2 * Routines for {fragment,segment} reassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include <epan/reassemble.h>
35 #include <epan/emem.h>
37 #include <epan/dissectors/packet-dcerpc.h>
39 typedef struct _fragment_key {
45 typedef struct _dcerpc_fragment_key {
50 } dcerpc_fragment_key;
52 static GMemChunk *fragment_key_chunk = NULL;
53 static GMemChunk *fragment_data_chunk = NULL;
54 static int fragment_init_count = 200;
56 #define LINK_FRAG(fd_head,fd) \
57 { fragment_data *fd_i; \
58 /* add fragment to list, keep list sorted */ \
59 for(fd_i=(fd_head);fd_i->next;fd_i=fd_i->next){ \
60 if( ((fd)->offset) < (fd_i->next->offset) ) \
63 (fd)->next=fd_i->next; \
68 fragment_equal(gconstpointer k1, gconstpointer k2)
70 const fragment_key* key1 = (const fragment_key*) k1;
71 const fragment_key* key2 = (const fragment_key*) k2;
73 /*key.id is the first item to compare since item is most
74 likely to differ between sessions, thus shortcircuiting
75 the comparasion of addresses.
77 return ( ( (key1->id == key2->id) &&
78 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
79 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
85 fragment_hash(gconstpointer k)
87 const fragment_key* key = (const fragment_key*) k;
95 /* More than likely: in most captures src and dst addresses are the
96 same, and would hash the same.
97 We only use id as the hash as an optimization.
99 for (i = 0; i < key->src.len; i++)
100 hash_val += key->src.data[i];
101 for (i = 0; i < key->dst.len; i++)
102 hash_val += key->dst.data[i];
111 dcerpc_fragment_equal(gconstpointer k1, gconstpointer k2)
113 const dcerpc_fragment_key* key1 = (const dcerpc_fragment_key*) k1;
114 const dcerpc_fragment_key* key2 = (const dcerpc_fragment_key*) k2;
116 /*key.id is the first item to compare since item is most
117 likely to differ between sessions, thus shortcircuiting
118 the comparasion of addresses.
120 return (((key1->id == key2->id)
121 && (ADDRESSES_EQUAL(&key1->src, &key2->src))
122 && (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
123 && (memcmp (&key1->act_id, &key2->act_id, sizeof (e_uuid_t)) == 0))
128 dcerpc_fragment_hash(gconstpointer k)
130 const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k;
136 hash_val += key->act_id.Data1;
137 hash_val += key->act_id.Data2 << 16;
138 hash_val += key->act_id.Data3;
143 typedef struct _reassembled_key {
149 reassembled_equal(gconstpointer k1, gconstpointer k2)
151 const reassembled_key* key1 = (const reassembled_key*) k1;
152 const reassembled_key* key2 = (const reassembled_key*) k2;
155 * We assume that the frame numbers are unlikely to be equal,
156 * so we check them first.
158 return key1->frame == key2->frame && key1->id == key2->id;
162 reassembled_hash(gconstpointer k)
164 const reassembled_key* key = (const reassembled_key*) k;
170 * For a fragment hash table entry, free the address data to which the key
171 * refers and the fragment data to which the value refers.
172 * (The actual key and value structures get freed by "reassemble_init()".)
175 free_all_fragments(gpointer key_arg, gpointer value, gpointer user_data _U_)
177 fragment_key *key = key_arg;
178 fragment_data *fd_head;
181 * Grr. I guess the theory here is that freeing
182 * something sure as heck modifies it, so you
183 * want to ban attempts to free it, but, alas,
184 * if we make the "data" field of an "address"
185 * structure not a "const", the compiler whines if
186 * we try to make it point into the data for a packet,
187 * as that's a "const" array (and should be, as dissectors
188 * shouldn't trash it).
190 * So we cast the complaint into oblivion, and rely on
191 * the fact that these addresses are known to have had
192 * their data mallocated, i.e. they don't point into,
193 * say, the middle of the data for a packet.
195 g_free((gpointer)key->src.data);
196 g_free((gpointer)key->dst.data);
198 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
199 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
200 g_free(fd_head->data);
207 * For a reassembled-packet hash table entry, free the fragment data
208 * to which the value refers.
209 * (The actual value structures get freed by "reassemble_init()".)
212 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
213 gpointer user_data _U_)
215 fragment_data *fd_head;
217 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
218 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED)) {
219 g_free(fd_head->data);
222 * A reassembled packet is inserted into the
223 * hash table once for every frame that made
224 * up the reassembled packet; clear the data
225 * pointer so that we only free the data the
226 * first time we see it.
228 fd_head->data = NULL;
236 * Initialize a fragment table.
239 fragment_table_init(GHashTable **fragment_table)
241 if (*fragment_table != NULL) {
243 * The fragment hash table exists.
245 * Remove all entries and free fragment data for
246 * each entry. (The key and value data is freed
247 * by "reassemble_init()".)
249 g_hash_table_foreach_remove(*fragment_table,
250 free_all_fragments, NULL);
252 /* The fragment table does not exist. Create it */
253 *fragment_table = g_hash_table_new(fragment_hash,
259 dcerpc_fragment_table_init(GHashTable **fragment_table)
261 if (*fragment_table != NULL) {
263 * The fragment hash table exists.
265 * Remove all entries and free fragment data for
266 * each entry. (The key and value data is freed
267 * by "reassemble_init()".)
269 g_hash_table_foreach_remove(*fragment_table,
270 free_all_fragments, NULL);
272 /* The fragment table does not exist. Create it */
273 *fragment_table = g_hash_table_new(dcerpc_fragment_hash,
274 dcerpc_fragment_equal);
279 * Initialize a reassembled-packet table.
282 reassembled_table_init(GHashTable **reassembled_table)
284 if (*reassembled_table != NULL) {
286 * The reassembled-packet hash table exists.
288 * Remove all entries and free reassembled packet
289 * data for each entry. (The key data is freed
290 * by "reassemble_init()".)
