5 * Copyright 1998 Mike Hall <mlh@io.com>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
37 #include <epan/packet.h>
38 #include <epan/ipproto.h>
39 #include <epan/dissectors/packet-tcp.h>
41 #include <epan/conversation.h>
43 #define MAX_IPADDR_LEN 16
45 typedef struct _tcp_frag {
50 struct _tcp_frag *next;
54 FILE* data_out_file = NULL;
56 gboolean empty_tcp_stream;
57 gboolean incomplete_tcp_stream;
59 static guint32 tcp_stream_to_follow;
60 static guint8 ip_address[2][MAX_IPADDR_LEN];
62 static guint bytes_written[2];
63 static gboolean is_ipv6 = FALSE;
65 static int check_fragments( int, tcp_stream_chunk *, guint32 );
66 static void write_packet_data( int, tcp_stream_chunk *, const char * );
69 follow_stats(follow_stats_t* stats)
73 for (i = 0; i < 2 ; i++) {
74 memcpy(stats->ip_address[i], ip_address[i], MAX_IPADDR_LEN);
75 stats->port[i] = port[i];
76 stats->bytes_written[i] = bytes_written[i];
77 stats->is_ipv6 = is_ipv6;
81 /* this will build libpcap filter text that will only
82 pass the packets related to the stream. There is a
83 chance that two streams could intersect, but not a
86 build_follow_filter( packet_info *pi ) {
89 conversation_t *conv=NULL;
90 struct tcp_analysis *tcpd;
92 if( ((pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4) ||
93 (pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6))
94 && pi->ipproto == IP_PROTO_TCP
95 && (conv=find_conversation(pi->fd->num, &pi->src, &pi->dst, pi->ptype,
96 pi->srcport, pi->destport, 0)) != NULL ) {
98 tcpd=get_tcp_conversation_data(conv, pi);
100 buf = g_strdup_printf("tcp.stream eq %d", tcpd->stream);
101 tcp_stream_to_follow = tcpd->stream;
102 if (pi->net_src.type == AT_IPv4) {
113 else if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4
114 && pi->ipproto == IP_PROTO_UDP ) {
116 buf = g_strdup_printf(
117 "(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
118 ip_to_str((guint8 *)pi->net_src.data),
119 ip_to_str((guint8 *)pi->net_dst.data),
120 pi->srcport, pi->destport );
124 else if( pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6
125 && pi->ipproto == IP_PROTO_UDP ) {
127 buf = g_strdup_printf(
128 "(ipv6.addr eq %s and ipv6.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
129 ip6_to_str((const struct e_in6_addr *)pi->net_src.data),
130 ip6_to_str((const struct e_in6_addr *)pi->net_dst.data),
131 pi->srcport, pi->destport );
138 memcpy(ip_address[0], pi->net_src.data, len);
139 memcpy(ip_address[1], pi->net_dst.data, len);
140 port[0] = pi->srcport;
141 port[1] = pi->destport;
145 static gboolean find_tcp_addr;
146 static address tcp_addr[2];
147 static gboolean find_tcp_index;
149 /* select a tcp stream to follow via it's address/port pairs */
151 follow_tcp_addr(const address *addr0, guint port0,
152 const address *addr1, guint port1)
154 if (addr0 == NULL || addr1 == NULL || addr0->type != addr1->type ||
155 port0 > G_MAXUINT16 || port1 > G_MAXUINT16 ) {
159 if (find_tcp_index || find_tcp_addr) {
163 switch (addr0->type) {
168 is_ipv6 = addr0->type == AT_IPv6;
172 find_tcp_index = TRUE;
174 memcpy(ip_address[0], addr0->data, addr0->len);
175 SET_ADDRESS(&tcp_addr[0], addr0->type, addr0->len, ip_address[0]);
178 memcpy(ip_address[1], addr1->data, addr1->len);
179 SET_ADDRESS(&tcp_addr[1], addr1->type, addr1->len, ip_address[1]);
185 /* select a tcp stream to follow via its index */
187 follow_tcp_index(guint32 indx)
189 if (find_tcp_index || find_tcp_addr) {
193 find_tcp_addr = TRUE;
194 tcp_stream_to_follow = indx;
195 memset(ip_address, 0, sizeof ip_address);
196 port[0] = port[1] = 0;
201 /* here we are going to try and reconstruct the data portion of a TCP
202 session. We will try and handle duplicates, TCP fragments, and out
203 of order packets in a smart way. */
205 static tcp_frag *frags[2] = { 0, 0 };
206 static guint32 seq[2];
207 static guint8 src_addr[2][MAX_IPADDR_LEN];
208 static guint src_port[2] = { 0, 0 };
211 reassemble_tcp( guint32 tcp_stream, guint32 sequence, guint32 acknowledgement,
212 guint32 length, const char* data, guint32 data_length,
213 int synflag, address *net_src, address *net_dst,
214 guint srcport, guint dstport) {
215 guint8 srcx[MAX_IPADDR_LEN], dstx[MAX_IPADDR_LEN];
216 int src_index, j, first = 0, len;
223 /* First, check if this packet should be processed. */
224 if (find_tcp_index) {
225 if ((port[0] == srcport && port[1] == dstport &&
226 ADDRESSES_EQUAL(&tcp_addr[0], net_src) &&
227 ADDRESSES_EQUAL(&tcp_addr[1], net_dst))
229 (port[1] == srcport && port[0] == dstport &&
230 ADDRESSES_EQUAL(&tcp_addr[1], net_src) &&
231 ADDRESSES_EQUAL(&tcp_addr[0], net_dst))) {
232 find_tcp_index = FALSE;
233 tcp_stream_to_follow = tcp_stream;
239 else if ( tcp_stream != tcp_stream_to_follow )
242 if ((net_src->type != AT_IPv4 && net_src->type != AT_IPv6) ||
243 (net_dst->type != AT_IPv4 && net_dst->type != AT_IPv6))
246 if (net_src->type == AT_IPv4)
251 memcpy(srcx, net_src->data, len);
252 memcpy(dstx, net_dst->data, len);
254 /* follow_tcp_index() needs to learn address/port pairs */
256 find_tcp_addr = FALSE;
257 memcpy(ip_address[0], net_src->data, net_src->len);
259 memcpy(ip_address[1], net_dst->data, net_dst->len);
263 /* Check to see if we have seen this source IP and port before.
264 (Yes, we have to check both source IP and port; the connection
265 might be between two different ports on the same machine.) */
266 for( j=0; j<2; j++ ) {
267 if (memcmp(src_addr[j], srcx, len) == 0 && src_port[j] == srcport ) {
271 /* we didn't find it if src_index == -1 */
272 if( src_index < 0 ) {
273 /* assign it to a src_index and get going */
274 for( j=0; j<2; j++ ) {
275 if( src_port[j] == 0 ) {
276 memcpy(src_addr[j], srcx, len);
277 src_port[j] = srcport;
284 if( src_index < 0 ) {
285 fprintf( stderr, "ERROR in reassemble_tcp: Too many addresses!\n");
289 if( data_length < length ) {
290 incomplete_tcp_stream = TRUE;
293 /* Before adding data for this flow to the data_out_file, check whether
294 * this frame acks fragments that were already seen. This happens when
295 * frames are not in the capture file, but were actually seen by the
296 * receiving host (Fixes bug 592).
298 if( frags[1-src_index] ) {
299 memcpy(sc.src_addr, dstx, len);
300 sc.src_port = dstport;
301 sc.dlen = 0; /* Will be filled in in check_fragments */
302 while ( check_fragments( 1-src_index, &sc, acknowledgement ) )
306 /* Initialize our stream chunk. This data gets written to disk. */
307 memcpy(sc.src_addr, srcx, len);
308 sc.src_port = srcport;
309 sc.dlen = data_length;
311 /* now that we have filed away the srcs, lets get the sequence number stuff
314 /* this is the first time we have seen this src's sequence number */
315 seq[src_index] = sequence + length;
319 /* write out the packet data */
320 write_packet_data( src_index, &sc, data );
323 /* if we are here, we have already seen this src, let's
324 try and figure out if this packet is in the right place */
325 if( sequence < seq[src_index] ) {
326 /* this sequence number seems dated, but
327 check the end to make sure it has no more
328 info than we have already seen */
329 newseq = sequence + length;
330 if( newseq > seq[src_index] ) {
333 /* this one has more than we have seen. let's get the
334 payload that we have not seen. */
336 new_len = seq[src_index] - sequence;
338 if ( data_length <= new_len ) {
341 incomplete_tcp_stream = TRUE;
344 data_length -= new_len;
346 sc.dlen = data_length;
347 sequence = seq[src_index];
348 length = newseq - seq[src_index];
350 /* this will now appear to be right on time :) */
353 if ( sequence == seq[src_index] ) {
355 seq[src_index] += length;
356 if( synflag ) seq[src_index]++;
358 write_packet_data( src_index, &sc, data );
360 /* done with the packet, see if it caused a fragment to fit */
361 while( check_fragments( src_index, &sc, 0 ) )
365 /* out of order packet */
366 if(data_length > 0 && ((glong)(sequence - seq[src_index]) > 0) ) {
367 tmp_frag = (tcp_frag *)g_malloc( sizeof( tcp_frag ) );
368 tmp_frag->data = (gchar *)g_malloc( data_length );
369 tmp_frag->seq = sequence;
370 tmp_frag->len = length;
371 tmp_frag->data_len = data_length;
372 memcpy( tmp_frag->data, data, data_length );
373 if( frags[src_index] ) {
374 tmp_frag->next = frags[src_index];
376 tmp_frag->next = NULL;
378 frags[src_index] = tmp_frag;
381 } /* end reassemble_tcp */
383 /* here we search through all the frag we have collected to see if
386 check_fragments( int idx, tcp_stream_chunk *sc, guint32 acknowledged ) {
387 tcp_frag *prev = NULL;
392 current = frags[idx];
394 lowest_seq = current->seq;
396 if( (glong)(lowest_seq - current->seq) > 0 ) {
397 lowest_seq = current->seq;
400 if( current->seq < seq[idx] ) {
402 /* this sequence number seems dated, but
403 check the end to make sure it has no more
404 info than we have already seen */
405 newseq = current->seq + current->len;
406 if( newseq > seq[idx] ) {
409 /* this one has more than we have seen. let's get the
410 payload that we have not seen. This happens when
411 part of this frame has been retransmitted */
413 new_pos = seq[idx] - current->seq;
415 if ( current->data_len > new_pos ) {
416 sc->dlen = current->data_len - new_pos;
417 write_packet_data( idx, sc, current->data + new_pos );
420 seq[idx] += (current->len - new_pos);
423 /* Remove the fragment from the list as the "new" part of it
424 * has been processed or its data has been seen already in
427 prev->next = current->next;
429 frags[idx] = current->next;
431 g_free( current->data );
436 if( current->seq == seq[idx] ) {
437 /* this fragment fits the stream */
438 if( current->data ) {
439 sc->dlen = current->data_len;
440 write_packet_data( idx, sc, current->data );
442 seq[idx] += current->len;
444 prev->next = current->next;
446 frags[idx] = current->next;
448 g_free( current->data );
453 current = current->next;
455 if( (glong)(acknowledged - lowest_seq) > 0 ) {
456 /* There are frames missing in the capture file that were seen
457 * by the receiving host. Add dummy stream chunk with the data
458 * "[xxx bytes missing in capture file]".
460 dummy_str = g_strdup_printf("[%d bytes missing in capture file]",
461 (int)(lowest_seq - seq[idx]) );
462 sc->dlen = (guint32) strlen(dummy_str);
463 write_packet_data( idx, sc, dummy_str );
465 seq[idx] = lowest_seq;
472 /* this should always be called before we start to reassemble a stream */
474 reset_tcp_reassembly(void)
476 tcp_frag *current, *next;
479 empty_tcp_stream = TRUE;
480 incomplete_tcp_stream = FALSE;
481 find_tcp_addr = FALSE;
482 find_tcp_index = FALSE;
483 for( i=0; i<2; i++ ) {
485 memset(src_addr[i], '\0', MAX_IPADDR_LEN);
487 memset(ip_address[i], '\0', MAX_IPADDR_LEN);
489 bytes_written[i] = 0;
492 next = current->next;
493 g_free( current->data );
502 write_packet_data( int idx, tcp_stream_chunk *sc, const char *data )
506 ret = fwrite( sc, 1, sizeof(tcp_stream_chunk), data_out_file );
507 DISSECTOR_ASSERT(sizeof(tcp_stream_chunk) == ret);
509 ret = fwrite( data, 1, sc->dlen, data_out_file );
510 DISSECTOR_ASSERT(sc->dlen == ret);
512 bytes_written[idx] += sc->dlen;
513 empty_tcp_stream = FALSE;