2 * Routines for UDP/UDPLite packet disassembly
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * Richard Sharpe, 13-Feb-1999, added dispatch table support and
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26 #define NEW_PROTO_TREE_API
34 #include <epan/packet.h>
35 #include <epan/wmem/wmem.h>
36 #include <epan/addr_resolv.h>
37 #include <epan/ipproto.h>
38 #include <epan/in_cksum.h>
39 #include <epan/prefs.h>
40 #include <epan/expert.h>
42 #include "packet-udp.h"
44 #include "packet-ip.h"
45 #include <epan/conversation.h>
47 #include <epan/decode_as.h>
49 void proto_register_udp(void);
50 void proto_reg_handoff_udp(void);
52 static dissector_handle_t udp_handle;
53 static dissector_handle_t udplite_handle;
55 static int udp_tap = -1;
56 static int udp_follow_tap = -1;
58 static header_field_info *hfi_udp = NULL;
59 static header_field_info *hfi_udplite = NULL;
61 #define UDP_HFI_INIT HFI_INIT(proto_udp)
62 #define UDPLITE_HFI_INIT HFI_INIT(proto_udplite)
64 static header_field_info hfi_udp_srcport UDP_HFI_INIT =
65 { "Source Port", "udp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
68 static header_field_info hfi_udp_dstport UDP_HFI_INIT =
69 { "Destination Port", "udp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
72 static header_field_info hfi_udp_port UDP_HFI_INIT =
73 { "Source or Destination Port", "udp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
76 static header_field_info hfi_udp_stream UDP_HFI_INIT =
77 { "Stream index", "udp.stream", FT_UINT32, BASE_DEC, NULL, 0x0,
80 static header_field_info hfi_udp_length UDP_HFI_INIT =
81 { "Length", "udp.length", FT_UINT16, BASE_DEC, NULL, 0x0,
84 static header_field_info hfi_udp_checksum UDP_HFI_INIT =
85 { "Checksum", "udp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
86 "Details at: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html", HFILL };
88 static header_field_info hfi_udp_checksum_good UDP_HFI_INIT =
89 { "Good Checksum", "udp.checksum_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
90 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL };
92 static header_field_info hfi_udp_checksum_bad UDP_HFI_INIT =
93 { "Bad Checksum", "udp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
94 "True: checksum doesn't match packet content; False: matches content or not checked", HFILL };
96 static header_field_info hfi_udp_proc_src_uid UDP_HFI_INIT =
97 { "Source process user ID", "udp.proc.srcuid", FT_UINT32, BASE_DEC, NULL, 0x0,
100 static header_field_info hfi_udp_proc_src_pid UDP_HFI_INIT =
101 { "Source process ID", "udp.proc.srcpid", FT_UINT32, BASE_DEC, NULL, 0x0,
104 static header_field_info hfi_udp_proc_src_uname UDP_HFI_INIT =
105 { "Source process user name", "udp.proc.srcuname", FT_STRING, BASE_NONE, NULL, 0x0,
108 static header_field_info hfi_udp_proc_src_cmd UDP_HFI_INIT =
109 { "Source process name", "udp.proc.srccmd", FT_STRING, BASE_NONE, NULL, 0x0,
110 "Source process command name", HFILL};
112 static header_field_info hfi_udp_proc_dst_uid UDP_HFI_INIT =
113 { "Destination process user ID", "udp.proc.dstuid", FT_UINT32, BASE_DEC, NULL, 0x0,
116 static header_field_info hfi_udp_proc_dst_pid UDP_HFI_INIT =
117 { "Destination process ID", "udp.proc.dstpid", FT_UINT32, BASE_DEC, NULL, 0x0,
120 static header_field_info hfi_udp_proc_dst_uname UDP_HFI_INIT =
121 { "Destination process user name", "udp.proc.dstuname", FT_STRING, BASE_NONE, NULL, 0x0,
124 static header_field_info hfi_udp_proc_dst_cmd UDP_HFI_INIT =
125 { "Destination process name", "udp.proc.dstcmd", FT_STRING, BASE_NONE, NULL, 0x0,
126 "Destination process command name", HFILL};