292 g_hash_table_foreach_remove(*reassembled_table,
293 free_all_reassembled_fragments, NULL);
295 /* The fragment table does not exist. Create it */
296 *reassembled_table = g_hash_table_new(reassembled_hash,
302 * Free up all space allocated for fragment keys and data and
306 reassemble_init(void)
308 if (fragment_key_chunk != NULL)
309 g_mem_chunk_destroy(fragment_key_chunk);
310 if (fragment_data_chunk != NULL)
311 g_mem_chunk_destroy(fragment_data_chunk);
312 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
313 sizeof(fragment_key),
314 fragment_init_count * sizeof(fragment_key),
316 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
317 sizeof(fragment_data),
318 fragment_init_count * sizeof(fragment_data),
322 /* This function cleans up the stored state and removes the reassembly data and
323 * (with one exception) all allocated memory for matching reassembly.
326 * If the PDU was already completely reassembled, then the buffer containing the
327 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
329 * Othervise the function will return NULL.
331 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
332 * g_free() that buffer.
335 fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
337 fragment_data *fd_head, *fd;
339 unsigned char *data=NULL;
341 /* create key to search hash with */
342 key.src = pinfo->src;
343 key.dst = pinfo->dst;
346 fd_head = g_hash_table_lookup(fragment_table, &key);
349 /* We do not recognize this as a PDU we have seen before. return*/
354 /* loop over all partial fragments and free any buffers */
355 for(fd=fd_head->next;fd;){
356 fragment_data *tmp_fd;
359 if( !(fd->flags&FD_NOT_MALLOCED) )
361 g_mem_chunk_free(fragment_data_chunk, fd);
364 g_mem_chunk_free(fragment_data_chunk, fd_head);
365 g_hash_table_remove(fragment_table, &key);
370 /* This function is used to check if there is partial or completed reassembly state
371 * matching this packet. I.e. Are there reassembly going on or not for this packet?
374 fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
376 fragment_data *fd_head;
379 /* create key to search hash with */
380 key.src = pinfo->src;
381 key.dst = pinfo->dst;
384 fd_head = g_hash_table_lookup(fragment_table, &key);
389 /* id *must* be the frame number for this to work! */
391 fragment_get_reassembled(packet_info *pinfo, guint32 id, GHashTable *reassembled_table)
393 fragment_data *fd_head;
396 /* create key to search hash with */
399 fd_head = g_hash_table_lookup(reassembled_table, &key);
405 fragment_get_reassembled_id(packet_info *pinfo, guint32 id, GHashTable *reassembled_table)
407 fragment_data *fd_head;
410 /* create key to search hash with */
411 key.frame = pinfo->fd->num;
413 fd_head = g_hash_table_lookup(reassembled_table, &key);
418 /* This function can be used to explicitely set the total length (if known)
419 * for reassembly of a PDU.
420 * This is useful for reassembly of PDUs where one may have the total length specified
421 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
422 * is the last fragment.
424 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
425 * and just tell the reassembly engine the expected total length of the reassembled data
426 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
428 * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
429 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
430 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
433 fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table,
436 fragment_data *fd_head;
439 /* create key to search hash with */
440 key.src = pinfo->src;
441 key.dst = pinfo->dst;
444 fd_head = g_hash_table_lookup(fragment_table, &key);
447 fd_head->datalen = tot_len;
454 fragment_get_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
456 fragment_data *fd_head;
459 /* create key to search hash with */
460 key.src = pinfo->src;
461 key.dst = pinfo->dst;
464 fd_head = g_hash_table_lookup(fragment_table, &key);
467 return fd_head->datalen;
474 /* This function will set the partial reassembly flag for a fh.
475 When this function is called, the fh MUST already exist, i.e.
476 the fh MUST be created by the initial call to fragment_add() before
477 this function is called.
478 Also note that this function MUST be called to indicate a fh will be
479 extended (increase the already stored data)
483 fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
485 fragment_data *fd_head;
488 /* create key to search hash with */
489 key.src = pinfo->src;
490 key.dst = pinfo->dst;
493 fd_head = g_hash_table_lookup(fragment_table, &key);
496 * XXX - why not do all the stuff done early in "fragment_add_work()",
497 * turning off FD_DEFRAGMENTED and pointing the fragments' data
498 * pointers to the appropriate part of the already-reassembled
499 * data, and clearing the data length and "reassembled in" frame
500 * number, here? We currently have a hack in the TCP dissector
501 * not to set the "reassembled in" value if the "partial reassembly"
502 * flag is set, so that in the first pass through the packets
503 * we don't falsely set a packet as reassembled in that packet
504 * if the dissector decided that even more reassembly was needed.
507 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
512 * This function gets rid of an entry from a fragment table, given
513 * a pointer to the key for that entry; it also frees up the key
514 * and the addresses in it.
517 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
520 * Remove the entry from the fragment table.
522 g_hash_table_remove(fragment_table, key);
525 * Free up the copies of the addresses from the old key.
527 g_free((gpointer)key->src.data);
528 g_free((gpointer)key->dst.data);
531 * Free the key itself.
533 g_mem_chunk_free(fragment_key_chunk, key);
537 * This function adds fragment_data structure to a reassembled-packet
538 * hash table, using the frame numbers of each of the frames from
539 * which it was reassembled as keys, and sets the "reassembled_in"
543 fragment_reassembled(fragment_data *fd_head, packet_info *pinfo,
544 GHashTable *reassembled_table, guint32 id)
546 reassembled_key *new_key;
549 if (fd_head->next == NULL) {
551 * This was not fragmented, so there's no fragment
552 * table; just hash it using the current frame number.
554 new_key = se_alloc(sizeof(reassembled_key));
555 new_key->frame = pinfo->fd->num;
557 g_hash_table_insert(reassembled_table, new_key, fd_head);
560 * Hash it with the frame numbers for all the frames.
562 for (fd = fd_head->next; fd != NULL; fd = fd->next){
563 new_key = se_alloc(sizeof(reassembled_key));
564 new_key->frame = fd->frame;
566 g_hash_table_insert(reassembled_table, new_key,
570 fd_head->flags |= FD_DEFRAGMENTED;
571 fd_head->reassembled_in = pinfo->fd->num;
575 * This function adds a new fragment to the fragment hash table.
576 * If this is the first fragment seen for this datagram, a new entry
577 * is created in the hash table, otherwise this fragment is just added
578 * to the linked list of fragments for this packet.
579 * The list of fragments for a specific datagram is kept sorted for
582 * Returns a pointer to the head of the fragment data list if we have all the
583 * fragments, NULL otherwise.
585 * This function assumes frag_offset being a byte offset into the defragment
589 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
590 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
591 * using fragment_set_partial_reassembly() before calling fragment_add
592 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
593 * are lowered when a new extension process is started.
596 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
597 packet_info *pinfo, guint32 frag_offset,
598 guint32 frag_data_len, gboolean more_frags)
603 unsigned char *old_data;
605 /* create new fd describing this fragment */
606 fd = g_mem_chunk_alloc(fragment_data_chunk);
609 fd->frame = pinfo->fd->num;
610 fd->offset = frag_offset;
611 fd->len = frag_data_len;
615 * If it was already defragmented and this new fragment goes beyond
616 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
618 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
619 fd_head->flags & FD_PARTIAL_REASSEMBLY){
620 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
622 fd_i->data = fd_head->data + fd_i->offset;
623 fd_i->flags |= FD_NOT_MALLOCED;
625 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
627 fd_head->flags ^= FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY;
628 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
630 fd_head->reassembled_in=0;
635 * This is the tail fragment in the sequence.
637 if (fd_head->datalen) {
638 /* ok we have already seen other tails for this packet
639 * it might be a duplicate.
641 if (fd_head->datalen != (fd->offset + fd->len) ){
642 /* Oops, this tail indicates a different packet
643 * len than the previous ones. Somethings wrong
645 fd->flags |= FD_MULTIPLETAILS;
646 fd_head->flags |= FD_MULTIPLETAILS;
649 /* this was the first tail fragment, now we know the
650 * length of the packet
652 fd_head->datalen = fd->offset + fd->len;
659 /* If the packet is already defragmented, this MUST be an overlap.
660 * The entire defragmented packet is in fd_head->data
661 * Even if we have previously defragmented this packet, we still check
662 * check it. Someone might play overlap and TTL games.
664 if (fd_head->flags & FD_DEFRAGMENTED) {
665 fd->flags |= FD_OVERLAP;
666 fd_head->flags |= FD_OVERLAP;
667 /* make sure its not too long */
668 if (fd->offset + fd->len > fd_head->datalen) {
669 fd->flags |= FD_TOOLONGFRAGMENT;
670 fd_head->flags |= FD_TOOLONGFRAGMENT;
671 LINK_FRAG(fd_head,fd);
674 /* make sure it doesnt conflict with previous data */
675 if ( memcmp(fd_head->data+fd->offset,
676 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
677 fd->flags |= FD_OVERLAPCONFLICT;
678 fd_head->flags |= FD_OVERLAPCONFLICT;
679 LINK_FRAG(fd_head,fd);
682 /* it was just an overlap, link it and return */
683 LINK_FRAG(fd_head,fd);
689 /* If we have reached this point, the packet is not defragmented yet.
690 * Save all payload in a buffer until we can defragment.
691 * XXX - what if we didn't capture the entire fragment due
692 * to a too-short snapshot length?
694 fd->data = g_malloc(fd->len);
695 tvb_memcpy(tvb, fd->data, offset, fd->len);
696 LINK_FRAG(fd_head,fd);
699 if( !(fd_head->datalen) ){
700 /* if we dont know the datalen, there are still missing
701 * packets. Cheaper than the check below.
708 * Check if we have received the entire fragment.
709 * This is easy since the list is sorted and the head is faked.
711 * First, we compute the amount of contiguous data that's
712 * available. (The check for fd_i->offset <= max rules out
713 * fragments that don't start before or at the end of the
714 * previous fragment, i.e. fragments that have a gap between
715 * them and the previous fragment.)
718 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
719 if ( ((fd_i->offset)<=max) &&
720 ((fd_i->offset+fd_i->len)>max) ){
721 max = fd_i->offset+fd_i->len;
725 if (max < (fd_head->datalen)) {
727 * The amount of contiguous data we have is less than the
728 * amount of data we're trying to reassemble, so we haven't
729 * received all packets yet.
735 if (max > (fd_head->datalen)) {
736 /*XXX not sure if current fd was the TOOLONG*/
737 /*XXX is it fair to flag current fd*/
738 /* oops, too long fragment detected */
739 fd->flags |= FD_TOOLONGFRAGMENT;
740 fd_head->flags |= FD_TOOLONGFRAGMENT;
743 /* we have received an entire packet, defragment it and
746 /* store old data just in case */
747 old_data=fd_head->data;
748 fd_head->data = g_malloc(max);
750 /* add all data fragments */
751 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
753 if (fd_i->offset < dfpos) {
754 fd_i->flags |= FD_OVERLAP;
755 fd_head->flags |= FD_OVERLAP;
756 if ( memcmp(fd_head->data+fd_i->offset,
758 MIN(fd_i->len,(dfpos-fd_i->offset))
760 fd_i->flags |= FD_OVERLAPCONFLICT;
761 fd_head->flags |= FD_OVERLAPCONFLICT;
764 /* dfpos is always >= than fd_i->offset */
765 /* No gaps can exist here, max_loop(above) does this */
766 /* XXX - true? Can we get fd_i->offset+fd-i->len */
767 /* overflowing, for example? */
768 if( fd_i->offset+fd_i->len > dfpos ) {
769 if (fd_i->offset+fd_i->len > max)
770 g_warning("Reassemble error in frame %u: offset %u + len %u > max %u",
771 pinfo->fd->num, fd_i->offset,
773 else if (dfpos < fd_i->offset)
774 g_warning("Reassemble error in frame %u: dfpos %u < offset %u",
775 pinfo->fd->num, dfpos, fd_i->offset);
776 else if (dfpos-fd_i->offset > fd_i->len)
777 g_warning("Reassemble error in frame %u: dfpos %u - offset %u > len %u",
778 pinfo->fd->num, dfpos, fd_i->offset,
781 memcpy(fd_head->data+dfpos,
782 fd_i->data+(dfpos-fd_i->offset),
783 fd_i->len-(dfpos-fd_i->offset));
785 if (fd_i->offset+fd_i->len < fd_i->offset)
786 g_warning("Reassemble error in frame %u: offset %u + len %u < offset",
787 pinfo->fd->num, fd_i->offset,
790 if( fd_i->flags & FD_NOT_MALLOCED )
791 fd_i->flags &= ~FD_NOT_MALLOCED;
796 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
802 /* mark this packet as defragmented.
803 allows us to skip any trailing fragments */
804 fd_head->flags |= FD_DEFRAGMENTED;
805 fd_head->reassembled_in=pinfo->fd->num;
810 static fragment_data *
811 fragment_add_common(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
812 GHashTable *fragment_table, guint32 frag_offset,
813 guint32 frag_data_len, gboolean more_frags,
814 gboolean check_already_added)
816 fragment_key key, *new_key;
817 fragment_data *fd_head;
818 fragment_data *fd_item;
819 gboolean already_added=pinfo->fd->flags.visited;
822 /* dissector shouldn't give us garbage tvb info */
823 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
825 /* create key to search hash with */
826 key.src = pinfo->src;
827 key.dst = pinfo->dst;
830 fd_head = g_hash_table_lookup(fragment_table, &key);
833 /* debug output of associated fragments. */
834 /* leave it here for future debugging sessions */
835 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
836 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
837 pinfo->current_proto, pinfo->fd->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
838 if(fd_head != NULL) {
839 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
840 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
841 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
848 * "already_added" is true if "pinfo->fd->flags.visited" is true;
849 * if "pinfo->fd->flags.visited", this isn't the first pass, so
850 * we've already done all the reassembly and added all the
853 * If it's not true, but "check_already_added" is true, just check
854 * if we have seen this fragment before, i.e., if we have already
855 * added it to reassembly.
856 * That can be true even if "pinfo->fd->flags.visited" is false
857 * since we sometimes might call a subdissector multiple times.
858 * As an additional check, just make sure we have not already added
859 * this frame to the reassembly list, if there is a reassembly list;
860 * note that the first item in the reassembly list is not a
861 * fragment, it's a data structure for the reassembled packet.
862 * We don't check it because its "frame" member isn't initialized
863 * to anything, and because it doesn't count in any case.
865 * And as another additional check, make sure the fragment offsets are
866 * the same, as otherwise we get into trouble if multiple fragments
869 if (!already_added && check_already_added && fd_head != NULL) {
870 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
871 if(pinfo->fd->num==fd_item->frame && frag_offset==fd_item->offset){
876 /* have we already added this frame ?*/
878 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
886 /* not found, this must be the first snooped fragment for this
887 * packet. Create list-head.
889 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
891 /* head/first structure in list only holds no other data than
892 * 'datalen' then we don't have to change the head of the list
893 * even if we want to keep it sorted
901 fd_head->reassembled_in=0;
904 * We're going to use the key to insert the fragment,
905 * so allocate a structure for it, and copy the
906 * addresses, allocating new buffers for the address
909 new_key = g_mem_chunk_alloc(fragment_key_chunk);
910 COPY_ADDRESS(&new_key->src, &key.src);
911 COPY_ADDRESS(&new_key->dst, &key.dst);
912 new_key->id = key.id;
913 g_hash_table_insert(fragment_table, new_key, fd_head);
916 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
917 frag_data_len, more_frags)) {
919 * Reassembly is complete.
924 * Reassembly isn't complete.
931 fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
932 GHashTable *fragment_table, guint32 frag_offset,
933 guint32 frag_data_len, gboolean more_frags)
935 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
936 frag_offset, frag_data_len, more_frags, TRUE);
940 * For use when you can have multiple fragments in the same frame added
941 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
944 fragment_add_multiple_ok(tvbuff_t *tvb, int offset, packet_info *pinfo,
945 guint32 id, GHashTable *fragment_table,
946 guint32 frag_offset, guint32 frag_data_len,
949 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
950 frag_offset, frag_data_len, more_frags, FALSE);
954 fragment_add_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
955 guint32 id, GHashTable *fragment_table,
956 GHashTable *reassembled_table, guint32 frag_offset,
957 guint32 frag_data_len, gboolean more_frags)
959 reassembled_key reass_key;
960 fragment_key key, *new_key, *old_key;
961 gpointer orig_key, value;
962 fragment_data *fd_head;
965 * If this isn't the first pass, look for this frame in the table
966 * of reassembled packets.
968 if (pinfo->fd->flags.visited) {
969 reass_key.frame = pinfo->fd->num;
971 return g_hash_table_lookup(reassembled_table, &reass_key);
974 /* create key to search hash with */
975 key.src = pinfo->src;
976 key.dst = pinfo->dst;
979 if (!g_hash_table_lookup_extended(fragment_table, &key,
980 &orig_key, &value)) {
981 /* not found, this must be the first snooped fragment for this
982 * packet. Create list-head.
984 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
986 /* head/first structure in list only holds no other data than
987 * 'datalen' then we don't have to change the head of the list
988 * even if we want to keep it sorted
996 fd_head->reassembled_in=0;
999 * We're going to use the key to insert the fragment,
1000 * so allocate a structure for it, and copy the
1001 * addresses, allocating new buffers for the address
1004 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1005 COPY_ADDRESS(&new_key->src, &key.src);
1006 COPY_ADDRESS(&new_key->dst, &key.dst);
1007 new_key->id = key.id;
1008 g_hash_table_insert(fragment_table, new_key, fd_head);
1010 orig_key = new_key; /* for unhashing it later */
1019 * If this is a short frame, then we can't, and don't, do
1020 * reassembly on it. We just give up.
1022 if (tvb_reported_length(tvb) > tvb_length(tvb))
1025 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1026 frag_data_len, more_frags)) {
1028 * Reassembly is complete.
1029 * Remove this from the table of in-progress
1030 * reassemblies, add it to the table of
1031 * reassembled packets, and return it.
1035 * Remove this from the table of in-progress reassemblies,
1036 * and free up any memory used for it in that table.
1039 fragment_unhash(fragment_table, old_key);
1042 * Add this item to the table of reassembled packets.
1044 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1048 * Reassembly isn't complete.
1055 * This function adds a new fragment to the entry for a reassembly
1058 * The list of fragments for a specific datagram is kept sorted for
1061 * Returns TRUE if we have all the fragments, FALSE otherwise.
1063 * This function assumes frag_number being a block sequence number.
1064 * The bsn for the first block is 0.
1067 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
1068 packet_info *pinfo, guint32 frag_number,
1069 guint32 frag_data_len, gboolean more_frags)
1072 fragment_data *fd_i;
1073 fragment_data *last_fd;
1074 guint32 max, dfpos, size;
1076 /* create new fd describing this fragment */
1077 fd = g_mem_chunk_alloc(fragment_data_chunk);
1080 fd->frame = pinfo->fd->num;
1081 fd->offset = frag_number;
1082 fd->len = frag_data_len;
1087 * This is the tail fragment in the sequence.
1089 if (fd_head->datalen) {
1090 /* ok we have already seen other tails for this packet
1091 * it might be a duplicate.
1093 if (fd_head->datalen != fd->offset ){
1094 /* Oops, this tail indicates a different packet
1095 * len than the previous ones. Somethings wrong
1097 fd->flags |= FD_MULTIPLETAILS;
1098 fd_head->flags |= FD_MULTIPLETAILS;
1101 /* this was the first tail fragment, now we know the
1102 * sequence number of that fragment (which is NOT
1103 * the length of the packet!)
1105 fd_head->datalen = fd->offset;
1109 /* If the packet is already defragmented, this MUST be an overlap.
1110 * The entire defragmented packet is in fd_head->data
1111 * Even if we have previously defragmented this packet, we still check
1112 * check it. Someone might play overlap and TTL games.
1114 if (fd_head->flags & FD_DEFRAGMENTED) {
1115 fd->flags |= FD_OVERLAP;
1116 fd_head->flags |= FD_OVERLAP;
1118 /* make sure it's not past the end */
1119 if (fd->offset > fd_head->datalen) {
1120 /* new fragment comes after the end */
1121 fd->flags |= FD_TOOLONGFRAGMENT;
1122 fd_head->flags |= FD_TOOLONGFRAGMENT;
1123 LINK_FRAG(fd_head,fd);
1126 /* make sure it doesnt conflict with previous data */
1129 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1130 if (!last_fd || last_fd->offset!=fd_i->offset){
1136 /* new fragment overlaps existing fragment */
1137 if(fd_i->len!=fd->len){
1139 * They have different lengths; this
1140 * is definitely a conflict.
1142 fd->flags |= FD_OVERLAPCONFLICT;
1143 fd_head->flags |= FD_OVERLAPCONFLICT;
1144 LINK_FRAG(fd_head,fd);
1147 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1148 if ( memcmp(fd_head->data+dfpos,
1149 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1151 * They have the same length, but the
1152 * data isn't the same.
1154 fd->flags |= FD_OVERLAPCONFLICT;
1155 fd_head->flags |= FD_OVERLAPCONFLICT;
1156 LINK_FRAG(fd_head,fd);
1159 /* it was just an overlap, link it and return */
1160 LINK_FRAG(fd_head,fd);
1164 * New fragment doesn't overlap an existing
1165 * fragment - there was presumably a gap in
1166 * the sequence number space.
1168 * XXX - what should we do here? Is it always
1169 * the case that there are no gaps, or are there
1170 * protcols using sequence numbers where there
1173 * If the former, the check below for having
1174 * received all the fragments should check for
1175 * holes in the sequence number space and for the
1176 * first sequence number being 0. If we do that,
1177 * the only way we can get here is if this fragment
1178 * is past the end of the sequence number space -
1179 * but the check for "fd->offset > fd_head->datalen"
1180 * would have caught that above, so it can't happen.
1182 * If the latter, we don't have a good way of
1183 * knowing whether reassembly is complete if we
1184 * get packet out of order such that the "last"
1185 * fragment doesn't show up last - but, unless
1186 * in-order reliable delivery of fragments is
1187 * guaranteed, an implementation of the protocol
1188 * has no way of knowing whether reassembly is
1191 * For now, we just link the fragment in and
1194 LINK_FRAG(fd_head,fd);
1199 /* If we have reached this point, the packet is not defragmented yet.
1200 * Save all payload in a buffer until we can defragment.
1201 * XXX - what if we didn't capture the entire fragment due
1202 * to a too-short snapshot length?
1204 /* check len, ther may be a fragment with 0 len, that is actually the tail */
1206 fd->data = g_malloc(fd->len);
1207 tvb_memcpy(tvb, fd->data, offset, fd->len);
1209 LINK_FRAG(fd_head,fd);
1212 if( !(fd_head->datalen) ){
1213 /* if we dont know the sequence number of the last fragment,
1214 * there are definitely still missing packets. Cheaper than
1221 /* check if we have received the entire fragment
1222 * this is easy since the list is sorted and the head is faked.
1225 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1226 if ( fd_i->offset==max ){
1230 /* max will now be datalen+1 if all fragments have been seen */
1232 if (max <= fd_head->datalen) {
1233 /* we have not received all packets yet */
1238 if (max > (fd_head->datalen+1)) {
1239 /* oops, too long fragment detected */
1240 fd->flags |= FD_TOOLONGFRAGMENT;
1241 fd_head->flags |= FD_TOOLONGFRAGMENT;
1245 /* we have received an entire packet, defragment it and
1246 * free all fragments
1250 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1251 if(!last_fd || last_fd->offset!=fd_i->offset){
1256 fd_head->data = g_malloc(size);
1257 fd_head->len = size; /* record size for caller */
1259 /* add all data fragments */
1262 for (fd_i=fd_head->next;fd_i && fd_i->len + dfpos <= size;fd_i=fd_i->next) {
1264 if(!last_fd || last_fd->offset!=fd_i->offset){
1265 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
1268 /* duplicate/retransmission/overlap */
1269 fd_i->flags |= FD_OVERLAP;
1270 fd_head->flags |= FD_OVERLAP;
1271 if( (last_fd->len!=fd_i->datalen)
1272 || memcmp(last_fd->data, fd_i->data, last_fd->len) ){
1273 fd->flags |= FD_OVERLAPCONFLICT;
1274 fd_head->flags |= FD_OVERLAPCONFLICT;
1281 /* we have defragmented the pdu, now free all fragments*/
1282 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1289 /* mark this packet as defragmented.
1290 allows us to skip any trailing fragments */
1291 fd_head->flags |= FD_DEFRAGMENTED;
1292 fd_head->reassembled_in=pinfo->fd->num;
1298 * This function adds a new fragment to the fragment hash table.
1299 * If this is the first fragment seen for this datagram, a new entry
1300 * is created in the hash table, otherwise this fragment is just added
1301 * to the linked list of fragments for this packet.
1303 * Returns a pointer to the head of the fragment data list if we have all the
1304 * fragments, NULL otherwise.
1306 * This function assumes frag_number being a block sequence number.
1307 * The bsn for the first block is 0.
1310 fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
1311 GHashTable *fragment_table, guint32 frag_number,
1312 guint32 frag_data_len, gboolean more_frags)
1314 fragment_key key, *new_key;
1315 fragment_data *fd_head;
1317 /* create key to search hash with */
1318 key.src = pinfo->src;
1319 key.dst = pinfo->dst;
1322 fd_head = g_hash_table_lookup(fragment_table, &key);
1324 /* have we already seen this frame ?*/
1325 if (pinfo->fd->flags.visited) {
1326 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1334 /* not found, this must be the first snooped fragment for this
1335 * packet. Create list-head.
1337 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1339 /* head/first structure in list only holds no other data than
1340 * 'datalen' then we don't have to change the head of the list
1341 * even if we want to keep it sorted
1347 fd_head->flags=FD_BLOCKSEQUENCE;
1349 fd_head->reassembled_in=0;
1352 * We're going to use the key to insert the fragment,
1353 * so allocate a structure for it, and copy the
1354 * addresses, allocating new buffers for the address
1357 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1358 COPY_ADDRESS(&new_key->src, &key.src);
1359 COPY_ADDRESS(&new_key->dst, &key.dst);
1360 new_key->id = key.id;
1361 g_hash_table_insert(fragment_table, new_key, fd_head);
1364 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1365 frag_number, frag_data_len, more_frags)) {
1367 * Reassembly is complete.
1372 * Reassembly isn't complete.
1379 fragment_add_dcerpc_dg(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
1381 GHashTable *fragment_table, guint32 frag_number,
1382 guint32 frag_data_len, gboolean more_frags)
1384 dcerpc_fragment_key key, *new_key;
1385 fragment_data *fd_head;
1386 e_uuid_t *act_id = (e_uuid_t *)v_act_id;
1388 /* create key to search hash with */
1389 key.src = pinfo->src;
1390 key.dst = pinfo->dst;
1392 key.act_id = *act_id;
1394 fd_head = g_hash_table_lookup(fragment_table, &key);
1396 /* have we already seen this frame ?*/
1397 if (pinfo->fd->flags.visited) {
1398 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1406 /* not found, this must be the first snooped fragment for this
1407 * packet. Create list-head.
1409 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1411 /* head/first structure in list only holds no other data than
1412 * 'datalen' then we don't have to change the head of the list
1413 * even if we want to keep it sorted
1419 fd_head->flags=FD_BLOCKSEQUENCE;
1421 fd_head->reassembled_in=0;
1424 * We're going to use the key to insert the fragment,
1425 * so allocate a structure for it, and copy the
1426 * addresses, allocating new buffers for the address
1429 new_key = se_alloc(sizeof(dcerpc_fragment_key));
1430 COPY_ADDRESS(&new_key->src, &key.src);
1431 COPY_ADDRESS(&new_key->dst, &key.dst);
1432 new_key->id = key.id;
1433 new_key->act_id = key.act_id;
1434 g_hash_table_insert(fragment_table, new_key, fd_head);
1437 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1438 frag_number, frag_data_len, more_frags)) {
1440 * Reassembly is complete.
1445 * Reassembly isn't complete.
1452 * This does the work for "fragment_add_seq_check()" and
1453 * "fragment_add_seq_next()".
1455 * This function assumes frag_number being a block sequence number.
1456 * The bsn for the first block is 0.
1458 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1459 * as the fragment number if there is a reassembly in progress, otherwise
1462 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1463 * the fragment number.
1465 * If this is the first fragment seen for this datagram, a new
1466 * "fragment_data" structure is allocated to refer to the reassembled,
1469 * if "more_frags" is false and "frag_802_11_hack" is true, the
1470 * structure is not added to the hash table, and not given any
1471 * fragments to refer to, but is just returned - this is a special
1472 * hack for the 802.11 dissector (see packet-80211.c);
1474 * otherwise, this fragment is added to the linked list of fragments
1475 * for this packet, and the "fragment_data" structure is put into
1478 * Otherwise, this fragment is just added to the linked list of fragments
1481 * If, after processing this fragment, we have all the fragments,
1482 * "fragment_add_seq_check_work()" removes that from the fragment hash
1483 * table if necessary and adds it to the table of reassembled fragments,
1484 * and returns a pointer to the head of the fragment list.
1486 * If this is the first fragment we've seen, and "more_frags" is false
1487 * and "frag_802_11_hack" is true, "fragment_add_seq_check_work()" does
1488 * nothing to the fragment data list, and returns a pointer to the head
1489 * of that (empty) list.
1491 * Otherwise, it returns NULL.
1493 * XXX - Should we simply return NULL for zero-length fragments?
1495 static fragment_data *
1496 fragment_add_seq_check_work(tvbuff_t *tvb, int offset, packet_info *pinfo,
1497 guint32 id, GHashTable *fragment_table,
1498 GHashTable *reassembled_table, guint32 frag_number,
1499 guint32 frag_data_len, gboolean more_frags,
1500 gboolean no_frag_number, gboolean frag_802_11_hack)
1502 reassembled_key reass_key;
1503 fragment_key key, *new_key, *old_key;
1504 gpointer orig_key, value;
1505 fragment_data *fd_head, *fd;
1508 * Have we already seen this frame?
1509 * If so, look for it in the table of reassembled packets.
1511 if (pinfo->fd->flags.visited) {
1512 reass_key.frame = pinfo->fd->num;
1514 return g_hash_table_lookup(reassembled_table, &reass_key);
1517 /* create key to search hash with */
1518 key.src = pinfo->src;
1519 key.dst = pinfo->dst;
1522 if (!g_hash_table_lookup_extended(fragment_table, &key,
1523 &orig_key, &value)) {
1524 /* not found, this must be the first snooped fragment for this
1525 * packet. Create list-head.
1527 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1529 /* head/first structure in list only holds no other data than
1530 * 'datalen' then we don't have to change the head of the list
1531 * even if we want to keep it sorted
1537 fd_head->flags=FD_BLOCKSEQUENCE;
1539 fd_head->reassembled_in=0;
1541 if ((no_frag_number || frag_802_11_hack) && !more_frags) {
1543 * This is the last fragment for this packet, and
1544 * is the only one we've seen.
1546 * Either we don't have sequence numbers, in which
1547 * case we assume this is the first fragment for
1548 * this packet, or we're doing special 802.11
1549 * processing, in which case we assume it's one
1550 * of those reassembled packets with a non-zero
1551 * fragment number (see packet-80211.c); just
1552 * add the fragment to the table of reassembled
1553 * packets, and return a pointer to the head of
1556 fragment_reassembled(fd_head, pinfo,
1557 reassembled_table, id);
1562 * We're going to use the key to insert the fragment,
1563 * so allocate a structure for it, and copy the
1564 * addresses, allocating new buffers for the address
1567 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1568 COPY_ADDRESS(&new_key->src, &key.src);
1569 COPY_ADDRESS(&new_key->dst, &key.dst);
1570 new_key->id = key.id;
1571 g_hash_table_insert(fragment_table, new_key, fd_head);
1573 orig_key = new_key; /* for unhashing it later */
1576 * If we weren't given an initial fragment number,
1588 * If we weren't given an initial fragment number,
1589 * use the next expected fragment number as the fragment
1590 * number for this fragment.
1592 if (no_frag_number) {
1593 for (fd = fd_head; fd != NULL; fd = fd->next) {
1594 if (fd->next == NULL)
1595 frag_number = fd->offset + 1;
1601 * If we don't have all the data that is in this fragment,
1602 * then we can't, and don't, do reassembly on it.
1604 * If it's the first frame, handle it as an unfragmented packet.
1605 * Otherwise, just handle it as a fragment.
1607 * If "more_frags" isn't set, we get rid of the entry in the
1608 * hash table for this reassembly, as we don't need it any more.
1610 if (!tvb_bytes_exist(tvb, offset, frag_data_len)) {
1613 * Remove this from the table of in-progress
1614 * reassemblies, and free up any memory used for
1618 fragment_unhash(fragment_table, old_key);
1620 return frag_number == 0 ? fd_head : NULL;
1623 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1624 frag_number, frag_data_len, more_frags)) {
1626 * Reassembly is complete.
1627 * Remove this from the table of in-progress
1628 * reassemblies, add it to the table of
1629 * reassembled packets, and return it.
1633 * Remove this from the table of in-progress reassemblies,
1634 * and free up any memory used for it in that table.
1637 fragment_unhash(fragment_table, old_key);
1640 * Add this item to the table of reassembled packets.
1642 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1646 * Reassembly isn't complete.
1653 fragment_add_seq_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
1654 guint32 id, GHashTable *fragment_table,
1655 GHashTable *reassembled_table, guint32 frag_number,
1656 guint32 frag_data_len, gboolean more_frags)
1658 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1659 fragment_table, reassembled_table, frag_number, frag_data_len,
1660 more_frags, FALSE, FALSE);
1664 fragment_add_seq_802_11(tvbuff_t *tvb, int offset, packet_info *pinfo,
1665 guint32 id, GHashTable *fragment_table,
1666 GHashTable *reassembled_table, guint32 frag_number,
1667 guint32 frag_data_len, gboolean more_frags)
1669 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1670 fragment_table, reassembled_table, frag_number, frag_data_len,
1671 more_frags, FALSE, TRUE);
1675 fragment_add_seq_next(tvbuff_t *tvb, int offset, packet_info *pinfo,
1676 guint32 id, GHashTable *fragment_table,
1677 GHashTable *reassembled_table, guint32 frag_data_len,
1678 gboolean more_frags)
1680 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1681 fragment_table, reassembled_table, 0, frag_data_len,
1682 more_frags, TRUE, FALSE);
1686 * Process reassembled data; if we're on the frame in which the data
1687 * was reassembled, put the fragment information into the protocol
1688 * tree, and construct a tvbuff with the reassembled data, otherwise
1689 * just put a "reassembled in" item into the protocol tree.
1692 process_reassembled_data(tvbuff_t *tvb, int offset, packet_info *pinfo,
1693 const char *name, fragment_data *fd_head, const fragment_items *fit,
1694 gboolean *update_col_infop, proto_tree *tree)
1697 gboolean update_col_info;
1698 proto_item *frag_tree_item;
1700 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
1702 * OK, we've reassembled this.
1703 * Is this something that's been reassembled from more
1704 * than one fragment?
1706 if (fd_head->next != NULL) {
1709 * Allocate a new tvbuff, referring to the
1710 * reassembled payload.
1712 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1713 next_tvb = tvb_new_real_data(fd_head->data,
1714 fd_head->len, fd_head->len);
1716 next_tvb = tvb_new_real_data(fd_head->data,
1717 fd_head->datalen, fd_head->datalen);
1721 * Add the tvbuff to the list of tvbuffs to which
1722 * the tvbuff we were handed refers, so it'll get
1723 * cleaned up when that tvbuff is cleaned up.
1725 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1727 /* Add the defragmented data to the data source list. */
1728 add_new_data_source(pinfo, next_tvb, name);
1730 /* show all fragments */
1731 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1732 update_col_info = !show_fragment_seq_tree(
1733 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
1735 update_col_info = !show_fragment_tree(fd_head,
1736 fit, tree, pinfo, next_tvb, &frag_tree_item);
1741 * Return a tvbuff with the payload.
1743 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
1744 pinfo->fragmented = FALSE; /* one-fragment packet */
1745 update_col_info = TRUE;
1747 if (update_col_infop != NULL)
1748 *update_col_infop = update_col_info;
1751 * We don't have the complete reassembled payload, or this
1752 * isn't the final frame of that payload.
1757 * If we know what frame this was reassembled in,
1758 * and if there's a field to use for the number of
1759 * the frame in which the packet was reassembled,
1760 * add it to the protocol tree.
1762 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
1763 proto_tree_add_uint(tree,
1764 *(fit->hf_reassembled_in), tvb,
1765 0, 0, fd_head->reassembled_in);
1772 * Show a single fragment in a fragment subtree, and put information about
1773 * it in the top-level item for that subtree.
1776 show_fragment(fragment_data *fd, int offset, const fragment_items *fit,
1777 proto_tree *ft, proto_item *fi, gboolean first_frag, tvbuff_t *tvb)
1779 proto_item *fei=NULL;
1783 proto_item_append_text(fi, " (%u byte%s): ", tvb_length(tvb),
1784 plurality(tvb_length(tvb), "", "s"));
1786 proto_item_append_text(fi, ", ");
1787 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
1789 if (fd->flags & (FD_OVERLAPCONFLICT
1790 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1791 hf = *(fit->hf_fragment_error);
1793 hf = *(fit->hf_fragment);
1796 fei = proto_tree_add_uint_format(ft, hf,
1797 tvb, offset, fd->len,
1799 "Frame: %u (no data)",
1802 fei = proto_tree_add_uint_format(ft, hf,
1803 tvb, offset, fd->len,
1805 "Frame: %u, payload: %u-%u (%u byte%s)",
1810 plurality(fd->len, "", "s"));
1812 PROTO_ITEM_SET_GENERATED(fei);
1813 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
1814 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1815 /* this fragment has some flags set, create a subtree
1816 * for it and display the flags.
1818 proto_tree *fet=NULL;
1820 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
1821 if (fd->flags&FD_OVERLAP) {
1822 fei=proto_tree_add_boolean(fet,
1823 *(fit->hf_fragment_overlap),
1826 PROTO_ITEM_SET_GENERATED(fei);
1828 if (fd->flags&FD_OVERLAPCONFLICT) {
1829 fei=proto_tree_add_boolean(fet,
1830 *(fit->hf_fragment_overlap_conflict),
1833 PROTO_ITEM_SET_GENERATED(fei);
1835 if (fd->flags&FD_MULTIPLETAILS) {
1836 fei=proto_tree_add_boolean(fet,
1837 *(fit->hf_fragment_multiple_tails),
1840 PROTO_ITEM_SET_GENERATED(fei);
1842 if (fd->flags&FD_TOOLONGFRAGMENT) {
1843 fei=proto_tree_add_boolean(fet,
1844 *(fit->hf_fragment_too_long_fragment),
1847 PROTO_ITEM_SET_GENERATED(fei);
1853 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
1856 if (fd_head->flags & (FD_OVERLAPCONFLICT
1857 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1858 if (check_col(pinfo->cinfo, COL_INFO)) {
1859 col_add_fstr(pinfo->cinfo, COL_INFO,
1860 "[Illegal %s]", fit->tag);
1868 /* This function will build the fragment subtree; it's for fragments
1869 reassembled with "fragment_add()".
1871 It will return TRUE if there were fragmentation errors
1872 or FALSE if fragmentation was ok.
1875 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
1876 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
1880 gboolean first_frag;
1882 /* It's not fragmented. */
1883 pinfo->fragmented = FALSE;
1885 *fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1887 PROTO_ITEM_SET_GENERATED(*fi);
1889 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
1891 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
1892 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, tvb);
1896 return show_fragment_errs_in_col(fd_head, fit, pinfo);
1899 /* This function will build the fragment subtree; it's for fragments
1900 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
1902 It will return TRUE if there were fragmentation errors
1903 or FALSE if fragmentation was ok.
1906 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
1907 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
1909 guint32 offset, next_offset;
1910 fragment_data *fd, *last_fd;
1912 gboolean first_frag;
1914 /* It's not fragmented. */
1915 pinfo->fragmented = FALSE;
1917 *fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1919 PROTO_ITEM_SET_GENERATED(*fi);
1921 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
1926 for (fd = fd_head->next; fd != NULL; fd = fd->next){
1927 if (last_fd == NULL || last_fd->offset != fd->offset) {
1928 offset = next_offset;
1929 next_offset += fd->len;
1932 show_fragment(fd, offset, fit, ft, *fi, first_frag, tvb);
1936 return show_fragment_errs_in_col(fd_head, fit, pinfo);
git.samba.org / metze / wireshark / wip.git / blob