2 * Routines for HTTP packet disassembly
6 * Guy Harris <guy@alum.mit.edu>
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
41 #include <epan/packet.h>
42 #include <epan/strutil.h>
43 #include <epan/base64.h>
44 #include <epan/emem.h>
45 #include <epan/stats_tree.h>
47 #include <epan/req_resp_hdrs.h>
48 #include "packet-http.h"
49 #include <epan/prefs.h>
50 #include <epan/expert.h>
52 typedef enum _http_type {
61 static int http_tap = -1;
63 static int proto_http = -1;
64 static int hf_http_notification = -1;
65 static int hf_http_response = -1;
66 static int hf_http_request = -1;
67 static int hf_http_basic = -1;
68 static int hf_http_request_method = -1;
69 static int hf_http_request_uri = -1;
70 static int hf_http_version = -1;
71 static int hf_http_response_code = -1;
72 static int hf_http_authorization = -1;
73 static int hf_http_proxy_authenticate = -1;
74 static int hf_http_proxy_authorization = -1;
75 static int hf_http_www_authenticate = -1;
76 static int hf_http_content_type = -1;
77 static int hf_http_content_length = -1;
78 static int hf_http_content_encoding = -1;
79 static int hf_http_transfer_encoding = -1;
80 static int hf_http_user_agent = -1;
81 static int hf_http_host = -1;
82 static int hf_http_connection = -1;
83 static int hf_http_cookie = -1;
84 static int hf_http_accept = -1;
85 static int hf_http_referer = -1;
86 static int hf_http_accept_language = -1;
87 static int hf_http_accept_encoding = -1;
88 static int hf_http_date = -1;
89 static int hf_http_cache_control = -1;
90 static int hf_http_server = -1;
91 static int hf_http_location = -1;
92 static int hf_http_set_cookie = -1;
93 static int hf_http_last_modified = -1;
94 static int hf_http_x_forwarded_for = -1;
96 static gint ett_http = -1;
97 static gint ett_http_ntlmssp = -1;
98 static gint ett_http_request = -1;
99 static gint ett_http_chunked_response = -1;
100 static gint ett_http_chunk_data = -1;
101 static gint ett_http_encoded_entity = -1;
103 static dissector_handle_t data_handle;
104 static dissector_handle_t media_handle;
105 static dissector_handle_t http_handle;
108 * desegmentation of HTTP headers
109 * (when we are over TCP or another protocol providing the desegmentation API)
111 static gboolean http_desegment_headers = TRUE;
114 * desegmentation of HTTP bodies
115 * (when we are over TCP or another protocol providing the desegmentation API)
116 * TODO let the user filter on content-type the bodies he wants desegmented
118 static gboolean http_desegment_body = TRUE;
121 * De-chunking of content-encoding: chunk entity bodies.
123 static gboolean http_dechunk_body = TRUE;
126 * Decompression of zlib encoded entities.
129 static gboolean http_decompress_body = TRUE;
131 static gboolean http_decompress_body = FALSE;
135 #define TCP_PORT_HTTP 80
136 #define TCP_PORT_PROXY_HTTP 3128
137 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
138 #define TCP_ALT_PORT_HTTP 8080
139 #define TCP_RADAN_HTTP 8088
140 #define TCP_PORT_HKP 11371
141 #define TCP_PORT_DAAP 3689
143 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
145 #define TCP_PORT_SSDP 1900
146 #define UDP_PORT_SSDP 1900
151 static guint http_alternate_tcp_port = 0;
152 static guint alternate_tcp_port = 0;
155 * Protocols implemented atop HTTP.
158 PROTO_HTTP, /* just HTTP */
159 PROTO_SSDP, /* Simple Service Discovery Protocol */
160 PROTO_DAAP /* Digital Audio Access Protocol */
163 typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*,
167 * Structure holding information from headers needed by main
168 * HTTP dissector code.
172 char *content_type_parameters;
173 gboolean have_content_length;
174 long content_length; /* XXX - make it 64-bit? */
175 char *content_encoding;
176 char *transfer_encoding;
179 static int is_http_request_or_reply(const gchar *data, int linelen,
180 http_type_t *type, ReqRespDissector *reqresp_dissector);
181 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
182 proto_tree *tree, int offset);
183 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
184 const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
185 proto_tree *tree, headers_t *eh_ptr);
186 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
187 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
188 packet_info *pinfo, gchar *value);
189 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
192 static dissector_table_t port_subdissector_table;
193 static dissector_table_t media_type_subdissector_table;
194 static heur_dissector_list_t heur_subdissector_list;
196 static dissector_handle_t ntlmssp_handle=NULL;
197 static dissector_handle_t gssapi_handle=NULL;
199 static const value_string vals_status_code[] = {
201 { 101, "Switching Protocols" },
202 { 102, "Processing" },
203 { 199, "Informational - Others" },
208 { 203, "Non-authoritative Information"},
209 { 204, "No Content"},
210 { 205, "Reset Content"},
211 { 206, "Partial Content"},
212 { 207, "Multi-Status"},
213 { 299, "Success - Others"},
215 { 300, "Multiple Choices"},
216 { 301, "Moved Permanently"},
219 { 304, "Not Modified"},
221 { 307, "Temporary Redirect"},
222 { 399, "Redirection - Others"},
224 { 400, "Bad Request"},
225 { 401, "Unauthorized"},
226 { 402, "Payment Required"},
229 { 405, "Method Not Allowed"},
230 { 406, "Not Acceptable"},
231 { 407, "Proxy Authentication Required"},
232 { 408, "Request Time-out"},
235 { 411, "Length Required"},
236 { 412, "Precondition Failed"},
237 { 413, "Request Entity Too Large"},
238 { 414, "Request-URI Too Long"},
239 { 415, "Unsupported Media Type"},
240 { 416, "Requested Range Not Satisfiable"},
241 { 417, "Expectation Failed"},
242 { 422, "Unprocessable Entity"},
244 { 424, "Failed Dependency"},
245 { 499, "Client Error - Others"},
247 { 500, "Internal Server Error"},
248 { 501, "Not Implemented"},
249 { 502, "Bad Gateway"},
250 { 503, "Service Unavailable"},
251 { 504, "Gateway Time-out"},
252 { 505, "HTTP Version not supported"},
253 { 507, "Insufficient Storage"},
254 { 599, "Server Error - Others"},
259 static const gchar* st_str_reqs = "HTTP Requests by Server";
260 static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address";
261 static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host";
262 static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address";
264 static int st_node_reqs = -1;
265 static int st_node_reqs_by_srv_addr = -1;
266 static int st_node_reqs_by_http_host = -1;
267 static int st_node_resps_by_srv_addr = -1;
269 static void http_reqs_stats_tree_init(stats_tree* st) {
270 st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE);
271 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
272 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
273 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE);
276 static int http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p) {
277 const http_info_value_t* v = p;
278 int reqs_by_this_host;
279 int reqs_by_this_addr;
280 int resps_by_this_addr;
281 int i = v->response_code;
282 static gchar ip_str[256];
285 if (v->request_method) {
286 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->dst));
288 tick_stat_node(st, st_str_reqs, 0, FALSE);
289 tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
290 tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
291 reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE);
294 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE);
295 tick_stat_node(st, ip_str, reqs_by_this_host, FALSE);