128 static header_field_info hfi_udplite_checksum_coverage UDPLITE_HFI_INIT =
129 { "Checksum coverage", "udp.checksum_coverage", FT_UINT16, BASE_DEC, NULL, 0x0,
132 static header_field_info hfi_udplite_checksum_coverage_bad UDPLITE_HFI_INIT =
133 { "Bad Checksum coverage", "udp.checksum_coverage_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
136 static gint ett_udp = -1;
137 static gint ett_udp_checksum = -1;
138 static gint ett_udp_process_info = -1;
140 static expert_field ei_udp_possible_traceroute = EI_INIT;
141 static expert_field ei_udp_length = EI_INIT;
142 static expert_field ei_udplite_checksum_coverage = EI_INIT;
143 static expert_field ei_udp_checksum_zero = EI_INIT;
144 static expert_field ei_udp_checksum_bad = EI_INIT;
148 /* Place UDP summary in proto tree */
149 static gboolean udp_summary_in_tree = TRUE;
151 /* Check UDP checksums */
152 static gboolean udp_check_checksum = FALSE;
154 /* Collect IPFIX process flow information */
155 static gboolean udp_process_info = FALSE;
157 /* Ignore an invalid checksum coverage field for UDPLite */
158 static gboolean udplite_ignore_checksum_coverage = TRUE;
160 /* Check UDPLite checksums */
161 static gboolean udplite_check_checksum = FALSE;
163 static dissector_table_t udp_dissector_table;
164 static heur_dissector_list_t heur_subdissector_list;
165 static dissector_handle_t data_handle;
166 static guint32 udp_stream_count;
168 /* Determine if there is a sub-dissector and call it. This has been */
169 /* separated into a stand alone routine so other protocol dissectors */
170 /* can call to it, ie. socks */
172 static gboolean try_heuristic_first = FALSE;
174 /* Per-packet-info for UDP */
177 gboolean found_heuristic;
181 /* XXX - redefined here to not create UI dependencies */
182 #define UTF8_LEFTWARDS_ARROW "\xe2\x86\x90" /* 8592 / 0x2190 */
183 #define UTF8_RIGHTWARDS_ARROW "\xe2\x86\x92" /* 8594 / 0x2192 */
184 #define UTF8_LEFT_RIGHT_ARROW "\xe2\x86\x94" /* 8596 / 0x2194 */
187 udp_src_prompt(packet_info *pinfo, gchar *result)
189 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", pinfo->srcport, UTF8_RIGHTWARDS_ARROW);
193 udp_src_value(packet_info *pinfo)
195 return GUINT_TO_POINTER(pinfo->srcport);
199 udp_dst_prompt(packet_info *pinfo, gchar *result)
201 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, pinfo->destport);
205 udp_dst_value(packet_info *pinfo)
207 return GUINT_TO_POINTER(pinfo->destport);
211 udp_both_prompt(packet_info *pinfo, gchar *result)
213 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "Both (%u%s%u)", pinfo->srcport, UTF8_LEFT_RIGHT_ARROW, pinfo->destport);
216 /* Conversation and process code originally copied from packet-tcp.c */
217 static struct udp_analysis *
218 init_udp_conversation_data(void)
220 struct udp_analysis *udpd;
222 /* Initialize the udp protocol data structure to add to the udp conversation */
223 udpd = wmem_new0(wmem_file_scope(), struct udp_analysis);
225 udpd->flow1.username = NULL;
226 udpd->flow1.command = NULL;
227 udpd->flow2.username = NULL;
228 udpd->flow2.command = NULL;
231 udpd->stream = udp_stream_count++;
236 static struct udp_analysis *
237 get_udp_conversation_data(conversation_t *conv, packet_info *pinfo)
240 struct udp_analysis *udpd=NULL;
242 /* Did the caller supply the conversation pointer? */
244 conv = find_or_create_conversation(pinfo);
246 /* Get the data for this conversation */
247 udpd=(struct udp_analysis *)conversation_get_proto_data(conv, hfi_udp->id);
249 /* If the conversation was just created or it matched a
250 * conversation with template options, udpd will not
251 * have been initialized. So, initialize
252 * a new udpd structure for the conversation.
