv_info);
1124 case MSPROXY_BINDINFO:
1125 dissect_bind_info( pd, offset, fd, tree, conv_info);
1128 case MSPROXY_RESOLVE_ACK:
1129 dissect_resolve( pd, offset, fd, tree);
1132 case MSPROXY_CONNECT_AUTHFAILED:
1133 case MSPROXY_BIND_AUTHFAILED:
1134 proto_tree_add_text( tree, NullTVB, offset, 0, "No know information (help wanted)");
1140 (((cmd >> 8) == MSPROXY_CONNREFUSED) ||
1141 ((cmd >> 12) == MSPROXY_CONNREFUSED)))
1142 proto_tree_add_text( tree, NullTVB, offset, 0,
1143 "No know information (help wanted)");
1146 proto_tree_add_text( tree, NullTVB, offset, 0,
1147 "Unhandled response command (report this, please)");
1155 static void dissect_msproxy(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
1158 proto_tree *msproxy_tree = NULL;
1163 hash_entry_t *hash_info;
1164 conversation_t *conversation;
1166 OLD_CHECK_DISPLAY_AS_DATA(proto_msproxy, pd, offset, fd, tree);
1168 conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
1169 pi.srcport, pi.destport);
1171 if ( conversation) /* conversation found */
1172 hash_info = conversation->data;
1174 /* new conversation create local data structure */
1176 hash_info = g_mem_chunk_alloc(vals);
1178 conversation_new( &pi.src, &pi.dst, pi.ptype,
1179 pi.srcport, pi.destport, hash_info);
1182 if (check_col(fd, COL_PROTOCOL))
1183 col_add_str(fd, COL_PROTOCOL, "MSproxy");
1186 /* display packet info */
1187 if (check_col(fd, COL_INFO)){
1189 cmd = pntohs( &pd[offset + 36]);
1191 if ( pi.srcport == UDP_PORT_MSPROXY)
1192 col_add_fstr( fd, COL_INFO, "Server message: %s",
1193 get_msproxy_cmd_name( cmd, FROM_SERVER));
1195 col_add_fstr(fd, COL_INFO, "Client message: %s",
1196 get_msproxy_cmd_name( cmd, FROM_CLIENT));
1200 if (tree) { /* if proto tree, decode data */
1201 ti = proto_tree_add_item( tree, proto_msproxy, NullTVB, offset,
1202 END_OF_FRAME, FALSE );
1204 msproxy_tree = proto_item_add_subtree(ti, ett_msproxy);
1207 if ( pi.srcport == UDP_PORT_MSPROXY)
1208 dissect_msproxy_response( pd, offset, fd, msproxy_tree, hash_info);
1210 dissect_msproxy_request( pd, offset, fd, msproxy_tree, hash_info);
1215 static void msproxy_reinit( void){
1217 /* Do the cleanup work when a new pass through the packet list is */
1218 /* performed. Reset the highest row seen counter and re-initialize the */
1219 /* conversation memory chunks. */
1224 g_mem_chunk_destroy(vals);
1226 vals = g_mem_chunk_new("msproxy_vals", hash_val_length,
1227 hash_init_count * hash_val_length,
1231 g_mem_chunk_destroy(redirect_vals);
1233 redirect_vals = g_mem_chunk_new("msproxy_redirect_vals", redirect_val_length,
1234 redirect_init_count * redirect_val_length,
1241 proto_register_msproxy( void){
1243 /* Prep the msproxy protocol, for now, just register it */
1245 static gint *ett[] = {
1249 static hf_register_info hf[] = {
1252 { "Command", "msproxy.command", FT_UINT16, BASE_DEC,
1257 { &hf_msproxy_dstaddr,
1258 { "Destination Address", "msproxy.dstaddr", FT_IPv4, BASE_NONE, NULL,
1263 { &hf_msproxy_srcport,
1264 { "Source Port", "msproxy.srcport", FT_UINT16,
1265 BASE_DEC, NULL, 0x0, ""
1268 { &hf_msproxy_dstport,
1269 { "Destination Port", "msproxy.dstport", FT_UINT16,
1270 BASE_DEC, NULL, 0x0, ""
1273 { &hf_msproxy_clntport,
1274 { "Client Port", "msproxy.clntport", FT_UINT16,
1275 BASE_DEC, NULL, 0x0, ""
1278 { &hf_msproxy_server_ext_addr,
1279 { "Server External Address", "msproxy.server_ext_addr", FT_IPv4, BASE_NONE, NULL,
1284 { &hf_msproxy_server_ext_port,
1285 { "Server External Port", "msproxy.server_ext_port", FT_UINT16,
1286 BASE_DEC, NULL, 0x0, ""
1290 { &hf_msproxy_server_int_addr,
1291 { "Server Internal Address", "msproxy.server_int_addr", FT_IPv4, BASE_NONE, NULL,
1296 { &hf_msproxy_server_int_port,
1297 { "Server Internal Port", "msproxy.server_int_port", FT_UINT16,
1298 BASE_DEC, NULL, 0x0, ""
1301 { &hf_msproxy_serverport,
1302 { "Server Port", "msproxy.serverport", FT_UINT16,
1303 BASE_DEC, NULL, 0x0, ""
1306 { &hf_msproxy_bindport,
1307 { "Bind Port", "msproxy.bindport", FT_UINT16,
1308 BASE_DEC, NULL, 0x0, ""
1311 { &hf_msproxy_boundport,
1312 { "Bound Port", "msproxy.boundport", FT_UINT16,
1313 BASE_DEC, NULL, 0x0, ""
1316 { &hf_msproxy_serveraddr,
1317 { "Server Address", "msproxy.serveraddr", FT_IPv4, BASE_NONE, NULL,
1321 { &hf_msproxy_bindaddr,
1322 { "Destination", "msproxy.bindaddr", FT_IPv4, BASE_NONE, NULL,
1326 { &hf_msproxy_bind_id,
1327 { "Bound Port Id", "msproxy.bindid", FT_UINT32,
1328 BASE_HEX, NULL, 0x0, ""
1331 { &hf_msproxy_resolvaddr,
1332 { "Address", "msproxy.resolvaddr", FT_IPv4, BASE_NONE, NULL,
1339 proto_msproxy = proto_register_protocol ( "MSProxy Protocol", "msproxy");
1341 proto_register_field_array(proto_msproxy, hf, array_length(hf));
1342 proto_register_subtree_array(ett, array_length(ett));
1344 register_init_routine( &msproxy_reinit); /* register re-init routine */
1349 proto_reg_handoff_msproxy(void) {
1351 /* dissector install routine */
1353 old_dissector_add("udp.port", UDP_PORT_MSPROXY, dissect_msproxy);