2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-socks.c,v 1.45 2003/04/23 10:20:29 sahlberg Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
27 * The Version 5 decoder is based upon rfc-1928
28 * The Version 5 User/Password authentication is based on rfc-1929.
30 * See http://www.socks.nec.com/socksprot.html for these and other documents
34 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
35 * Now test and exit if hash_info is null.
38 /* Possible enhancements -
40 * Add GSS-API authentication per rfc-1961
41 * Add CHAP authentication
42 * Decode FLAG bits per
43 * http://www.socks.nec.com/draft/draft-ietf-aft-socks-pro-v-04.txt
44 * In call_next_dissector, could load the destination address into the
45 * pi structure before calling next dissector.
46 * remove display_string or at least make it use protocol identifiers
47 * socks_hash_entry_t needs to handle V5 address type and domain names
62 #include <epan/packet.h>
63 #include <epan/resolv.h>
64 #include "alignment.h"
65 #include <epan/conversation.h>
67 #include "packet-tcp.h"
68 #include "packet-udp.h"
69 #include <epan/strutil.h>
72 #define compare_packet(X) (X == (pinfo->fd->num))
73 #define get_packet_ptr (pinfo->fd->num)
74 #define row_pointer_type guint32
76 #define TCP_PORT_SOCKS 1080
79 /**************** Socks commands ******************/
81 #define CONNECT_COMMAND 1
82 #define BIND_COMMAND 2
83 #define UDP_ASSOCIATE_COMMAND 3
84 #define PING_COMMAND 0x80
85 #define TRACERT_COMMAND 0x81
88 /********** V5 Authentication methods *************/
90 #define NO_AUTHENTICATION 0
91 #define GSS_API_AUTHENTICATION 1
92 #define USER_NAME_AUTHENTICATION 2
93 #define CHAP_AUTHENTICATION 3
94 #define AUTHENTICATION_FAILED 0xff
97 /*********** Header field identifiers *************/
99 static int proto_socks = -1;
101 static int ett_socks = -1;
102 static int ett_socks_auth = -1;
103 static int ett_socks_name = -1;
105 static int hf_socks_ver = -1;
106 static int hf_socks_ip_dst = -1;
107 static int hf_socks_ip6_dst = -1;
108 static int hf_user_name = -1;
109 static int hf_socks_dstport = -1;
110 static int hf_socks_cmd = -1;
111 static int hf_socks_results = -1;
112 static int hf_socks_results_4 = -1;
113 static int hf_socks_results_5 = -1;
116 /************* Dissector handles ***********/
118 static dissector_handle_t socks_handle;
119 static dissector_handle_t socks_udp_handle;
121 /************* State Machine names ***********/
146 guint32 udp_remote_port;
149 row_pointer_type v4_name_row;
150 row_pointer_type v4_user_name_row;
151 row_pointer_type connect_row;
152 row_pointer_type cmd_reply_row;
153 row_pointer_type bind_reply_row;
154 row_pointer_type command_row;
155 row_pointer_type auth_method_row;
156 row_pointer_type user_name_auth_row;
157 guint32 start_done_row;
159 guint32 dst_addr; /* this needs to handle IPv6 */
165 static char *address_type_table[] = {
175 /* String table for the V4 reply status messages */
178 static char *reply_table_v4[] = {
180 "Rejected or Failed",
181 "Rejected because SOCKS server cannot connect to identd on the client",
182 "Rejected because the client program and identd report different user-ids",
187 static const value_string reply_table_v4[] = {
189 {91, "Rejected or Failed"},
190 {92, "Rejected because SOCKS server cannot connect to identd on the client"},
191 {93, "Rejected because the client program and identd report different user-ids"},
195 /* String table for the V5 reply status messages */
198 static char *reply_table_v5[] = {
200 "General SOCKS server failure",
201 "Connection not allowed by ruleset",
202 "Network unreachable",
204 "Connection refused",
206 "Command not supported",
207 "Address type not supported",
212 static const value_string reply_table_v5[] = {
214 {1, "General SOCKS server failure"},
215 {2, "Connection not allowed by ruleset"},
216 {3, "Network unreachable"},
217 {4, "Host unreachable"},
218 {5, "Connection refused"},
220 {7, "Command not supported"},
221 {8, "Address type not supported"}
224 static const value_string cmd_strings[] = {
230 {0x81, "Traceroute"},
234 #define socks_hash_init_count 20
235 #define socks_hash_val_length (sizeof(socks_hash_entry_t))
237 static GMemChunk *socks_vals = NULL;
240 /************************* Support routines ***************************/
243 static int display_string(tvbuff_t *tvb, int offset,
244 proto_tree *tree, char *label){
246 /* display a string with a length, characters encoding */
247 /* they are displayed under a tree with the name in Label variable */
248 /* return the length of the string and the length byte */
251 proto_tree *name_tree;
255 int length = tvb_get_guint8(tvb, offset);
257 tvb_memcpy(tvb, (guint8 *)temp, offset+1, length);
260 ti = proto_tree_add_text(tree, tvb, offset, length + 1,
261 "%s: %s" , label, temp);
264 name_tree = proto_item_add_subtree(ti, ett_socks_name);
266 proto_tree_add_text( name_tree, tvb, offset, 1, "Length: %u", length);
270 proto_tree_add_text( name_tree, tvb, offset, length, "String: %s", temp);
277 static char *get_auth_method_name( guint Number){
279 /* return the name of the authenication method */
281 if ( Number == 0) return "No authentication";
282 if ( Number == 1) return "GSSAPI";
283 if ( Number == 2) return "Username/Password";
284 if ( Number == 3) return "Chap";
285 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
286 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
287 if ( Number == 0xff) return "no acceptable method";
289 /* shouldn't reach here */
291 return "Bad method number (not 0-0xff)";
295 static char *get_command_name( guint Number){
297 /* return the name of the command as a string */
299 if ( Number == 0) return "Unknow";
300 if ( Number == 1) return "Connect";
301 if ( Number == 2) return "Bind";
302 if ( Number == 3) return "UdpAssociate";
303 if ( Number == 0x80) return "Ping";
304 if ( Number == 0x81) return "Traceroute";
309 static int display_address(tvbuff_t *tvb, int offset, proto_tree *tree) {
311 /* decode and display the v5 address, return offset of next byte */
313 int a_type = tvb_get_guint8(tvb, offset);
315 proto_tree_add_text( tree, tvb, offset, 1,
316 "Address Type: %d (%s)", a_type,
317 address_type_table[ MIN( (guint) a_type,
318 array_length( address_type_table)-1) ]);
322 if ( a_type == 1){ /* IPv4 address */
323 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
327 else if ( a_type == 3){ /* domain name address */
329 offset += display_string(tvb, offset, tree,
332 else if ( a_type == 4){ /* IPv6 address */
333 proto_tree_add_item( tree, hf_socks_ip6_dst, tvb, offset,
342 static int get_address_v5(tvbuff_t *tvb, int offset,
343 socks_hash_entry_t *hash_info) {
345 /* decode the v5 address and return offset of next byte */
346 /*XXX this needs to handle IPV6 and domain name addresses */
349 int a_type = tvb_get_guint8(tvb, offset++);
351 if ( a_type == 1){ /* IPv4 address */
354 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr,
359 else if ( a_type == 4) /* IPv6 address */
362 else if ( a_type == 3) /* domain name address */
363 offset += tvb_get_guint8(tvb, offset) + 1;
368 /********************* V5 UDP Associate handlers ***********************/
371 socks_udp_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
373 /* Conversation dissector called from UDP dissector. Decode and display */
374 /* the socks header, the pass the rest of the data to the udp port */
375 /* decode routine to handle the payload. */
379 socks_hash_entry_t *hash_info;
380 conversation_t *conversation;
381 proto_tree *socks_tree;
384 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
385 pinfo->srcport, pinfo->destport, 0);
387 g_assert( conversation); /* should always find a conversation */
389 hash_info = conversation_get_proto_data(conversation, proto_socks);
391 if (check_col(pinfo->cinfo, COL_PROTOCOL))
392 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
394 if (check_col(pinfo->cinfo, COL_INFO))
395 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: 5, UDP Associated packet");
398 ti = proto_tree_add_protocol_format( tree, proto_socks, tvb,
399 offset, -1, "Socks" );
401 socks_tree = proto_item_add_subtree(ti, ett_socks);
403 proto_tree_add_text( socks_tree, tvb, offset, 2, "Reserved");
406 proto_tree_add_text( socks_tree, tvb, offset, 1, "Fragment Number: %d", tvb_get_guint8(tvb, offset));
410 offset = display_address( tvb, offset, socks_tree);
411 hash_info->udp_remote_port = tvb_get_ntohs(tvb, offset);
413 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
414 offset, 2, hash_info->udp_remote_port);
418 else { /* no tree, skip past the socks header */
420 offset = get_address_v5( tvb, offset, 0) + 2;
424 /* set pi src/dst port and call the udp sub-dissector lookup */
426 if ( pinfo->srcport == hash_info->port)
427 ptr = &pinfo->destport;
429 ptr = &pinfo->srcport;
431 *ptr = hash_info->udp_remote_port;
433 decode_udp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport);
435 *ptr = hash_info->udp_port;
441 new_udp_conversation( socks_hash_entry_t *hash_info, packet_info *pinfo){
443 conversation_t *conversation = conversation_new( &pinfo->src, &pinfo->dst, PT_UDP,
444 hash_info->udp_port, hash_info->port, 0);
446 g_assert( conversation);
448 conversation_add_proto_data(conversation, proto_socks, hash_info);
449 conversation_set_dissector(conversation, socks_udp_handle);
455 /**************** Protocol Tree Display routines ******************/
458 display_socks_v4(tvbuff_t *tvb, int offset, packet_info *pinfo,
459 proto_tree *tree, socks_hash_entry_t *hash_info) {
462 /* Display the protocol tree for the V4 version. This routine uses the */
463 /* stored conversation information to decide what to do with the row. */
464 /* Per packet information would have been better to do this, but we */
465 /* didn't have that when I wrote this. And I didn't expect this to get */
471 /* Display command from client */
472 if (compare_packet( hash_info->connect_row)){
474 proto_tree_add_text( tree, tvb, offset, 1,
475 "Version: %u ", hash_info->version);
477 command = tvb_get_guint8(tvb, offset);
479 proto_tree_add_text( tree, tvb, offset, 1,
480 "Command: %u (%s)", command,
481 get_command_name( command));
485 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
489 /* Do destination address */
490 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
495 /*XXX check this, needs to do length checking */
496 /* Should perhaps do TCP reassembly as well */
497 if ( tvb_offset_exists(tvb, offset)) {
498 /* display user name */
499 proto_tree_add_string( tree, hf_user_name, tvb, offset,
500 tvb_strsize(tvb, offset),
501 tvb_get_ptr(tvb, offset, -1));
505 /*Display command response from server*/
507 else if ( compare_packet( hash_info->cmd_reply_row)){
509 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1,
512 /* Do results code */
513 proto_tree_add_item( tree, hf_socks_results_4, tvb, offset, 1, FALSE);
514 proto_tree_add_item_hidden(tree, hf_socks_results, tvb, offset, 1, FALSE);
519 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
522 /* Do remote address */
523 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4,
527 else if ( compare_packet( hash_info->v4_user_name_row)){
529 /*XXX check this, needs to do length checking */
530 /* Should perhaps do TCP reassembly as well */
531 if ( tvb_offset_exists(tvb, offset)) {
532 proto_tree_add_text( tree, tvb, offset,
533 tvb_strsize(tvb, offset),
534 "User Name: %s", tvb_get_ptr(tvb, offset, -1));
541 display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
542 proto_tree *tree, socks_hash_entry_t *hash_info) {
544 /* Display the protocol tree for the version. This routine uses the */
545 /* stored conversation information to decide what to do with the row. */
546 /* Per packet information would have been better to do this, but we */
547 /* didn't have that when I wrote this. And I didn't expect this to get */
550 unsigned int i, command;
555 if (compare_packet( hash_info->connect_row)){
557 proto_tree *AuthTree;
561 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1,
565 temp = tvb_get_guint8(tvb, offset); /* Get Auth method count */
566 /* build auth tree */
567 ti = proto_tree_add_text( tree, tvb, offset, 1,
568 "Client Authentication Methods");
570 AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
572 proto_tree_add_text( AuthTree, tvb, offset, 1,
576 for( i = 0; i < temp; ++i) {
578 AuthMethodStr = get_auth_method_name(
579 tvb_get_guint8( tvb, offset + i));
580 proto_tree_add_text( AuthTree, tvb, offset + i, 1,
581 "Method[%d]: %u (%s)", i,
582 tvb_get_guint8( tvb, offset + i), AuthMethodStr);
585 } /* Get accepted auth method */
586 else if (compare_packet( hash_info->auth_method_row)) {
590 proto_tree_add_text( tree, tvb, offset, 1,
591 "Accepted Auth Method: 0x%0x (%s)", tvb_get_guint8( tvb, offset),
592 get_auth_method_name( tvb_get_guint8( tvb, offset)));
595 } /* handle user/password auth */
596 else if (compare_packet( hash_info->user_name_auth_row)) {
598 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, FALSE);
600 /* process user name */
601 offset += display_string( tvb, offset, tree,
603 /* process password */
604 offset += display_string( tvb, offset, tree,
607 /* command to the server */
608 /* command response from server */
609 else if ((compare_packet( hash_info->command_row)) ||
610 (compare_packet( hash_info->cmd_reply_row)) ||
611 (compare_packet( hash_info->bind_reply_row))){
613 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, FALSE);
617 command = tvb_get_guint8(tvb, offset);
619 if (compare_packet( hash_info->command_row))
620 proto_tree_add_uint( tree, hf_socks_cmd, tvb, offset, 1,
624 proto_tree_add_item( tree, hf_socks_results_5, tvb, offset, 1, FALSE);
625 proto_tree_add_item_hidden(tree, hf_socks_results, tvb, offset, 1, FALSE);
630 proto_tree_add_text( tree, tvb, offset, 1,
631 "Reserved: 0x%0x (should = 0x00)", tvb_get_guint8(tvb, offset));
634 offset = display_address(tvb, offset, tree);
635 /*XXX Add remote port for search somehow */
637 proto_tree_add_text( tree, tvb, offset, 2,
639 (compare_packet( hash_info->bind_reply_row) ?
640 "Remote Host " : ""),
641 tvb_get_ntohs(tvb, offset));
647 /**************** Decoder State Machines ******************/
651 state_machine_v4( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
652 int offset, packet_info *pinfo) {
654 /* Decode V4 protocol. This is done on the first pass through the */
655 /* list. Based upon the current state, decode the packet and determine */
656 /* what the next state should be. If we had per packet information, */
657 /* this would be the place to load them up. */
659 if ( hash_info->state == None) { /* new connection */
661 if (check_col(pinfo->cinfo, COL_INFO))
662 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
664 hash_info->state = Connecting; /* change state */
666 hash_info->command = tvb_get_guint8(tvb, offset + 1);
667 /* get remote port */
668 if ( hash_info->command == CONNECT_COMMAND)
669 hash_info->port = tvb_get_ntohs(tvb, offset + 2);
670 /* get remote address */
672 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr, offset + 4, 4);
674 /* save the packet pointer */
675 hash_info->connect_row = get_packet_ptr;
677 /* skip past this stuff */
678 hash_info->connect_offset = offset + 8;
682 if ( !tvb_offset_exists(tvb, offset)) { /* if no user name */
684 hash_info->state = V4UserNameWait;
686 * XXX - add 1, or leave it alone?
687 * We were adding "strlen(...) + 1".
689 hash_info->connect_offset += 1;
692 * Add in the length of the user name.
693 * XXX - what if the user name is split between
696 hash_info->connect_offset += tvb_strsize(tvb, offset);
699 if ( !hash_info->dst_addr){ /* if no dest address */
701 if ( tvb_offset_exists(tvb, hash_info->connect_offset)) {
702 /*XXX copy remote name here ??? */
703 hash_info->state = Connecting;
706 hash_info->state = V4NameWait;
708 /* waiting for V4 user name */
709 }else if ( hash_info->state == V4UserNameWait){
711 if (check_col(pinfo->cinfo, COL_INFO))
712 col_append_str(pinfo->cinfo, COL_INFO, " Connect Request (User name)");
714 hash_info->v4_user_name_row = get_packet_ptr;
715 /*XXX may need to check for domain name here */
716 hash_info->state = Connecting;
718 /* waiting for V4 domain name */
719 else if ( hash_info->state == V4NameWait){
721 hash_info->v4_name_row = get_packet_ptr;
722 hash_info->state = Connecting;
725 else if ( hash_info->state == Connecting){
727 if (check_col(pinfo->cinfo, COL_INFO))
728 col_append_str(pinfo->cinfo, COL_INFO, " Connect Response");
730 /* save packet pointer */
731 hash_info->cmd_reply_row = get_packet_ptr;
732 hash_info->state = Done; /* change state */
742 state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
743 int offset, packet_info *pinfo) {
745 /* Decode V5 protocol. This is done on the first pass through the */
746 /* list. Based upon the current state, decode the packet and determine */
747 /* what the next state should be. If we had per packet information, */
748 /* this would be the place to load them up. */
753 if ( hash_info->state == None) {
755 if (check_col(pinfo->cinfo, COL_INFO))
756 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
758 hash_info->state = Connecting; /* change state */
759 hash_info->connect_row = get_packet_ptr;
761 temp = tvb_get_guint8(tvb, offset + 1);
762 /* skip past auth methods */
763 offset = hash_info->connect_offset = offset + 1 + temp;
765 else if ( hash_info->state == Connecting){
767 guint AuthMethod = tvb_get_guint8(tvb, offset + 1);
769 if (check_col(pinfo->cinfo, COL_INFO))
770 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server response");
772 hash_info->auth_method_row = get_packet_ptr;
774 if ( AuthMethod == NO_AUTHENTICATION)
775 hash_info->state = V5Command;
777 else if ( AuthMethod == USER_NAME_AUTHENTICATION)
778 hash_info->state = UserNameAuth;
780 else if ( AuthMethod == GSS_API_AUTHENTICATION)
781 /*XXX should be this hash_info->state = GssApiAuth; */
782 hash_info->state = Done;
784 else hash_info->state = Done; /*Auth failed or error*/
788 else if ( hash_info->state == V5Command) { /* Handle V5 Command */
792 hash_info->command = tvb_get_guint8(tvb, offset + 1); /* get command */
794 if (check_col(pinfo->cinfo, COL_INFO))
795 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Request - %s",
796 get_command_name(hash_info->command));
798 hash_info->state = V5Reply;
799 hash_info->command_row = get_packet_ptr;
801 offset += 3; /* skip to address type */
803 offset = get_address_v5(tvb, offset, hash_info);
805 temp = tvb_get_guint8(tvb, offset);
807 if (( hash_info->command == CONNECT_COMMAND) ||
808 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
809 /* get remote port */
810 hash_info->port = tvb_get_ntohs(tvb, offset);
813 else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
816 if (check_col(pinfo->cinfo, COL_INFO))
817 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Response - %s",
818 get_command_name(hash_info->command));
820 hash_info->cmd_reply_row = get_packet_ptr;
822 if (( hash_info->command == CONNECT_COMMAND) ||
823 (hash_info->command == PING_COMMAND) ||
824 (hash_info->command == TRACERT_COMMAND))
825 hash_info->state = Done;
827 else if ( hash_info->command == BIND_COMMAND)
828 hash_info->state = V5BindReply;
830 else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
831 offset += 3; /* skip to address type */
832 offset = get_address_v5(tvb, offset, hash_info);
834 /* save server udp port and create udp conversation */
835 hash_info->udp_port = tvb_get_ntohs(tvb, offset);
837 if (!pinfo->fd->flags.visited)
838 new_udp_conversation( hash_info, pinfo);
840 /*XXX may need else statement to handle unknows and generate error message */
844 else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
846 if (check_col(pinfo->cinfo, COL_INFO))
847 col_append_str(pinfo->cinfo, COL_INFO, " Command Response: Bind remote host info");
849 hash_info->bind_reply_row = get_packet_ptr;
850 hash_info->state = Done;
852 else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
853 if (check_col(pinfo->cinfo, COL_INFO))
854 col_append_str(pinfo->cinfo, COL_INFO,
855 " User authentication response");
857 hash_info->user_name_auth_row = get_packet_ptr;
858 hash_info->state = AuthReply;
861 else if ( hash_info->state == AuthReply){ /* V5 User Auth reply */
862 hash_info->cmd_reply_row = get_packet_ptr;
863 if (check_col(pinfo->cinfo, COL_INFO))
864 col_append_str(pinfo->cinfo, COL_INFO, " User authentication reply");
865 hash_info->state = V5Command;
872 display_ping_and_tracert(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, socks_hash_entry_t *hash_info) {
874 /* Display the ping/trace_route conversation */
877 const guchar *data, *dataend;
878 const guchar *lineend, *eol;
881 /* handle the end command */
882 if ( pinfo->destport == TCP_PORT_SOCKS){
883 if (check_col(pinfo->cinfo, COL_INFO))
884 col_append_str(pinfo->cinfo, COL_INFO, ", Terminate Request");
887 proto_tree_add_text(tree, tvb, offset, 1,
888 (hash_info->command == PING_COMMAND) ?
889 "Ping: End command" :
890 "Traceroute: End command");
892 else{ /* display the PING or Traceroute results */
893 if (check_col(pinfo->cinfo, COL_INFO))
894 col_append_str(pinfo->cinfo, COL_INFO, ", Results");
897 proto_tree_add_text(tree, tvb, offset, -1,
898 (hash_info->command == PING_COMMAND) ?
900 "Traceroute Results");
902 data = tvb_get_ptr(tvb, offset, -1);
903 dataend = data + tvb_length_remaining(tvb, offset);
905 while (data < dataend) {
907 lineend = find_line_end(data, dataend, &eol);
908 linelen = lineend - data;
910 proto_tree_add_text( tree, tvb, offset, linelen,
911 "%s", format_text(data, linelen));
921 static void call_next_dissector(tvbuff_t *tvb, int offset, packet_info *pinfo,
922 proto_tree *tree, socks_hash_entry_t *hash_info) {
924 /* Display the results for PING and TRACERT extensions or */
925 /* Call TCP dissector for the port that was passed during the */
926 /* connect process */
927 /* Load pointer to pinfo->XXXport depending upon the direction, */
928 /* change pinfo port to the remote port, call next dissecotr to decode */
929 /* the payload, and restore the pinfo port after that is done. */
933 if (( hash_info->command == PING_COMMAND) ||
934 ( hash_info->command == TRACERT_COMMAND))
936 display_ping_and_tracert(tvb, offset, pinfo, tree, hash_info);
938 else { /* call the tcp port decoder to handle the payload */
940 /*XXX may want to load dest address here */
942 if ( pinfo->destport == TCP_PORT_SOCKS)
943 ptr = &pinfo->destport;
945 ptr = &pinfo->srcport;
947 *ptr = hash_info->port;
948 decode_tcp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport, 0);
949 *ptr = TCP_PORT_SOCKS;
956 dissect_socks(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
959 proto_tree *socks_tree;
961 socks_hash_entry_t *hash_info;
962 conversation_t *conversation;
964 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
965 pinfo->srcport, pinfo->destport, 0);
968 conversation = conversation_new( &pinfo->src, &pinfo->dst, pinfo->ptype,
969 pinfo->srcport, pinfo->destport, 0);
971 hash_info = conversation_get_proto_data(conversation,proto_socks);
973 hash_info = g_mem_chunk_alloc(socks_vals);
974 hash_info->start_done_row = G_MAXINT;
975 hash_info->state = None;
977 hash_info->version = tvb_get_guint8(tvb, offset); /* get version*/
979 if (( hash_info->version != 4) && /* error test version */
980 ( hash_info->version != 5))
981 hash_info->state = Done;
983 conversation_add_proto_data(conversation, proto_socks,
986 /* set dissector for now */
987 conversation_set_dissector(conversation, socks_handle);
990 /* display summary window information */
992 if (check_col(pinfo->cinfo, COL_PROTOCOL))
993 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
995 if (check_col(pinfo->cinfo, COL_INFO)){
996 if (( hash_info->version == 4) || ( hash_info->version == 5)){
997 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: %d",
1000 else /* unknown version display error */
1001 col_set_str(pinfo->cinfo, COL_INFO, "Unknown");
1004 if ( hash_info->command == PING_COMMAND)
1005 col_append_str(pinfo->cinfo, COL_INFO, ", Ping Req");
1006 if ( hash_info->command == TRACERT_COMMAND)
1007 col_append_str(pinfo->cinfo, COL_INFO, ", Traceroute Req");
1009 /*XXX if ( hash_info->port != -1) */
1010 if ( hash_info->port != 0)
1011 col_append_fstr(pinfo->cinfo, COL_INFO, ", Remote Port: %d",
1016 /* run state machine if needed */
1018 if ((hash_info->state != Done) && ( !pinfo->fd->flags.visited)){
1020 if ( hash_info->version == 4)
1021 state_machine_v4( hash_info, tvb, offset, pinfo);
1023 else if ( hash_info->version == 5)
1024 state_machine_v5( hash_info, tvb, offset, pinfo);
1026 if (hash_info->state == Done) { /* if done now */
1027 hash_info->start_done_row = pinfo->fd->num;
1031 /* if proto tree, decode and display */
1034 ti = proto_tree_add_item( tree, proto_socks, tvb, offset, -1,
1037 socks_tree = proto_item_add_subtree(ti, ett_socks);
1039 if ( hash_info->version == 4)
1040 display_socks_v4(tvb, offset, pinfo, socks_tree,
1043 else if ( hash_info->version == 5)
1044 display_socks_v5(tvb, offset, pinfo, socks_tree,
1047 /* if past startup, add the faked stuff */
1048 if ( pinfo->fd->num > hash_info->start_done_row){
1049 /* add info to tree */
1050 proto_tree_add_text( socks_tree, tvb, offset, 0,
1051 "Command: %d (%s)", hash_info->command,
1052 get_command_name(hash_info->command));
1054 proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, tvb,
1055 offset, 0, hash_info->dst_addr);
1057 /* no fake address for ping & traceroute */
1059 if (( hash_info->command != PING_COMMAND) &&
1060 ( hash_info->command != TRACERT_COMMAND)){
1061 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
1062 offset, 0, hash_info->port);
1069 /* call next dissector if ready */
1071 if ( pinfo->fd->num > hash_info->start_done_row){
1072 call_next_dissector(tvb, offset, pinfo, tree, hash_info);
1078 static void socks_reinit( void){
1080 /* Do the cleanup work when a new pass through the packet list is */
1081 /* performed. Reset the highest row seen counter and re-initialize the */
1082 /* conversation memory chunks. */
1085 g_mem_chunk_destroy(socks_vals);
1087 socks_vals = g_mem_chunk_new("socks_vals", socks_hash_val_length,
1088 socks_hash_init_count * socks_hash_val_length,
1094 proto_register_socks( void){
1096 /*** Prep the socks protocol, register it and a initialization routine */
1097 /* to clear the hash stuff. */
1100 static gint *ett[] = {
1107 static hf_register_info hf[] = {
1111 { "Version", "socks.version", FT_UINT8, BASE_DEC, NULL,
1116 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1120 { &hf_socks_ip6_dst,
1121 { "Remote Address(ipv6)", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1127 { "User Name", "socks.username", FT_STRING, BASE_NONE,
1128 NULL, 0x0, "", HFILL
1131 { &hf_socks_dstport,
1132 { "Remote Port", "socks.dstport", FT_UINT16,
1133 BASE_DEC, NULL, 0x0, "", HFILL
1137 { "Command", "socks.command", FT_UINT8,
1138 BASE_DEC, VALS(cmd_strings), 0x0, "", HFILL
1141 { &hf_socks_results_4,
1142 { "Results(V4)", "socks.results_v4", FT_UINT8,
1143 BASE_DEC, VALS(reply_table_v4), 0x0, "", HFILL
1146 { &hf_socks_results_5,
1147 { "Results(V5)", "socks.results_v5", FT_UINT8,
1148 BASE_DEC, VALS(reply_table_v5), 0x0, "", HFILL
1151 { &hf_socks_results,
1152 { "Results(V5)", "socks.results", FT_UINT8,
1153 BASE_DEC, NULL, 0x0, "", HFILL
1160 proto_socks = proto_register_protocol (
1161 "Socks Protocol", "Socks", "socks");
1163 proto_register_field_array(proto_socks, hf, array_length(hf));
1164 proto_register_subtree_array(ett, array_length(ett));
1166 register_init_routine( &socks_reinit); /* register re-init routine */
1168 socks_udp_handle = create_dissector_handle(socks_udp_dissector,
1170 socks_handle = create_dissector_handle(dissect_socks, proto_socks);
1175 proto_reg_handoff_socks(void) {
1177 /* dissector install routine */
1179 dissector_add("tcp.port", TCP_PORT_SOCKS, socks_handle);