255 udpd = init_udp_conversation_data();
256 conversation_add_proto_data(conv, hfi_udp->id, udpd);
263 /* check direction and get ua lists */
264 direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
265 /* if the addresses are equal, match the ports instead */
266 if (direction == 0) {
267 direction= (pinfo->srcport > pinfo->destport) ? 1 : -1;
269 if (direction >= 0) {
270 udpd->fwd=&(udpd->flow1);
271 udpd->rev=&(udpd->flow2);
273 udpd->fwd=&(udpd->flow2);
274 udpd->rev=&(udpd->flow1);
280 /* Attach process info to a flow */
281 /* XXX - We depend on the UDP dissector finding the conversation first */
283 add_udp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command) {
284 conversation_t *conv;
285 struct udp_analysis *udpd;
286 udp_flow_t *flow = NULL;
288 if (!udp_process_info) {
292 conv = find_conversation(frame_num, local_addr, remote_addr, PT_UDP, local_port, remote_port, 0);
297 udpd = (struct udp_analysis *)conversation_get_proto_data(conv, hfi_udp->id);
302 if ((CMP_ADDRESS(local_addr, &conv->key_ptr->addr1) == 0) && (local_port == conv->key_ptr->port1)) {
304 } else if ((CMP_ADDRESS(remote_addr, &conv->key_ptr->addr1) == 0) && (remote_port == conv->key_ptr->port1)) {
307 if (!flow || flow->command) {
311 flow->process_uid = uid;
312 flow->process_pid = pid;
313 flow->username = wmem_strdup(wmem_file_scope(), username);
314 flow->command = wmem_strdup(wmem_file_scope(), command);
318 /* Return the current stream count */
319 guint32 get_udp_stream_count(void)
321 return udp_stream_count;
325 decode_udp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
326 proto_tree *tree, int uh_sport, int uh_dport, int uh_ulen)
329 int low_port, high_port;
330 gint len, reported_len;
331 udp_p_info_t *udp_p_info = NULL;
332 gboolean prev_heur_found = FALSE;
334 if (pinfo->fd->flags.visited) {
335 udp_p_info = (udp_p_info_t*)p_get_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, pinfo->curr_layer_num);
337 prev_heur_found = udp_p_info->found_heuristic;
340 /* Force heuristic check on first pass */
341 prev_heur_found = TRUE;
344 len = tvb_length_remaining(tvb, offset);
345 reported_len = tvb_reported_length_remaining(tvb, offset);
347 /* This is the length from the UDP header; the payload should be cut
348 off at that length. (If our caller passed a value here, they
349 are assumed to have checked that it's >= 8, and hence >= offset.)
351 XXX - what if it's *greater* than the reported length? */
352 if ((uh_ulen - offset) < reported_len)
353 reported_len = uh_ulen - offset;
354 if (len > reported_len)
358 next_tvb = tvb_new_subset(tvb, offset, len, reported_len);
360 /* If the user has a "Follow UDP Stream" window loading, pass a pointer
361 * to the payload tvb through the tap system. */
362 if (have_tap_listener(udp_follow_tap))
363 tap_queue_packet(udp_follow_tap, pinfo, next_tvb);
365 /* determine if this packet is part of a conversation and call dissector */
366 /* for the conversation if available */
368 if (try_conversation_dissector(&pinfo->dst, &pinfo->src, PT_UDP,
369 uh_dport, uh_sport, next_tvb, pinfo, tree, NULL)) {
373 if (try_heuristic_first && prev_heur_found) {
374 /* Do lookup with the heuristic subdissector table */
375 /* Save curr_layer_num as it might be changed by subdissector */
376 guint8 curr_layer_num = pinfo->curr_layer_num;
377 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, NULL)) {
379 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
380 udp_p_info->found_heuristic = TRUE;
381 p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
387 /* Do lookups with the subdissector table.
388 We try the port number with the lower value first, followed by the
389 port number with the higher value. This means that, for packets
390 where a dissector is registered for *both* port numbers:
392 1) we pick the same dissector for traffic going in both directions;
394 2) we prefer the port number that's more likely to be the right
395 one (as that prefers well-known ports to reserved ports);
397 although there is, of course, no guarantee that any such strategy
398 will always pick the right port number.