297 tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE);
303 g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->src));
305 tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE);
306 resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE);
308 if ( (i>100)&&(i<400) ) {
309 tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
311 tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
321 static int st_node_requests_by_host = -1;
322 static const guint8* st_str_requests_by_host = "HTTP Requests by HTTP Host";
324 static void http_req_stats_tree_init(stats_tree* st) {
325 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE);
328 static int http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
329 const http_info_value_t* v = p;
330 int reqs_by_this_host;
332 if (v->request_method) {
333 tick_stat_node(st, st_str_requests_by_host, 0, FALSE);
336 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE);
338 if (v->request_uri) {
339 tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE);
349 static const guint8* st_str_packets = "Total HTTP Packets";
350 static const guint8* st_str_requests = "HTTP Request Packets";
351 static const guint8* st_str_responses = "HTTP Response Packets";
352 static const guint8* st_str_resp_broken = "???: broken";
353 static const guint8* st_str_resp_100 = "1xx: Informational";
354 static const guint8* st_str_resp_200 = "2xx: Success";
355 static const guint8* st_str_resp_300 = "3xx: Redirection";
356 static const guint8* st_str_resp_400 = "4xx: Client Error";
357 static const guint8* st_str_resp_500 = "5xx: Server Error";
358 static const guint8* st_str_other = "Other HTTP Packets";
360 static int st_node_packets = -1;
361 static int st_node_requests = -1;
362 static int st_node_responses = -1;
363 static int st_node_resp_broken = -1;
364 static int st_node_resp_100 = -1;
365 static int st_node_resp_200 = -1;
366 static int st_node_resp_300 = -1;
367 static int st_node_resp_400 = -1;
368 static int st_node_resp_500 = -1;
369 static int st_node_other = -1;
372 static void http_stats_tree_init(stats_tree* st) {
373 st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
374 st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets);
375 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE);
376 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE);
377 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE);
378 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE);
379 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE);
380 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE);
381 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE);
382 st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE);
385 static int http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) {
386 const http_info_value_t* v = p;
387 guint i = v->response_code;
389 const guint8* resp_str;
390 static gchar str[64];
392 tick_stat_node(st, st_str_packets, 0, FALSE);
395 tick_stat_node(st, st_str_responses, st_node_packets, FALSE);
397 if ( (i<100)||(i>=600) ) {
398 resp_grp = st_node_resp_broken;
399 resp_str = st_str_resp_broken;
401 resp_grp = st_node_resp_100;
402 resp_str = st_str_resp_100;
404 resp_grp = st_node_resp_200;
405 resp_str = st_str_resp_200;
407 resp_grp = st_node_resp_300;
408 resp_str = st_str_resp_300;
410 resp_grp = st_node_resp_400;
411 resp_str = st_str_resp_400;
413 resp_grp = st_node_resp_500;
414 resp_str = st_str_resp_500;
417 tick_stat_node(st, resp_str, st_node_responses, FALSE);
419 g_snprintf(str, sizeof(str),"%u %s",i,match_strval(i,vals_status_code));
420 tick_stat_node(st, str, resp_grp, FALSE);
421 } else if (v->request_method) {
422 stats_tree_tick_pivot(st,st_node_requests,v->request_method);
424 tick_stat_node(st, st_str_other, st_node_packets, FALSE);
430 /* Return a tvb that contains the binary representation of a base64
434 base64_to_tvb(const char *base64)
437 char *data = g_strdup(base64);
440 len = epan_base64_decode(data);
441 tvb = tvb_new_real_data((const guint8 *)data, len, len);
443 tvb_set_free_cb(tvb, g_free);
449 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
452 tvbuff_t *ntlmssp_tvb;
454 ntlmssp_tvb = base64_to_tvb(line);
455 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
456 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data");
457 if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0)
458 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
460 call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree);
464 * TODO: remove this ugly global variable.
465 * XXX: do we really want to have to pass this from one function to another?
467 static http_info_value_t *stat_info;
470 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
474 const char *proto_tag;
475 proto_tree *http_tree = NULL;
476 proto_item *ti = NULL;
479 const guchar *linep, *lineend;
481 int first_linelen, linelen;
482 gboolean is_request_or_reply;
483 gboolean saw_req_resp_or_header;
485 http_type_t http_type;
486 proto_item *hdr_item = NULL;
487 ReqRespDissector reqresp_dissector;
488 proto_tree *req_tree;
492 int reported_datalen = -1;
493 dissector_handle_t handle;
496 guint32 framenum = pinfo->fd->num;
497 /*http_info_value_t *si;*/
500 * Is this a request or response?
502 * Note that "tvb_find_line_end()" will return a value that
503 * is not longer than what's in the buffer, so the
504 * "tvb_get_ptr()" call won't throw an exception.
506 first_linelen = tvb_find_line_end(tvb, offset,
507 tvb_ensure_length_remaining(tvb, offset), &next_offset,
510 * Is the first line a request or response?
512 line = tvb_get_ptr(tvb, offset, first_linelen);
513 http_type = HTTP_OTHERS; /* type not known yet */
514 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
515 first_linelen, &http_type, NULL);
516 if (is_request_or_reply) {
518 * Yes, it's a request or response.
519 * Do header desegmentation if we've been told to,
520 * and do body desegmentation if we've been told to and
521 * we find a Content-Length header.
523 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
524 http_desegment_headers, http_desegment_body)) {
526 * More data needed for desegmentation.
532 /* we first allocate and initialize the current stat_info */
533 stat_info = ep_alloc(sizeof(http_info_value_t));
534 stat_info->framenum = framenum;
535 stat_info->response_code = 0;
536 stat_info->request_method = NULL;
537 stat_info->request_uri = NULL;
538 stat_info->http_host = NULL;
540 switch (pinfo->match_port) {
542 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
558 if (check_col(pinfo->cinfo, COL_PROTOCOL))
559 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
560 if (check_col(pinfo->cinfo, COL_INFO)) {
562 * Put the first line from the buffer into the summary
563 * if it's an HTTP request or reply (but leave out the
565 * Otherwise, just call it a continuation.
567 * Note that "tvb_find_line_end()" will return a value that
568 * is not longer than what's in the buffer, so the
569 * "tvb_get_ptr()" call won't throw an exception.
571 line = tvb_get_ptr(tvb, offset, first_linelen);
572 if (is_request_or_reply)
573 col_add_str(pinfo->cinfo, COL_INFO,
574 format_text(line, first_linelen));
576 col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic");
579 orig_offset = offset;
581 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
583 http_tree = proto_item_add_subtree(ti, ett_http);
587 * Process the packet data, a line at a time.
589 http_type = HTTP_OTHERS; /* type not known yet */
590 headers.content_type = NULL; /* content type not known yet */
591 headers.content_type_parameters = NULL; /* content type parameters too */
592 headers.have_content_length = FALSE; /* content length not known yet */
593 headers.content_encoding = NULL; /* content encoding not known yet */
594 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
595 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
596 while (tvb_reported_length_remaining(tvb, offset) != 0) {
598 * Find the end of the line.
599 * XXX - what if we don't find it because the packet
600 * is cut short by a snapshot length or the header is
601 * split across TCP segments? How much dissection should
604 linelen = tvb_find_line_end(tvb, offset,
605 tvb_ensure_length_remaining(tvb, offset), &next_offset,
611 * Get a buffer that refers to the line.
613 line = tvb_get_ptr(tvb, offset, linelen);
614 lineend = line + linelen;
618 * OK, does it look like an HTTP request or response?
620 reqresp_dissector = NULL;
621 is_request_or_reply =
622 is_http_request_or_reply((const gchar *)line,
623 linelen, &http_type, &reqresp_dissector);
624 if (is_request_or_reply)
628 * No. Does it look like a blank line (as would appear
629 * at the end of an HTTP request)?
632 goto is_http; /* Yes. */
635 * No. Does it look like a header?
638 colon_offset = offset;
639 while (linep < lineend) {
643 * This must be a CHAR to be part of a token; that
644 * means it must be ASCII.
647 break; /* not ASCII, thus not a CHAR */
650 * This mustn't be a CTL to be part of a token.
652 * XXX - what about leading LWS on continuation
656 break; /* CTL, not part of a header */
659 * This mustn't be a SEP to be part of a token;
660 * a ':' ends the token, everything else is an
661 * indication that this isn't a header.
683 * It's a separator, so it's not part of a
684 * token, so it's not a field name for the
685 * beginning of a header.
687 * (We don't have to check for HT; that's
688 * already been ruled out by "iscntrl()".)
694 * This ends the token; we consider this
706 * We haven't seen the colon, but everything else looks
707 * OK for a header line.
709 * If we've already seen an HTTP request or response
710 * line, or a header line, and we're at the end of
711 * the tvbuff, we assume this is an incomplete header
712 * line. (We quit this loop after seeing a blank line,
713 * so if we've seen a request or response line, or a
714 * header line, this is probably more of the request
715 * or response we're presumably seeing. There is some
716 * risk of false positives, but the same applies for
717 * full request or response lines or header lines,
718 * although that's less likely.)
720 * We throw an exception in that case, by checking for
721 * the existence of the next byte after the last one
722 * in the line. If it exists, "tvb_ensure_bytes_exist()"
723 * throws no exception, and we fall through to the
724 * "not HTTP" case. If it doesn't exist,
725 * "tvb_ensure_bytes_exist()" will throw the appropriate
728 if (saw_req_resp_or_header)
729 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
733 * We don't consider this part of an HTTP request or
734 * reply, so we don't display it.
735 * (Yeah, that means we don't display, say, a text/http
736 * page, but you can get that from the data pane.)
746 * This is a blank line, which means that
747 * whatever follows it isn't part of this
750 proto_tree_add_text(http_tree, tvb, offset,
751 next_offset - offset, "%s",
752 tvb_format_text(tvb, offset, next_offset - offset));
753 offset = next_offset;
758 * Not a blank line - either a request, a reply, or a header
761 saw_req_resp_or_header = TRUE;
762 if (is_request_or_reply) {
764 hdr_item = proto_tree_add_text(http_tree, tvb,
765 offset, next_offset - offset, "%s",
766 tvb_format_text(tvb, offset,
767 next_offset - offset));
769 expert_add_info_format(pinfo, hdr_item, PI_SEQUENCE, PI_CHAT,
771 tvb_format_text(tvb, offset, next_offset - offset));
772 if (reqresp_dissector) {
773 if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
774 else req_tree = NULL;
776 reqresp_dissector(tvb, req_tree, offset, line, lineend);
782 process_header(tvb, offset, next_offset, line, linelen,
783 colon_offset, pinfo, http_tree, &headers);
785 offset = next_offset;
791 case HTTP_NOTIFICATION:
792 proto_tree_add_boolean_hidden(http_tree,
793 hf_http_notification, tvb, 0, 0, 1);
797 proto_tree_add_boolean_hidden(http_tree,
798 hf_http_response, tvb, 0, 0, 1);
802 proto_tree_add_boolean_hidden(http_tree,
803 hf_http_request, tvb, 0, 0, 1);
813 * If a content length was supplied, the amount of data to be
814 * processed as HTTP payload is the minimum of the content
815 * length and the amount of data remaining in the frame.
817 * If no content length was supplied (or if a bad content length
818 * was supplied), the amount of data to be processed is the amount
819 * of data remaining in the frame.
821 * If there was no Content-Length entity header, we should
822 * accumulate all data until the end of the connection.
823 * That'd require that the TCP dissector call subdissectors
824 * for all frames with FIN, even if they contain no data,
825 * which would require subdissectors to deal intelligently
826 * with empty segments.
828 * Acccording to RFC 2616, however, 1xx responses, 204 responses,
829 * and 304 responses MUST NOT include a message body; if no
830 * content length is specified for them, we don't attempt to
833 * XXX - it says the same about responses to HEAD requests;
834 * unless there's a way to determine from the response
835 * whether it's a response to a HEAD request, we have to
836 * keep information about the request and associate that with
837 * the response in order to handle that.
839 datalen = tvb_length_remaining(tvb, offset);
840 if (headers.have_content_length && headers.content_length != -1) {
841 if (datalen > headers.content_length)
842 datalen = headers.content_length;
845 * XXX - limit the reported length in the tvbuff we'll
846 * hand to a subdissector to be no greater than the
849 * We really need both unreassembled and "how long it'd
850 * be if it were reassembled" lengths for tvbuffs, so
851 * that we throw the appropriate exceptions for
852 * "not enough data captured" (running past the length),
853 * "packet needed reassembly" (within the length but
854 * running past the unreassembled length), and
855 * "packet is malformed" (running past the reassembled
858 reported_datalen = tvb_reported_length_remaining(tvb, offset);
859 if (reported_datalen > headers.content_length)
860 reported_datalen = headers.content_length;
866 * Requests have no content if there's no
867 * Content-Length header and no Transfer-Encoding
870 if (headers.transfer_encoding == NULL)
873 reported_datalen = -1;
877 if ((stat_info->response_code/100) == 1 ||
878 stat_info->response_code == 204 ||
879 stat_info->response_code == 304)
880 datalen = 0; /* no content! */
883 * XXX - responses to HEAD requests,
884 * and possibly other responses,
885 * "MUST NOT" include a
888 reported_datalen = -1;
894 * XXX - what about HTTP_NOTIFICATION?
