4 * Routines for Minecraft Pocket Edition protocol packet disassembly.
6 * Nick Carter <ncarter100@gmail.com>
7 * Copyright 2014 Nick Carter
10 * http://wiki.vg/Pocket_Minecraft_Protocol#Packet_Encapsulation
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * SPDX-License-Identifier: GPL-2.0-or-later
20 #include <epan/conversation.h>
21 #include <epan/expert.h>
22 #include <epan/packet.h>
23 #include <epan/prefs.h>
25 #include "packet-raknet.h"
27 /* Minecraft Pocket Edition Protocol
30 * http://wiki.vg/Pocket_Edition_Protocol_Documentation
33 #define MCPE_UDP_PORT_DEFAULT 19132 /* Not IANA registered */
34 static guint mcpe_udp_port_requested = MCPE_UDP_PORT_DEFAULT;
36 static int proto_mcpe = -1;
37 static gint ett_mcpe = -1; /* Should this node be expanded */
38 static gint ett_mcpe_batch = -1;
39 static gint ett_mcpe_batch_record = -1;
40 static gint ett_mcpe_login = -1;
41 static gint ett_mcpe_string = -1;
46 static dissector_handle_t mcpe_handle = NULL;
47 static dissector_table_t mcpe_packet_dissectors = NULL;
52 static expert_field ei_mcpe_unknown_packet_id = EI_INIT;
53 static expert_field ei_mcpe_decompression_failed = EI_INIT;
54 static expert_field ei_mcpe_encrypted_packet = EI_INIT;
57 * Common Header fields
59 static int hf_mcpe_message_id = -1;
60 static int hf_mcpe_packet_id = -1;
61 static int hf_mcpe_string_length = -1;
62 static int hf_mcpe_UTF8_string = -1;
63 static int hf_mcpe_byte_string = -1;
66 * Fields specific to a packet ID
68 static int hf_mcpe_protocol_version = -1;
69 static int hf_mcpe_login_data_length = -1;
70 static int hf_mcpe_login_data = -1;
71 static int hf_mcpe_login = -1;
72 static int hf_mcpe_chain_JSON = -1;
73 static int hf_mcpe_client_data_JWT = -1;
74 static int hf_mcpe_public_key = -1;
75 static int hf_mcpe_server_token = -1;
77 static int hf_mcpe_batch_length = -1;
78 static int hf_mcpe_batch_body = -1;
79 static int hf_mcpe_batch_records = -1;
80 static int hf_mcpe_batch_record_length = -1;
81 static int hf_mcpe_batch_record = -1;
86 static const value_string mcpe_message_names[] = {
92 * Forward declarations
94 void proto_register_mcpe(void);
95 void proto_reg_handoff_mcpe(void);
96 static int mcpe_dissect_login(tvbuff_t*, packet_info*, proto_tree*, void*);
97 static int mcpe_dissect_server_to_client_handshake(tvbuff_t*, packet_info*, proto_tree*, void*);
98 static int mcpe_dissect_batch(tvbuff_t*, packet_info*, proto_tree*, void*);
101 * Protocol definition and handlers.
103 struct mcpe_handler_entry {
105 dissector_t dissector_fp;
108 static const struct mcpe_handler_entry mcpe_packet_handlers[] = {
110 mcpe_dissect_login },
111 { { 0x03, "Server to Client Handshake" },
112 mcpe_dissect_server_to_client_handshake },
114 mcpe_dissect_batch },
118 * Look up table from packet ID to name
120 static value_string mcpe_packet_names[array_length(mcpe_packet_handlers)+1];
125 typedef struct mcpe_session_state {
127 guint32 encryption_starts_after; /* Frame number */
128 } mcpe_session_state_t;
130 static mcpe_session_state_t*
131 mcpe_get_session_state(packet_info *pinfo) {
132 conversation_t* conversation;
133 mcpe_session_state_t* state;
135 conversation = find_or_create_conversation(pinfo);
136 state = (mcpe_session_state_t*)conversation_get_proto_data(conversation, proto_mcpe);
139 state = (mcpe_session_state_t*)wmem_alloc(wmem_file_scope(), sizeof(mcpe_session_state_t));
140 state->encrypted = FALSE;
141 state->encryption_starts_after = 0;
143 conversation_add_proto_data(conversation, proto_mcpe, state);
153 mcpe_dissect_string(proto_tree *tree, int hf, tvbuff_t *tvb, gint *offset, guint encoding) {
155 proto_tree *string_tree;
157 guint32 length_width;
159 if (encoding & ENC_LITTLE_ENDIAN) {
161 * Yes it's crazy. Lengths of string come with two flavors:
162 * big-endian uint16 and little-endian uint32.
164 length = tvb_get_letohl(tvb, *offset);
168 length = tvb_get_ntohs(tvb, *offset);
172 if (encoding & ENC_UTF_8) {
175 string = tvb_get_string_enc(wmem_packet_scope(), tvb, *offset + length_width, length, ENC_UTF_8);
177 ti = proto_tree_add_string(tree, hf, tvb, *offset, length + length_width, string);
178 string_tree = proto_item_add_subtree(ti, ett_mcpe_string);
180 proto_tree_add_item(string_tree, hf_mcpe_string_length, tvb,
181 *offset, length_width, encoding);
182 *offset += length_width;
184 proto_tree_add_item(string_tree, hf_mcpe_UTF8_string, tvb,
185 *offset, length, ENC_UTF_8|ENC_NA);
191 bytes = (guint8*)tvb_memdup(wmem_packet_scope(), tvb, *offset + length_width, length);
193 ti = proto_tree_add_bytes_with_length(tree, hf, tvb, *offset, length + length_width, bytes, length);
194 string_tree = proto_item_add_subtree(ti, ett_mcpe_string);
196 proto_tree_add_item(string_tree, hf_mcpe_string_length, tvb,
197 *offset, length_width, encoding);
198 *offset += length_width;
200 proto_tree_add_item(string_tree, hf_mcpe_byte_string, tvb,
201 *offset, length, ENC_NA);
207 mcpe_dissect_login(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
217 proto_tree_add_item(tree, hf_mcpe_protocol_version, tvb,
218 offset, item_size, ENC_BIG_ENDIAN);
222 proto_tree_add_item_ret_uint(tree, hf_mcpe_login_data_length, tvb,
223 offset, item_size, ENC_BIG_ENDIAN, &comp_length);
226 item_size = comp_length;
227 ti = proto_tree_add_item(tree, hf_mcpe_login_data, tvb,
228 offset, item_size, ENC_NA);
230 login_tvb = tvb_uncompress(tvb, offset, comp_length);
232 guint32 decomp_length;
233 proto_tree *login_tree;
235 add_new_data_source(pinfo, login_tvb, "MCPE Decompressed login data");
236 decomp_length = tvb_captured_length(login_tvb);
239 item_size = decomp_length;
240 ti = proto_tree_add_item(tree, hf_mcpe_login, login_tvb,
241 offset, item_size, ENC_NA);
242 login_tree = proto_item_add_subtree(ti, ett_mcpe_login);
243 proto_item_append_text(ti, " (%u octets)", decomp_length);
244 proto_item_set_generated(ti);
246 mcpe_dissect_string(login_tree, hf_mcpe_chain_JSON , login_tvb, &offset, ENC_LITTLE_ENDIAN | ENC_UTF_8);
247 mcpe_dissect_string(login_tree, hf_mcpe_client_data_JWT, login_tvb, &offset, ENC_LITTLE_ENDIAN | ENC_UTF_8);
250 expert_add_info(pinfo, ti, &ei_mcpe_decompression_failed);
253 return tvb_reported_length(tvb);
257 mcpe_dissect_server_to_client_handshake(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
261 mcpe_session_state_t *state;
263 mcpe_dissect_string(tree, hf_mcpe_public_key, tvb, &offset, ENC_BIG_ENDIAN | ENC_UTF_8);
264 mcpe_dissect_string(tree, hf_mcpe_server_token, tvb, &offset, ENC_BIG_ENDIAN);
267 * Everything will be encrypted once the server sends this.