400 XXX - we ignore port numbers of 0, as some dissectors use a port
401 number of 0 to disable the port, and as RFC 768 says that the source
402 port in UDP datagrams is optional and is 0 if not used. */
403 if (uh_sport > uh_dport) {
405 high_port = uh_sport;
408 high_port = uh_dport;
410 if ((low_port != 0) &&
411 dissector_try_uint(udp_dissector_table, low_port, next_tvb, pinfo, tree))
413 if ((high_port != 0) &&
414 dissector_try_uint(udp_dissector_table, high_port, next_tvb, pinfo, tree))
417 if (!try_heuristic_first && prev_heur_found) {
418 /* Do lookup with the heuristic subdissector table */
419 /* Save curr_layer_num as it might be changed by subdissector */
420 guint8 curr_layer_num = pinfo->curr_layer_num;
421 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, NULL)) {
423 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
424 udp_p_info->found_heuristic = TRUE;
425 p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
431 call_dissector(data_handle,next_tvb, pinfo, tree);
436 dissect(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 ip_proto)
438 proto_tree *udp_tree = NULL;
439 proto_item *ti, *hidden_item, *port_item;
444 guint16 computed_cksum;
447 proto_tree *checksum_tree;
449 conversation_t *conv = NULL;
450 struct udp_analysis *udpd = NULL;
451 proto_tree *process_tree;
453 udph=wmem_new(wmem_packet_scope(), e_udphdr);
454 SET_ADDRESS(&udph->ip_src, pinfo->src.type, pinfo->src.len, pinfo->src.data);
455 SET_ADDRESS(&udph->ip_dst, pinfo->dst.type, pinfo->dst.len, pinfo->dst.data);
457 col_set_str(pinfo->cinfo, COL_PROTOCOL, (ip_proto == IP_PROTO_UDP) ? "UDP" : "UDPlite");
458 col_clear(pinfo->cinfo, COL_INFO);
460 udph->uh_sport=tvb_get_ntohs(tvb, offset);
461 udph->uh_dport=tvb_get_ntohs(tvb, offset+2);
463 col_add_fstr(pinfo->cinfo, COL_INFO, "Source port: %s Destination port: %s",
464 get_udp_port(udph->uh_sport), get_udp_port(udph->uh_dport));
467 if (udp_summary_in_tree) {
468 if (ip_proto == IP_PROTO_UDP) {
469 ti = proto_tree_add_protocol_format(tree, hfi_udp->id, tvb, offset, 8,
470 "User Datagram Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
471 get_udp_port(udph->uh_sport), udph->uh_sport, get_udp_port(udph->uh_dport), udph->uh_dport);
473 ti = proto_tree_add_protocol_format(tree, hfi_udplite->id, tvb, offset, 8,
474 "Lightweight User Datagram Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
475 get_udp_port(udph->uh_sport), udph->uh_sport, get_udp_port(udph->uh_dport), udph->uh_dport);
478 ti = proto_tree_add_item(tree, (ip_proto == IP_PROTO_UDP) ? hfi_udp : hfi_udplite, tvb, offset, 8, ENC_NA);
480 udp_tree = proto_item_add_subtree(ti, ett_udp);
482 port_item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_srcport.id, tvb, offset, 2, udph->uh_sport,
483 "%s (%u)", get_udp_port(udph->uh_sport), udph->uh_sport);
484 /* The beginning port number, 32768 + 666 (33434), is from LBL's traceroute.c source code and this code
485 * further assumes that 3 attempts are made per hop */
486 if ((udph->uh_sport > (32768 + 666)) && (udph->uh_sport <= (32768 + 666 + 30)))
487 expert_add_info_format(pinfo, port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
488 ((udph->uh_sport - 32768 - 666 - 1) / 3) + 1,
489 ((udph->uh_sport - 32768 - 666 - 1) % 3) + 1
492 port_item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_dstport.id, tvb, offset + 2, 2, udph->uh_dport,
493 "%s (%u)", get_udp_port(udph->uh_dport), udph->uh_dport);
494 if ((udph->uh_dport > (32768 + 666)) && (udph->uh_dport <= (32768 + 666 + 30)))
495 expert_add_info_format(pinfo, port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
496 ((udph->uh_dport - 32768 - 666 - 1) / 3) + 1,
497 ((udph->uh_dport - 32768 - 666 - 1) % 3) + 1
500 hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_port, tvb, offset, 2, udph->uh_sport);
501 PROTO_ITEM_SET_HIDDEN(hidden_item);
502 hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_port, tvb, offset+2, 2, udph->uh_dport);
503 PROTO_ITEM_SET_HIDDEN(hidden_item);
506 if (ip_proto == IP_PROTO_UDP) {
507 udph->uh_ulen = udph->uh_sum_cov = tvb_get_ntohs(tvb, offset+4);
508 if (udph->uh_ulen < 8) {
509 /* Bogus length - it includes the header, so it must be >= 8. */
510 /* XXX - should handle IPv6 UDP jumbograms (RFC 2675), where the length is zero */
511 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_length.id, tvb, offset + 4, 2,
512 udph->uh_ulen, "%u (bogus, must be >= 8)", udph->uh_ulen);
513 expert_add_info_format(pinfo, item, &ei_udp_length, "Bad length value %u < 8", udph->uh_ulen);
514 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u < 8]", udph->uh_ulen);
517 if ((udph->uh_ulen > tvb_reported_length(tvb)) && ! pinfo->fragmented && ! pinfo->flags.in_error_pkt) {
518 /* Bogus length - it goes past the end of the IP payload */
519 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_length.id, tvb, offset + 4, 2,
520 udph->uh_ulen, "%u (bogus, payload length %u)", udph->uh_ulen, tvb_reported_length(tvb));
521 expert_add_info_format(pinfo, item, &ei_udp_length, "Bad length value %u > IP payload length", udph->uh_ulen);
522 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u > IP PAYLOAD LENGTH]", udph->uh_ulen);
525 proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 2, udph->uh_ulen);
526 /* XXX - why is this here, given that this is UDP, not Lightweight UDP? */
527 hidden_item = proto_tree_add_uint(udp_tree, &hfi_udplite_checksum_coverage, tvb, offset + 4,
528 0, udph->uh_sum_cov);
529 PROTO_ITEM_SET_HIDDEN(hidden_item);
533 udph->uh_ulen = tvb_reported_length(tvb);
534 udph->uh_sum_cov = tvb_get_ntohs(tvb, offset+4);
535 if (((udph->uh_sum_cov > 0) && (udph->uh_sum_cov < 8)) || (udph->uh_sum_cov > udph->uh_ulen)) {
536 /* Bogus length - it includes the header, so it must be >= 8, and no larger then the IP payload size. */
538 hidden_item = proto_tree_add_boolean(udp_tree, &hfi_udplite_checksum_coverage_bad, tvb, offset + 4, 2, TRUE);
539 PROTO_ITEM_SET_HIDDEN(hidden_item);
540 hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
541 PROTO_ITEM_SET_HIDDEN(hidden_item);
543 item = proto_tree_add_uint_format_value(udp_tree, hfi_udplite_checksum_coverage.id, tvb, offset + 4, 2,
544 udph->uh_sum_cov, "%u (bogus, must be >= 8 and <= %u (ip.len-ip.hdr_len))",
545 udph->uh_sum_cov, udph->uh_ulen);
546 expert_add_info_format(pinfo, item, &ei_udplite_checksum_coverage, "Bad checksum coverage length value %u < 8 or > %u",
547 udph->uh_sum_cov, udph->uh_ulen);
548 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD LIGHTWEIGHT UDP CHECKSUM COVERAGE LENGTH %u < 8 or > %u]",
549 udph->uh_sum_cov, udph->uh_ulen);
550 if (!udplite_ignore_checksum_coverage)
554 hidden_item = proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
555 PROTO_ITEM_SET_HIDDEN(hidden_item);
556 proto_tree_add_uint(udp_tree, &hfi_udplite_checksum_coverage, tvb, offset + 4, 2, udph->uh_sum_cov);
561 udph->uh_sum_cov = (udph->uh_sum_cov) ? udph->uh_sum_cov : udph->uh_ulen;
562 udph->uh_sum = tvb_get_ntohs(tvb, offset+6);
563 reported_len = tvb_reported_length(tvb);
564 len = tvb_length(tvb);
565 if (udph->uh_sum == 0) {
566 /* No checksum supplied in the packet. */
567 if ((ip_proto == IP_PROTO_UDP) && (pinfo->src.type == AT_IPv4)) {
568 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb, offset + 6, 2, 0,
571 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
572 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
573 offset + 6, 2, FALSE);
574 PROTO_ITEM_SET_GENERATED(item);
575 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
576 offset + 6, 2, FALSE);
577 PROTO_ITEM_SET_GENERATED(item);
579 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb, offset + 6, 2, 0,
580 "0x%04x (Illegal)", 0);
581 expert_add_info(pinfo, item, &ei_udp_checksum_zero);
582 col_append_str(pinfo->cinfo, COL_INFO, " [ILLEGAL CHECKSUM (0)]");
584 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
585 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
586 offset + 6, 2, FALSE);
587 PROTO_ITEM_SET_GENERATED(item);
588 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
589 offset + 6, 2, TRUE);
590 PROTO_ITEM_SET_GENERATED(item);
592 } else if (!pinfo->fragmented && (len >= reported_len) &&
593 (len >= udph->uh_sum_cov) && (reported_len >= udph->uh_sum_cov) &&
594 (udph->uh_sum_cov >= 8)) {
595 /* The packet isn't part of a fragmented datagram and isn't
596 truncated, so we can checksum it.
597 XXX - make a bigger scatter-gather list once we do fragment
600 if (((ip_proto == IP_PROTO_UDP) && udp_check_checksum) ||
601 ((ip_proto == IP_PROTO_UDPLITE) && udplite_check_checksum)) {
602 /* Set up the fields of the pseudo-header. */
603 cksum_vec[0].ptr = (const guint8 *)pinfo->src.data;
604 cksum_vec[0].len = pinfo->src.len;
605 cksum_vec[1].ptr = (const guint8 *)pinfo->dst.data;
606 cksum_vec[1].len = pinfo->dst.len;
607 cksum_vec[2].ptr = (const guint8 *)&phdr;
608 switch (pinfo->src.type) {
611 if (ip_proto == IP_PROTO_UDP)
612 phdr[0] = g_htonl((ip_proto<<16) | udph->uh_ulen);
614 phdr[0] = g_htonl((ip_proto<<16) | reported_len);
615 cksum_vec[2].len = 4;
619 if (ip_proto == IP_PROTO_UDP)
620 phdr[0] = g_htonl(udph->uh_ulen);
622 phdr[0] = g_htonl(reported_len);
623 phdr[1] = g_htonl(ip_proto);
624 cksum_vec[2].len = 8;
628 /* UDP runs only atop IPv4 and IPv6.... */
629 DISSECTOR_ASSERT_NOT_REACHED();
632 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, udph->uh_sum_cov);
633 cksum_vec[3].len = udph->uh_sum_cov;
634 computed_cksum = in_cksum(&cksum_vec[0], 4);
635 if (computed_cksum == 0) {
636 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
637 offset + 6, 2, udph->uh_sum, "0x%04x [correct]", udph->uh_sum);
639 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
640 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
641 offset + 6, 2, TRUE);
642 PROTO_ITEM_SET_GENERATED(item);
643 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
644 offset + 6, 2, FALSE);
645 PROTO_ITEM_SET_GENERATED(item);
647 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
648 offset + 6, 2, udph->uh_sum,
649 "0x%04x [incorrect, should be 0x%04x (maybe caused by \"UDP checksum offload\"?)]", udph->uh_sum,
650 in_cksum_shouldbe(udph->uh_sum, computed_cksum));
652 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
653 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
654 offset + 6, 2, FALSE);
655 PROTO_ITEM_SET_GENERATED(item);
656 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
657 offset + 6, 2, TRUE);
658 PROTO_ITEM_SET_GENERATED(item);
659 expert_add_info(pinfo, item, &ei_udp_checksum_bad);
661 col_append_str(pinfo->cinfo, COL_INFO, " [UDP CHECKSUM INCORRECT]");
664 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
665 offset + 6, 2, udph->uh_sum, "0x%04x [validation disabled]", udph->uh_sum);
666 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
667 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
668 offset + 6, 2, FALSE);
669 PROTO_ITEM_SET_GENERATED(item);
670 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
671 offset + 6, 2, FALSE);
672 PROTO_ITEM_SET_GENERATED(item);
675 item = proto_tree_add_uint_format_value(udp_tree, hfi_udp_checksum.id, tvb,
676 offset + 6, 2, udph->uh_sum, "0x%04x [unchecked, not all data available]", udph->uh_sum);
678 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
679 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_good, tvb,
680 offset + 6, 2, FALSE);
681 PROTO_ITEM_SET_GENERATED(item);
682 item = proto_tree_add_boolean(checksum_tree, &hfi_udp_checksum_bad, tvb,
683 offset + 6, 2, FALSE);
684 PROTO_ITEM_SET_GENERATED(item);
687 /* Skip over header */
690 pinfo->ptype = PT_UDP;
691 pinfo->srcport = udph->uh_sport;
692 pinfo->destport = udph->uh_dport;
694 tap_queue_packet(udp_tap, pinfo, udph);
696 /* find(or create if needed) the conversation for this udp session */
697 conv=find_or_create_conversation(pinfo);
698 udpd=get_udp_conversation_data(conv,pinfo);
702 item = proto_tree_add_uint(udp_tree, &hfi_udp_stream, tvb, offset, 0, udpd->stream);
703 PROTO_ITEM_SET_GENERATED(item);
705 /* Copy the stream index into the header as well to make it available
708 udph->uh_stream = udpd->stream;
711 if (udpd && ((udpd->fwd && udpd->fwd->command) || (udpd->rev && udpd->rev->command))) {
712 ti = proto_tree_add_text(udp_tree, tvb, offset, 0, "Process Information");
713 PROTO_ITEM_SET_GENERATED(ti);
714 process_tree = proto_item_add_subtree(ti, ett_udp_process_info);
715 if (udpd->fwd && udpd->fwd->command) {
716 proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_dst_uid.id, tvb, 0, 0,
717 udpd->fwd->process_uid, "%u", udpd->fwd->process_uid);
718 proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_dst_pid.id, tvb, 0, 0,
719 udpd->fwd->process_pid, "%u", udpd->fwd->process_pid);
720 proto_tree_add_string_format_value(process_tree, hfi_udp_proc_dst_uname.id, tvb, 0, 0,
721 udpd->fwd->username, "%s", udpd->fwd->username);
722 proto_tree_add_string_format_value(process_tree, hfi_udp_proc_dst_cmd.id, tvb, 0, 0,
723 udpd->fwd->command, "%s", udpd->fwd->command);
725 if (udpd->rev->command) {
726 proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_src_uid.id, tvb, 0, 0,
727 udpd->rev->process_uid, "%u", udpd->rev->process_uid);
728 proto_tree_add_uint_format_value(process_tree, hfi_udp_proc_src_pid.id, tvb, 0, 0,
729 udpd->rev->process_pid, "%u", udpd->rev->process_pid);
730 proto_tree_add_string_format_value(process_tree, hfi_udp_proc_src_uname.id, tvb, 0, 0,
731 udpd->rev->username, "%s", udpd->rev->username);
732 proto_tree_add_string_format_value(process_tree, hfi_udp_proc_src_cmd.id, tvb, 0, 0,
733 udpd->rev->command, "%s", udpd->rev->command);
738 * Call sub-dissectors.
740 * XXX - should we do this if this is included in an error packet?
741 * It might be nice to see the details of the packet that caused the
742 * ICMP error, but it might not be nice to have the dissector update
744 * Also, we probably don't want to run UDP taps on those packets.
746 * We definitely don't want to do it for an error packet if there's
747 * nothing left in the packet.
749 if (!pinfo->flags.in_error_pkt || (tvb_length_remaining(tvb, offset) > 0))
750 decode_udp_ports(tvb, offset, pinfo, tree, udph->uh_sport, udph->uh_dport,
755 dissect_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
757 dissect(tvb, pinfo, tree, IP_PROTO_UDP);
761 dissect_udplite(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
763 dissect(tvb, pinfo, tree, IP_PROTO_UDPLITE);
769 udp_stream_count = 0;
773 proto_register_udp(void)
775 module_t *udp_module;
776 module_t *udplite_module;
777 expert_module_t* expert_udp;
779 #ifndef HAVE_HFI_SECTION_INIT
780 static header_field_info *hfi[] = {
787 &hfi_udp_checksum_good,
788 &hfi_udp_checksum_bad,
789 &hfi_udp_proc_src_uid,
790 &hfi_udp_proc_src_pid,
791 &hfi_udp_proc_src_uname,
792 &hfi_udp_proc_src_cmd,
793 &hfi_udp_proc_dst_uid,
794 &hfi_udp_proc_dst_pid,
795 &hfi_udp_proc_dst_uname,
796 &hfi_udp_proc_dst_cmd,
799 static header_field_info *hfi_lite[] = {
800 &hfi_udplite_checksum_coverage_bad,
801 &hfi_udplite_checksum_coverage,
805 static gint *ett[] = {
808 &ett_udp_process_info
811 static ei_register_info ei[] = {
812 { &ei_udp_possible_traceroute, { "udp.possible_traceroute", PI_SEQUENCE, PI_CHAT, "Possible traceroute", EXPFILL }},
813 { &ei_udp_length, { "udp.length.bad", PI_MALFORMED, PI_ERROR, "Bad length value", EXPFILL }},
814 { &ei_udplite_checksum_coverage, { "udp.checksum_coverage.expert", PI_MALFORMED, PI_ERROR, "Bad checksum coverage length value", EXPFILL }},
815 { &ei_udp_checksum_zero, { "udp.checksum.zero", PI_CHECKSUM, PI_ERROR, "Illegal Checksum value (0)", EXPFILL }},
816 { &ei_udp_checksum_bad, { "udp.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
819 static build_valid_func udp_da_src_values[1] = {udp_src_value};
820 static build_valid_func udp_da_dst_values[1] = {udp_dst_value};
821 static build_valid_func udp_da_both_values[2] = {udp_src_value, udp_dst_value};
822 static decode_as_value_t udp_da_values[3] = {{udp_src_prompt, 1, udp_da_src_values}, {udp_dst_prompt, 1, udp_da_dst_values}, {udp_both_prompt, 2, udp_da_both_values}};
823 static decode_as_t udp_da = {"udp", "Transport", "udp.port", 3, 2, udp_da_values, "UDP", "port(s) as",
824 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
826 int proto_udp, proto_udplite;
828 proto_udp = proto_register_protocol("User Datagram Protocol",
830 hfi_udp = proto_registrar_get_nth(proto_udp);
831 udp_handle = register_dissector("udp", dissect_udp, proto_udp);
832 expert_udp = expert_register_protocol(proto_udp);
833 proto_register_fields(proto_udp, hfi, array_length(hfi));
835 proto_udplite = proto_register_protocol("Lightweight User Datagram Protocol",
836 "UDPlite", "udplite");
837 udplite_handle = create_dissector_handle(dissect_udplite, proto_udplite);
838 hfi_udplite = proto_registrar_get_nth(proto_udplite);
839 proto_register_fields(proto_udplite, hfi_lite, array_length(hfi_lite));
841 proto_register_subtree_array(ett, array_length(ett));
842 expert_register_field_array(expert_udp, ei, array_length(ei));
844 /* subdissector code */
845 udp_dissector_table = register_dissector_table("udp.port",
846 "UDP port", FT_UINT16, BASE_DEC);
847 register_heur_dissector_list("udp", &heur_subdissector_list);
848 register_heur_dissector_list("udplite", &heur_subdissector_list);
850 /* Register configuration preferences */
851 udp_module = prefs_register_protocol(proto_udp, NULL);
852 prefs_register_bool_preference(udp_module, "summary_in_tree",
853 "Show UDP summary in protocol tree",
854 "Whether the UDP summary line should be shown in the protocol tree",
855 &udp_summary_in_tree);
856 prefs_register_bool_preference(udp_module, "try_heuristic_first",
857 "Try heuristic sub-dissectors first",
858 "Try to decode a packet using an heuristic sub-dissector"
859 " before using a sub-dissector registered to a specific port",
860 &try_heuristic_first);
861 prefs_register_bool_preference(udp_module, "check_checksum",
862 "Validate the UDP checksum if possible",
863 "Whether to validate the UDP checksum",
864 &udp_check_checksum);
865 prefs_register_bool_preference(udp_module, "process_info",
866 "Collect process flow information",
867 "Collect process flow information from IPFIX",
870 udplite_module = prefs_register_protocol(proto_udplite, NULL);
871 prefs_register_bool_preference(udplite_module, "ignore_checksum_coverage",
872 "Ignore UDPlite checksum coverage",
873 "Ignore an invalid checksum coverage field and continue dissection",
874 &udplite_ignore_checksum_coverage);
875 prefs_register_bool_preference(udplite_module, "check_checksum",
876 "Validate the UDPlite checksum if possible",
877 "Whether to validate the UDPlite checksum",
878 &udplite_check_checksum);
880 register_decode_as(&udp_da);
882 register_init_routine(udp_init);
887 proto_reg_handoff_udp(void)
889 dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_handle);
890 dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_handle);
891 data_handle = find_dissector("data");
892 udp_tap = register_tap("udp");
893 udp_follow_tap = register_tap("udp_follow");
897 * Editor modelines - http://www.wireshark.org/tools/modelines.html
902 * indent-tabs-mode: nil
905 * vi: set shiftwidth=2 tabstop=8 expandtab:
906 * :indentSize=2:tabSize=8:noTabs=true: