2 * Routines for DICOM dissection
3 * Copyright 2003, Rich Coe <Richard.Coe@med.ge.com>
5 * DICOM communication protocol
6 * http://medical.nema.org/dicom/2003.html
7 * DICOM Part 8: Network Communication Support for Message Exchange
9 * (NOTE: you need to turn on 'Allow subdissector to desegment TCP streams'
10 * in Preferences/Protocols/TCP Option menu, in order to view
11 * DICOM packets correctly.
12 * Also, you might have to turn off tcp.check_checksum if tcp
13 * detects that the checksum is bad - for example, if you're
14 * capturing on a network interface that does TCP checksum
15 * offloading and you're capturing outgoing packets.
16 * This should probably be documented somewhere besides here.)
20 * Wireshark - Network traffic analyzer
21 * By Gerald Combs <gerald@wireshark.org>
22 * Copyright 1998 Gerald Combs
24 * This program is free software; you can redistribute it and/or
25 * modify it under the terms of the GNU General Public License
26 * as published by the Free Software Foundation; either version 2
27 * of the License, or (at your option) any later version.
29 * This program is distributed in the hope that it will be useful,
30 * but WITHOUT ANY WARRANTY; without even the implied warranty of
31 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
32 * GNU General Public License for more details.
34 * You should have received a copy of the GNU General Public License
35 * along with this program; if not, write to the Free Software
36 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
44 * This is my first pass at a Wireshark dissector to display
45 * DICOM (Digital Imaging and Communications in Medicine) packets.
47 * - It currently displays most of the DICOM packets.
49 * - I've used it to debug Query/Retrieve, Storage, and Echo protocols.
51 * - Not all DICOM tags are currently displayed symbolically.
52 * Unknown tags are displayed as '(unknown)'
53 * More known tags might be added in the future.
54 * If the tag data contains a string, it will be displayed.
55 * Even if the tag contains Explicit VR, it is not currently used to
56 * symbolically display the data. Consider this a future enhancement.
58 * - If the DATA PDU has the 'more' bit set, subsequent packets will
59 * not currently display. Finding out how much 'more' data is coming
60 * currently requires parsing the entire packet.
62 * - The 'value to string' routines should probably be hash lookups.
65 * - Fixed the heuristic code -- sometimes a conversation already exists
66 * - Fixed the dissect code to display all the tags in the pdu
69 * - fix memory leak when Assoc packet is processed repeatedly in wireshark
71 * - removed unused partial packet flag
73 * - added better support for DICOM VR
75 * - report actual VR in packet display, if supplied by xfer syntax
76 * - show that we are not displaying entire tag string with '[...]',
77 * some tags can hold up to 2^32-1 chars
79 * - remove my goofy attempt at trying to get access to the fragmented packets
80 * (anyone have an idea on how to fix this ???)
82 * - process all the data in the Assoc packet even if display is off
84 * - limit display of data in Assoc packet to defined size of the data even
85 * if reported size is larger
87 * - show the last tag in a packet as [incomplete] if we don't have all the data
89 * - added framework for reporting DICOM async negotiation (not finished)
90 * (I'm not aware of an implementation which currently supports this)
92 * - still need to fix display of continuation packets
104 #include <epan/packet.h>
105 #include <epan/emem.h>
106 #include <epan/strutil.h>
107 #include <epan/conversation.h>
108 #include <epan/emem.h>
110 #include "packet-tcp.h"
112 /* Initialize the protocol and registered fields */
113 static int proto_dcm = -1;
114 static int hf_dcm_pdu = -1,
116 hf_dcm_pdu_type = -1,
118 hf_dcm_pdi_name = -1,
119 hf_dcm_pdi_syntax = -1,
122 hf_dcm_pdu_maxlen = -1,
126 hf_dcm_data_len = -1,
127 hf_dcm_data_ctx = -1,
128 hf_dcm_data_flags = -1,
129 hf_dcm_data_tag = -1;
131 /* Initialize the subtree pointers */
132 static gint ett_dcm = -1, ett_assoc = -1, ett_dcm_data = -1;
134 static const value_string dcm_pdu_ids[] = {
135 { 1, "ASSOC Request" },
136 { 2, "ASSOC Accept" },
137 { 3, "ASSOC Reject" },
139 { 5, "RELEASE Request" },
140 { 6, "RELEASE Response" },
145 static const value_string dcm_pdi_ids[] = {
146 { 0x10, "Application Context" },
147 { 0x20, "Presentation Context" },
148 { 0x21, "Presentation Context Reply" },
149 { 0x30, "Abstract syntax" },
150 { 0x40, "Transfer syntax" },
151 { 0x50, "User Info" },
152 { 0x51, "Max Length" },
161 struct dcmItem *next, *prev;
163 guint8 id; /* 0x20 Presentation Context */
164 const guint8 *abs; /* 0x30 Abstract syntax */
165 char *xfer; /* 0x40 Transfer syntax */
167 #define DCM_ILE 0x01 /* implicit, little endian */
168 #define DCM_EBE 0x02 /* explicit, big endian */
169 #define DCM_ELE 0x03 /* explicit, little endian */
172 typedef struct dcmItem dcmItem_t;
/*
 * Per-conversation dissection state (fields of struct dcmState; the line
 * that opens the struct is not part of this listing).  dissect_dcm()
 * creates one when it first sees a conversation, and dissect_dcm_pdu()
 * overwrites pdu/tlen/clen for every PDU it is handed.
 */
175 dcmItem_t *first, *last;
176 guint8 pdu; /* protocol data unit */
177 guint32 tlen, clen, rlen; /* length: total, current, remaining */
178 int coff; /* current offset */
179 int valid; /* this conversation is a dicom conversation */
180 /* enum { DCM_NONE, DCM_ASSOC, DCM_ }; */
/*
 * AE title buffers.  dissect_dcm_pdu() copies a fixed 16 bytes from the
 * capture into each of them and terminates orig and targ at index AEEND,
 * so these sizes are only safe while AEEND is at least 16.
 * NOTE(review): AEEND's definition is not visible in this listing - confirm.
 */
182 guint8 orig[1+AEEND], targ[1+AEEND], resp[1+AEEND], source, result, reason;
184 typedef struct dcmState dcmState_t;
195 #define DCM_TSTAT 6 /* call dcm_rsp2str() on TINT2 */
198 #define DCM_SQ 9 /* sequence */
199 #define DCM_OTH 10 /* other */
201 typedef struct dcmTag dcmTag_t;
203 static GHashTable *dcm_tagTable = NULL;
205 dcmItem_t * lookupCtx(dcmState_t *dd, guint8 ctx);
207 static dcmTag_t tagData[] = {
208 { 0x1, DCM_TRET, "(Ret) Length to End" },
209 { 0x2, DCM_TSTR, "Affected Class" },
210 { 0x3, DCM_TSTR, "Requested Class" },
211 { 0x0010, DCM_TRET, "(Ret) Recognition Code" },
212 { 0x0100, DCM_TCMD, "Command Field" },
213 { 0x0110, DCM_TINT2, "Message ID" },
214 { 0x0120, DCM_TINT2, "Resp Message ID" },
215 { 0x0200, DCM_TRET, "(Ret) Initiator" },
216 { 0x0300, DCM_TRET, "(Ret) Reciever" },
217 { 0x0400, DCM_TRET, "(Ret) Find Location" },
218 { 0x0600, DCM_TSTR, "Dest AE" },
219 { 0x0700, DCM_TINT2, "Priority" },
220 { 0x0800, DCM_TINT2, "Data Set (0x0101 means no data set present)" },
221 { 0x0850, DCM_TRET, "(Ret) Num Matches" },
222 { 0x0860, DCM_TRET, "(Ret) Resp Seq Num" },
223 { 0x0900, DCM_TSTAT, "Status" },
224 { 0x0901, DCM_TSTR, "Offending elm(s)" },
225 { 0x0902, DCM_TSTR, "Error Comment" },
226 { 0x0903, DCM_TINT2, "Error Id" },
227 { 0x1000, DCM_TSTR, "Affected Instance UID" },
228 { 0x1001, DCM_TSTR, "Requested Instance UID" },
229 { 0x1002, DCM_TINT2, "Event Type Id" },
230 { 0x1005, DCM_TSTR, "Attr Id List" },
231 { 0x1008, DCM_TINT2, "Action Type Id" },
232 { 0x1020, DCM_TINT2, "Num Remaining Ops" },
233 { 0x1021, DCM_TINT2, "Num Completed Ops" },
234 { 0x1022, DCM_TINT2, "Num Failed Ops" },
235 { 0x1023, DCM_TINT2, "Num Warning Ops" },
236 { 0x1030, DCM_TSTR, "Move Orig AE" },
237 { 0x1031, DCM_TINT2, "Move Orig Id" },
238 { 0x4000, DCM_TRET, "(Ret) DIALOG Recv'r" },
239 { 0x4010, DCM_TRET, "(Ret) Terminal Type" },
240 { 0x5010, DCM_TRET, "(Ret) Msg Set ID" },
241 { 0x5020, DCM_TRET, "(Ret) End Msg ID" },
242 { 0x5110, DCM_TRET, "(Ret) Display Fmt" },
243 { 0x5120, DCM_TRET, "(Ret) Page Position ID" },
244 { 0x5130, DCM_TRET, "(Ret) Text Fmt ID" },
245 { 0x5140, DCM_TRET, "(Ret) Nor/Rev" },
246 { 0x5150, DCM_TRET, "(Ret) Add Gray Scale" },
247 { 0x5160, DCM_TRET, "(Ret) Borders" },
248 { 0x5170, DCM_TRET, "(Ret) Copies" },
249 { 0x5180, DCM_TRET, "(Ret) Mag Type" },
250 { 0x5190, DCM_TRET, "(Ret) Erase" },
251 { 0x51a0, DCM_TRET, "(Ret) Print" },
252 { 0x080018, DCM_TSTR, "Image UID" },
253 { 0x080020, DCM_TSTR, "Study Date" },
254 { 0x080030, DCM_TSTR, "Study Time" },
255 { 0x080050, DCM_TSTR, "Acc Num" },
256 { 0x080052, DCM_TSTR, "Q/R Level" },
257 { 0x080054, DCM_TSTR, "Retrieve AE" },
258 { 0x080060, DCM_TSTR, "Modality" },
259 { 0x080070, DCM_TSTR, "Manuf" },
260 { 0x081030, DCM_TSTR, "Study Desc" },
261 { 0x08103e, DCM_TSTR, "Series Desc" },
262 { 0x100010, DCM_TSTR, "Patient Name" },
263 { 0x100020, DCM_TSTR, "Patient Id" },
264 { 0x20000d, DCM_TSTR, "Study UID" },
265 { 0x20000e, DCM_TSTR, "Series UID" },
266 { 0x200010, DCM_TSTR, "Study Num" },
267 { 0x200011, DCM_TSTR, "Series Num" },
268 { 0x200012, DCM_TSTR, "Acq Num" },
269 { 0x200013, DCM_TSTR, "Image Num" },
270 { 0x7fe00010, DCM_OTH, "Pixels" },
271 { 0xfffee000, DCM_TRET, "Item Begin" },
272 { 0xfffee00d, DCM_TRET, "Item End" },
273 { 0xfffee0dd, DCM_TRET, "Sequence End" },
/*
 * One-time construction of the tag lookup table (presumably the body of
 * dcm_init(), which proto_register_dcm() registers as the init routine).
 * Every tagData[] entry is inserted under its numeric tag so that
 * dcm_tag2str() can resolve a tag read from the capture with one lookup.
 * Passing NULL for both functions makes GLib hash and compare the keys as
 * plain pointer values.
 * NOTE(review): keys are packed with GINT_TO_POINTER here but looked up
 * with GUINT_TO_POINTER in dcm_tag2str(); confirm both give the same
 * pointer for tags with the top bit set, e.g. 0xfffee000.
 */
279 if (NULL == dcm_tagTable) {
281 dcm_tagTable = g_hash_table_new(NULL, NULL);
282 for (i = 0; i < sizeof(tagData) / sizeof(dcmTag_t); i++)
283 g_hash_table_insert(dcm_tagTable, GINT_TO_POINTER(tagData[i].tag),
284 (gpointer) (tagData+i));
/*
 * Allocate and clear a dcmState_t (presumably the body of mkds(), which
 * dissect_dcm() calls for a conversation it has not seen before).
 * g_malloc() terminates the program on allocation failure instead of
 * returning NULL, so the NULL branch is not expected to be taken.
 * The AE title buffers are zero-filled here; dissect_dcm_pdu() depends on
 * that for resp, which it fills without writing a terminator.
 * NOTE(review): the block comes from g_malloc() and is attached to the
 * conversation; no matching g_free() is visible in this listing.  Confirm
 * where it is released, since one is allocated per conversation offered
 * to the heuristic.
 */
293 if (NULL == (ds = (dcmState_t *) g_malloc(sizeof(dcmState_t)))) {
297 ds->tlen = ds->rlen = 0;
299 memset(ds->orig, 0, sizeof(ds->orig));
300 memset(ds->targ, 0, sizeof(ds->targ));
301 memset(ds->resp, 0, sizeof(ds->resp));
302 ds->first = ds->last = NULL;
/*
 * Map a PDU type (1-7) or an association item type (0x10-0x51) to its
 * display name.  The names repeat those in the dcm_pdu_ids[] and
 * dcm_pdi_ids[] value_string tables, so the two must be kept in step.
 * The byte comes straight from the capture; what is returned for a value
 * with no case label is decided on lines this listing omits.
 */
307 dcm_pdu2str(guint8 item)
311 case 1: s = "ASSOC Request"; break;
312 case 2: s = "ASSOC Accept"; break;
313 case 3: s = "ASSOC Reject"; break;
314 case 4: s = "Data"; break;
315 case 5: s = "RELEASE Request"; break;
316 case 6: s = "RELEASE Response"; break;
317 case 7: s = "ABORT"; break;
318 case 0x10: s = "Application Context"; break;
319 case 0x20: s = "Presentation Context"; break;
320 case 0x21: s = "Presentation Context Reply"; break;
321 case 0x30: s = "Abstract syntax"; break;
322 case 0x40: s = "Transfer syntax"; break;
323 case 0x50: s = "User Info"; break;
324 case 0x51: s = "Max Length"; break;
/*
 * Name the result byte of an ASSOC Reject PDU (dissect_dcm_pdu() reads it
 * at offset 7).  Only values 1 and 2 have a case label here.
 */
331 dcm_result2str(guint8 result)
335 case 1: s = "Reject Permanent"; break;
336 case 2: s = "Reject Transient"; break;
/*
 * Name the source byte of an ASSOC Reject PDU (dissect_dcm_pdu() reads it
 * at offset 8): the service user or one of the two provider layers.
 */
343 dcm_source2str(guint8 source)
347 case 1: s = "User"; break;
348 case 2: s = "Provider (ACSE)"; break;
349 case 3: s = "Provider (Presentation)"; break;
/*
 * Name the reason byte of an ASSOC Reject PDU.  The meaning of `reason`
 * depends on `source`, so each source value (1, 2, 3) gets its own switch,
 * written in the compact "if (...) switch (...) { } else if" form.
 * Both bytes come from the capture; the string used when neither the
 * source nor the reason matches is set on lines this listing omits.
 */
356 dcm_reason2str(guint8 source, guint8 reason)
359 if (1 == source) switch (reason) {
360 case 1: s = "No reason"; break;
361 case 2: s = "App Name not supported"; break;
362 case 3: s = "calling AET not recognized"; break;
363 case 7: s = "called AET not recognized"; break;
365 } else if (2 == source) switch (reason) {
366 case 1: s = "No reason"; break;
367 case 2: s = "protocol unsupported"; break;
369 } else if (3 == source) switch (reason) {
370 case 1: s = "temporary congestion"; break;
371 case 2: s = "local limit exceeded"; break;
/*
 * Name the reason byte of an ABORT PDU (dissect_dcm_pdu() reads it at
 * offset 9).  Value 3 has no case label in the visible lines.
 */
378 dcm_abort2str(guint8 reason)
382 case 0: s = "not specified"; break;
383 case 1: s = "unrecognized"; break;
384 case 2: s = "unexpected"; break;
385 case 4: s = "unrecognized parameter"; break;
386 case 5: s = "unexpected parameter"; break;
387 case 6: s = "invalid parameter"; break;
/*
 * Name the result byte of a Presentation Context Reply item (0x21), as
 * read by dissect_dcm_assoc() two bytes into the item.
 */
394 dcm_PCresult2str(guint8 result)
398 case 0: s = "accept"; break;
399 case 1: s = "user-reject"; break;
400 case 2: s = "no-reason"; break;
401 case 3: s = "abstract syntax unsupported"; break;
402 case 4: s = "transfer syntax unsupported"; break;
/*
 * Describe the PDV flags byte.  Per the layout notes in this file, bit
 * 0x01 marks command (vs. data) content and bit 0x02 marks the last
 * fragment; the trailing comments show the two bits for each case.
 * NOTE(review): the switch expression is on a line this listing omits, so
 * it is not visible whether the upper six bits are masked off first.
 */
409 dcm_flags2str(guint8 flags)
413 case 0: s = "Data, more Fragments"; break; /* 00 */
414 case 1: s = "Command, more Fragments"; break; /* 01 */
415 case 2: s = "Data, last Fragment"; break; /* 10 */
416 case 3: s = "Command, last Fragment"; break; /* 11 */
/*
 * Name a DIMSE command field value.  In the table below each response
 * code is its request code with bit 0x8000 set.  dcm_tag2str() calls this
 * for DCM_TCMD tags with a 16-bit value read from the capture.
 */
423 dcm_cmd2str(guint16 us)
426 /* there should be a better way to do this */
428 case 0x0001: s = "C-STORE-RQ"; break;
429 case 0x8001: s = "C-STORE-RSP"; break;
430 case 0x0010: s = "C-GET-RQ"; break;
431 case 0x8010: s = "C-GET-RSP"; break;
432 case 0x0020: s = "C-FIND-RQ"; break;
433 case 0x8020: s = "C-FIND-RSP"; break;
434 case 0x0021: s = "C-MOVE-RQ"; break;
435 case 0x8021: s = "C-MOVE-RSP"; break;
436 case 0x0030: s = "C-ECHO-RQ"; break;
437 case 0x8030: s = "C-ECHO-RSP"; break;
438 case 0x0100: s = "N-EVENT-REPORT-RQ"; break;
439 case 0x8100: s = "N-EVENT-REPORT-RSP"; break;
440 case 0x0110: s = "N-GET-RQ"; break;
441 case 0x8110: s = "N-GET-RSP"; break;
442 case 0x0120: s = "N-SET-RQ"; break;
443 case 0x8120: s = "N-SET-RSP"; break;
444 case 0x0130: s = "N-ACTION-RQ"; break;
445 case 0x8130: s = "N-ACTION-RSP"; break;
446 case 0x0140: s = "N-CREATE-RQ"; break;
447 case 0x8140: s = "N-CREATE-RSP"; break;
448 case 0x0150: s = "N-DELETE-RQ"; break;
449 case 0x8150: s = "N-DELETE-RSP"; break;
450 case 0x0fff: s = "C-CANCEL-RQ"; break;
/*
 * Name a DIMSE status value.  dcm_tag2str() calls this for DCM_TSTAT tags
 * with a 16-bit value read from the capture.  Exact codes are handled by
 * the switch; the final test labels any 0xCxxx status as a processing
 * failure.  Whether that test runs only when no case matched is decided
 * on lines this listing omits.
 */
457 dcm_rsp2str(guint16 us)
461 case 0x0000: s = "Success"; break;
463 case 0xa702: s = "Refused: Out of Resources"; break;
464 case 0xa801: s = "Refused: Move Destination unknown"; break;
465 case 0xa900: s = "Failed: Id does not match Class"; break;
466 case 0xb000: s = "Warning: operations complete -- One or more Failures"; break;
467 case 0xfe00: s = "Cancel: operations terminated by Cancel"; break;
468 case 0xff00: s = "Pending: operations are continuing"; break;
471 if (0xC000 == (0xF000 & us)) s = "Failed: Unable to Process";
/*
 * Record the transfer-syntax UID negotiated for presentation context `di`
 * and derive from it the decoding mode (di->syntax) used for that
 * context's data elements.
 *
 * di   - context item to update; a NULL di is ignored.
 * name - NUL-terminated UID text.  It is dereferenced without a NULL
 *        check.  The caller visible in this file copies it out of the
 *        ASSOC PDU, so its content is whatever the capture holds.
 *
 * The function keeps its own g_strdup() copy of name in di->xfer.  No
 * fallback assignment to di->syntax is visible in this listing for a UID
 * that matches none of the comparisons.
 */
476 dcm_setSyntax(dcmItem_t *di, char *name)
478 if (NULL == di) return;
/*
 * g_free() is only valid on heap memory, so di->xfer must be NULL or an
 * earlier g_strdup() result.  di must therefore never be the static
 * placeholder returned by lookupCtx(), whose xfer points at a string
 * literal; the visible caller tests di->valid before calling.
 * NOTE(review): confirm that a freshly se_alloc()ed item has xfer set to
 * NULL before it can reach this point.
 */
479 if (di->xfer != NULL)
480 g_free(di->xfer); /* free prev allocated xfer */
482 di->xfer = g_strdup(name);
483 if (0 == *name) return;
484 /* this would be faster to skip the common parts, and have a FSA to
486 * Absent of coding that, this is in descending order of probability */
487 if (0 == strcmp(name, "1.2.840.10008.1.2"))
488 di->syntax = DCM_ILE; /* implicit little endian */
489 else if (0 == strcmp(name, "1.2.840.10008.1.2.1"))
490 di->syntax = DCM_ELE; /* explicit little endian */
491 else if (0 == strcmp(name, "1.2.840.10008.1.2.2"))
492 di->syntax = DCM_EBE; /* explicit big endian */
493 else if (0 == strcmp(name, "1.2.840.113619.5.2"))
494 di->syntax = DCM_ILE; /* implicit little endian, big endian pixels */
495 else if (0 == strcmp(name, "1.2.840.10008.1.2.4.70"))
496 di->syntax = DCM_ELE; /* explicit little endian, jpeg */
/*
 * NOTE(review): the literal below is 19 characters long but only 18 are
 * compared, i.e. the prefix "1.2.840.10008.1.2." including its final dot.
 * Every UID under that arc that was not matched exactly above is treated
 * as explicit little endian, and the "1.2.840.10008.1.2.1.99" test that
 * follows can never be reached (it would select the same value).
 */
497 else if (0 == strncmp(name, "1.2.840.10008.1.2.4", 18))
498 di->syntax = DCM_ELE; /* explicit little endian, jpeg */
499 else if (0 == strcmp(name, "1.2.840.10008.1.2.1.99"))
500 di->syntax = DCM_ELE; /* explicit little endian, deflated */
/*
 * Format one data element as display text: the tag's description, the VR
 * if one was present, and the value decoded according to `tr` (or, when
 * tr is not positive, the type stored in the tag table).
 *
 * grp, elm - tag group and element; looked up in dcm_tagTable as
 *            (grp << 16) | elm, with a static "(unknown)" entry declared
 *            for tags that are not in the table.
 * syntax   - transfer syntax flags; DCM_ILE selects little-endian reads.
 * offset   - tvb offset of the value.
 * len      - value length as read from the PDU by the caller.
 * vr       - used as a tvb offset: two bytes are formatted from it as the
 *            VR text.
 *
 * The text is built in a MAX_BUF_LEN-byte ep_alloc() buffer.  Each append
 * advances p by MIN(space left, g_snprintf() result), so p cannot move
 * past the end of buf even when an append is truncated.
 *
 * Every value is read from the capture.  The numeric cases read a fixed
 * 2, 4 or 8 bytes at offset and do not look at len, and the string case
 * formats len bytes; in both cases it is the tvb accessors' own bounds
 * checking that is relied on to stop a read past the available data.
 */
504 dcm_tag2str(guint16 grp, guint16 elm, guint8 syntax, tvbuff_t *tvb, int offset, guint32 len, int vr, int tr)
512 static dcmTag_t utag = { 0, 0, "(unknown)" };
514 #define MAX_BUF_LEN 1024
515 buf=ep_alloc(MAX_BUF_LEN);
518 if (DCM_ILE & syntax)
519 val32 = tvb_get_letohl(tvb, offset);
520 else val32 = tvb_get_ntohl(tvb, offset);
521 g_snprintf(buf, MAX_BUF_LEN, "Group Length 0x%x (%d)", val32, val32);
524 tag = (grp << 16) | elm;
525 if (NULL == (dtag = g_hash_table_lookup(dcm_tagTable, GUINT_TO_POINTER(tag))))
528 DISSECTOR_ASSERT(MAX_BUF_LEN > strlen(dtag->desc));
530 p+=MIN(MAX_BUF_LEN-(p-buf),
531 g_snprintf(p, MAX_BUF_LEN-(p-buf), "%s", dtag->desc));
533 vval = tvb_format_text(tvb, vr, 2);
534 p+=MIN(MAX_BUF_LEN-(p-buf),
535 g_snprintf(p, MAX_BUF_LEN-(p-buf), " [%s]", vval));
538 switch (tr > 0 ? tr : dtag->dtype) {
540 default: /* try ascii */
/*
 * len is the length field taken from the capture.  The formatted text is
 * then cut to what still fits in buf by the bounded g_snprintf() below.
 * NOTE(review): confirm the caller never passes a len larger than the
 * data that remains in the tvb.
 */
541 vval = tvb_format_text(tvb, offset, len);
542 p+=MIN(MAX_BUF_LEN-(p-buf),
543 g_snprintf(p, MAX_BUF_LEN-(p-buf), " %s", vval));
546 if (DCM_ILE & syntax)
547 val16 = tvb_get_letohs(tvb, offset);
548 else val16 = tvb_get_ntohs(tvb, offset);
549 p+=MIN(MAX_BUF_LEN-(p-buf),
550 g_snprintf(p, MAX_BUF_LEN-(p-buf), " 0x%x (%d)", val16, val16));
553 if (DCM_ILE & syntax)
554 val32 = tvb_get_letohl(tvb, offset);
555 else val32 = tvb_get_ntohl(tvb, offset);
556 p+=MIN(MAX_BUF_LEN-(p-buf),
557 g_snprintf(p, MAX_BUF_LEN-(p-buf), " 0x%x (%d)", val32, val32));
561 if (DCM_ILE & syntax)
562 valf = tvb_get_letohieee_float(tvb, offset);
563 else valf = tvb_get_ntohieee_float(tvb, offset);
564 p+=MIN(MAX_BUF_LEN-(p-buf),
565 g_snprintf(p, MAX_BUF_LEN-(p-buf), " (%f)", valf));
569 if (DCM_ILE & syntax)
570 vald = tvb_get_letohieee_double(tvb, offset);
571 else vald = tvb_get_ntohieee_double(tvb, offset);
572 p+=MIN(MAX_BUF_LEN-(p-buf),
573 g_snprintf(p, MAX_BUF_LEN-(p-buf), " (%f)", vald));
575 case DCM_TSTAT: /* call dcm_rsp2str() on TINT2 */
576 if (DCM_ILE & syntax)
577 val16 = tvb_get_letohs(tvb, offset);
578 else val16 = tvb_get_ntohs(tvb, offset);
579 p+=MIN(MAX_BUF_LEN-(p-buf),
580 g_snprintf(p, MAX_BUF_LEN-(p-buf), " 0x%x '%s'", val16, dcm_rsp2str(val16)));
582 case DCM_TCMD: /* call dcm_cmd2str() on TINT2 */
583 if (DCM_ILE & syntax)
584 val16 = tvb_get_letohs(tvb, offset);
585 else val16 = tvb_get_ntohs(tvb, offset);
586 p+=MIN(MAX_BUF_LEN-(p-buf),
587 g_snprintf(p, MAX_BUF_LEN-(p-buf), " 0x%x '%s'", val16, dcm_cmd2str(val16)));
589 case DCM_SQ: /* Sequence */
590 case DCM_OTH: /* Other BYTE, WORD, ... */
591 case DCM_TRET: /* Retired */
/*
 * Length callback handed to tcp_dissect_pdus(): returns the size of the
 * whole PDU, i.e. the 32-bit big-endian length field found 2 bytes into
 * the PDU plus the 6-byte fixed header.
 *
 * The length field is taken from the capture unchecked.  If len and the
 * return type are 32-bit unsigned (their declarations are not visible in
 * this listing), a field of 0xfffffffa or more makes len + 6 wrap to a
 * value smaller than the fixed header.
 * NOTE(review): confirm how tcp_dissect_pdus() treats such a result, and
 * consider rejecting lengths that cannot be represented.
 */
598 dcm_get_pdu_len(tvbuff_t *tvb, int offset)
602 len = tvb_get_ntohl(tvb, 2 + offset);
603 return len + 6; /* add in fixed header part */
/*
 * Walk the variable items of an ASSOC PDU.  Each item is added to the
 * tree, and presentation contexts together with their transfer syntaxes
 * are recorded in dcm_data so that later DATA PDUs on the conversation
 * can be decoded.
 *
 * dcm_data - per-conversation state; its context list is extended here.
 * ti       - tree item to hang the subtree on; dissect_dcm_pdu() also
 *            calls this with ti == NULL so that state is collected even
 *            when no tree is being built.
 * offset   - tvb offset of the first item; a negative value skips the loop.
 *
 * Every id and length is read from the capture.  The loop is bounded by
 * dcm_data->clen (the reported length of the tvb), and the lengths used
 * for display are capped at 65 or 17 bytes.  How offset advances past an
 * item is on lines this listing omits.
 *
 * NOTE(review): case 0x20 allocates a dcmItem with se_alloc() and links
 * it into the conversation's list.  The condition guarding that
 * allocation is not visible here; confirm that repeated ASSOC PDUs, or
 * repeated dissection of the same one, cannot grow the list without bound.
 */
607 dissect_dcm_assoc(dcmState_t *dcm_data, proto_item *ti, tvbuff_t *tvb, int offset)
609 proto_tree *dcm_tree = NULL;
610 dcmItem_t *di = NULL;
611 guint8 id, *name, result;
617 dcm_tree = proto_item_add_subtree(ti, ett_assoc);
618 while (-1 < offset && offset < (int) dcm_data->clen) {
/* Item header: one type byte, then a 16-bit big-endian length 2 bytes in. */
621 id = tvb_get_guint8(tvb, offset);
622 len = tvb_get_ntohs(tvb, 2 + offset);
624 proto_tree_add_uint_format(dcm_tree, hf_dcm_pdi, tvb,
625 offset, 4+len, id, "Item 0x%x (%s)", id, dcm_pdu2str(id));
628 case 0x10: /* App context */
630 proto_tree_add_item(dcm_tree, hf_dcm_pdi_name, tvb, offset, len > 65 ? 65 : len, FALSE);
633 case 0x30: /* Abstract syntax */
635 proto_tree_add_item(dcm_tree, hf_dcm_pdi_syntax, tvb, offset, len > 65 ? 65 : len, FALSE);
638 case 0x40: /* Transfer syntax */
640 proto_tree_add_item(dcm_tree, hf_dcm_pdi_syntax, tvb, offset, len > 65 ? 65 : len, FALSE);
/*
 * The copy below takes all len bytes, not the 65-byte display cap, and
 * dcm_setSyntax() then stores its own g_strdup() copy in the context.
 * The di->valid test keeps the static placeholder from lookupCtx() out
 * of dcm_setSyntax(), which would otherwise g_free() a string literal.
 */
641 if (reply && di && di->valid) {
642 name = tvb_get_ephemeral_string(tvb, offset, len);
643 dcm_setSyntax(di, name);
648 case 0x20: /* Presentation context */
649 id = tvb_get_guint8(tvb, offset);
650 di = lookupCtx(dcm_data, id);
652 di = se_alloc(sizeof(struct dcmItem));
656 di->syntax = DCM_UNK;
657 di->next = di->prev = NULL;
658 if (dcm_data->last) {
659 dcm_data->last->next = di;
660 di->prev = dcm_data->last;
663 dcm_data->first = dcm_data->last = di;
666 proto_tree_add_item(dcm_tree, hf_dcm_pctxt, tvb, offset, 1, FALSE);
669 case 0x21: /* Presentation context reply */
670 id = tvb_get_guint8(tvb, offset);
671 result = tvb_get_guint8(tvb, 2 + offset);
673 proto_tree_add_item(dcm_tree, hf_dcm_pctxt, tvb, offset, 1, FALSE);
674 proto_tree_add_uint_format(dcm_tree, hf_dcm_pcres, tvb,
675 2 + offset, 1, result,
676 "Result 0x%x (%s)", result, dcm_PCresult2str(result));
680 di = lookupCtx(dcm_data, id);
685 case 0x50: /* User Info */
687 case 0x51: /* Max length */
688 mlen = tvb_get_ntohl(tvb, offset);
690 proto_tree_add_item(dcm_tree, hf_dcm_pdu_maxlen, tvb, offset, 4, FALSE);
695 proto_tree_add_item(dcm_tree, hf_dcm_impl, tvb, offset, len > 65 ? 65 : len, FALSE);
698 case 0x55: /* version */
700 proto_tree_add_item(dcm_tree, hf_dcm_vers, tvb, offset, len > 17 ? 17 : len, FALSE);
703 case 0x53: /* async negotiation */
/*
 * Find the presentation-context item for id `ctx` in the conversation's
 * list (the search loop is on lines this listing omits).
 *
 * dd is dereferenced without a NULL check.
 *
 * Never returns NULL: when no item is found the static placeholder `dunk`
 * is returned.  That object is shared by every conversation and its
 * string members point at string literals, so callers must treat it as
 * read-only and must not hand it to dcm_setSyntax(), which frees and
 * replaces xfer.
 */
715 lookupCtx(dcmState_t *dd, guint8 ctx)
717 dcmItem_t *di = dd->first;
718 static dcmItem_t dunk = { NULL, NULL, 0, -1,
719 "not found - click on ASSOC Request",
720 "not found - click on ASSOC Request", DCM_UNK };
726 return di ? di : &dunk;
733 - (1+) presentation data value (PDV) items
735 10 1 Presentation Context ID (odd ints 1 - 255)
738 0x01 if set, contains Message Command info, else Message Data
739 0x02 if set, contains last fragment
/*
 * Dissect a DATA PDU: the PDV header (length at offset 6, presentation
 * context id at offset 10, then the flags byte) followed by a small state
 * machine over the data elements (tag, optional VR, 2- or 4-byte length,
 * value).  The decoding mode comes from the presentation context learned
 * during the ASSOC exchange; a flags byte with bit 0x01 set (command)
 * forces implicit little endian, and an unknown syntax shows the rest of
 * the PDU as unparsed data.
 *
 * Everything parsed here comes from the capture, including the element
 * length tlen and the PDU length held in dcm_data->tlen.
 *
 * Review notes:
 *  - len is an int and nlen a guint32, so the loop test is evaluated in
 *    unsigned arithmetic.
 *  - The VR test assigns tr inside the condition, which works only while
 *    the DCM_* type constants involved are non-zero (DCM_SQ is 9 and
 *    DCM_OTH is 10 in this file).
 *  - The VR chain further down contains a triple '|' token, which is not
 *    a C operator.  That part can only build if it sits inside a comment
 *    or disabled region whose delimiters this listing omits; confirm
 *    before reusing it.
 */
749 dissect_dcm_data(dcmState_t *dcm_data, proto_item *ti, tvbuff_t *tvb)
751 int len, offset, toffset, state, vr, tr;
752 proto_tree *dcm_tree;
754 guint8 ctx, syntax = DCM_UNK;
755 guint16 grp = 0, elm = 0;
756 guint32 tlen = 0, nlen;
758 dcm_tree = proto_item_add_subtree(ti, ett_dcm_data);
759 proto_tree_add_item(dcm_tree, hf_dcm_data_len, tvb, 6, 4, FALSE);
760 ctx = tvb_get_guint8(tvb, 10);
761 di = lookupCtx(dcm_data, ctx);
763 * XXX - telling the user to "click on ASSOC request" is bogus if we
764 * have already identified the ASSOC request and can connect it to
765 * this mnessage; if clicking on a request prior to this one causes
766 * additional state information to be set up that would affect the
767 * dissection of this request, we should set up that state *at the
768 * time we dissect that request*, if possible, and if clicking on it
769 * doesn't change any state, clicking on the request doesn't convey
770 * any additional information.
772 proto_tree_add_uint_format(dcm_tree, hf_dcm_data_ctx, tvb, 10, 1,
773 ctx, "Context 0x%x (%s)", ctx,
774 di->xfer == NULL ? "not found - click on ASSOC Request" :
776 if (DCM_UNK == di->syntax)
778 len = offset = toffset = 11;
/*
 * Continue only while the next field fits inside both the length the PDU
 * declares (tlen) and the reported length of the tvb (clen).
 */
781 while (len + nlen <= dcm_data->tlen && len + nlen <= dcm_data->clen) {
785 flags = tvb_get_guint8(tvb, offset);
786 proto_tree_add_uint_format(dcm_tree, hf_dcm_data_flags, tvb, offset, 1,
787 flags, "Flags 0x%x (%s)", flags, dcm_flags2str(flags));
788 /* proto_tree_add_item(dcm_tree, hf_dcm_data_flags, tvb, offset, 1, FALSE); */
793 else if (DCM_UNK == di->syntax) {
795 tlen = dcm_data->clen - len;
/*
 * NOTE(review): this asks for tlen+8 bytes although the item added below
 * covers only tlen.  Whether those 8 extra bytes always exist depends on
 * how len and offset relate at this point, which is set on lines this
 * listing omits; tvb_get_ptr() is relied on to raise a bounds error
 * rather than return a pointer past the data.
 */
796 val = tvb_get_ptr(tvb, offset, tlen+8);
797 proto_tree_add_bytes_format(dcm_tree, hf_dcm_data_tag, tvb,
798 offset, tlen, val, "(%04x,%04x) %-8x Unparsed data", 0, 0, tlen);
799 len = dcm_data->clen; /* ends parsing */
804 } break; /* don't fall through -- check length */
807 if (DCM_ILE & syntax) {
808 grp = tvb_get_letohs(tvb, offset);
809 elm = tvb_get_letohs(tvb, offset+2);
810 state = (DCM_EBE & syntax) ? D_VR : D_LEN4; /* is Explicit */
811 nlen = (DCM_EBE & syntax) ? 2 : 4; /* is Explicit */
813 grp = tvb_get_ntohs(tvb, offset);
814 elm = tvb_get_ntohs(tvb, offset+2);
819 if (0xfffe == grp) state = D_LEN4;
822 } break; /* don't fall through -- check length */
826 V = tvb_get_guint8(tvb, offset); offset++;
827 R = tvb_get_guint8(tvb, offset); offset++;
829 /* 4byte lengths OB, OW, OF, SQ, UN, UT */
832 if ((('O' == V) && ('B' == R || 'W' == R || 'F' == R) && (tr = DCM_OTH))
833 || (('U' == V) && ('N' == R || (('T' == R) && (tr = DCM_TSTR))))
834 || ('S' == V && 'Q' == R && (tr = DCM_SQ))) {
836 offset += 2; /* skip 00 (2 bytes) */
839 } else if ('F' == V && 'L' == R) {
841 } else if ('F' == V && 'D' == R) {
843 } else if (('S' == V && 'L' == R) || ('U' == V && 'L' == R)) {
845 } else if (('S' == V && 'S' == R) || ('U' == V && 'S' == R)) {
847 } else if ('A' == V && 'T' == R) {
852 else if (('A' == V && ('E' == R || 'S' == R))
853 || ('C' == V && 'S' == R)
854 || ('D' == V && ('A' == R || 'S' == R || 'T' == R))
855 || ('I' == V && 'S' == R)
856 || ('L' == V && ('O' == R || 'T' == R))
857 || ('P' == V && 'N' == R)
858 || ('S' == V && ('H' == R ||| 'T' == R))
859 || ('T' == V && 'M' == R)
860 || ('U' == V && ('I' == R || 'T' == R)))
863 } break; /* don't fall through -- check length */
865 if (DCM_ILE & syntax) /* is it LE */
866 tlen = tvb_get_letohs(tvb, offset);
868 tlen = tvb_get_ntohs(tvb, offset);
875 if (DCM_ILE & syntax) /* is it LE */
876 tlen = tvb_get_letohl(tvb, offset);
878 tlen = tvb_get_ntohl(tvb, offset);
883 } break; /* don't fall through -- check length */
886 int totlen = (offset - toffset);
/*
 * A length of 0xffffffff (undefined length) or a tag in group 0xfffe is
 * shown from its header alone: dcm_tag2str() is given a value length of
 * 0, so no value bytes are formatted.  Otherwise the length read from
 * the capture is passed through as the value length.
 */
887 if (0xffffffff == tlen || 0xfffe == grp) {
888 val = tvb_get_ptr(tvb, toffset, totlen);
889 proto_tree_add_bytes_format(dcm_tree, hf_dcm_data_tag, tvb,
890 toffset, totlen, val,
891 "(%04x,%04x) %-8x %s", grp, elm, tlen,
892 dcm_tag2str(grp, elm, syntax, tvb, offset, 0, vr, tr));
894 /* } else if (0xfffe == grp) { */ /* need to make a sub-tree here */
897 val = tvb_get_ptr(tvb, toffset, totlen);
898 proto_tree_add_bytes_format(dcm_tree, hf_dcm_data_tag, tvb,
899 toffset, totlen, val,
900 "(%04x,%04x) %-8x %s", grp, elm, tlen,
901 dcm_tag2str(grp, elm, syntax, tvb, offset, tlen, vr, tr));
910 if (D_VALUE == state) {
912 int totlen = (offset - toffset);
913 val = tvb_get_ptr(tvb, toffset, totlen);
914 proto_tree_add_bytes_format(dcm_tree, hf_dcm_data_tag, tvb,
915 toffset, totlen, val,
916 "(%04x,%04x) %-8x %s [incomplete]", grp, elm, tlen,
917 dcm_tag2str(grp, elm, syntax, tvb, offset, tlen, vr, tr));
922 Originator src:srcport dest:destport
923 Acceptor src:srcport dest:destport
925 conn = lookup(src:srcport, dest:destport)
927 look at data payload of packet
928 if no-data return false;
929 if 01 == *p && *p+10 ... *p+42 <= [ 0x20 .. printable ]
933 static void dissect_dcm_pdu(tvbuff_t *tvb,packet_info *pinfo,proto_tree *tree);
935 /* Code to actually dissect the packets */
/*
 * Entry point used both as a TCP heuristic dissector and for TCP port 104
 * (see proto_reg_handoff_dcm()).
 *
 * It finds or creates the conversation for this packet.  For a
 * conversation with no DICOM state yet, it allocates one and decides once
 * whether the stream is DICOM: the first segment seen must be at least 10
 * bytes long, start with PDU type 1 (ASSOC Request) and carry protocol
 * version 1, and its declared length is compared with the segment
 * length.  The verdict is stored in dcm_data->valid and attached to the
 * conversation, so a stream first seen mid-association is never decoded.
 * Accepted streams are passed to tcp_dissect_pdus() with a 6-byte fixed
 * header, dcm_get_pdu_len() and dissect_dcm_pdu().
 *
 * Review notes:
 *  - len is computed as 6 plus a 32-bit field taken from the capture and
 *    can wrap for fields close to 0xffffffff.
 *  - State appears to be allocated for every conversation offered to the
 *    heuristic, whether or not it turns out to be DICOM; see the
 *    allocation note on the state constructor.
 */
937 dissect_dcm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
939 conversation_t *conv;
943 dcmState_t *dcm_data = NULL;
945 conv = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
946 pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
948 if (NULL != conv) /* conversation exists */
949 /* do we have any data for this conversation ? */
950 dcm_data = conversation_get_proto_data(conv, proto_dcm);
952 conv = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
953 pinfo->srcport, pinfo->destport, 0);
955 if (NULL == dcm_data) {
956 /* No conversation found.
957 * only look for the first packet of a DICOM conversation.
958 * if we don't get the first packet, we cannot decode the rest
961 if (NULL == (dcm_data = mkds()))
962 return FALSE; /* internal error */
/*
 * The order of the tests matters: the length test runs before the reads
 * at offsets 0 and 6.  It checks the reported length, though, so on a
 * capture that was cut short the reads can still raise a bounds error.
 */
963 if (10 > (tlen = tvb_reported_length(tvb)) /* not long enough */
964 || 1 != (pdu = tvb_get_guint8(tvb, 0)) /* look for the start */
965 || 1 != (vers = tvb_get_ntohs(tvb, 6))) /* not version 1 */
966 dcm_data->valid = FALSE;
968 len = 6 + tvb_get_ntohl(tvb, 2);
970 dcm_data->valid = FALSE; /* packet is > decl len */
973 conversation_add_proto_data(conv, proto_dcm, dcm_data);
976 if (FALSE == dcm_data->valid)
979 if (check_col(pinfo->cinfo, COL_PROTOCOL))
980 col_clear(pinfo->cinfo, COL_PROTOCOL);
982 tcp_dissect_pdus(tvb, pinfo, tree, 1, 6, dcm_get_pdu_len, dissect_dcm_pdu);
/*
 * Dissect one reassembled DICOM PDU (callback of tcp_dissect_pdus()).
 *
 * It sets the Protocol and Info columns, stores the PDU type and lengths
 * in the conversation state, and builds the tree: association PDUs go to
 * dissect_dcm_assoc(), the DATA PDU to dissect_dcm_data().  When no tree
 * is requested, ASSOC Request/Accept PDUs are still walked so that the
 * presentation contexts are recorded.
 *
 * Review notes:
 *  - dcm_data is used without a visible NULL check after
 *    conversation_get_proto_data(); this relies on dissect_dcm() having
 *    attached the state first.
 *  - tlen is the 32-bit length field from the capture plus 6; it can wrap
 *    and is also used as the length of tree items, so an oversized value
 *    depends on the tree API's own bounds handling.
 *  - pdu, tlen and clen in the shared state are overwritten for each PDU,
 *    so what is shown can depend on the order packets are visited in.
 *  - The AE titles are raw bytes from the capture, printed with %s into
 *    the Info column; unlike tag values they do not go through
 *    tvb_format_text().  Consider escaping non-printable bytes.
 *  - The ABORT branch names source 1 as USER and 2 as PROVIDER, while the
 *    layout notes at the end of this file say 0 = user, 1 = provider.
 *    NOTE(review): reconcile both with DICOM Part 8.
 */
988 dissect_dcm_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
991 dcmState_t *dcm_data;
992 proto_tree *dcm_tree;
993 conversation_t *conv;
997 if (NULL == (conv = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
998 pinfo->ptype, pinfo->srcport, pinfo->destport, 0)))
1001 dcm_data = conversation_get_proto_data(conv, proto_dcm);
1003 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1004 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DCM");
1006 /* This field shows up as the "Info" column in the display; you should make
1007 it, if possible, summarize what's in the packet, so that a user looking
1008 at the list of packets can tell what type of packet it is. See section 1.5
1009 for more information.
1012 if (check_col(pinfo->cinfo, COL_INFO))
1013 col_clear(pinfo->cinfo, COL_INFO);
1015 dcm_data->pdu = tvb_get_guint8(tvb, 0);
1016 dcm_data->tlen = tvb_get_ntohl(tvb, 2) + 6;
1017 dcm_data->clen = tvb_reported_length(tvb);
1019 switch (dcm_data->pdu) {
1020 case 1: /* ASSOC Request */
/*
 * Fixed 16-byte copies into orig and targ, which are declared with
 * 1+AEEND bytes and terminated at index AEEND just below.  This is safe
 * only while AEEND is at least 16 (its definition is not visible in this
 * listing).
 */
1021 tvb_memcpy(tvb, dcm_data->orig, 10, 16);
1022 tvb_memcpy(tvb, dcm_data->targ, 26, 16);
1023 dcm_data->orig[AEEND] = dcm_data->targ[AEEND] = 0;
1024 buf = ep_alloc(128);
1025 g_snprintf(buf, 128, "DCM ASSOC Request %s <-- %s",
1026 dcm_data->orig, dcm_data->targ);
1029 case 2: /* ASSOC Accept */
/*
 * resp gets no explicit terminator here; the %s below relies on the zero
 * fill done when the state was allocated.
 */
1030 tvb_memcpy(tvb, dcm_data->resp, 26, 16);
1031 buf = ep_alloc(128);
1032 g_snprintf(buf, 128, "DCM ASSOC Accept %s <-- %s (%s)",
1033 dcm_data->orig, dcm_data->targ, dcm_data->resp);
1036 case 3: /* ASSOC Reject */
1037 dcm_data->result = tvb_get_guint8(tvb, 7);
1038 dcm_data->source = tvb_get_guint8(tvb, 8);
1039 dcm_data->reason = tvb_get_guint8(tvb, 9);
1040 buf = ep_alloc(128);
1041 g_snprintf(buf, 128, "DCM ASSOC Reject %s <-- %s %s %s %s",
1042 dcm_data->orig, dcm_data->targ,
1043 dcm_result2str(dcm_data->result),
1044 dcm_source2str(dcm_data->source),
1045 dcm_reason2str(dcm_data->source, dcm_data->reason));
1052 case 5: /* RELEASE Request */
1053 buf="DCM RELEASE Request";
1056 case 6: /* RELEASE Response */
1057 buf="DCM RELEASE Response";
1061 dcm_data->source = tvb_get_guint8(tvb, 8);
1062 dcm_data->reason = tvb_get_guint8(tvb, 9);
1063 buf = ep_alloc(128);
1064 g_snprintf(buf, 128, "DCM ABORT %s <-- %s %s %s",
1065 dcm_data->orig, dcm_data->targ,
1066 (dcm_data->source == 1) ? "USER" :
1067 (dcm_data->source == 2) ? "PROVIDER" : "",
1068 dcm_data->source == 1 ? dcm_abort2str(dcm_data->reason) : "");
1071 buf="DCM Continuation";
1072 offset = -1; /* cannot continue parsing */
1075 if (check_col(pinfo->cinfo, COL_INFO))
1076 col_set_str(pinfo->cinfo, COL_INFO, buf);
1078 /* In the interest of speed, if "tree" is NULL, don't do any work not
1079 necessary to generate protocol tree items. */
1082 ti = proto_tree_add_item(tree, proto_dcm, tvb, 0, -1, FALSE);
1083 dcm_tree = proto_item_add_subtree(ti, ett_dcm);
1084 proto_tree_add_uint_format(dcm_tree, hf_dcm_pdu, tvb, 0, dcm_data->tlen,
1085 dcm_data->pdu, "PDU 0x%x (%s)", dcm_data->pdu,
1086 dcm_pdu2str(dcm_data->pdu));
1087 proto_tree_add_item(dcm_tree, hf_dcm_pdu_len, tvb, 2, 4, FALSE);
1089 switch (dcm_data->pdu) {
1090 case 1: /* ASSOC Request */
1091 case 2: /* ASSOC Accept */
1092 case 3: /* ASSOC Reject */
1093 case 5: /* RELEASE Request */
1094 case 6: /* RELEASE Response */
1096 tf = proto_tree_add_string(dcm_tree, hf_dcm_pdu_type, tvb, 0, dcm_data->tlen, buf);
1097 dissect_dcm_assoc(dcm_data, tf, tvb, offset);
1100 tf = proto_tree_add_string(dcm_tree, hf_dcm_pdu_type, tvb, 0, dcm_data->tlen, buf);
1101 dissect_dcm_data(dcm_data, tf, tvb);
1107 /* Continue adding tree items to process the packet here */
1108 } else if (1 == dcm_data->pdu || 2 == dcm_data->pdu) {
1109 dissect_dcm_assoc(dcm_data, NULL, tvb, offset);
1112 /* If this protocol has a sub-dissector call it here, see section 1.8 */
1116 /* Register the protocol with Wireshark */
1118 /* this format is required because a script is used to build the C function
1119 that calls all the protocol registration.
/*
 * Register the DICOM protocol, its header fields and subtrees, and the
 * dcm_init() init routine.
 *
 * Review notes:
 *  - hf_dcm_pdi_syntax is labelled "Abstract Syntax" but
 *    dissect_dcm_assoc() also uses it for transfer-syntax items.
 *  - The FIELDABBREV entry near the end is template text; it presumably
 *    sits inside a comment or disabled region whose delimiters this
 *    listing omits.
 */
1123 proto_register_dcm(void)
1125 /* Setup list of header fields See Section 1.6.1 for details*/
1126 static hf_register_info hf[] = {
1127 { &hf_dcm_pdu, { "PDU", "dcm.pdu",
1128 FT_UINT8, BASE_HEX, VALS(dcm_pdu_ids), 0, "", HFILL } },
1129 { &hf_dcm_pdu_len, { "PDU LENGTH", "dcm.pdu_len",
1130 FT_UINT32, BASE_HEX, NULL, 0, "", HFILL } },
1131 { &hf_dcm_pdu_type, { "PDU Detail", "dcm.pdu_detail",
1132 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1133 { &hf_dcm_pdi, { "Item", "dcm.pdu.pdi",
1134 FT_UINT8, BASE_HEX, VALS(dcm_pdi_ids), 0, "", HFILL } },
1135 { &hf_dcm_pdi_name, { "Application Context", "dcm.pdi.name",
1136 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1137 { &hf_dcm_pdi_syntax, { "Abstract Syntax", "dcm.pdi.syntax",
1138 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1139 { &hf_dcm_pctxt, { "Presentation Context", "dcm.pdi.ctxt",
1140 FT_UINT8, BASE_HEX, NULL, 0, "", HFILL } },
/*
 * NOTE(review): this field holds a presentation-context result code but
 * is given the item-type table dcm_pdi_ids.  The tree text is produced by
 * dcm_PCresult2str() instead, so the mismatch would presumably show only
 * where the value_string itself is consulted - confirm.
 */
1141 { &hf_dcm_pcres, { "Presentation Context result", "dcm.pdi.result",
1142 FT_UINT8, BASE_HEX, VALS(dcm_pdi_ids), 0, "", HFILL } },
1143 { &hf_dcm_pdu_maxlen, { "MAX PDU LENGTH", "dcm.max_pdu_len",
1144 FT_UINT32, BASE_DEC, NULL, 0, "", HFILL } },
1145 { &hf_dcm_impl, { "Implementation", "dcm.pdi.impl",
1146 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1147 { &hf_dcm_vers, { "Version", "dcm.pdi.version",
1148 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1149 { &hf_dcm_async, { "Asynch", "dcm.pdi.async",
1150 FT_STRING, BASE_NONE, NULL, 0, "", HFILL } },
1151 { &hf_dcm_data_len, { "DATA LENGTH", "dcm.data.len",
1152 FT_UINT32, BASE_HEX, NULL, 0, "", HFILL } },
1153 { &hf_dcm_data_ctx, { "Data Context", "dcm.data.ctx",
1154 FT_UINT8, BASE_HEX, NULL, 0, "", HFILL } },
1155 { &hf_dcm_data_flags, { "Flags", "dcm.data.flags",
1156 FT_UINT8, BASE_HEX, NULL, 0, "", HFILL } },
1157 { &hf_dcm_data_tag, { "Tag", "dcm.data.tag",
1158 FT_BYTES, BASE_HEX, NULL, 0, "", HFILL } },
1160 { &hf_dcm_FIELDABBREV, { "FIELDNAME", "dcm.FIELDABBREV",
1161 FIELDTYPE, FIELDBASE, FIELDCONVERT, BITMASK, "FIELDDESCR", HFILL } },
1165 /* Setup protocol subtree array */
1166 static gint *ett[] = {
1171 /* Register the protocol name and description */
1172 proto_dcm = proto_register_protocol("DICOM", "dicom", "dcm");
1174 /* Required function calls to register the header fields and subtrees used */
1175 proto_register_field_array(proto_dcm, hf, array_length(hf));
1176 proto_register_subtree_array(ett, array_length(ett));
1178 register_init_routine(&dcm_init);
1182 /* If this dissector uses sub-dissector registration add a registration routine.
1183 This format is required because a script is used to find these routines and
1184 create the code that calls these routines.
/*
 * Hook the dissector into TCP twice: as a heuristic dissector and as the
 * dissector for TCP port 104.
 *
 * Because of the heuristic registration, dissect_dcm() is offered TCP
 * payloads that need not be DICOM at all.  Its first-segment checks are
 * therefore the only gate in front of the DICOM parsers, and they should
 * be kept strict.
 */
1187 proto_reg_handoff_dcm(void)
1189 dissector_handle_t dcm_handle;
1191 heur_dissector_add("tcp", dissect_dcm, proto_dcm);
1192 dcm_handle = new_create_dissector_handle(dissect_dcm, proto_dcm);
1193 dissector_add("tcp.port", 104, dcm_handle);
1202 6 2 protocol version (0x0 0x1)
1207 74 - presentation data value items
1212 2 protocol version (0x0 0x1)
1214 16 dest aetitle (not checked)
1215 16 src aetitle (not checked)
1217 - presentation data value items
1223 1 result (1 reject perm, 2 reject transient)
1224 1 source (1 service user, 2 service provider (ACSE), 3 service provider (Presentation))
1228 2 application context name not supported
1229 3 calling aetitle not recognized
1230 7 called aetitle not recognized
1233 2 protocol version not supported
1235 1 temporary congestion
1236 2 local limit exceeded
1241 - (1+) presentation data value (PDV) items
1243 10 1 Presentation Context ID (odd ints 1 - 255)
1246 0x01 if set, contains Message Command info, else Message Data
1247 0x02 if set, contains last fragment
1263 1 source (0 = user, 1 = provider)
1264 1 reason if 1 == source (0 not spec, 1 unrecognized, 2 unexpected 4 unrecognized param, 5 unexpected param, 6 invalid param)
1269 10 Application Context
1274 20 Presentation Context
1277 1 Presentation context id
1279 - (1) abstract and (1+) transfer syntax sub-items
1281 21 Presentation Context (Reply)
1284 1 ID (odd int's 1-255)
1286 1 result (0 accept, 1 user-reject, 2 no-reason, 3 abstract not supported, 4- transfer syntax not supported)