896 reported_datalen = -1;
903 * There's stuff left over; process it.
906 void *save_private_data = NULL;
907 gint chunks_decoded = 0;
910 * Create a tvbuff for the payload.
912 * The amount of data to be processed that's
913 * available in the tvbuff is "datalen", which
914 * is the minimum of the amount of data left in
915 * the tvbuff and any specified content length.
917 * The amount of data to be processed that's in
918 * this frame, regardless of whether it was
919 * captured or not, is "reported_datalen",
920 * which, if no content length was specified,
921 * is -1, i.e. "to the end of the frame.
923 next_tvb = tvb_new_subset(tvb, offset, datalen,
926 * BEWARE - next_tvb is a subset of another tvb,
927 * so we MUST NOT attempt tvb_free(next_tvb);
931 * Handle *transfer* encodings other than "identity".
933 if (headers.transfer_encoding != NULL &&
934 strcasecmp(headers.transfer_encoding, "identity") != 0) {
935 if (http_dechunk_body &&
936 (strncasecmp(headers.transfer_encoding, "chunked", 7)
939 chunks_decoded = chunked_encoding_dissector(
940 &next_tvb, pinfo, http_tree, 0);
942 if (chunks_decoded <= 0) {
944 * The chunks weren't reassembled,
945 * or there was a single zero
951 * Add a new data source for the
954 tvb_set_child_real_data_tvbuff(tvb,
956 add_new_data_source(pinfo, next_tvb,
957 "De-chunked entity body");
961 * We currently can't handle, for example,
962 * "gzip", "compress", or "deflate" as
963 * *transfer* encodings; just handle them
966 call_dissector(data_handle, next_tvb, pinfo,
972 * At this point, any chunked *transfer* coding has been removed
973 * (the entity body has been dechunked) so it can be presented
974 * for the following operation (*content* encoding), or it has
975 * been been handed off to the data dissector.
977 * Handle *content* encodings other than "identity" (which
978 * shouldn't appear in a Content-Encoding header, but
979 * we handle it in any case).
981 if (headers.content_encoding != NULL &&
982 strcasecmp(headers.content_encoding, "identity") != 0) {
984 * We currently can't handle, for example, "compress";
985 * just handle them as data for now.
987 * After July 7, 2004 the LZW patent expires, so support
988 * might be added then. However, I don't think that
989 * anybody ever really implemented "compress", due to
990 * the aforementioned patent.
992 tvbuff_t *uncomp_tvb = NULL;
993 proto_item *e_ti = NULL;
994 proto_tree *e_tree = NULL;
996 if (http_decompress_body &&
997 (strcasecmp(headers.content_encoding, "gzip") == 0 ||
998 strcasecmp(headers.content_encoding, "deflate")
1001 uncomp_tvb = tvb_uncompress(next_tvb, 0,
1002 tvb_length(next_tvb));
1006 * Add the encoded entity to the protocol tree
1008 e_ti = proto_tree_add_text(http_tree, next_tvb,
1009 0, tvb_length(next_tvb),
1010 "Content-encoded entity body (%s): %u bytes",
1011 headers.content_encoding,
1012 tvb_length(next_tvb));
1013 e_tree = proto_item_add_subtree(e_ti,
1014 ett_http_encoded_entity);
1016 if (uncomp_tvb != NULL) {
1018 * Decompression worked
1021 /* XXX - Don't free this, since it's possible
1022 * that the data was only partially
1023 * decompressed, such as when desegmentation
1028 proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb));
1029 next_tvb = uncomp_tvb;
1030 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1031 add_new_data_source(pinfo, next_tvb,
1032 "Uncompressed entity body");
1034 if (chunks_decoded > 1) {
1035 tvb_set_child_real_data_tvbuff(tvb,
1037 add_new_data_source(pinfo, next_tvb,
1038 "Compressed entity body");
1040 call_dissector(data_handle, next_tvb, pinfo,
1043 goto body_dissected;
1047 * Note that a new data source is added for the entity body
1048 * only if it was content-encoded and/or transfer-encoded.
1052 * Do subdissector checks.
1054 * First, check whether some subdissector asked that they
1055 * be called if something was on some particular port.
1057 handle = dissector_get_port_handle(port_subdissector_table,
1059 if (handle == NULL && headers.content_type != NULL) {
1061 * We didn't find any subdissector that
1062 * registered for the port, and we have a
1063 * Content-Type value. Is there any subdissector
1064 * for that content type?
1066 save_private_data = pinfo->private_data;
1068 if (headers.content_type_parameters)
1069 pinfo->private_data = ep_strdup(headers.content_type_parameters);
1071 pinfo->private_data = NULL;
1073 * Calling the string handle for the media type
1074 * dissector table will set pinfo->match_string
1075 * to headers.content_type for us.
1077 pinfo->match_string = headers.content_type;
1078 handle = dissector_get_string_handle(
1079 media_type_subdissector_table,
1080 headers.content_type);
1082 * Calling the default media handle otherwise
1084 if (handle == NULL) {
1085 handle = media_handle;
1088 if (handle != NULL) {
1090 * We have a subdissector - call it.
1092 dissected = call_dissector(handle, next_tvb, pinfo,
1096 * We don't have a subdissector - try the heuristic
1099 dissected = dissector_try_heuristic(
1100 heur_subdissector_list, next_tvb, pinfo, tree);
1104 * The subdissector dissected the body.
1105 * Fix up the top-level item so that it doesn't
1106 * include the stuff for that protocol.
1109 proto_item_set_len(ti, offset);
1111 call_dissector(data_handle, next_tvb, pinfo,
1117 * Do *not* attempt at freeing the private data;
1118 * it may be in use by subdissectors.
1120 if (save_private_data)
1121 pinfo->private_data = save_private_data;
1123 * We've processed "datalen" bytes worth of data
1124 * (which may be no data at all); advance the
1125 * offset past whatever data we've processed.
1130 tap_queue_packet(http_tap, pinfo, stat_info);
1132 return offset - orig_offset;
1135 /* This can be used to dissect an HTTP request until such time
1136 * that a more complete dissector is written for that HTTP request.
1137 * This simple dissector only puts the request method, URI, and
1138 * protocol version into a sub-tree.
1141 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1142 const guchar *line, const guchar *lineend)
1144 const guchar *next_token;
1147 /* The first token is the method. */
1148 tokenlen = get_token_len(line, lineend, &next_token);
1151 proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen,
1153 offset += next_token - line;
1156 /* The next token is the URI. */
1157 tokenlen = get_token_len(line, lineend, &next_token);
1160 stat_info->request_uri = (gchar*) tvb_get_ephemeral_string(tvb, offset, tokenlen);
1161 proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen,
1162 stat_info->request_uri);
1163 offset += next_token - line;
1166 /* Everything to the end of the line is the version. */
1167 tokenlen = lineend - line;
1170 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1175 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1176 const guchar *line, const guchar *lineend)
1178 const guchar *next_token;
1180 gchar response_chars[4];
1182 /* The first token is the version. */
1183 tokenlen = get_token_len(line, lineend, &next_token);
1186 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1188 offset += next_token - line;
1191 /* The next token is the status code. */
1192 tokenlen = get_token_len(line, lineend, &next_token);
1195 memcpy(response_chars, line, 3);
1196 response_chars[3] = '\0';
1198 stat_info->response_code = strtoul(response_chars,NULL,10);
1200 proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3,
1201 stat_info->response_code);
1205 * Dissect the http data chunks and add them to the tree.
1208 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1209 proto_tree *tree, int offset)
1211 guint8 *chunk_string = NULL;
1212 guint32 chunk_size = 0;
1213 gint chunk_offset = 0;
1214 guint32 datalen = 0;
1216 gint chunks_decoded = 0;
1217 tvbuff_t *tvb = NULL;
1218 tvbuff_t *new_tvb = NULL;
1219 gint chunked_data_size = 0;
1220 proto_tree *subtree = NULL;
1221 proto_item *ti = NULL;
1223 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
1229 datalen = tvb_reported_length_remaining(tvb, offset);
1232 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1233 "HTTP chunked response");
1234 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1238 while (datalen != 0) {
1239 proto_item *chunk_ti = NULL;
1240 proto_tree *chunk_subtree = NULL;
1241 tvbuff_t *data_tvb = NULL;
1246 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1249 /* Can't get the chunk size line */
1253 chunk_string = tvb_get_ephemeral_string(tvb, offset, linelen);
1255 if (chunk_string == NULL) {
1256 /* Can't get the chunk size line */
1260 c = (gchar*) chunk_string;
1263 * We don't care about the extensions.
1265 if ((c = strchr(c, ';'))) {
1269 if ( ( chunk_size = strtol((gchar*)chunk_string, NULL, 16) ) == 0 ) {
1274 if (chunk_size > datalen) {
1276 * The chunk size is more than what's in the tvbuff,
1277 * so either the user hasn't enabled decoding, or all
1278 * of the segments weren't captured.
1280 chunk_size = datalen;
1283 * chunk_size is guaranteed to be >0 from here on
1286 else if (new_tvb == NULL) {
1287 new_tvb = tvb_new_composite();
1292 if (new_tvb != NULL && chunk_size != 0) {
1293 tvbuff_t *chunk_tvb = NULL;
1295 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
1296 chunk_size, datalen);
1298 tvb_composite_append(new_tvb, chunk_tvb);
1303 chunked_data_size += chunk_size;
1305 raw_data = g_malloc(chunked_data_size);
1308 if (new_tvb != NULL) {
1309 raw_len = tvb_length_remaining(new_tvb, 0);
1310 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
1315 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
1316 chunk_offset, chunk_size);
1318 new_tvb = tvb_new_real_data(raw_data,
1319 chunked_data_size, chunked_data_size);
1320 tvb_set_free_cb(new_tvb, g_free);
1324 chunk_ti = proto_tree_add_text(subtree, tvb,
1326 chunk_offset - offset + chunk_size + 2,
1327 "Data chunk (%u octets)", chunk_size);
1329 chunk_subtree = proto_item_add_subtree(chunk_ti,
1330 ett_http_chunk_data);
1332 proto_tree_add_text(chunk_subtree, tvb, offset,
1333 chunk_offset - offset, "Chunk size: %u octets",
1336 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
1341 * XXX - just use "proto_tree_add_text()"?
1342 * This means that, in TShark, you get
1343 * the entire chunk dumped out in hex,
1344 * in addition to whatever dissection is
1345 * done on the reassembled data.
1347 call_dissector(data_handle, data_tvb, pinfo,
1350 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1351 chunk_size, 2, "Chunk boundary");
1355 offset = chunk_offset + chunk_size + 2;
1356 datalen = tvb_reported_length_remaining(tvb, offset);
1359 if (new_tvb != NULL) {
1361 /* Placeholder for the day that composite tvbuffer's will work.
1362 tvb_composite_finalize(new_tvb);
1363 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1367 * XXX - Don't free this, since the tvbuffer that was passed
1368 * may be used if the data spans multiple frames and reassembly
1377 * We didn't create a new tvb, so don't allow sub dissectors
1378 * try to decode the non-existant entity body.
1380 chunks_decoded = -1;
1383 return chunks_decoded;
1389 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1393 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
1394 ReqRespDissector *reqresp_dissector)
1396 int isHttpRequestOrReply = FALSE;
1400 * From RFC 2774 - An HTTP Extension Framework
1402 * Support the command prefix that identifies the presence of
1403 * a "mandatory" header.
1405 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
1412 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
1413 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
1415 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
1418 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
1419 *type = HTTP_RESPONSE;
1420 isHttpRequestOrReply = TRUE; /* response */
1421 if (reqresp_dissector)
1422 *reqresp_dissector = basic_response_dissector;
1424 const guchar * ptr = (const guchar *)data;
1427 /* Look for the space following the Method */
1428 while (index < linelen) {
1437 /* Check the methods that have same length */
1441 if (strncmp(data, "GET", index) == 0 ||
1442 strncmp(data, "PUT", index) == 0) {
1443 *type = HTTP_REQUEST;
1444 isHttpRequestOrReply = TRUE;
1446 else if (strncmp(data, "ICY", index) == 0) {
1447 *type = HTTP_RESPONSE;
1448 isHttpRequestOrReply = TRUE;
1453 if (strncmp(data, "COPY", index) == 0 ||
1454 strncmp(data, "HEAD", index) == 0 ||
1455 strncmp(data, "LOCK", index) == 0 ||
1456 strncmp(data, "MOVE", index) == 0 ||
1457 strncmp(data, "POLL", index) == 0 ||
1458 strncmp(data, "POST", index) == 0) {
1459 *type = HTTP_REQUEST;
1460 isHttpRequestOrReply = TRUE;
1465 if (strncmp(data, "BCOPY", index) == 0 ||
1466 strncmp(data, "BMOVE", index) == 0 ||
1467 strncmp(data, "MKCOL", index) == 0 ||
1468 strncmp(data, "TRACE", index) == 0 ||
1469 strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */
1470 strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */
1471 *type = HTTP_REQUEST;
1472 isHttpRequestOrReply = TRUE;
1477 if (strncmp(data, "DELETE", index) == 0 ||
1478 strncmp(data, "SEARCH", index) == 0 ||
1479 strncmp(data, "UNLOCK", index) == 0 ||
1480 strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */
1481 strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */
1482 *type = HTTP_REQUEST;
1483 isHttpRequestOrReply = TRUE;
1485 else if (strncmp(data, "NOTIFY", index) == 0) {
1486 *type = HTTP_NOTIFICATION;
1487 isHttpRequestOrReply = TRUE;
1492 if (strncmp(data, "BDELETE", index) == 0 ||
1493 strncmp(data, "CONNECT", index) == 0 ||
1494 strncmp(data, "OPTIONS", index) == 0 ||
1495 strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */
1496 *type = HTTP_REQUEST;
1497 isHttpRequestOrReply = TRUE;
1502 if (strncmp(data, "PROPFIND", index) == 0 ||
1503 strncmp(data, "CHECKOUT", index) == 0 || /* RFC 3253 4.3, 9.3 */
1504 strncmp(data, "CCM_POST", index) == 0) {
1505 *type = HTTP_REQUEST;
1506 isHttpRequestOrReply = TRUE;
1511 if (strncmp(data, "SUBSCRIBE", index) == 0) {
1512 *type = HTTP_NOTIFICATION;
1513 isHttpRequestOrReply = TRUE;
1514 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
1515 strncmp(data, "BPROPFIND", index) == 0) {
1516 *type = HTTP_REQUEST;
1517 isHttpRequestOrReply = TRUE;
1522 if (strncmp(data, "BPROPPATCH", index) == 0 ||
1523 strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */
1524 strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */
1525 *type = HTTP_REQUEST;
1526 isHttpRequestOrReply = TRUE;
1531 if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */
1532 *type = HTTP_REQUEST;
1533 isHttpRequestOrReply = TRUE;
1534 } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
1535 *type = HTTP_NOTIFICATION;
1536 isHttpRequestOrReply = TRUE;
1537 } else if (strncmp(data, "RPC_CONNECT", index) == 0) {
1538 *type = HTTP_REQUEST;
1539 isHttpRequestOrReply = TRUE;
1544 if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */
1545 *type = HTTP_REQUEST;
1546 isHttpRequestOrReply = TRUE;
1551 if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */
1552 *type = HTTP_REQUEST;
1553 isHttpRequestOrReply = TRUE;
1561 if (isHttpRequestOrReply && reqresp_dissector) {
1562 *reqresp_dissector = basic_request_dissector;
1563 if (!stat_info->request_method)
1564 stat_info->request_method = ep_strndup(data, index+1);
1568 return isHttpRequestOrReply;
1580 #define HDR_NO_SPECIAL 0
1581 #define HDR_AUTHORIZATION 1
1582 #define HDR_AUTHENTICATE 2
1583 #define HDR_CONTENT_TYPE 3
1584 #define HDR_CONTENT_LENGTH 4
1585 #define HDR_CONTENT_ENCODING 5
1586 #define HDR_TRANSFER_ENCODING 6
1589 static const header_info headers[] = {
1590 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
1591 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
1592 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
1593 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
1594 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
1595 { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
1596 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
1597 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
1598 { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL },
1599 { "Host", &hf_http_host, HDR_HOST },
1600 { "Connection", &hf_http_connection, HDR_NO_SPECIAL },
1601 { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL },
1602 { "Accept", &hf_http_accept, HDR_NO_SPECIAL },
1603 { "Referer", &hf_http_referer, HDR_NO_SPECIAL },
1604 { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL },
1605 { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL },
1606 { "Date", &hf_http_date, HDR_NO_SPECIAL },
1607 { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL },
1608 { "Server", &hf_http_server, HDR_NO_SPECIAL },
1609 { "Location", &hf_http_location, HDR_NO_SPECIAL },
1610 { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL },
1611 { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL },
1612 { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL },
1616 process_header(tvbuff_t *tvb, int offset, int next_offset,
1617 const guchar *line, int linelen, int colon_offset,
1618 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr)
1621 int line_end_offset;
1630 proto_item *hdr_item;
1633 len = next_offset - offset;
1634 line_end_offset = offset + linelen;
1635 header_len = colon_offset - offset;
1636 hf_index = find_header_hf_value(tvb, offset, header_len);
1638 if (hf_index == -1) {
1640 * Not a header we know anything about. Just put it into
1644 proto_tree_add_text(tree, tvb, offset, len,
1645 "%s", format_text(line, len));
1649 * Skip whitespace after the colon.
1651 value_offset = colon_offset + 1;
1652 while (value_offset < line_end_offset
1653 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
1659 value_len = line_end_offset - value_offset;
1660 value = ep_strndup(&line[value_offset - offset], value_len);
1663 * Add it to the protocol tree as a particular field,
1664 * but display the line as is.
1667 hdr_item = proto_tree_add_string_format(tree,
1668 *headers[hf_index].hf, tvb, offset, len,
1669 value, "%s", format_text(line, len));
1674 * Do any special processing that particular headers
1677 switch (headers[hf_index].special) {
1679 case HDR_AUTHORIZATION:
1680 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
1681 break; /* dissected NTLMSSP */
1682 check_auth_basic(hdr_item, tvb, value);
1685 case HDR_AUTHENTICATE:
1686 check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
1689 case HDR_CONTENT_TYPE:
1690 eh_ptr->content_type = (gchar*) ep_memdup((guint8*)value,value_len + 1);
1692 for (i = 0; i < value_len; i++) {
1694 if (c == ';' || isspace(c)) {
1696 * End of subtype - either
1697 * white space or a ";"
1698 * separating the subtype from
1705 * Map the character to lower case;
1706 * content types are case-insensitive.
1708 eh_ptr->content_type[i] = tolower(eh_ptr->content_type[i]);
1710 eh_ptr->content_type[i] = '\0';
1712 * Now find the start of the optional parameters;
1713 * skip the optional white space and the semicolon
1714 * if this has not been done before.
1717 while (i < value_len) {
1718 c = eh_ptr->content_type[i];
1719 if (c == ';' || isspace(c))
1720 /* Skip till start of parameters */
1726 eh_ptr->content_type_parameters = eh_ptr->content_type + i;
1728 eh_ptr->content_type_parameters = NULL;
1731 case HDR_CONTENT_LENGTH:
1732 eh_ptr->content_length = strtol(value, &p, 10);
1734 if (eh_ptr->content_length < 0 || p == value ||
1735 (*up != '\0' && !isspace(*up))) {
1737 * Content length not valid; pretend
1740 eh_ptr->have_content_length = FALSE;
1743 * We do have a valid content length.
1745 eh_ptr->have_content_length = TRUE;
1749 case HDR_CONTENT_ENCODING:
1750 eh_ptr->content_encoding = ep_strndup(value, value_len);
1753 case HDR_TRANSFER_ENCODING:
1754 eh_ptr->transfer_encoding = ep_strndup(value, value_len);
1758 stat_info->http_host = ep_strndup(value, value_len);
1765 /* Returns index of header tag in headers */
1767 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
1771 for (i = 0; i < array_length(headers); i++) {
1772 if (header_len == strlen(headers[i].name) &&
1773 tvb_strncaseeql(tvb, offset,
1774 headers[i].name, header_len) == 0)
1782 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
1785 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
1788 static const char *ntlm_headers[] = {
1793 const char **header;
1795 proto_tree *hdr_tree;
1798 * Check for NTLM credentials and challenge; those can
1799 * occur with WWW-Authenticate.
1801 for (header = &ntlm_headers[0]; *header != NULL; header++) {
1802 hdrlen = strlen(*header);
1803 if (strncmp(value, *header, hdrlen) == 0) {
1804 if (hdr_item != NULL) {
1805 hdr_tree = proto_item_add_subtree(hdr_item,
1810 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
1818 * Dissect HTTP Basic authorization.
1821 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
1823 static const char *basic_headers[] = {
1827 const char **header;
1829 proto_tree *hdr_tree;
1832 for (header = &basic_headers[0]; *header != NULL; header++) {
1833 hdrlen = strlen(*header);
1834 if (strncmp(value, *header, hdrlen) == 0) {
1835 if (hdr_item != NULL) {
1836 hdr_tree = proto_item_add_subtree(hdr_item,
1842 len = epan_base64_decode(value);
1844 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
1854 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1859 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1860 len = dissect_http_message(tvb, offset, pinfo, tree);
1866 * OK, we've set the Protocol and Info columns for the
1867 * first HTTP message; make the columns non-writable,
1868 * so that we don't change it for subsequent HTTP messages.
1870 col_set_writable(pinfo->cinfo, FALSE);
1875 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1877 dissect_http_message(tvb, 0, pinfo, tree);
1880 static void reinit_http(void) {
1881 if ( http_alternate_tcp_port != alternate_tcp_port ) {
1883 if (alternate_tcp_port)
1884 dissector_delete("tcp.port", alternate_tcp_port, http_handle );
1886 if (http_alternate_tcp_port)
1887 dissector_add("tcp.port", http_alternate_tcp_port, http_handle);
1889 alternate_tcp_port = http_alternate_tcp_port;
1894 proto_register_http(void)
1896 static hf_register_info hf[] = {
1897 { &hf_http_notification,
1898 { "Notification", "http.notification",
1899 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1900 "TRUE if HTTP notification", HFILL }},
1901 { &hf_http_response,
1902 { "Response", "http.response",
1903 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1904 "TRUE if HTTP response", HFILL }},
1906 { "Request", "http.request",
1907 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1908 "TRUE if HTTP request", HFILL }},
1910 { "Credentials", "http.authbasic",
1911 FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
1912 { &hf_http_request_method,
1913 { "Request Method", "http.request.method",
1914 FT_STRING, BASE_NONE, NULL, 0x0,
1915 "HTTP Request Method", HFILL }},
1916 { &hf_http_request_uri,
1917 { "Request URI", "http.request.uri",
1918 FT_STRING, BASE_NONE, NULL, 0x0,
1919 "HTTP Request-URI", HFILL }},
1921 { "Request Version", "http.request.version",
1922 FT_STRING, BASE_NONE, NULL, 0x0,
1923 "HTTP Request HTTP-Version", HFILL }},
1924 { &hf_http_response_code,
1925 { "Response Code", "http.response.code",
1926 FT_UINT16, BASE_DEC, NULL, 0x0,
1927 "HTTP Response Code", HFILL }},
1928 { &hf_http_authorization,
1929 { "Authorization", "http.authorization",
1930 FT_STRING, BASE_NONE, NULL, 0x0,
1931 "HTTP Authorization header", HFILL }},
1932 { &hf_http_proxy_authenticate,
1933 { "Proxy-Authenticate", "http.proxy_authenticate",
1934 FT_STRING, BASE_NONE, NULL, 0x0,
1935 "HTTP Proxy-Authenticate header", HFILL }},
1936 { &hf_http_proxy_authorization,
1937 { "Proxy-Authorization", "http.proxy_authorization",
1938 FT_STRING, BASE_NONE, NULL, 0x0,
1939 "HTTP Proxy-Authorization header", HFILL }},
1940 { &hf_http_www_authenticate,
1941 { "WWW-Authenticate", "http.www_authenticate",
1942 FT_STRING, BASE_NONE, NULL, 0x0,
1943 "HTTP WWW-Authenticate header", HFILL }},
1944 { &hf_http_content_type,
1945 { "Content-Type", "http.content_type",
1946 FT_STRING, BASE_NONE, NULL, 0x0,
1947 "HTTP Content-Type header", HFILL }},
1948 { &hf_http_content_length,
1949 { "Content-Length", "http.content_length",
1950 FT_STRING, BASE_NONE, NULL, 0x0,
1951 "HTTP Content-Length header", HFILL }},
1952 { &hf_http_content_encoding,
1953 { "Content-Encoding", "http.content_encoding",
1954 FT_STRING, BASE_NONE, NULL, 0x0,
1955 "HTTP Content-Encoding header", HFILL }},
1956 { &hf_http_transfer_encoding,
1957 { "Transfer-Encoding", "http.transfer_encoding",
1958 FT_STRING, BASE_NONE, NULL, 0x0,
1959 "HTTP Transfer-Encoding header", HFILL }},
1960 { &hf_http_user_agent,
1961 { "User-Agent", "http.user_agent",
1962 FT_STRING, BASE_NONE, NULL, 0x0,
1963 "HTTP User-Agent header", HFILL }},
1965 { "Host", "http.host",
1966 FT_STRING, BASE_NONE, NULL, 0x0,
1967 "HTTP Host", HFILL }},
1968 { &hf_http_connection,
1969 { "Connection", "http.connection",
1970 FT_STRING, BASE_NONE, NULL, 0x0,
1971 "HTTP Connection", HFILL }},
1973 { "Cookie", "http.cookie",
1974 FT_STRING, BASE_NONE, NULL, 0x0,
1975 "HTTP Cookie", HFILL }},
1977 { "Accept", "http.accept",
1978 FT_STRING, BASE_NONE, NULL, 0x0,
1979 "HTTP Accept", HFILL }},
1981 { "Referer", "http.referer",
1982 FT_STRING, BASE_NONE, NULL, 0x0,
1983 "HTTP Referer", HFILL }},
1984 { &hf_http_accept_language,
1985 { "Accept-Language", "http.accept_language",
1986 FT_STRING, BASE_NONE, NULL, 0x0,
1987 "HTTP Accept Language", HFILL }},
1988 { &hf_http_accept_encoding,
1989 { "Accept Encoding", "http.accept_encoding",
1990 FT_STRING, BASE_NONE, NULL, 0x0,
1991 "HTTP Accept Encoding", HFILL }},
1993 { "Date", "http.date",
1994 FT_STRING, BASE_NONE, NULL, 0x0,
1995 "HTTP Date", HFILL }},
1996 { &hf_http_cache_control,
1997 { "Cache-Control", "http.cache_control",
1998 FT_STRING, BASE_NONE, NULL, 0x0,
1999 "HTTP Cache Control", HFILL }},
2001 { "Server", "http.server",
2002 FT_STRING, BASE_NONE, NULL, 0x0,
2003 "HTTP Server", HFILL }},
2004 { &hf_http_location,
2005 { "Location", "http.location",
2006 FT_STRING, BASE_NONE, NULL, 0x0,
2007 "HTTP Location", HFILL }},
2008 { &hf_http_set_cookie,
2009 { "Set-Cookie", "http.set_cookie",
2010 FT_STRING, BASE_NONE, NULL, 0x0,
2011 "HTTP Set Cookie", HFILL }},
2012 { &hf_http_last_modified,
2013 { "Last-Modified", "http.last_modified",
2014 FT_STRING, BASE_NONE, NULL, 0x0,
2015 "HTTP Last Modified", HFILL }},
2016 { &hf_http_x_forwarded_for,
2017 { "X-Forwarded-For", "http.x_forwarded_for",
2018 FT_STRING, BASE_NONE, NULL, 0x0,
2019 "HTTP X-Forwarded-For", HFILL }},
2021 static gint *ett[] = {
2025 &ett_http_chunked_response,
2026 &ett_http_chunk_data,
2027 &ett_http_encoded_entity,
2029 module_t *http_module;
2031 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
2033 proto_register_field_array(proto_http, hf, array_length(hf));
2034 proto_register_subtree_array(ett, array_length(ett));
2035 register_dissector("http", dissect_http, proto_http);
2036 http_module = prefs_register_protocol(proto_http, reinit_http);
2037 prefs_register_bool_preference(http_module, "desegment_headers",
2038 "Reassemble HTTP headers spanning multiple TCP segments",
2039 "Whether the HTTP dissector should reassemble headers "
2040 "of a request spanning multiple TCP segments. "
2041 "To use this option, you must also enable "
2042 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2043 &http_desegment_headers);
2044 prefs_register_bool_preference(http_module, "desegment_body",
2045 "Reassemble HTTP bodies spanning multiple TCP segments",
2046 "Whether the HTTP dissector should use the "
2047 "\"Content-length:\" value, if present, to reassemble "
2048 "the body of a request spanning multiple TCP segments, "
2049 "and reassemble chunked data spanning multiple TCP segments. "
2050 "To use this option, you must also enable "
2051 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2052 &http_desegment_body);
2053 prefs_register_bool_preference(http_module, "dechunk_body",
2054 "Reassemble chunked transfer-coded bodies",
2055 "Whether to reassemble bodies of entities that are transfered "
2056 "using the \"Transfer-Encoding: chunked\" method",
2057 &http_dechunk_body);
2059 prefs_register_bool_preference(http_module, "decompress_body",
2060 "Uncompress entity bodies",
2061 "Whether to uncompress entity bodies that are compressed "
2062 "using \"Content-Encoding: \"",
2063 &http_decompress_body);
2065 prefs_register_uint_preference(http_module, "tcp_alternate_port",
2066 "Alternate TCP port",
2067 "Decode packets on this TCP port as HTTP",
2068 10,&http_alternate_tcp_port);
2070 http_handle = create_dissector_handle(dissect_http, proto_http);
2073 * Dissectors shouldn't register themselves in this table;
2074 * instead, they should call "http_dissector_add()", and
2075 * we'll register the port number they specify as a port
2076 * for HTTP, and register them in our subdissector table.
2078 * This only works for protocols such as IPP that run over
2079 * HTTP on a specific non-HTTP port.
2081 port_subdissector_table = register_dissector_table("http.port",
2082 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
2085 * Dissectors can register themselves in this table.
2086 * It's just "media_type", not "http.content_type", because
2087 * it's an Internet media type, usable by other protocols as well.
2089 media_type_subdissector_table =
2090 register_dissector_table("media_type",
2091 "Internet media type", FT_STRING, BASE_NONE);
2094 * Heuristic dissectors SHOULD register themselves in
2095 * this table using the standard heur_dissector_add()
2098 register_heur_dissector_list("http", &heur_subdissector_list);
2101 * Register for tapping
2103 http_tap = register_tap("http");
2107 * Called by dissectors for protocols that run atop HTTP/TCP.
2110 http_dissector_add(guint32 port, dissector_handle_t handle)
2113 * Register ourselves as the handler for that port number
2116 dissector_add("tcp.port", port, http_handle);
2119 * And register them in *our* table for that port.
2121 dissector_add("http.port", port, handle);
2125 proto_reg_handoff_http(void)
2127 dissector_handle_t http_udp_handle;
2129 data_handle = find_dissector("data");
2130 media_handle = find_dissector("media");
2132 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
2133 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
2134 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
2135 dissector_add("tcp.port", TCP_RADAN_HTTP, http_handle);
2136 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
2137 dissector_add("tcp.port", TCP_PORT_HKP, http_handle);
2140 * XXX - is there anything to dissect in the body of an SSDP
2141 * request or reply? I.e., should there be an SSDP dissector?
2143 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
2144 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
2145 dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
2147 ntlmssp_handle = find_dissector("ntlmssp");
2148 gssapi_handle = find_dissector("gssapi");
2150 stats_tree_register("http","http","HTTP/Packet Counter", http_stats_tree_packet, http_stats_tree_init, NULL );
2151 stats_tree_register("http","http_req","HTTP/Requests", http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
2152 stats_tree_register("http","http_srv","HTTP/Load Distribution",http_reqs_stats_tree_packet,http_reqs_stats_tree_init, NULL );
2157 * Content-Type: message/http
2160 static gint proto_message_http = -1;
2161 static gint ett_message_http = -1;
2162 static dissector_handle_t message_http_handle;
2165 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2167 proto_tree *subtree;
2169 gint offset = 0, next_offset;
2172 if (check_col(pinfo->cinfo, COL_INFO))
2173 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
2175 ti = proto_tree_add_item(tree, proto_message_http,
2177 subtree = proto_item_add_subtree(ti, ett_message_http);
2178 while (tvb_reported_length_remaining(tvb, offset) != 0) {
2179 len = tvb_find_line_end(tvb, offset,
2180 tvb_ensure_length_remaining(tvb, offset),
2181 &next_offset, FALSE);
2184 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
2185 "%s", tvb_format_text(tvb, offset, len));
2186 offset = next_offset;
2192 proto_register_message_http(void)
2194 static gint *ett[] = {
2198 proto_message_http = proto_register_protocol(
2199 "Media Type: message/http",
2203 proto_register_subtree_array(ett, array_length(ett));
2207 proto_reg_handoff_message_http(void)
2209 message_http_handle = create_dissector_handle(dissect_message_http,
2210 proto_message_http);
2212 dissector_add_string("media_type", "message/http", message_http_handle);