269 state = mcpe_get_session_state(pinfo);
270 state->encrypted = TRUE;
271 state->encryption_starts_after = pinfo->num;
273 return tvb_reported_length(tvb);
277 mcpe_dissect_batch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
287 proto_tree_add_item_ret_uint(tree, hf_mcpe_batch_length, tvb,
288 offset, item_size, ENC_BIG_ENDIAN, &comp_length);
291 item_size = comp_length;
292 ti = proto_tree_add_item(tree, hf_mcpe_batch_body, tvb,
293 offset, item_size, ENC_NA);
295 batch_tvb = tvb_uncompress(tvb, offset, comp_length);
297 guint32 decomp_length;
298 proto_tree *batch_tree;
300 add_new_data_source(pinfo, batch_tvb, "MCPE Decompressed batch");
301 decomp_length = tvb_captured_length(batch_tvb);
304 item_size = decomp_length;
305 ti = proto_tree_add_item(tree, hf_mcpe_batch_records, batch_tvb,
306 offset, item_size, ENC_NA);
307 batch_tree = proto_item_add_subtree(ti, ett_mcpe_batch);
308 proto_item_append_text(ti, " (%u octets)", decomp_length);
309 proto_item_set_generated(ti);
311 col_append_str(pinfo->cinfo, COL_INFO, " [");
314 guint32 record_length;
315 tvbuff_t *record_tvb;
316 proto_tree *record_tree;
321 proto_tree_add_item_ret_uint(batch_tree, hf_mcpe_batch_record_length, batch_tvb,
322 offset, item_size, ENC_BIG_ENDIAN, &record_length);
325 record_tvb = tvb_new_subset_length(batch_tvb, offset, record_length);
326 offset += record_length;
329 * Take the whole buffer as a single MCPE packet.
331 ti = proto_tree_add_item(batch_tree, hf_mcpe_batch_record, record_tvb,
333 record_tree = proto_item_add_subtree(ti, ett_mcpe_batch_record);
336 * The first octet is the packet ID.
338 proto_tree_add_item_ret_uint(record_tree, hf_mcpe_packet_id,
339 record_tvb, 0, 1, ENC_NA, &packet_id);
341 proto_item_append_text(ti, " (%s)",
342 val_to_str(packet_id, mcpe_packet_names, "Unknown ID: %#x"));
343 col_append_str(pinfo->cinfo, COL_INFO,
344 val_to_str(packet_id, mcpe_packet_names, "Unknown packet ID: %#x"));
347 dissector_try_uint_new(mcpe_packet_dissectors, packet_id,
348 record_tvb, pinfo, record_tree, TRUE, data);
350 expert_add_info(pinfo, ti, &ei_mcpe_unknown_packet_id);
353 if (offset < decomp_length) {
354 col_append_str(pinfo->cinfo, COL_INFO, ", ");
361 col_append_str(pinfo->cinfo, COL_INFO, "]");
364 expert_add_info(pinfo, ti, &ei_mcpe_decompression_failed);
367 return tvb_reported_length(tvb);
371 mcpe_init_message_names(void)
375 for (i = 0; i < array_length(mcpe_packet_handlers); i++) {
376 mcpe_packet_names[i].value = mcpe_packet_handlers[i].vs.value;
377 mcpe_packet_names[i].strptr = mcpe_packet_handlers[i].vs.strptr;
379 mcpe_packet_names[array_length(mcpe_packet_handlers)].value = 0;
380 mcpe_packet_names[array_length(mcpe_packet_handlers)].strptr = NULL;
384 test_mcpe_heur(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void* data _U_)
387 * 0xFE "Wrapper" is the only message ID that MCPE uses. The sole
388 * purpose of Wrapper message is to make a RakNet message out of a
391 if (tvb_strneql(tvb, 0, "\xFE", 1) == 0) {
393 * Does the message have a packet ID?
395 if (tvb_captured_length(tvb) >= 2) {
397 * Inspect the packet ID. If it's known to us the message
398 * can be considered to be an MCPE packet.
400 gint8 packet_id = tvb_get_guint8(tvb, 1);
402 *(dissector_handle_t*)data =
403 dissector_get_uint_handle(mcpe_packet_dissectors, packet_id);
405 if (*(dissector_handle_t*)data) {
414 dissect_mcpe_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
416 dissector_handle_t handle;
418 if (test_mcpe_heur(tvb, pinfo, tree, &handle)) {
420 proto_tree *mcpe_tree;
423 tvbuff_t *packet_tvb;
425 raknet_conversation_set_dissector(pinfo, mcpe_handle);
426 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MCPE");
427 col_clear(pinfo->cinfo, COL_INFO);
430 * Take the whole buffer as a single MCPE packet.
432 ti = proto_tree_add_item(tree, proto_mcpe, tvb, 0, -1, ENC_NA);
433 mcpe_tree = proto_item_add_subtree(ti, ett_mcpe);
436 * The first octet is always 0xFE (Wrapper). We intentionally
437 * use DISSECTOR_ASSERT() here because test_mcpe_heur() has
440 proto_tree_add_item_ret_uint(mcpe_tree, hf_mcpe_message_id,
441 tvb, 0, 1, ENC_NA, &message_id);
442 DISSECTOR_ASSERT(message_id == 0xFE);
445 * The next octet is the packet ID.
447 proto_tree_add_item_ret_uint(mcpe_tree, hf_mcpe_packet_id,
448 tvb, 1, 1, ENC_NA, &packet_id);
450 proto_item_append_text(ti, " (%s)",
451 val_to_str(packet_id, mcpe_packet_names, "Unknown ID: %#x"));
452 col_add_str(pinfo->cinfo, COL_INFO,
453 val_to_str(packet_id, mcpe_packet_names, "Unknown packet ID: %#x"));
455 packet_tvb = tvb_new_subset_remaining(tvb, 1);
456 return call_dissector_only(handle, packet_tvb, pinfo, mcpe_tree, data) > 0;
464 dissect_mcpe(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
466 mcpe_session_state_t *state;
468 state = mcpe_get_session_state(pinfo);
469 if (state->encrypted && pinfo->num > state->encryption_starts_after) {
471 * Encrypted packets don't even have any headers indicating
472 * they are encrypted. And we don't support the cipher they
478 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MCPE");
479 col_add_str(pinfo->cinfo, COL_INFO, "Encrypted packet");
481 packet_size = tvb_reported_length(tvb);
482 ti = proto_tree_add_item(tree, proto_mcpe, tvb, 0, packet_size, ENC_NA);
483 proto_item_append_text(ti, ", Encrypted packet (%d octets)", packet_size);
484 expert_add_info(pinfo, ti, &ei_mcpe_encrypted_packet);
486 return tvb_captured_length(tvb);
490 * We reuse our heuristic dissector here because we have no reason
491 * to implement almost the same dissector twice.
493 if (dissect_mcpe_heur(tvb, pinfo, tree, data)) {
494 return tvb_captured_length(tvb);
503 proto_register_mcpe(void)
505 static hf_register_info hf[] = {
507 * Common Header fields
509 { &hf_mcpe_message_id,
510 { "MCPE Message ID", "mcpe.message.id",
512 VALS(mcpe_message_names), 0x0,
515 { &hf_mcpe_packet_id,
516 { "MCPE Packet ID", "mcpe.packet.id",
518 VALS(mcpe_packet_names), 0x0,
521 { &hf_mcpe_string_length,
522 { "MCPE String length", "mcpe.string.length",
527 { &hf_mcpe_UTF8_string,
528 { "MCPE UTF-8 String", "mcpe.string.UTF8",
529 FT_STRING, BASE_NONE,
533 { &hf_mcpe_byte_string,
534 { "MCPE Byte string", "mcpe.string.bytes",
540 * Fields specific to a packet ID
542 { &hf_mcpe_protocol_version,
543 { "MCPE Protocol version", "mcpe.protocol.version",
548 { &hf_mcpe_login_data_length,
549 { "MCPE Compressed login data length", "mcpe.login.data.length",
554 { &hf_mcpe_login_data,
555 { "MCPE Compressed login data", "mcpe.login.data",
561 { "MCPE Decompressed login data", "mcpe.login",
566 { &hf_mcpe_chain_JSON,
567 { "MCPE Chain JSON", "mcpe.chain.JSON",
568 FT_STRING, BASE_NONE,
572 { &hf_mcpe_client_data_JWT,
573 { "MCPE Client data JWT", "mcpe.client.data.JWT",
574 FT_STRING, BASE_NONE,
578 { &hf_mcpe_public_key,
579 { "MCPE Public key", "mcpe.public.key",
580 FT_STRING, BASE_NONE,
584 { &hf_mcpe_server_token,
585 { "MCPE Server token", "mcpe.server.token",
590 { &hf_mcpe_batch_length,
591 { "MCPE Compressed batch length", "mcpe.batch.length",
596 { &hf_mcpe_batch_body,
597 { "MCPE Compressed batch body", "mcpe.batch.body",
602 { &hf_mcpe_batch_records,
603 { "MCPE Decompressed batch records", "mcpe.batch.records",
608 { &hf_mcpe_batch_record_length,
609 { "MCPE Batch record length", "mcpe.batch.record.length",
614 { &hf_mcpe_batch_record,
615 { "MCPE Batch record", "mcpe.batch.record",
623 * Setup protocol subtree array
625 static gint *ett[] = {
628 &ett_mcpe_batch_record,
632 module_t *mcpe_module;
635 * Set up expert info.
637 static ei_register_info ei[] = {
638 { &ei_mcpe_unknown_packet_id,
639 { "mcpe.unknown.id", PI_UNDECODED, PI_WARN,
640 "MCPE unknown packet ID",
643 { &ei_mcpe_decompression_failed,
644 { "mcpe.decompression.failed", PI_MALFORMED, PI_ERROR,
645 "MCPE packet decompression failed",
648 { &ei_mcpe_encrypted_packet,
649 { "mcpe.encrypted", PI_DECRYPTION, PI_NOTE,
650 "MCPE encrypted packet",
654 expert_module_t *expert_mcpe;
659 mcpe_init_message_names();
662 * Register the protocol with wireshark.
664 proto_mcpe = proto_register_protocol ("Minecraft Pocket Edition", "MCPE", "mcpe");
667 * Register expert support.
669 expert_mcpe = expert_register_protocol(proto_mcpe);
670 expert_register_field_array(expert_mcpe, ei, array_length(ei));
673 * Register detailed dissection arrays.
675 proto_register_field_array(proto_mcpe, hf, array_length(hf));
676 proto_register_subtree_array(ett, array_length(ett));
679 * Register dissectors.
682 register_dissector("mcpe", dissect_mcpe, proto_mcpe);
684 mcpe_packet_dissectors =
685 register_dissector_table("mcpe.packet.id", "MCPE packets",
686 proto_mcpe, FT_UINT8, BASE_HEX);
688 /* Register a configuration option for UDP port */
690 prefs_register_protocol(proto_mcpe, proto_reg_handoff_mcpe);
692 prefs_register_uint_preference(mcpe_module, "udp.port",
693 "MCPE Server UDP Port",
694 "Set the UDP port for the MCPE Server",
695 10, &mcpe_udp_port_requested);
699 proto_reg_handoff_mcpe(void)
701 static guint last_server_port;
702 static gboolean init_done = FALSE;
705 raknet_delete_udp_dissector(last_server_port, mcpe_handle);
710 for (i = 0; i < array_length(mcpe_packet_handlers); i++) {
713 mcpe_packet_handlers[i].vs.value,
714 create_dissector_handle(
715 mcpe_packet_handlers[i].dissector_fp, proto_mcpe));
718 heur_dissector_add("raknet", dissect_mcpe_heur,
719 "MCPE over RakNet", "mcpe_raknet", proto_mcpe, HEURISTIC_ENABLE);
722 last_server_port = mcpe_udp_port_requested;
725 /* MCPE is a protocol that carries RakNet packets over UDP */
726 raknet_add_udp_dissector(mcpe_udp_port_requested, mcpe_handle);
730 * Editor modelines - https://www.wireshark.org/tools/modelines.html
735 * indent-tabs-mode: nil
738 * vi: set shiftwidth=4 tabstop=8 expandtab:
739 * :indentSize=4:tabSize=8:noTabs=true: