2 * Routines for HTTP packet disassembly
6 * Guy Harris <guy@alum.mit.edu>
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
41 #include <epan/conversation.h>
42 #include <epan/packet.h>
43 #include <epan/strutil.h>
44 #include <epan/base64.h>
45 #include <epan/emem.h>
46 #include <epan/stats_tree.h>
47 #include <epan/ws_strsplit.h>
49 #include <epan/req_resp_hdrs.h>
50 #include "packet-http.h"
51 #include "packet-tcp.h"
52 #include <epan/prefs.h>
53 #include <epan/expert.h>
55 typedef enum _http_type {
64 static int http_tap = -1;
66 static int proto_http = -1;
67 static int hf_http_notification = -1;
68 static int hf_http_response = -1;
69 static int hf_http_request = -1;
70 static int hf_http_basic = -1;
71 static int hf_http_request_method = -1;
72 static int hf_http_request_uri = -1;
73 static int hf_http_version = -1;
74 static int hf_http_response_code = -1;
75 static int hf_http_authorization = -1;
76 static int hf_http_proxy_authenticate = -1;
77 static int hf_http_proxy_authorization = -1;
78 static int hf_http_www_authenticate = -1;
79 static int hf_http_content_type = -1;
80 static int hf_http_content_length = -1;
81 static int hf_http_content_encoding = -1;
82 static int hf_http_transfer_encoding = -1;
83 static int hf_http_user_agent = -1;
84 static int hf_http_host = -1;
85 static int hf_http_connection = -1;
86 static int hf_http_cookie = -1;
87 static int hf_http_accept = -1;
88 static int hf_http_referer = -1;
89 static int hf_http_accept_language = -1;
90 static int hf_http_accept_encoding = -1;
91 static int hf_http_date = -1;
92 static int hf_http_cache_control = -1;
93 static int hf_http_server = -1;
94 static int hf_http_location = -1;
95 static int hf_http_set_cookie = -1;
96 static int hf_http_last_modified = -1;
97 static int hf_http_x_forwarded_for = -1;
99 static gint ett_http = -1;
100 static gint ett_http_ntlmssp = -1;
101 static gint ett_http_request = -1;
102 static gint ett_http_chunked_response = -1;
103 static gint ett_http_chunk_data = -1;
104 static gint ett_http_encoded_entity = -1;
106 static dissector_handle_t data_handle;
107 static dissector_handle_t media_handle;
108 static dissector_handle_t http_handle;
111 * desegmentation of HTTP headers
112 * (when we are over TCP or another protocol providing the desegmentation API)
114 static gboolean http_desegment_headers = TRUE;
117 * desegmentation of HTTP bodies
118 * (when we are over TCP or another protocol providing the desegmentation API)
119 * TODO let the user filter on content-type the bodies he wants desegmented
121 static gboolean http_desegment_body = TRUE;
124 * De-chunking of content-encoding: chunk entity bodies.
126 static gboolean http_dechunk_body = TRUE;
129 * Decompression of zlib encoded entities.
132 static gboolean http_decompress_body = TRUE;
134 static gboolean http_decompress_body = FALSE;
138 #define TCP_PORT_HTTP 80
139 #define TCP_PORT_PROXY_HTTP 3128
140 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
141 #define TCP_ALT_PORT_HTTP 8080
142 #define TCP_RADAN_HTTP 8088
143 #define TCP_PORT_HKP 11371
144 #define TCP_PORT_DAAP 3689
147 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
149 #define TCP_PORT_SSDP 1900
150 #define UDP_PORT_SSDP 1900
155 static guint http_alternate_tcp_port = 0;
156 static guint alternate_tcp_port = 0;
159 * Protocols implemented atop HTTP.
162 PROTO_HTTP, /* just HTTP */
163 PROTO_SSDP, /* Simple Service Discovery Protocol */
164 PROTO_DAAP /* Digital Audio Access Protocol */
167 typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*,
171 * Structure holding information from headers needed by main
172 * HTTP dissector code.
176 char *content_type_parameters;
177 gboolean have_content_length;
178 long content_length; /* XXX - make it 64-bit? */
179 char *content_encoding;
180 char *transfer_encoding;
183 static int is_http_request_or_reply(const gchar *data, int linelen,
184 http_type_t *type, ReqRespDissector *reqresp_dissector);
185 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
186 proto_tree *tree, int offset);
187 static void http_payload_subdissector(tvbuff_t *next_tvb, proto_tree *tree, proto_tree *sub_tree, packet_info *pinfo);
188 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
189 const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
190 proto_tree *tree, headers_t *eh_ptr);
191 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
192 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
193 packet_info *pinfo, gchar *value);
194 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
197 static dissector_table_t port_subdissector_table;
198 static dissector_table_t media_type_subdissector_table;
199 static heur_dissector_list_t heur_subdissector_list;
201 static dissector_handle_t ntlmssp_handle=NULL;
202 static dissector_handle_t gssapi_handle=NULL;
204 static const value_string vals_status_code[] = {
206 { 101, "Switching Protocols" },
207 { 102, "Processing" },
208 { 199, "Informational - Others" },
213 { 203, "Non-authoritative Information"},
214 { 204, "No Content"},
215 { 205, "Reset Content"},
216 { 206, "Partial Content"},
217 { 207, "Multi-Status"},
218 { 299, "Success - Others"},
220 { 300, "Multiple Choices"},
221 { 301, "Moved Permanently"},
224 { 304, "Not Modified"},
226 { 307, "Temporary Redirect"},
227 { 399, "Redirection - Others"},
229 { 400, "Bad Request"},
230 { 401, "Unauthorized"},
231 { 402, "Payment Required"},
234 { 405, "Method Not Allowed"},
235 { 406, "Not Acceptable"},
236 { 407, "Proxy Authentication Required"},
237 { 408, "Request Time-out"},
240 { 411, "Length Required"},
241 { 412, "Precondition Failed"},
242 { 413, "Request Entity Too Large"},
243 { 414, "Request-URI Too Long"},
244 { 415, "Unsupported Media Type"},
245 { 416, "Requested Range Not Satisfiable"},
246 { 417, "Expectation Failed"},
247 { 422, "Unprocessable Entity"},
249 { 424, "Failed Dependency"},
250 { 499, "Client Error - Others"},
252 { 500, "Internal Server Error"},
253 { 501, "Not Implemented"},
254 { 502, "Bad Gateway"},
255 { 503, "Service Unavailable"},
256 { 504, "Gateway Time-out"},
257 { 505, "HTTP Version not supported"},
258 { 507, "Insufficient Storage"},
259 { 599, "Server Error - Others"},
264 static const gchar* st_str_reqs = "HTTP Requests by Server";
265 static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address";
266 static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host";
267 static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address";
269 static int st_node_reqs = -1;
270 static int st_node_reqs_by_srv_addr = -1;
271 static int st_node_reqs_by_http_host = -1;
272 static int st_node_resps_by_srv_addr = -1;
274 /* HTTP/Load Distribution stats init function */
275 static void http_reqs_stats_tree_init(stats_tree* st) {
276 st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE);
277 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
278 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
279 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE);
282 /* HTTP/Load Distribution stats packet function */
283 static int http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p) {
284 const http_info_value_t* v = p;
285 int reqs_by_this_host;
286 int reqs_by_this_addr;
287 int resps_by_this_addr;
288 int i = v->response_code;
289 static gchar ip_str[256];
292 if (v->request_method) {
293 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->dst));
295 tick_stat_node(st, st_str_reqs, 0, FALSE);
296 tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
297 tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
298 reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE);
301 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE);
302 tick_stat_node(st, ip_str, reqs_by_this_host, FALSE);
304 tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE);
310 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->src));
312 tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE);
313 resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE);
315 if ( (i>100)&&(i<400) ) {
316 tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
318 tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
328 static int st_node_requests_by_host = -1;
329 static const guint8* st_str_requests_by_host = "HTTP Requests by HTTP Host";
331 /* HTTP/Requests stats init function */
332 static void http_req_stats_tree_init(stats_tree* st) {
333 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE);
336 /* HTTP/Requests stats packet function */
337 static int http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
338 const http_info_value_t* v = p;
339 int reqs_by_this_host;
341 if (v->request_method) {
342 tick_stat_node(st, st_str_requests_by_host, 0, FALSE);
345 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE);
347 if (v->request_uri) {
348 tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE);
358 static const guint8* st_str_packets = "Total HTTP Packets";
359 static const guint8* st_str_requests = "HTTP Request Packets";
360 static const guint8* st_str_responses = "HTTP Response Packets";
361 static const guint8* st_str_resp_broken = "???: broken";
362 static const guint8* st_str_resp_100 = "1xx: Informational";
363 static const guint8* st_str_resp_200 = "2xx: Success";
364 static const guint8* st_str_resp_300 = "3xx: Redirection";
365 static const guint8* st_str_resp_400 = "4xx: Client Error";
366 static const guint8* st_str_resp_500 = "5xx: Server Error";
367 static const guint8* st_str_other = "Other HTTP Packets";
369 static int st_node_packets = -1;
370 static int st_node_requests = -1;
371 static int st_node_responses = -1;
372 static int st_node_resp_broken = -1;
373 static int st_node_resp_100 = -1;
374 static int st_node_resp_200 = -1;
375 static int st_node_resp_300 = -1;
376 static int st_node_resp_400 = -1;
377 static int st_node_resp_500 = -1;
378 static int st_node_other = -1;
381 /* HTTP/Packet Counter stats init function */
382 static void http_stats_tree_init(stats_tree* st) {
383 st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
384 st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets);
385 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE);
386 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE);
387 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE);
388 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE);
389 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE);
390 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE);
391 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE);
392 st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE);
395 /* HTTP/Packet Counter stats packet function */
396 static int http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
397 const http_info_value_t* v = p;
398 guint i = v->response_code;
400 const guint8* resp_str;
401 static gchar str[64];
403 tick_stat_node(st, st_str_packets, 0, FALSE);
406 tick_stat_node(st, st_str_responses, st_node_packets, FALSE);
408 if ( (i<100)||(i>=600) ) {
409 resp_grp = st_node_resp_broken;
410 resp_str = st_str_resp_broken;
412 resp_grp = st_node_resp_100;
413 resp_str = st_str_resp_100;
415 resp_grp = st_node_resp_200;
416 resp_str = st_str_resp_200;
418 resp_grp = st_node_resp_300;
419 resp_str = st_str_resp_300;
421 resp_grp = st_node_resp_400;
422 resp_str = st_str_resp_400;
424 resp_grp = st_node_resp_500;
425 resp_str = st_str_resp_500;
428 tick_stat_node(st, resp_str, st_node_responses, FALSE);
430 g_snprintf(str, sizeof(str),"%u %s",i,match_strval(i,vals_status_code));
431 tick_stat_node(st, str, resp_grp, FALSE);
432 } else if (v->request_method) {
433 stats_tree_tick_pivot(st,st_node_requests,v->request_method);
435 tick_stat_node(st, st_str_other, st_node_packets, FALSE);
441 /* Return a tvb that contains the binary representation of a base64
445 base64_to_tvb(const char *base64)
448 char *data = g_strdup(base64);
451 len = epan_base64_decode(data);
452 tvb = tvb_new_real_data((const guint8 *)data, len, len);
454 tvb_set_free_cb(tvb, g_free);
460 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
463 tvbuff_t *ntlmssp_tvb;
465 ntlmssp_tvb = base64_to_tvb(line);
466 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
467 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data");
468 if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0)
469 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
471 call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree);
475 * TODO: remove this ugly global variable.
476 * XXX: do we really want to have to pass this from one function to another?
478 static http_info_value_t *stat_info;
481 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
485 const char *proto_tag;
486 proto_tree *http_tree = NULL;
487 proto_item *ti = NULL;
490 const guchar *linep, *lineend;
492 int first_linelen, linelen;
493 gboolean is_request_or_reply;
494 gboolean saw_req_resp_or_header;
496 http_type_t http_type;
497 proto_item *hdr_item = NULL;
498 ReqRespDissector reqresp_dissector;
499 proto_tree *req_tree;
503 int reported_datalen = -1;
504 dissector_handle_t handle;
507 /*http_info_value_t *si;*/
508 conversation_t *conversation;
511 * Is this a request or response?
513 * Note that "tvb_find_line_end()" will return a value that
514 * is not longer than what's in the buffer, so the
515 * "tvb_get_ptr()" call won't throw an exception.
517 first_linelen = tvb_find_line_end(tvb, offset,
518 tvb_ensure_length_remaining(tvb, offset), &next_offset,
521 * Is the first line a request or response?
523 line = tvb_get_ptr(tvb, offset, first_linelen);
524 http_type = HTTP_OTHERS; /* type not known yet */
525 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
526 first_linelen, &http_type, NULL);
527 if (is_request_or_reply) {
529 * Yes, it's a request or response.
530 * Do header desegmentation if we've been told to,
531 * and do body desegmentation if we've been told to and
532 * we find a Content-Length header.
534 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
535 http_desegment_headers, http_desegment_body)) {
537 * More data needed for desegmentation.
543 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
545 if(!conversation) { /* Conversation does not exist yet - create it */
546 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
549 /* Retrieve information from conversation
550 * or add it if it isn't there yet
552 stat_info = conversation_get_proto_data(conversation, proto_http);
554 stat_info = se_alloc(sizeof(http_info_value_t));
555 stat_info->response_code = 0;
556 stat_info->request_method = NULL;
557 stat_info->request_uri = NULL;
558 stat_info->http_host = NULL;
560 conversation_add_proto_data(conversation, proto_http, stat_info);
563 switch (pinfo->match_port) {
565 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
581 if (check_col(pinfo->cinfo, COL_PROTOCOL))
582 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
583 if (check_col(pinfo->cinfo, COL_INFO)) {
585 * Put the first line from the buffer into the summary
586 * if it's an HTTP request or reply (but leave out the
588 * Otherwise, just call it a continuation.
590 * Note that "tvb_find_line_end()" will return a value that
591 * is not longer than what's in the buffer, so the
592 * "tvb_get_ptr()" call won't throw an exception.
594 line = tvb_get_ptr(tvb, offset, first_linelen);
595 if (is_request_or_reply)
596 col_add_str(pinfo->cinfo, COL_INFO,
597 format_text(line, first_linelen));
599 col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic");
602 orig_offset = offset;
604 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
606 http_tree = proto_item_add_subtree(ti, ett_http);
610 * Process the packet data, a line at a time.
612 http_type = HTTP_OTHERS; /* type not known yet */
613 headers.content_type = NULL; /* content type not known yet */
614 headers.content_type_parameters = NULL; /* content type parameters too */
615 headers.have_content_length = FALSE; /* content length not known yet */
616 headers.content_encoding = NULL; /* content encoding not known yet */
617 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
618 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
619 while (tvb_reported_length_remaining(tvb, offset) != 0) {
621 * Find the end of the line.
622 * XXX - what if we don't find it because the packet
623 * is cut short by a snapshot length or the header is
624 * split across TCP segments? How much dissection should
627 linelen = tvb_find_line_end(tvb, offset,
628 tvb_ensure_length_remaining(tvb, offset), &next_offset,
634 * Get a buffer that refers to the line.
636 line = tvb_get_ptr(tvb, offset, linelen);
637 lineend = line + linelen;
641 * OK, does it look like an HTTP request or response?
643 reqresp_dissector = NULL;
644 is_request_or_reply =
645 is_http_request_or_reply((const gchar *)line,
646 linelen, &http_type, &reqresp_dissector);
647 if (is_request_or_reply)
651 * No. Does it look like a blank line (as would appear
652 * at the end of an HTTP request)?
655 goto is_http; /* Yes. */
658 * No. Does it look like a header?
661 colon_offset = offset;
662 while (linep < lineend) {
666 * This must be a CHAR to be part of a token; that
667 * means it must be ASCII.
670 break; /* not ASCII, thus not a CHAR */
673 * This mustn't be a CTL to be part of a token.
675 * XXX - what about leading LWS on continuation
679 break; /* CTL, not part of a header */
682 * This mustn't be a SEP to be part of a token;
683 * a ':' ends the token, everything else is an
684 * indication that this isn't a header.
706 * It's a separator, so it's not part of a
707 * token, so it's not a field name for the
708 * beginning of a header.
710 * (We don't have to check for HT; that's
711 * already been ruled out by "iscntrl()".)
717 * This ends the token; we consider this
729 * We haven't seen the colon, but everything else looks
730 * OK for a header line.
732 * If we've already seen an HTTP request or response
733 * line, or a header line, and we're at the end of
734 * the tvbuff, we assume this is an incomplete header
735 * line. (We quit this loop after seeing a blank line,
736 * so if we've seen a request or response line, or a
737 * header line, this is probably more of the request
738 * or response we're presumably seeing. There is some
739 * risk of false positives, but the same applies for
740 * full request or response lines or header lines,
741 * although that's less likely.)
743 * We throw an exception in that case, by checking for
744 * the existence of the next byte after the last one
745 * in the line. If it exists, "tvb_ensure_bytes_exist()"
746 * throws no exception, and we fall through to the
747 * "not HTTP" case. If it doesn't exist,
748 * "tvb_ensure_bytes_exist()" will throw the appropriate
751 if (saw_req_resp_or_header)
752 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
756 * We don't consider this part of an HTTP request or
757 * reply, so we don't display it.
758 * (Yeah, that means we don't display, say, a text/http
759 * page, but you can get that from the data pane.)
769 * This is a blank line, which means that
770 * whatever follows it isn't part of this
773 proto_tree_add_text(http_tree, tvb, offset,
774 next_offset - offset, "%s",
775 tvb_format_text(tvb, offset, next_offset - offset));
776 offset = next_offset;
781 * Not a blank line - either a request, a reply, or a header
784 saw_req_resp_or_header = TRUE;
785 if (is_request_or_reply) {
787 hdr_item = proto_tree_add_text(http_tree, tvb,
788 offset, next_offset - offset, "%s",
789 tvb_format_text(tvb, offset,
790 next_offset - offset));
792 expert_add_info_format(pinfo, hdr_item, PI_SEQUENCE, PI_CHAT,
794 tvb_format_text(tvb, offset, next_offset - offset));
795 if (reqresp_dissector) {
796 if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
797 else req_tree = NULL;
799 reqresp_dissector(tvb, req_tree, offset, line, lineend);
805 process_header(tvb, offset, next_offset, line, linelen,
806 colon_offset, pinfo, http_tree, &headers);
808 offset = next_offset;
814 case HTTP_NOTIFICATION:
815 proto_tree_add_boolean_hidden(http_tree,
816 hf_http_notification, tvb, 0, 0, 1);
820 proto_tree_add_boolean_hidden(http_tree,
821 hf_http_response, tvb, 0, 0, 1);
825 proto_tree_add_boolean_hidden(http_tree,
826 hf_http_request, tvb, 0, 0, 1);
836 * If a content length was supplied, the amount of data to be
837 * processed as HTTP payload is the minimum of the content
838 * length and the amount of data remaining in the frame.
840 * If no content length was supplied (or if a bad content length
841 * was supplied), the amount of data to be processed is the amount
842 * of data remaining in the frame.
844 * If there was no Content-Length entity header, we should
845 * accumulate all data until the end of the connection.
846 * That'd require that the TCP dissector call subdissectors
847 * for all frames with FIN, even if they contain no data,
848 * which would require subdissectors to deal intelligently
849 * with empty segments.
851 * Acccording to RFC 2616, however, 1xx responses, 204 responses,
852 * and 304 responses MUST NOT include a message body; if no
853 * content length is specified for them, we don't attempt to
856 * XXX - it says the same about responses to HEAD requests;
857 * unless there's a way to determine from the response
858 * whether it's a response to a HEAD request, we have to
859 * keep information about the request and associate that with
860 * the response in order to handle that.
862 datalen = tvb_length_remaining(tvb, offset);
863 if (headers.have_content_length && headers.content_length != -1) {
864 if (datalen > headers.content_length)
865 datalen = headers.content_length;
868 * XXX - limit the reported length in the tvbuff we'll
869 * hand to a subdissector to be no greater than the
872 * We really need both unreassembled and "how long it'd
873 * be if it were reassembled" lengths for tvbuffs, so
874 * that we throw the appropriate exceptions for
875 * "not enough data captured" (running past the length),
876 * "packet needed reassembly" (within the length but
877 * running past the unreassembled length), and
878 * "packet is malformed" (running past the reassembled
881 reported_datalen = tvb_reported_length_remaining(tvb, offset);
882 if (reported_datalen > headers.content_length)
883 reported_datalen = headers.content_length;
889 * Requests have no content if there's no
890 * Content-Length header and no Transfer-Encoding
893 if (headers.transfer_encoding == NULL)
896 reported_datalen = -1;
900 if ((stat_info->response_code/100) == 1 ||
901 stat_info->response_code == 204 ||
902 stat_info->response_code == 304)
903 datalen = 0; /* no content! */
906 * XXX - responses to HEAD requests,
907 * and possibly other responses,
908 * "MUST NOT" include a
911 reported_datalen = -1;
917 * XXX - what about HTTP_NOTIFICATION?
919 reported_datalen = -1;
926 * There's stuff left over; process it.
929 void *save_private_data = NULL;
930 gint chunks_decoded = 0;
933 * Create a tvbuff for the payload.
935 * The amount of data to be processed that's
936 * available in the tvbuff is "datalen", which
937 * is the minimum of the amount of data left in
938 * the tvbuff and any specified content length.
940 * The amount of data to be processed that's in
941 * this frame, regardless of whether it was
942 * captured or not, is "reported_datalen",
943 * which, if no content length was specified,
944 * is -1, i.e. "to the end of the frame.
946 next_tvb = tvb_new_subset(tvb, offset, datalen,
949 * BEWARE - next_tvb is a subset of another tvb,
950 * so we MUST NOT attempt tvb_free(next_tvb);
954 * Handle *transfer* encodings other than "identity".
956 if (headers.transfer_encoding != NULL &&
957 strcasecmp(headers.transfer_encoding, "identity") != 0) {
958 if (http_dechunk_body &&
959 (strncasecmp(headers.transfer_encoding, "chunked", 7)
962 chunks_decoded = chunked_encoding_dissector(
963 &next_tvb, pinfo, http_tree, 0);
965 if (chunks_decoded <= 0) {
967 * The chunks weren't reassembled,
968 * or there was a single zero
974 * Add a new data source for the
977 tvb_set_child_real_data_tvbuff(tvb,
979 add_new_data_source(pinfo, next_tvb,
980 "De-chunked entity body");
984 * We currently can't handle, for example,
985 * "gzip", "compress", or "deflate" as
986 * *transfer* encodings; just handle them
989 call_dissector(data_handle, next_tvb, pinfo,
995 * At this point, any chunked *transfer* coding has been removed
996 * (the entity body has been dechunked) so it can be presented
997 * for the following operation (*content* encoding), or it has
998 * been been handed off to the data dissector.
1000 * Handle *content* encodings other than "identity" (which
1001 * shouldn't appear in a Content-Encoding header, but
1002 * we handle it in any case).
1004 if (headers.content_encoding != NULL &&
1005 strcasecmp(headers.content_encoding, "identity") != 0) {
1007 * We currently can't handle, for example, "compress";
1008 * just handle them as data for now.
1010 * After July 7, 2004 the LZW patent expires, so support
1011 * might be added then. However, I don't think that
1012 * anybody ever really implemented "compress", due to
1013 * the aforementioned patent.
1015 tvbuff_t *uncomp_tvb = NULL;
1016 proto_item *e_ti = NULL;
1017 proto_tree *e_tree = NULL;
1019 if (http_decompress_body &&
1020 (strcasecmp(headers.content_encoding, "gzip") == 0 ||
1021 strcasecmp(headers.content_encoding, "deflate")
1024 uncomp_tvb = tvb_uncompress(next_tvb, 0,
1025 tvb_length(next_tvb));
1029 * Add the encoded entity to the protocol tree
1031 e_ti = proto_tree_add_text(http_tree, next_tvb,
1032 0, tvb_length(next_tvb),
1033 "Content-encoded entity body (%s): %u bytes",
1034 headers.content_encoding,
1035 tvb_length(next_tvb));
1036 e_tree = proto_item_add_subtree(e_ti,
1037 ett_http_encoded_entity);
1039 if (uncomp_tvb != NULL) {
1041 * Decompression worked
1044 /* XXX - Don't free this, since it's possible
1045 * that the data was only partially
1046 * decompressed, such as when desegmentation
1051 proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb));
1052 next_tvb = uncomp_tvb;
1053 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1054 add_new_data_source(pinfo, next_tvb,
1055 "Uncompressed entity body");
1057 if (chunks_decoded > 1) {
1058 tvb_set_child_real_data_tvbuff(tvb,
1060 add_new_data_source(pinfo, next_tvb,
1061 "Compressed entity body");
1063 call_dissector(data_handle, next_tvb, pinfo,
1066 goto body_dissected;
1070 * Note that a new data source is added for the entity body
1071 * only if it was content-encoded and/or transfer-encoded.
1075 * Do subdissector checks.
1077 * First, check whether some subdissector asked that they
1078 * be called if something was on some particular port.
1080 handle = dissector_get_port_handle(port_subdissector_table,
1082 if (handle == NULL && headers.content_type != NULL) {
1084 * We didn't find any subdissector that
1085 * registered for the port, and we have a
1086 * Content-Type value. Is there any subdissector
1087 * for that content type?
1089 save_private_data = pinfo->private_data;
1091 if (headers.content_type_parameters)
1092 pinfo->private_data = ep_strdup(headers.content_type_parameters);
1094 pinfo->private_data = NULL;
1096 * Calling the string handle for the media type
1097 * dissector table will set pinfo->match_string
1098 * to headers.content_type for us.
1100 pinfo->match_string = headers.content_type;
1101 handle = dissector_get_string_handle(
1102 media_type_subdissector_table,
1103 headers.content_type);
1105 if (handle != NULL) {
1107 * We have a subdissector - call it.
1109 dissected = call_dissector(handle, next_tvb, pinfo,
1113 * We don't have a subdissector - try the heuristic
1116 dissected = dissector_try_heuristic(
1117 heur_subdissector_list, next_tvb, pinfo, tree);
1121 * The subdissector dissected the body.
1122 * Fix up the top-level item so that it doesn't
1123 * include the stuff for that protocol.
1126 proto_item_set_len(ti, offset);
1128 if (headers.content_type != NULL) {
1130 * Calling the default media handle if there is a content-type that
1131 * wasn't handled above.
1133 call_dissector(media_handle, next_tvb, pinfo, tree);
1135 /* Call the subdissector (defaults to data), otherwise. */
1136 http_payload_subdissector(next_tvb, tree, http_tree, pinfo);
1142 * Do *not* attempt at freeing the private data;
1143 * it may be in use by subdissectors.
1145 if (save_private_data)
1146 pinfo->private_data = save_private_data;
1148 * We've processed "datalen" bytes worth of data
1149 * (which may be no data at all); advance the
1150 * offset past whatever data we've processed.
1155 tap_queue_packet(http_tap, pinfo, stat_info);
1157 return offset - orig_offset;
1160 /* This can be used to dissect an HTTP request until such time
1161 * that a more complete dissector is written for that HTTP request.
1162 * This simple dissector only puts the request method, URI, and
1163 * protocol version into a sub-tree.
1166 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1167 const guchar *line, const guchar *lineend)
1169 const guchar *next_token;
1172 /* The first token is the method. */
1173 tokenlen = get_token_len(line, lineend, &next_token);
1176 proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen,
1178 offset += next_token - line;
1181 /* The next token is the URI. */
1182 tokenlen = get_token_len(line, lineend, &next_token);
1185 stat_info->request_uri = se_strdup((gchar*) tvb_get_ephemeral_string(tvb, offset, tokenlen));
1186 proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen,
1187 stat_info->request_uri);
1188 offset += next_token - line;
1191 /* Everything to the end of the line is the version. */
1192 tokenlen = lineend - line;
1195 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1200 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1201 const guchar *line, const guchar *lineend)
1203 const guchar *next_token;
1205 gchar response_chars[4];
1207 /* The first token is the version. */
1208 tokenlen = get_token_len(line, lineend, &next_token);
1211 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1213 offset += next_token - line;
1216 /* The next token is the status code. */
1217 tokenlen = get_token_len(line, lineend, &next_token);
1220 memcpy(response_chars, line, 3);
1221 response_chars[3] = '\0';
1223 stat_info->response_code = strtoul(response_chars,NULL,10);
1225 proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3,
1226 stat_info->response_code);
1230 * Dissect the http data chunks and add them to the tree.
1233 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1234 proto_tree *tree, int offset)
1236 guint8 *chunk_string = NULL;
1237 guint32 chunk_size = 0;
1238 gint chunk_offset = 0;
1239 guint32 datalen = 0;
1241 gint chunks_decoded = 0;
1242 tvbuff_t *tvb = NULL;
1243 tvbuff_t *new_tvb = NULL;
1244 gint chunked_data_size = 0;
1245 proto_tree *subtree = NULL;
1246 proto_item *ti = NULL;
1248 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
1254 datalen = tvb_reported_length_remaining(tvb, offset);
1257 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1258 "HTTP chunked response");
1259 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1263 while (datalen != 0) {
1264 proto_item *chunk_ti = NULL;
1265 proto_tree *chunk_subtree = NULL;
1266 tvbuff_t *data_tvb = NULL;
1271 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1274 /* Can't get the chunk size line */
1278 chunk_string = tvb_get_ephemeral_string(tvb, offset, linelen);
1280 if (chunk_string == NULL) {
1281 /* Can't get the chunk size line */
1285 c = (gchar*) chunk_string;
1288 * We don't care about the extensions.
1290 if ((c = strchr(c, ';'))) {
1294 chunk_size = strtol((gchar*)chunk_string, NULL, 16);
1296 if (chunk_size > datalen) {
1298 * The chunk size is more than what's in the tvbuff,
1299 * so either the user hasn't enabled decoding, or all
1300 * of the segments weren't captured.
1302 chunk_size = datalen;
1305 else if (new_tvb == NULL) {
1306 new_tvb = tvb_new_composite();
1311 if (new_tvb != NULL && chunk_size != 0) {
1312 tvbuff_t *chunk_tvb = NULL;
1314 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
1315 chunk_size, datalen);
1317 tvb_composite_append(new_tvb, chunk_tvb);
1322 chunked_data_size += chunk_size;
1324 raw_data = g_malloc(chunked_data_size);
1327 if (new_tvb != NULL) {
1328 raw_len = tvb_length_remaining(new_tvb, 0);
1329 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
1334 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
1335 chunk_offset, chunk_size);
1337 new_tvb = tvb_new_real_data(raw_data,
1338 chunked_data_size, chunked_data_size);
1339 tvb_set_free_cb(new_tvb, g_free);
1343 if(chunk_size == 0) {
1344 chunk_ti = proto_tree_add_text(subtree, tvb,
1346 chunk_offset - offset + chunk_size + 2,
1347 "End of chunked encoding");
1349 chunk_ti = proto_tree_add_text(subtree, tvb,
1351 chunk_offset - offset + chunk_size + 2,
1352 "Data chunk (%u octets)", chunk_size);
1355 chunk_subtree = proto_item_add_subtree(chunk_ti,
1356 ett_http_chunk_data);
1358 proto_tree_add_text(chunk_subtree, tvb, offset,
1359 chunk_offset - offset, "Chunk size: %u octets",
1362 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
1367 * XXX - just use "proto_tree_add_text()"?
1368 * This means that, in TShark, you get
1369 * the entire chunk dumped out in hex,
1370 * in addition to whatever dissection is
1371 * done on the reassembled data.
1373 call_dissector(data_handle, data_tvb, pinfo,
1376 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1377 chunk_size, 2, "Chunk boundary");
1381 offset = chunk_offset + chunk_size + 2;
1382 datalen = tvb_reported_length_remaining(tvb, offset);
1385 if (new_tvb != NULL) {
1387 /* Placeholder for the day that composite tvbuffer's will work.
1388 tvb_composite_finalize(new_tvb);
1389 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1393 * XXX - Don't free this, since the tvbuffer that was passed
1394 * may be used if the data spans multiple frames and reassembly
1403 * We didn't create a new tvb, so don't allow sub dissectors
1404 * try to decode the non-existant entity body.
1406 chunks_decoded = -1;
1409 return chunks_decoded;
1414 http_payload_subdissector(tvbuff_t *next_tvb, proto_tree *tree, proto_tree *sub_tree, packet_info *pinfo)
1416 /* tree = the main protocol tree that the subdissector would be listed in
1417 * sub_tree = the http protocol tree
1420 struct tcpinfo *tcpinfo = pinfo->private_data;
1421 struct tcp_analysis *tcpd=NULL;
1422 gchar **strings; /* An array for splitting the request URI into hostname and port */
1424 /* Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */
1425 if(stat_info->request_uri && stat_info->response_code == 200 &&
1426 stat_info->request_method && strncmp(stat_info->request_method, "CONNECT", 7) == 0) {
1428 /* Call a subdissector to handle HTTP CONNECT's traffic */
1429 tcpd=get_tcp_conversation_data(pinfo);
1431 /* Grab the destination port number from the request URI to find the right subdissector */
1432 strings = g_strsplit(stat_info->request_uri, ":", 2);
1434 if(strings[0] != NULL && strings[1] != NULL) { /* The string was successfuly split in two */
1435 proto_tree_add_text(sub_tree, next_tvb, 0, 0, "Proxy connect hostname: %s", strings[0]);
1436 proto_tree_add_text(sub_tree, next_tvb, 0, 0, "Proxy connect port: %s", strings[1]);
1438 /* Replaces the pinfo->destport or srcport with the port the http connect was done to by
1439 * checking to see which is the http port. */
1440 if (pinfo->destport == TCP_PORT_HTTP || pinfo->destport == TCP_PORT_PROXY_HTTP ||
1441 pinfo->destport == TCP_PORT_PROXY_ADMIN_HTTP || pinfo->destport == TCP_ALT_PORT_HTTP ||
1442 pinfo->destport == TCP_RADAN_HTTP || pinfo->destport == TCP_PORT_HKP ||
1443 pinfo->destport == TCP_PORT_DAAP || pinfo->destport == http_alternate_tcp_port)
1444 ptr = &pinfo->destport;
1446 ptr = &pinfo->srcport;
1448 *ptr = (int)strtol(strings[1], NULL, 10); /* Convert string to a base-10 integer */
1450 /* We're going to get stuck in a loop if we call let dissect_tcp_payload call
1451 us, so call the data dissector instead for proxy connections to http ports. */
1452 if(*ptr == TCP_PORT_HTTP || *ptr == TCP_PORT_PROXY_HTTP ||
1453 *ptr == TCP_PORT_PROXY_ADMIN_HTTP || *ptr == TCP_ALT_PORT_HTTP ||
1454 *ptr == TCP_RADAN_HTTP || *ptr == TCP_PORT_HKP ||
1455 *ptr == TCP_PORT_DAAP || *ptr == http_alternate_tcp_port) {
1456 call_dissector(data_handle, next_tvb, pinfo, tree);
1458 dissect_tcp_payload(next_tvb, pinfo, 0, tcpinfo->seq, /* 0 = offset */
1459 tcpinfo->nxtseq, pinfo->srcport, pinfo->destport,
1464 g_strfreev(strings); /* Free the result of g_strsplit() above */
1467 /* Call the default data dissector */
1468 call_dissector(data_handle, next_tvb, pinfo, sub_tree);
1475 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1479 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
1480 ReqRespDissector *reqresp_dissector)
1482 int isHttpRequestOrReply = FALSE;
1486 * From RFC 2774 - An HTTP Extension Framework
1488 * Support the command prefix that identifies the presence of
1489 * a "mandatory" header.
1491 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
1498 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
1499 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
1501 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
1504 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
1505 *type = HTTP_RESPONSE;
1506 isHttpRequestOrReply = TRUE; /* response */
1507 if (reqresp_dissector)
1508 *reqresp_dissector = basic_response_dissector;
1510 const guchar * ptr = (const guchar *)data;
1513 /* Look for the space following the Method */
1514 while (index < linelen) {
1523 /* Check the methods that have same length */
1527 if (strncmp(data, "GET", index) == 0 ||
1528 strncmp(data, "PUT", index) == 0) {
1529 *type = HTTP_REQUEST;
1530 isHttpRequestOrReply = TRUE;
1532 else if (strncmp(data, "ICY", index) == 0) {
1533 *type = HTTP_RESPONSE;
1534 isHttpRequestOrReply = TRUE;
1539 if (strncmp(data, "COPY", index) == 0 ||
1540 strncmp(data, "HEAD", index) == 0 ||
1541 strncmp(data, "LOCK", index) == 0 ||
1542 strncmp(data, "MOVE", index) == 0 ||
1543 strncmp(data, "POLL", index) == 0 ||
1544 strncmp(data, "POST", index) == 0) {
1545 *type = HTTP_REQUEST;
1546 isHttpRequestOrReply = TRUE;
1551 if (strncmp(data, "BCOPY", index) == 0 ||
1552 strncmp(data, "BMOVE", index) == 0 ||
1553 strncmp(data, "MKCOL", index) == 0 ||
1554 strncmp(data, "TRACE", index) == 0 ||
1555 strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */
1556 strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */
1557 *type = HTTP_REQUEST;
1558 isHttpRequestOrReply = TRUE;
1563 if (strncmp(data, "DELETE", index) == 0 ||
1564 strncmp(data, "SEARCH", index) == 0 ||
1565 strncmp(data, "UNLOCK", index) == 0 ||
1566 strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */
1567 strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */
1568 *type = HTTP_REQUEST;
1569 isHttpRequestOrReply = TRUE;
1571 else if (strncmp(data, "NOTIFY", index) == 0) {
1572 *type = HTTP_NOTIFICATION;
1573 isHttpRequestOrReply = TRUE;
1578 if (strncmp(data, "BDELETE", index) == 0 ||
1579 strncmp(data, "CONNECT", index) == 0 ||
1580 strncmp(data, "OPTIONS", index) == 0 ||
1581 strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */
1582 *type = HTTP_REQUEST;
1583 isHttpRequestOrReply = TRUE;
1588 if (strncmp(data, "PROPFIND", index) == 0 ||
1589 strncmp(data, "CHECKOUT", index) == 0 || /* RFC 3253 4.3, 9.3 */
1590 strncmp(data, "CCM_POST", index) == 0) {
1591 *type = HTTP_REQUEST;
1592 isHttpRequestOrReply = TRUE;
1597 if (strncmp(data, "SUBSCRIBE", index) == 0) {
1598 *type = HTTP_NOTIFICATION;
1599 isHttpRequestOrReply = TRUE;
1600 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
1601 strncmp(data, "BPROPFIND", index) == 0) {
1602 *type = HTTP_REQUEST;
1603 isHttpRequestOrReply = TRUE;
1608 if (strncmp(data, "BPROPPATCH", index) == 0 ||
1609 strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */
1610 strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */
1611 *type = HTTP_REQUEST;
1612 isHttpRequestOrReply = TRUE;
1617 if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */
1618 *type = HTTP_REQUEST;
1619 isHttpRequestOrReply = TRUE;
1620 } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
1621 *type = HTTP_NOTIFICATION;
1622 isHttpRequestOrReply = TRUE;
1623 } else if (strncmp(data, "RPC_CONNECT", index) == 0) {
1624 *type = HTTP_REQUEST;
1625 isHttpRequestOrReply = TRUE;
1630 if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */
1631 *type = HTTP_REQUEST;
1632 isHttpRequestOrReply = TRUE;
1637 if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */
1638 *type = HTTP_REQUEST;
1639 isHttpRequestOrReply = TRUE;
1647 if (isHttpRequestOrReply && reqresp_dissector) {
1648 *reqresp_dissector = basic_request_dissector;
1649 if (!stat_info->request_method)
1650 stat_info->request_method = se_strndup(data, index+1);
1654 return isHttpRequestOrReply;
1666 #define HDR_NO_SPECIAL 0
1667 #define HDR_AUTHORIZATION 1
1668 #define HDR_AUTHENTICATE 2
1669 #define HDR_CONTENT_TYPE 3
1670 #define HDR_CONTENT_LENGTH 4
1671 #define HDR_CONTENT_ENCODING 5
1672 #define HDR_TRANSFER_ENCODING 6
1675 static const header_info headers[] = {
1676 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
1677 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
1678 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
1679 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
1680 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
1681 { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
1682 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
1683 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
1684 { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL },
1685 { "Host", &hf_http_host, HDR_HOST },
1686 { "Connection", &hf_http_connection, HDR_NO_SPECIAL },
1687 { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL },
1688 { "Accept", &hf_http_accept, HDR_NO_SPECIAL },
1689 { "Referer", &hf_http_referer, HDR_NO_SPECIAL },
1690 { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL },
1691 { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL },
1692 { "Date", &hf_http_date, HDR_NO_SPECIAL },
1693 { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL },
1694 { "Server", &hf_http_server, HDR_NO_SPECIAL },
1695 { "Location", &hf_http_location, HDR_NO_SPECIAL },
1696 { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL },
1697 { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL },
1698 { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL },
1702 process_header(tvbuff_t *tvb, int offset, int next_offset,
1703 const guchar *line, int linelen, int colon_offset,
1704 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr)
1707 int line_end_offset;
1716 proto_item *hdr_item;
1719 len = next_offset - offset;
1720 line_end_offset = offset + linelen;
1721 header_len = colon_offset - offset;
1722 hf_index = find_header_hf_value(tvb, offset, header_len);
1724 if (hf_index == -1) {
1726 * Not a header we know anything about. Just put it into
1730 proto_tree_add_text(tree, tvb, offset, len,
1731 "%s", format_text(line, len));
1735 * Skip whitespace after the colon.
1737 value_offset = colon_offset + 1;
1738 while (value_offset < line_end_offset
1739 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
1745 value_len = line_end_offset - value_offset;
1746 value = ep_strndup(&line[value_offset - offset], value_len);
1749 * Add it to the protocol tree as a particular field,
1750 * but display the line as is.
1753 header_field_info *hfinfo;
1756 hfinfo = proto_registrar_get_nth(*headers[hf_index].hf);
1757 switch(hfinfo->type){
1766 tmp=strtol(value, NULL, 10);
1767 hdr_item = proto_tree_add_uint(tree, *headers[hf_index].hf, tvb, offset, len, tmp);
1770 hdr_item = proto_tree_add_string_format(tree,
1771 *headers[hf_index].hf, tvb, offset, len,
1772 value, "%s", format_text(line, len));
1778 * Do any special processing that particular headers
1781 switch (headers[hf_index].special) {
1783 case HDR_AUTHORIZATION:
1784 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
1785 break; /* dissected NTLMSSP */
1786 check_auth_basic(hdr_item, tvb, value);
1789 case HDR_AUTHENTICATE:
1790 check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
1793 case HDR_CONTENT_TYPE:
1794 eh_ptr->content_type = (gchar*) ep_memdup((guint8*)value,value_len + 1);
1796 for (i = 0; i < value_len; i++) {
1798 if (c == ';' || isspace(c)) {
1800 * End of subtype - either
1801 * white space or a ";"
1802 * separating the subtype from
1809 * Map the character to lower case;
1810 * content types are case-insensitive.
1812 eh_ptr->content_type[i] = tolower(eh_ptr->content_type[i]);
1814 eh_ptr->content_type[i] = '\0';
1816 * Now find the start of the optional parameters;
1817 * skip the optional white space and the semicolon
1818 * if this has not been done before.
1821 while (i < value_len) {
1822 c = eh_ptr->content_type[i];
1823 if (c == ';' || isspace(c))
1824 /* Skip till start of parameters */
1830 eh_ptr->content_type_parameters = eh_ptr->content_type + i;
1832 eh_ptr->content_type_parameters = NULL;
1835 case HDR_CONTENT_LENGTH:
1836 eh_ptr->content_length = strtol(value, &p, 10);
1838 if (eh_ptr->content_length < 0 || p == value ||
1839 (*up != '\0' && !isspace(*up))) {
1841 * Content length not valid; pretend
1844 eh_ptr->have_content_length = FALSE;
1847 * We do have a valid content length.
1849 eh_ptr->have_content_length = TRUE;
1853 case HDR_CONTENT_ENCODING:
1854 eh_ptr->content_encoding = ep_strndup(value, value_len);
1857 case HDR_TRANSFER_ENCODING:
1858 eh_ptr->transfer_encoding = ep_strndup(value, value_len);
1862 stat_info->http_host = se_strndup(value, value_len);
1869 /* Returns index of header tag in headers */
1871 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
1875 for (i = 0; i < array_length(headers); i++) {
1876 if (header_len == strlen(headers[i].name) &&
1877 tvb_strncaseeql(tvb, offset,
1878 headers[i].name, header_len) == 0)
1886 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
1889 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
1892 static const char *ntlm_headers[] = {
1897 const char **header;
1899 proto_tree *hdr_tree;
1902 * Check for NTLM credentials and challenge; those can
1903 * occur with WWW-Authenticate.
1905 for (header = &ntlm_headers[0]; *header != NULL; header++) {
1906 hdrlen = strlen(*header);
1907 if (strncmp(value, *header, hdrlen) == 0) {
1908 if (hdr_item != NULL) {
1909 hdr_tree = proto_item_add_subtree(hdr_item,
1914 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
1922 * Dissect HTTP Basic authorization.
1925 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
1927 static const char *basic_headers[] = {
1931 const char **header;
1933 proto_tree *hdr_tree;
1936 for (header = &basic_headers[0]; *header != NULL; header++) {
1937 hdrlen = strlen(*header);
1938 if (strncmp(value, *header, hdrlen) == 0) {
1939 if (hdr_item != NULL) {
1940 hdr_tree = proto_item_add_subtree(hdr_item,
1946 len = epan_base64_decode(value);
1948 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
1958 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1963 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1964 len = dissect_http_message(tvb, offset, pinfo, tree);
1970 * OK, we've set the Protocol and Info columns for the
1971 * first HTTP message; make the columns non-writable,
1972 * so that we don't change it for subsequent HTTP messages.
1974 col_set_writable(pinfo->cinfo, FALSE);
1979 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1981 dissect_http_message(tvb, 0, pinfo, tree);
1984 static void reinit_http(void) {
1985 if ( http_alternate_tcp_port != alternate_tcp_port ) {
1987 if (alternate_tcp_port)
1988 dissector_delete("tcp.port", alternate_tcp_port, http_handle );
1990 if (http_alternate_tcp_port)
1991 dissector_add("tcp.port", http_alternate_tcp_port, http_handle);
1993 alternate_tcp_port = http_alternate_tcp_port;
1998 proto_register_http(void)
2000 static hf_register_info hf[] = {
2001 { &hf_http_notification,
2002 { "Notification", "http.notification",
2003 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2004 "TRUE if HTTP notification", HFILL }},
2005 { &hf_http_response,
2006 { "Response", "http.response",
2007 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2008 "TRUE if HTTP response", HFILL }},
2010 { "Request", "http.request",
2011 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2012 "TRUE if HTTP request", HFILL }},
2014 { "Credentials", "http.authbasic",
2015 FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
2016 { &hf_http_request_method,
2017 { "Request Method", "http.request.method",
2018 FT_STRING, BASE_NONE, NULL, 0x0,
2019 "HTTP Request Method", HFILL }},
2020 { &hf_http_request_uri,
2021 { "Request URI", "http.request.uri",
2022 FT_STRING, BASE_NONE, NULL, 0x0,
2023 "HTTP Request-URI", HFILL }},
2025 { "Request Version", "http.request.version",
2026 FT_STRING, BASE_NONE, NULL, 0x0,
2027 "HTTP Request HTTP-Version", HFILL }},
2028 { &hf_http_response_code,
2029 { "Response Code", "http.response.code",
2030 FT_UINT16, BASE_DEC, NULL, 0x0,
2031 "HTTP Response Code", HFILL }},
2032 { &hf_http_authorization,
2033 { "Authorization", "http.authorization",
2034 FT_STRING, BASE_NONE, NULL, 0x0,
2035 "HTTP Authorization header", HFILL }},
2036 { &hf_http_proxy_authenticate,
2037 { "Proxy-Authenticate", "http.proxy_authenticate",
2038 FT_STRING, BASE_NONE, NULL, 0x0,
2039 "HTTP Proxy-Authenticate header", HFILL }},
2040 { &hf_http_proxy_authorization,
2041 { "Proxy-Authorization", "http.proxy_authorization",
2042 FT_STRING, BASE_NONE, NULL, 0x0,
2043 "HTTP Proxy-Authorization header", HFILL }},
2044 { &hf_http_www_authenticate,
2045 { "WWW-Authenticate", "http.www_authenticate",
2046 FT_STRING, BASE_NONE, NULL, 0x0,
2047 "HTTP WWW-Authenticate header", HFILL }},
2048 { &hf_http_content_type,
2049 { "Content-Type", "http.content_type",
2050 FT_STRING, BASE_NONE, NULL, 0x0,
2051 "HTTP Content-Type header", HFILL }},
2052 { &hf_http_content_length,
2053 { "Content-Length", "http.content_length",
2054 FT_UINT32, BASE_DEC, NULL, 0x0,
2055 "HTTP Content-Length header", HFILL }},
2056 { &hf_http_content_encoding,
2057 { "Content-Encoding", "http.content_encoding",
2058 FT_STRING, BASE_NONE, NULL, 0x0,
2059 "HTTP Content-Encoding header", HFILL }},
2060 { &hf_http_transfer_encoding,
2061 { "Transfer-Encoding", "http.transfer_encoding",
2062 FT_STRING, BASE_NONE, NULL, 0x0,
2063 "HTTP Transfer-Encoding header", HFILL }},
2064 { &hf_http_user_agent,
2065 { "User-Agent", "http.user_agent",
2066 FT_STRING, BASE_NONE, NULL, 0x0,
2067 "HTTP User-Agent header", HFILL }},
2069 { "Host", "http.host",
2070 FT_STRING, BASE_NONE, NULL, 0x0,
2071 "HTTP Host", HFILL }},
2072 { &hf_http_connection,
2073 { "Connection", "http.connection",
2074 FT_STRING, BASE_NONE, NULL, 0x0,
2075 "HTTP Connection", HFILL }},
2077 { "Cookie", "http.cookie",
2078 FT_STRING, BASE_NONE, NULL, 0x0,
2079 "HTTP Cookie", HFILL }},
2081 { "Accept", "http.accept",
2082 FT_STRING, BASE_NONE, NULL, 0x0,
2083 "HTTP Accept", HFILL }},
2085 { "Referer", "http.referer",
2086 FT_STRING, BASE_NONE, NULL, 0x0,
2087 "HTTP Referer", HFILL }},
2088 { &hf_http_accept_language,
2089 { "Accept-Language", "http.accept_language",
2090 FT_STRING, BASE_NONE, NULL, 0x0,
2091 "HTTP Accept Language", HFILL }},
2092 { &hf_http_accept_encoding,
2093 { "Accept Encoding", "http.accept_encoding",
2094 FT_STRING, BASE_NONE, NULL, 0x0,
2095 "HTTP Accept Encoding", HFILL }},
2097 { "Date", "http.date",
2098 FT_STRING, BASE_NONE, NULL, 0x0,
2099 "HTTP Date", HFILL }},
2100 { &hf_http_cache_control,
2101 { "Cache-Control", "http.cache_control",
2102 FT_STRING, BASE_NONE, NULL, 0x0,
2103 "HTTP Cache Control", HFILL }},
2105 { "Server", "http.server",
2106 FT_STRING, BASE_NONE, NULL, 0x0,
2107 "HTTP Server", HFILL }},
2108 { &hf_http_location,
2109 { "Location", "http.location",
2110 FT_STRING, BASE_NONE, NULL, 0x0,
2111 "HTTP Location", HFILL }},
2112 { &hf_http_set_cookie,
2113 { "Set-Cookie", "http.set_cookie",
2114 FT_STRING, BASE_NONE, NULL, 0x0,
2115 "HTTP Set Cookie", HFILL }},
2116 { &hf_http_last_modified,
2117 { "Last-Modified", "http.last_modified",
2118 FT_STRING, BASE_NONE, NULL, 0x0,
2119 "HTTP Last Modified", HFILL }},
2120 { &hf_http_x_forwarded_for,
2121 { "X-Forwarded-For", "http.x_forwarded_for",
2122 FT_STRING, BASE_NONE, NULL, 0x0,
2123 "HTTP X-Forwarded-For", HFILL }},
2125 static gint *ett[] = {
2129 &ett_http_chunked_response,
2130 &ett_http_chunk_data,
2131 &ett_http_encoded_entity,
2133 module_t *http_module;
2135 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
2137 proto_register_field_array(proto_http, hf, array_length(hf));
2138 proto_register_subtree_array(ett, array_length(ett));
2139 register_dissector("http", dissect_http, proto_http);
2140 http_module = prefs_register_protocol(proto_http, reinit_http);
2141 prefs_register_bool_preference(http_module, "desegment_headers",
2142 "Reassemble HTTP headers spanning multiple TCP segments",
2143 "Whether the HTTP dissector should reassemble headers "
2144 "of a request spanning multiple TCP segments. "
2145 "To use this option, you must also enable "
2146 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2147 &http_desegment_headers);
2148 prefs_register_bool_preference(http_module, "desegment_body",
2149 "Reassemble HTTP bodies spanning multiple TCP segments",
2150 "Whether the HTTP dissector should use the "
2151 "\"Content-length:\" value, if present, to reassemble "
2152 "the body of a request spanning multiple TCP segments, "
2153 "and reassemble chunked data spanning multiple TCP segments. "
2154 "To use this option, you must also enable "
2155 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2156 &http_desegment_body);
2157 prefs_register_bool_preference(http_module, "dechunk_body",
2158 "Reassemble chunked transfer-coded bodies",
2159 "Whether to reassemble bodies of entities that are transfered "
2160 "using the \"Transfer-Encoding: chunked\" method",
2161 &http_dechunk_body);
2163 prefs_register_bool_preference(http_module, "decompress_body",
2164 "Uncompress entity bodies",
2165 "Whether to uncompress entity bodies that are compressed "
2166 "using \"Content-Encoding: \"",
2167 &http_decompress_body);
2169 prefs_register_uint_preference(http_module, "tcp_alternate_port",
2170 "Alternate TCP port",
2171 "Decode packets on this TCP port as HTTP",
2172 10,&http_alternate_tcp_port);
2174 http_handle = create_dissector_handle(dissect_http, proto_http);
2177 * Dissectors shouldn't register themselves in this table;
2178 * instead, they should call "http_dissector_add()", and
2179 * we'll register the port number they specify as a port
2180 * for HTTP, and register them in our subdissector table.
2182 * This only works for protocols such as IPP that run over
2183 * HTTP on a specific non-HTTP port.
2185 port_subdissector_table = register_dissector_table("http.port",
2186 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
2189 * Dissectors can register themselves in this table.
2190 * It's just "media_type", not "http.content_type", because
2191 * it's an Internet media type, usable by other protocols as well.
2193 media_type_subdissector_table =
2194 register_dissector_table("media_type",
2195 "Internet media type", FT_STRING, BASE_NONE);
2198 * Heuristic dissectors SHOULD register themselves in
2199 * this table using the standard heur_dissector_add()
2202 register_heur_dissector_list("http", &heur_subdissector_list);
2205 * Register for tapping
2207 http_tap = register_tap("http");
2211 * Called by dissectors for protocols that run atop HTTP/TCP.
2214 http_dissector_add(guint32 port, dissector_handle_t handle)
2217 * Register ourselves as the handler for that port number
2220 dissector_add("tcp.port", port, http_handle);
2223 * And register them in *our* table for that port.
2225 dissector_add("http.port", port, handle);
2229 proto_reg_handoff_http(void)
2231 dissector_handle_t http_udp_handle;
2233 data_handle = find_dissector("data");
2234 media_handle = find_dissector("media");
2236 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
2237 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
2238 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
2239 dissector_add("tcp.port", TCP_RADAN_HTTP, http_handle);
2240 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
2241 dissector_add("tcp.port", TCP_PORT_HKP, http_handle);
2244 * XXX - is there anything to dissect in the body of an SSDP
2245 * request or reply? I.e., should there be an SSDP dissector?
2247 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
2248 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
2249 dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
2251 ntlmssp_handle = find_dissector("ntlmssp");
2252 gssapi_handle = find_dissector("gssapi");
2254 stats_tree_register("http","http","HTTP/Packet Counter", http_stats_tree_packet, http_stats_tree_init, NULL );
2255 stats_tree_register("http","http_req","HTTP/Requests", http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
2256 stats_tree_register("http","http_srv","HTTP/Load Distribution",http_reqs_stats_tree_packet,http_reqs_stats_tree_init, NULL );
2261 * Content-Type: message/http
2264 static gint proto_message_http = -1;
2265 static gint ett_message_http = -1;
2266 static dissector_handle_t message_http_handle;
2269 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2271 proto_tree *subtree;
2273 gint offset = 0, next_offset;
2276 if (check_col(pinfo->cinfo, COL_INFO))
2277 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
2279 ti = proto_tree_add_item(tree, proto_message_http,
2281 subtree = proto_item_add_subtree(ti, ett_message_http);
2282 while (tvb_reported_length_remaining(tvb, offset) != 0) {
2283 len = tvb_find_line_end(tvb, offset,
2284 tvb_ensure_length_remaining(tvb, offset),
2285 &next_offset, FALSE);
2288 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
2289 "%s", tvb_format_text(tvb, offset, len));
2290 offset = next_offset;
2296 proto_register_message_http(void)
2298 static gint *ett[] = {
2302 proto_message_http = proto_register_protocol(
2303 "Media Type: message/http",
2307 proto_register_subtree_array(ett, array_length(ett));
2311 proto_reg_handoff_message_http(void)
2313 message_http_handle = create_dissector_handle(dissect_message_http,
2314 proto_message_http);
2316 dissector_add_string("media_type", "message/http", message_http_handle);