2 * Routines for HTTP packet disassembly
6 * Guy Harris <guy@alum.mit.edu>
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
14 * Ethereal - Network traffic analyzer
15 * By Gerald Combs <gerald@ethereal.com>
16 * Copyright 1998 Gerald Combs
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
41 #include <epan/packet.h>
42 #include <epan/strutil.h>
43 #include <epan/base64.h>
45 #include "req_resp_hdrs.h"
46 #include "packet-http.h"
49 typedef enum _http_type {
58 static int http_tap = -1;
60 static int proto_http = -1;
61 static int hf_http_notification = -1;
62 static int hf_http_response = -1;
63 static int hf_http_request = -1;
64 static int hf_http_basic = -1;
65 static int hf_http_request_method = -1;
66 static int hf_http_response_code = -1;
67 static int hf_http_authorization = -1;
68 static int hf_http_proxy_authenticate = -1;
69 static int hf_http_proxy_authorization = -1;
70 static int hf_http_www_authenticate = -1;
71 static int hf_http_content_type = -1;
72 static int hf_http_content_length = -1;
73 static int hf_http_content_encoding = -1;
74 static int hf_http_transfer_encoding = -1;
76 static gint ett_http = -1;
77 static gint ett_http_ntlmssp = -1;
78 static gint ett_http_request = -1;
79 static gint ett_http_chunked_response = -1;
80 static gint ett_http_chunk_data = -1;
81 static gint ett_http_encoded_entity = -1;
83 static dissector_handle_t data_handle;
84 static dissector_handle_t media_handle;
85 static dissector_handle_t http_handle;
88 * desegmentation of HTTP headers
89 * (when we are over TCP or another protocol providing the desegmentation API)
91 static gboolean http_desegment_headers = FALSE;
94 * desegmentation of HTTP bodies
95 * (when we are over TCP or another protocol providing the desegmentation API)
96 * TODO let the user filter on content-type the bodies he wants desegmented
98 static gboolean http_desegment_body = FALSE;
101 * De-chunking of Transfer-Encoding: chunked entity bodies.
103 static gboolean http_dechunk_body = TRUE;
106 * Decompression of zlib encoded entities.
109 static gboolean http_decompress_body = TRUE;
111 static gboolean http_decompress_body = FALSE;
115 #define TCP_PORT_HTTP 80
116 #define TCP_PORT_PROXY_HTTP 3128
117 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
118 #define TCP_ALT_PORT_HTTP 8080
119 #define TCP_PORT_HKP 11371
120 #define TCP_PORT_DAAP 3689
122 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
124 #define TCP_PORT_SSDP 1900
125 #define UDP_PORT_SSDP 1900
128 * Protocols implemented atop HTTP.
131 PROTO_HTTP, /* just HTTP */
132 PROTO_SSDP, /* Simple Service Discovery Protocol */
133 PROTO_DAAP /* Digital Audio Access Protocol */
136 typedef void (*RequestDissector)(tvbuff_t*, proto_tree*, int);
139 * Structure holding information from headers needed by main
140 * HTTP dissector code.
144 char *content_type_parameters;
145 long content_length; /* XXX - make it 64-bit? */
146 char *content_encoding;
147 char *transfer_encoding;
150 static int is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
151 RequestDissector *req_dissector, int *req_strlen);
152 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
153 proto_tree *tree, int offset);
154 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
155 const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
156 proto_tree *tree, headers_t *eh_ptr);
157 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
158 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
159 packet_info *pinfo, gchar *value);
160 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
163 static dissector_table_t port_subdissector_table;
164 static dissector_table_t media_type_subdissector_table;
165 static heur_dissector_list_t heur_subdissector_list;
167 static dissector_handle_t ntlmssp_handle=NULL;
170 /* Return a tvb that contains the binary representation of a base64
174 base64_to_tvb(const char *base64)
177 char *data = g_strdup(base64);
180 len = epan_base64_decode(data);
181 tvb = tvb_new_real_data((const guint8 *)data, len, len);
183 tvb_set_free_cb(tvb, g_free);
189 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
192 tvbuff_t *ntlmssp_tvb;
194 ntlmssp_tvb = base64_to_tvb(line);
195 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
196 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
198 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
202 cleanup_headers(void *arg)
204 headers_t *headers = arg;
206 if (headers->content_type != NULL)
207 g_free(headers->content_type);
209 * The content_type_parameters field actually points into the
210 * content_type headers, so don't free it, as that'll double-free
213 if (headers->content_encoding != NULL)
214 g_free(headers->content_encoding);
215 if (headers->transfer_encoding != NULL)
216 g_free(headers->transfer_encoding);
220 * TODO: remove this ugly global variable.
222 * XXX - we leak "http_info_value_t" structures.
223 * XXX - this gets overwritten if there's more than one HTTP request or
224 * reply in the tvbuff.
226 static http_info_value_t *stat_info;
229 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
234 proto_tree *http_tree = NULL;
235 proto_item *ti = NULL;
238 const guchar *linep, *lineend;
240 int first_linelen, linelen;
241 gboolean is_request_or_reply;
242 gboolean saw_req_resp_or_header;
244 http_type_t http_type;
245 proto_item *hdr_item;
246 RequestDissector req_dissector;
248 proto_tree *req_tree;
252 int reported_datalen;
253 dissector_handle_t handle;
257 * Is this a request or response?
259 * Note that "tvb_find_line_end()" will return a value that
260 * is not longer than what's in the buffer, so the
261 * "tvb_get_ptr()" call won't throw an exception.
263 first_linelen = tvb_find_line_end(tvb, offset,
264 tvb_ensure_length_remaining(tvb, offset), &next_offset,
267 * Is the first line a request or response?
269 line = tvb_get_ptr(tvb, offset, first_linelen);
270 http_type = HTTP_OTHERS; /* type not known yet */
271 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
272 first_linelen, &http_type, NULL, NULL);
273 if (is_request_or_reply) {
275 * Yes, it's a request or response.
276 * Do header desegmentation if we've been told to,
277 * and do body desegmentation if we've been told to and
278 * we find a Content-Length header.
280 if (!req_resp_hdrs_do_reassembly(tvb, pinfo,
281 http_desegment_headers, http_desegment_body)) {
283 * More data needed for desegmentation.
289 stat_info = g_malloc(sizeof(http_info_value_t));
290 stat_info->response_code = 0;
291 stat_info->request_method = NULL;
293 switch (pinfo->match_port) {
295 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
311 if (check_col(pinfo->cinfo, COL_PROTOCOL))
312 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
313 if (check_col(pinfo->cinfo, COL_INFO)) {
315 * Put the first line from the buffer into the summary
316 * if it's an HTTP request or reply (but leave out the
318 * Otherwise, just call it a continuation.
320 * Note that "tvb_find_line_end()" will return a value that
321 * is not longer than what's in the buffer, so the
322 * "tvb_get_ptr()" call won't throw an exception.
324 line = tvb_get_ptr(tvb, offset, first_linelen);
325 if (is_request_or_reply)
326 col_add_str(pinfo->cinfo, COL_INFO,
327 format_text(line, first_linelen));
329 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
332 orig_offset = offset;
334 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
336 http_tree = proto_item_add_subtree(ti, ett_http);
340 * Process the packet data, a line at a time.
342 http_type = HTTP_OTHERS; /* type not known yet */
343 headers.content_type = NULL; /* content type not known yet */
344 headers.content_type_parameters = NULL; /* content type parameters too */
345 headers.content_length = -1; /* content length not known yet */
346 headers.content_encoding = NULL; /* content encoding not known yet */
347 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
348 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
349 CLEANUP_PUSH(cleanup_headers, &headers);
350 while (tvb_reported_length_remaining(tvb, offset) != 0) {
352 * Find the end of the line.
354 linelen = tvb_find_line_end(tvb, offset,
355 tvb_ensure_length_remaining(tvb, offset), &next_offset,
361 * Get a buffer that refers to the line.
363 line = tvb_get_ptr(tvb, offset, linelen);
364 lineend = line + linelen;
368 * OK, does it look like an HTTP request or response?
370 req_dissector = NULL;
371 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
372 linelen, &http_type, &req_dissector, &req_strlen);
373 if (is_request_or_reply)
377 * No. Does it look like a blank line (as would appear
378 * at the end of an HTTP request)?
381 goto is_http; /* Yes. */
384 * No. Does it look like a header?
387 colon_offset = offset;
388 while (linep < lineend) {
392 * This must be a CHAR to be part of a token; that
393 * means it must be ASCII.
396 break; /* not ASCII, thus not a CHAR */
399 * This mustn't be a CTL to be part of a token.
401 * XXX - what about leading LWS on continuation
405 break; /* CTL, not part of a header */
408 * This mustn't be a SEP to be part of a token;
409 * a ':' ends the token, everything else is an
410 * indication that this isn't a header.
432 * It's a separator, so it's not part of a
433 * token, so it's not a field name for the
434 * beginning of a header.
436 * (We don't have to check for HT; that's
437 * already been ruled out by "iscntrl()".)
443 * This ends the token; we consider this
455 * We haven't seen the colon, but everything else looks
456 * OK for a header line.
458 * If we've already seen an HTTP request or response
459 * line, or a header line, and we're at the end of
460 * the tvbuff, we assume this is an incomplete header
461 * line. (We quit this loop after seeing a blank line,
462 * so if we've seen a request or response line, or a
463 * header line, this is probably more of the request
464 * or response we're presumably seeing. There is some
465 * risk of false positives, but the same applies for
466 * full request or response lines or header lines,
467 * although that's less likely.)
469 * We throw an exception in that case, by checking for
470 * the existence of the next byte after the last one
471 * in the line. If it exists, "tvb_ensure_bytes_exist()"
472 * throws no exception, and we fall through to the
473 * "not HTTP" case. If it doesn't exist,
474 * "tvb_ensure_bytes_exist()" will throw the appropriate
477 if (saw_req_resp_or_header)
478 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
482 * We don't consider this part of an HTTP request or
483 * reply, so we don't display it.
484 * (Yeah, that means we don't display, say, a text/http
485 * page, but you can get that from the data pane.)
495 * This is a blank line, which means that
496 * whatever follows it isn't part of this
499 proto_tree_add_text(http_tree, tvb, offset,
500 next_offset - offset, "%s",
501 tvb_format_text(tvb, offset, next_offset - offset));
502 offset = next_offset;
507 * Not a blank line - either a request, a reply, or a header
510 saw_req_resp_or_header = TRUE;
511 if (is_request_or_reply) {
513 hdr_item = proto_tree_add_text(http_tree, tvb,
514 offset, next_offset - offset, "%s",
515 tvb_format_text(tvb, offset,
516 next_offset - offset));
518 req_tree = proto_item_add_subtree(
519 hdr_item, ett_http_request);
520 req_dissector(tvb, req_tree,
528 process_header(tvb, offset, next_offset, line, linelen,
529 colon_offset, pinfo, http_tree, &headers);
531 offset = next_offset;
537 case HTTP_NOTIFICATION:
538 proto_tree_add_boolean_hidden(http_tree,
539 hf_http_notification, tvb, 0, 0, 1);
543 proto_tree_add_boolean_hidden(http_tree,
544 hf_http_response, tvb, 0, 0, 1);
548 proto_tree_add_boolean_hidden(http_tree,
549 hf_http_request, tvb, 0, 0, 1);
559 * If a content length was supplied, the amount of data to be
560 * processed as HTTP payload is the minimum of the content
561 * length and the amount of data remaining in the frame.
563 * If no content length was supplied (or if a bad content length
564 * was supplied), the amount of data to be processed is the amount
565 * of data remaining in the frame.
567 * If there was no Content-Length entity header, we should
568 * accumulate all data until the end of the connection.
569 * That'd require that the TCP dissector call subdissectors
570 * for all frames with FIN, even if they contain no data,
571 * which would require subdissectors to deal intelligently
572 * with empty segments.
574 * According to RFC 2616, however, 1xx responses, 204 responses,
575 * and 304 responses MUST NOT include a message body; if no
576 * content length is specified for them, we don't attempt to
579 * XXX - it says the same about responses to HEAD requests;
580 * unless there's a way to determine from the response
581 * whether it's a response to a HEAD request, we have to
582 * keep information about the request and associate that with
583 * the response in order to handle that.
585 datalen = tvb_length_remaining(tvb, offset);
586 if (headers.content_length != -1) {
587 if (datalen > headers.content_length)
588 datalen = headers.content_length;
591 * XXX - limit the reported length in the tvbuff we'll
592 * hand to a subdissector to be no greater than the
595 * We really need both unreassembled and "how long it'd
596 * be if it were reassembled" lengths for tvbuffs, so
597 * that we throw the appropriate exceptions for
598 * "not enough data captured" (running past the length),
599 * "packet needed reassembly" (within the length but
600 * running past the unreassembled length), and
601 * "packet is malformed" (running past the reassembled
604 reported_datalen = tvb_reported_length_remaining(tvb, offset);
605 if (reported_datalen > headers.content_length)
606 reported_datalen = headers.content_length;
608 if ((stat_info->response_code/100) == 1 ||
609 stat_info->response_code == 204 ||
610 stat_info->response_code == 304)
611 datalen = 0; /* no content! */
613 reported_datalen = -1;
618 * There's stuff left over; process it.
621 void *save_private_data = NULL;
622 gint chunks_decoded = 0;
625 * Create a tvbuff for the payload.
627 * The amount of data to be processed that's
628 * available in the tvbuff is "datalen", which
629 * is the minimum of the amount of data left in
630 * the tvbuff and any specified content length.
632 * The amount of data to be processed that's in
633 * this frame, regardless of whether it was
634 * captured or not, is "reported_datalen",
635 * which, if no content length was specified,
636 * is -1, i.e. "to the end of the frame".
638 next_tvb = tvb_new_subset(tvb, offset, datalen,
641 * BEWARE - next_tvb is a subset of another tvb,
642 * so we MUST NOT attempt tvb_free(next_tvb);
646 * Handle *transfer* encodings other than "identity".
648 if (headers.transfer_encoding != NULL &&
649 strcasecmp(headers.transfer_encoding, "identity") != 0) {
650 if (http_dechunk_body &&
651 (strcasecmp(headers.transfer_encoding, "chunked")
654 chunks_decoded = chunked_encoding_dissector(
655 &next_tvb, pinfo, http_tree, 0);
657 if (chunks_decoded <= 0) {
659 * The chunks weren't reassembled,
660 * or there was a single zero
666 * Add a new data source for the
669 tvb_set_child_real_data_tvbuff(tvb,
671 add_new_data_source(pinfo, next_tvb,
672 "De-chunked entity body");
676 * We currently can't handle, for example,
677 * "gzip", "compress", or "deflate" as
678 * *transfer* encodings; just handle them
681 call_dissector(data_handle, next_tvb, pinfo,
687 * At this point, any chunked *transfer* coding has been removed
688 * (the entity body has been dechunked) so it can be presented
689 * for the following operation (*content* encoding), or it has
690 * been handed off to the data dissector.
692 * Handle *content* encodings other than "identity" (which
693 * shouldn't appear in a Content-Encoding header, but
694 * we handle it in any case).
696 if (headers.content_encoding != NULL &&
697 strcasecmp(headers.content_encoding, "identity") != 0) {
699 * We currently can't handle, for example, "compress";
700 * just handle them as data for now.
702 * After July 7, 2004 the LZW patent expires, so support
703 * might be added then. However, I don't think that
704 * anybody ever really implemented "compress", due to
705 * the aforementioned patent.
707 tvbuff_t *uncomp_tvb = NULL;
708 proto_item *e_ti = NULL;
709 proto_tree *e_tree = NULL;
711 if (http_decompress_body &&
712 (strcasecmp(headers.content_encoding, "gzip") == 0 ||
713 strcasecmp(headers.content_encoding, "deflate")
716 uncomp_tvb = tvb_uncompress(next_tvb, 0,
717 tvb_length(next_tvb));
721 * Add the encoded entity to the protocol tree
723 e_ti = proto_tree_add_text(http_tree, next_tvb,
724 0, tvb_length(next_tvb),
725 "Content-encoded entity body (%s)",
726 headers.content_encoding);
727 e_tree = proto_item_add_subtree(e_ti,
728 ett_http_encoded_entity);
730 if (uncomp_tvb != NULL) {
732 * Decompression worked
735 /* XXX - Don't free this, since it's possible
736 * that the data was only partially
737 * decompressed, such as when desegmentation
742 next_tvb = uncomp_tvb;
743 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
744 add_new_data_source(pinfo, next_tvb,
745 "Uncompressed entity body");
747 if (chunks_decoded > 1) {
748 tvb_set_child_real_data_tvbuff(tvb,
750 add_new_data_source(pinfo, next_tvb,
751 "Compressed entity body");
753 call_dissector(data_handle, next_tvb, pinfo,
760 * Note that a new data source is added for the entity body
761 * only if it was content-encoded and/or transfer-encoded.
765 * Do subdissector checks.
767 * First, check whether some subdissector asked that they
768 * be called if something was on some particular port.
770 handle = dissector_get_port_handle(port_subdissector_table,
772 if (handle == NULL && headers.content_type != NULL) {
774 * We didn't find any subdissector that
775 * registered for the port, and we have a
776 * Content-Type value. Is there any subdissector
777 * for that content type?
779 save_private_data = pinfo->private_data;
781 * XXX - this won't get freed if the subdissector
782 * throws an exception. Do we really need to
785 if (headers.content_type_parameters)
786 pinfo->private_data = g_strdup(headers.content_type_parameters);
788 pinfo->private_data = NULL;
790 * Calling the string handle for the media type
791 * dissector table will set pinfo->match_string
792 * to headers.content_type for us.
794 pinfo->match_string = headers.content_type;
795 handle = dissector_get_string_handle(
796 media_type_subdissector_table,
797 headers.content_type);
799 * Calling the default media handle otherwise
801 if (handle == NULL) {
802 handle = media_handle;
805 if (handle != NULL) {
807 * We have a subdissector - call it.
809 dissected = call_dissector(handle, next_tvb, pinfo,
813 * We don't have a subdissector - try the heuristic
816 dissected = dissector_try_heuristic(
817 heur_subdissector_list, next_tvb, pinfo, tree);
821 * The subdissector dissected the body.
822 * Fix up the top-level item so that it doesn't
823 * include the stuff for that protocol.
826 proto_item_set_len(ti, offset);
828 call_dissector(data_handle, next_tvb, pinfo,
834 * Do *not* attempt to free the private data;
835 * it may be in use by subdissectors.
837 if (save_private_data)
838 pinfo->private_data = save_private_data;
840 * We've processed "datalen" bytes worth of data
841 * (which may be no data at all); advance the
842 * offset past whatever data we've processed.
848 * Clean up any header stuff, by calling and popping the cleanup
851 CLEANUP_CALL_AND_POP;
853 tap_queue_packet(http_tap, pinfo, stat_info);
855 return offset - orig_offset;
858 /* This can be used to dissect an HTTP request until such time
859 * that a more complete dissector is written for that HTTP request.
860 * This simple dissector only puts http.request_method into a sub-tree.
863 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int req_strlen)
865 proto_tree_add_item(tree, hf_http_request_method, tvb, 0, req_strlen, FALSE);
869 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int resp_strlen)
872 int minor, major, status_code;
874 /* BEWARE - sscanf() only operates on C strings.
875 * The pointer returned by tvb_get_ptr points into the real data,
876 * which is not necessarily NUL-terminated. For this reason,
877 * the sscanf() call is only applied to a buffer guaranteed to
878 * only contain a NUL-terminated string. */
879 data = g_strndup((const gchar *)tvb_get_ptr(tvb, 5, resp_strlen), resp_strlen);
880 if (sscanf((const gchar *)data, "%d.%d %d", &minor, &major, &status_code) == 3) {
881 proto_tree_add_uint(tree, hf_http_response_code, tvb, 9, 3, status_code);
882 stat_info->response_code = status_code;
888 * Dissect the http data chunks and add them to the tree.
891 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
892 proto_tree *tree, int offset)
894 guint8 *chunk_string = NULL;
896 gint chunk_offset = 0;
899 gint chunks_decoded = 0;
900 tvbuff_t *tvb = NULL;
901 tvbuff_t *new_tvb = NULL;
902 gint chunked_data_size = 0;
903 proto_tree *subtree = NULL;
904 proto_item *ti = NULL;
906 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
912 datalen = tvb_reported_length_remaining(tvb, offset);
915 ti = proto_tree_add_text(tree, tvb, offset, datalen,
916 "HTTP chunked response");
917 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
921 while (datalen != 0) {
922 proto_item *chunk_ti = NULL;
923 proto_tree *chunk_subtree = NULL;
924 tvbuff_t *data_tvb = NULL;
927 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
930 /* Can't get the chunk size line */
934 chunk_string = tvb_get_string(tvb, offset, linelen);
936 if (chunk_string == NULL) {
937 /* Can't get the chunk size line */
944 * We don't care about the extensions.
946 if ((c = strchr(c, ';'))) {
950 if (sscanf(chunk_string, "%x", &chunk_size) != 1) {
951 g_free(chunk_string);
955 g_free(chunk_string);
958 if (chunk_size > datalen) {
960 * The chunk size is more than what's in the tvbuff,
961 * so either the user hasn't enabled decoding, or all
962 * of the segments weren't captured.
964 chunk_size = datalen;
965 }/* else if (new_tvb == NULL) {
966 new_tvb = tvb_new_composite();
971 if (new_tvb != NULL && chunk_size != 0) {
972 tvbuff_t *chunk_tvb = NULL;
974 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
975 chunk_size, datalen);
977 tvb_composite_append(new_tvb, chunk_tvb);
982 chunked_data_size += chunk_size;
984 if (chunk_size != 0) {
985 guint8 *raw_data = g_malloc(chunked_data_size);
988 if (new_tvb != NULL) {
989 raw_len = tvb_length_remaining(new_tvb, 0);
990 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
995 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
996 chunk_offset, chunk_size);
998 new_tvb = tvb_new_real_data(raw_data,
999 chunked_data_size, chunked_data_size);
1000 tvb_set_free_cb(new_tvb, g_free);
1005 if (chunk_size == 0) {
1006 chunk_ti = proto_tree_add_text(subtree, tvb,
1008 chunk_offset - offset + chunk_size + 2,
1009 "Data chunk (last chunk)");
1011 chunk_ti = proto_tree_add_text(subtree, tvb,
1013 chunk_offset - offset + chunk_size + 2,
1014 "Data chunk (%u octets)", chunk_size);
1017 chunk_subtree = proto_item_add_subtree(chunk_ti,
1018 ett_http_chunk_data);
1020 proto_tree_add_text(chunk_subtree, tvb, offset,
1021 chunk_offset - offset, "Chunk size: %u octets",
1024 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
1028 if (chunk_size > 0) {
1029 call_dissector(data_handle, data_tvb, pinfo,
1033 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1034 chunk_size, 2, "Chunk boundary");
1038 offset = chunk_offset + chunk_size + 2;
1039 datalen = tvb_reported_length_remaining(tvb, offset);
1042 if (new_tvb != NULL) {
1044 /* Placeholder for the day that composite tvbuffers will work.
1045 tvb_composite_finalize(new_tvb);
1046 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1050 * XXX - Don't free this, since the tvbuffer that was passed
1051 * may be used if the data spans multiple frames and reassembly
1060 * We didn't create a new tvb, so don't allow subdissectors
1061 * to try to decode the nonexistent entity body.
1063 chunks_decoded = -1;
1066 return chunks_decoded;
1072 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1076 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
1077 RequestDissector *req_dissector, int *req_strlen)
1079 int isHttpRequestOrReply = FALSE;
1083 * From RFC 2774 - An HTTP Extension Framework
1085 * Support the command prefix that identifies the presence of
1086 * a "mandatory" header.
1088 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
1095 * From draft-cohen-gena-client-01.txt, available from the UPnP Forum:
1096 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
1098 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
1101 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
1102 *type = HTTP_RESPONSE;
1103 isHttpRequestOrReply = TRUE; /* response */
1104 if (req_dissector) {
1105 *req_dissector = basic_response_dissector;
1106 *req_strlen = linelen - 5;
1109 const guchar * ptr = (const guchar *)data;
1112 /* Look for the space following the Method */
1113 while (index < linelen) {
1122 /* Check the methods that have same length */
1126 if (strncmp(data, "GET", index) == 0 ||
1127 strncmp(data, "PUT", index) == 0) {
1128 *type = HTTP_REQUEST;
1129 isHttpRequestOrReply = TRUE;
1131 else if (strncmp(data, "ICY", index) == 0) {
1132 *type = HTTP_RESPONSE;
1133 isHttpRequestOrReply = TRUE;
1138 if (strncmp(data, "COPY", index) == 0 ||
1139 strncmp(data, "HEAD", index) == 0 ||
1140 strncmp(data, "LOCK", index) == 0 ||
1141 strncmp(data, "MOVE", index) == 0 ||
1142 strncmp(data, "POLL", index) == 0 ||
1143 strncmp(data, "POST", index) == 0) {
1144 *type = HTTP_REQUEST;
1145 isHttpRequestOrReply = TRUE;
1150 if (strncmp(data, "BCOPY", index) == 0 ||
1151 strncmp(data, "BMOVE", index) == 0 ||
1152 strncmp(data, "MKCOL", index) == 0 ||
1153 strncmp(data, "TRACE", index) == 0 ||
1154 strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */
1155 strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */
1156 *type = HTTP_REQUEST;
1157 isHttpRequestOrReply = TRUE;
1162 if (strncmp(data, "DELETE", index) == 0 ||
1163 strncmp(data, "SEARCH", index) == 0 ||
1164 strncmp(data, "UNLOCK", index) == 0 ||
1165 strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */
1166 strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */
1167 *type = HTTP_REQUEST;
1168 isHttpRequestOrReply = TRUE;
1170 else if (strncmp(data, "NOTIFY", index) == 0) {
1171 *type = HTTP_NOTIFICATION;
1172 isHttpRequestOrReply = TRUE;
1177 if (strncmp(data, "BDELETE", index) == 0 ||
1178 strncmp(data, "CONNECT", index) == 0 ||
1179 strncmp(data, "OPTIONS", index) == 0 ||
1180 strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */
1181 *type = HTTP_REQUEST;
1182 isHttpRequestOrReply = TRUE;
1187 if (strncmp(data, "PROPFIND", index) == 0 ||
1188 strncmp(data, "CHECKOUT", index) == 0) { /* RFC 3253 4.3, 9.3 */
1189 *type = HTTP_REQUEST;
1190 isHttpRequestOrReply = TRUE;
1195 if (strncmp(data, "SUBSCRIBE", index) == 0) {
1196 *type = HTTP_NOTIFICATION;
1197 isHttpRequestOrReply = TRUE;
1198 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
1199 strncmp(data, "BPROPFIND", index) == 0) {
1200 *type = HTTP_REQUEST;
1201 isHttpRequestOrReply = TRUE;
1206 if (strncmp(data, "BPROPPATCH", index) == 0 ||
1207 strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */
1208 strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */
1209 *type = HTTP_REQUEST;
1210 isHttpRequestOrReply = TRUE;
1215 if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */
1216 *type = HTTP_REQUEST;
1217 isHttpRequestOrReply = TRUE;
1218 } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
1219 *type = HTTP_NOTIFICATION;
1220 isHttpRequestOrReply = TRUE;
1225 if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */
1226 *type = HTTP_REQUEST;
1227 isHttpRequestOrReply = TRUE;
1232 if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */
1233 *type = HTTP_REQUEST;
1234 isHttpRequestOrReply = TRUE;
1242 if (isHttpRequestOrReply && req_dissector) {
1243 *req_dissector = basic_request_dissector;
1244 *req_strlen = index + prefix_len;
1246 if (isHttpRequestOrReply && req_dissector) {
1247 if (!stat_info->request_method)
1248 stat_info->request_method = g_malloc( index+1 );
1249 strncpy( stat_info->request_method, data, index);
1250 stat_info->request_method[index] = '\0';
1254 return isHttpRequestOrReply;
1266 #define HDR_NO_SPECIAL 0
1267 #define HDR_AUTHORIZATION 1
1268 #define HDR_AUTHENTICATE 2
1269 #define HDR_CONTENT_TYPE 3
1270 #define HDR_CONTENT_LENGTH 4
1271 #define HDR_CONTENT_ENCODING 5
1272 #define HDR_TRANSFER_ENCODING 6
1274 static const header_info headers[] = {
1275 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
1276 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
1277 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
1278 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
1279 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
1280 { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
1281 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
1282 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
1286 process_header(tvbuff_t *tvb, int offset, int next_offset,
1287 const guchar *line, int linelen, int colon_offset,
1288 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr)
1291 int line_end_offset;
1300 proto_item *hdr_item;
1303 len = next_offset - offset;
1304 line_end_offset = offset + linelen;
1305 header_len = colon_offset - offset;
1306 hf_index = find_header_hf_value(tvb, offset, header_len);
1308 if (hf_index == -1) {
1310 * Not a header we know anything about. Just put it into
1314 proto_tree_add_text(tree, tvb, offset, len,
1315 "%s", format_text(line, len));
1319 * Skip whitespace after the colon.
1321 value_offset = colon_offset + 1;
1322 while (value_offset < line_end_offset
1323 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
1329 value_len = line_end_offset - value_offset;
1330 value = g_malloc(value_len + 1);
1331 memcpy(value, &line[value_offset - offset], value_len);
1332 value[value_len] = '\0';
1333 CLEANUP_PUSH(g_free, value);
1336 * Add it to the protocol tree as a particular field,
1337 * but display the line as is.
1340 hdr_item = proto_tree_add_string_format(tree,
1341 *headers[hf_index].hf, tvb, offset, len,
1342 value, "%s", format_text(line, len));
1347 * Do any special processing that particular headers
1350 switch (headers[hf_index].special) {
1352 case HDR_AUTHORIZATION:
1353 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
1354 break; /* dissected NTLMSSP */
1355 check_auth_basic(hdr_item, tvb, value);
1358 case HDR_AUTHENTICATE:
1359 check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
1362 case HDR_CONTENT_TYPE:
1363 if (eh_ptr->content_type != NULL)
1364 g_free(eh_ptr->content_type);
1365 eh_ptr->content_type = g_malloc(value_len + 1);
1366 for (i = 0; i < value_len; i++) {
1368 if (c == ';' || isspace(c)) {
1370 * End of subtype - either
1371 * white space or a ";"
1372 * separating the subtype from
1379 * Map the character to lower case;
1380 * content types are case-insensitive.
1382 eh_ptr->content_type[i] = tolower(c);
1384 eh_ptr->content_type[i] = '\0';
1386 * Now find the start of the optional parameters;
1387 * skip the optional white space and the semicolon
1388 * if this has not been done before.
1391 while (i < value_len) {
1393 if (c == ';' || isspace(c))
1394 /* Skip till start of parameters */
1400 eh_ptr->content_type_parameters = value + i;
1402 eh_ptr->content_type_parameters = NULL;
1405 case HDR_CONTENT_LENGTH:
1406 eh_ptr->content_length = strtol(value, &p, 10);
1408 if (eh_ptr->content_length < 0 || p == value ||
1409 (*up != '\0' && !isspace(*up)))
1410 eh_ptr->content_length = -1; /* not valid */
1413 case HDR_CONTENT_ENCODING:
1414 if (eh_ptr->content_encoding != NULL)
1415 g_free(eh_ptr->content_encoding);
1416 eh_ptr->content_encoding = g_malloc(value_len + 1);
1417 memcpy(eh_ptr->content_encoding, value, value_len);
1418 eh_ptr->content_encoding[value_len] = '\0';
1421 case HDR_TRANSFER_ENCODING:
1422 if (eh_ptr->transfer_encoding != NULL)
1423 g_free(eh_ptr->transfer_encoding);
1424 eh_ptr->transfer_encoding = g_malloc(value_len + 1);
1425 memcpy(eh_ptr->transfer_encoding, value, value_len);
1426 eh_ptr->transfer_encoding[value_len] = '\0';
1431 * Free the value, by calling and popping the cleanup
1434 CLEANUP_CALL_AND_POP;
1438 /* Returns index of header tag in headers */
1440 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
1444 for (i = 0; i < array_length(headers); i++) {
1445 if (header_len == strlen(headers[i].name) &&
1446 tvb_strncaseeql(tvb, offset,
1447 headers[i].name, header_len) == 0)
/*
 * check_auth_ntlmssp: look for an NTLMSSP authentication scheme at the
 * start of a header value.
 *
 * The loop walks the NULL-terminated ntlm_headers list and compares each
 * entry against the beginning of "value" with strncmp() over the length
 * of the entry.  On a match, a subtree is attached to "hdr_item" (only
 * when "hdr_item" is not NULL) and the header is handed to
 * dissect_http_ntlmssp().
 *
 * The caller in process_header() treats a non-zero return value as
 * "NTLMSSP was dissected" and then skips the Basic check.
 */
1455 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
1458 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
1461 static const char *ntlm_headers[] = {
1466 const char **header;
1468 proto_tree *hdr_tree;
1471 * Check for NTLM credentials and challenge; those can
1472 * occur with WWW-Authenticate.
1474 for (header = &ntlm_headers[0]; *header != NULL; header++) {
1475 hdrlen = strlen(*header);
1476 if (strncmp(value, *header, hdrlen) == 0) {
1477 if (hdr_item != NULL) {
1478 hdr_tree = proto_item_add_subtree(hdr_item,
1483 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
/*
 * check_auth_basic: look for the Basic authentication scheme at the start
 * of a header value and show the decoded credentials.
 *
 * The loop walks the NULL-terminated basic_headers list and compares each
 * entry against the beginning of "value" with strncmp() over the length
 * of the entry.  On a match, a subtree is attached to "hdr_item" (only
 * when "hdr_item" is not NULL), "value" is passed to
 * epan_base64_decode(), and a string item for hf_http_basic is added.
 *
 * NOTE(review): epan_base64_decode() is given "value" itself and only its
 * return value is kept in "len", so it presumably decodes in place -
 * confirm against epan/base64.h.  "value" is not const here for that
 * reason.
 */
1491 * Dissect HTTP Basic authorization.
1494 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
1496 static const char *basic_headers[] = {
1500 const char **header;
1502 proto_tree *hdr_tree;
1505 for (header = &basic_headers[0]; *header != NULL; header++) {
1506 hdrlen = strlen(*header);
1507 if (strncmp(value, *header, hdrlen) == 0) {
1508 if (hdr_item != NULL) {
1509 hdr_tree = proto_item_add_subtree(hdr_item,
1515 len = epan_base64_decode(value);
1517 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
/*
 * dissect_http: dissector entry point wrapped by http_handle.
 *
 * While the tvbuff still reports data remaining at "offset",
 * dissect_http_message() is called for the message starting there, so a
 * buffer holding several HTTP messages has each of them dissected.  After
 * a message has been handled the columns are made non-writable, so only
 * the first message determines the column contents.
 */
1527 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1532 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1533 len = dissect_http_message(tvb, offset, pinfo, tree);
1539 * OK, we've set the Protocol and Info columns for the
1540 * first HTTP message; make the columns non-writable,
1541 * so that we don't change it for subsequent HTTP messages.
1543 col_set_writable(pinfo->cinfo, FALSE);
1548 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1550 dissect_http_message(tvb, 0, pinfo, tree);
/*
 * proto_register_http: registration routine for the HTTP dissector.
 *
 * In order, it:
 *   - registers the "Hypertext Transfer Protocol" protocol and stores its
 *     id in proto_http;
 *   - registers the header fields in hf[] and the subtrees in ett[];
 *   - registers the boolean preferences "desegment_headers",
 *     "desegment_body", "dechunk_body" and "decompress_body";
 *   - creates http_handle for dissect_http();
 *   - registers the "http.port" and "media_type" dissector tables and the
 *     "http" heuristic dissector list;
 *   - registers the "http" tap and stores its id in http_tap.
 *
 * All header fields that process_header() fills in from the "headers"
 * table are registered as FT_STRING, Content-Length included.
 *
 * NOTE(review): the description string of the "dechunk_body" preference
 * spells "transferred" as "transfered".  It is user-visible text and is
 * left unchanged here.
 */
1554 proto_register_http(void)
1556 static hf_register_info hf[] = {
1557 { &hf_http_notification,
1558 { "Notification", "http.notification",
1559 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1560 "TRUE if HTTP notification", HFILL }},
1561 { &hf_http_response,
1562 { "Response", "http.response",
1563 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1564 "TRUE if HTTP response", HFILL }},
1566 { "Request", "http.request",
1567 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1568 "TRUE if HTTP request", HFILL }},
1570 { "Credentials", "http.authbasic",
1571 FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
1572 { &hf_http_request_method,
1573 { "Request Method", "http.request.method",
1574 FT_STRING, BASE_NONE, NULL, 0x0,
1575 "HTTP Request Method", HFILL }},
1576 { &hf_http_response_code,
1577 { "Response Code", "http.response.code",
1578 FT_UINT16, BASE_DEC, NULL, 0x0,
1579 "HTTP Response Code", HFILL }},
1580 { &hf_http_authorization,
1581 { "Authorization", "http.authorization",
1582 FT_STRING, BASE_NONE, NULL, 0x0,
1583 "HTTP Authorization header", HFILL }},
1584 { &hf_http_proxy_authenticate,
1585 { "Proxy-Authenticate", "http.proxy_authenticate",
1586 FT_STRING, BASE_NONE, NULL, 0x0,
1587 "HTTP Proxy-Authenticate header", HFILL }},
1588 { &hf_http_proxy_authorization,
1589 { "Proxy-Authorization", "http.proxy_authorization",
1590 FT_STRING, BASE_NONE, NULL, 0x0,
1591 "HTTP Proxy-Authorization header", HFILL }},
1592 { &hf_http_www_authenticate,
1593 { "WWW-Authenticate", "http.www_authenticate",
1594 FT_STRING, BASE_NONE, NULL, 0x0,
1595 "HTTP WWW-Authenticate header", HFILL }},
1596 { &hf_http_content_type,
1597 { "Content-Type", "http.content_type",
1598 FT_STRING, BASE_NONE, NULL, 0x0,
1599 "HTTP Content-Type header", HFILL }},
1600 { &hf_http_content_length,
1601 { "Content-Length", "http.content_length",
1602 FT_STRING, BASE_NONE, NULL, 0x0,
1603 "HTTP Content-Length header", HFILL }},
1604 { &hf_http_content_encoding,
1605 { "Content-Encoding", "http.content_encoding",
1606 FT_STRING, BASE_NONE, NULL, 0x0,
1607 "HTTP Content-Encoding header", HFILL }},
1608 { &hf_http_transfer_encoding,
1609 { "Transfer-Encoding", "http.transfer_encoding",
1610 FT_STRING, BASE_NONE, NULL, 0x0,
1611 "HTTP Transfer-Encoding header", HFILL }},
1613 static gint *ett[] = {
1617 &ett_http_chunked_response,
1618 &ett_http_chunk_data,
1619 &ett_http_encoded_entity,
1621 module_t *http_module;
1623 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
1625 proto_register_field_array(proto_http, hf, array_length(hf));
1626 proto_register_subtree_array(ett, array_length(ett));
/* Preferences: each call ties one boolean option to a file-scope flag. */
1627 http_module = prefs_register_protocol(proto_http, NULL);
1628 prefs_register_bool_preference(http_module, "desegment_headers",
1629 "Reassemble HTTP headers spanning multiple TCP segments",
1630 "Whether the HTTP dissector should reassemble headers "
1631 "of a request spanning multiple TCP segments. "
1632 "To use this option, you must also enable "
1633 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1634 &http_desegment_headers);
1635 prefs_register_bool_preference(http_module, "desegment_body",
1636 "Reassemble HTTP bodies spanning multiple TCP segments",
1637 "Whether the HTTP dissector should use the "
1638 "\"Content-length:\" value, if present, to reassemble "
1639 "the body of a request spanning multiple TCP segments, "
1640 "and reassemble chunked data spanning multiple TCP segments. "
1641 "To use this option, you must also enable "
1642 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1643 &http_desegment_body);
1644 prefs_register_bool_preference(http_module, "dechunk_body",
1645 "Reassemble chunked transfer-coded bodies",
1646 "Whether to reassemble bodies of entities that are transfered "
1647 "using the \"Transfer-Encoding: chunked\" method",
1648 &http_dechunk_body);
1650 prefs_register_bool_preference(http_module, "decompress_body",
1651 "Uncompress entity bodies",
1652 "Whether to uncompress entity bodies that are compressed "
1653 "using \"Content-Encoding: \"",
1654 &http_decompress_body);
/* Handle for the main dissector; used when ports are registered for HTTP. */
1657 http_handle = create_dissector_handle(dissect_http, proto_http);
1660 * Dissectors shouldn't register themselves in this table;
1661 * instead, they should call "http_dissector_add()", and
1662 * we'll register the port number they specify as a port
1663 * for HTTP, and register them in our subdissector table.
1665 * This only works for protocols such as IPP that run over
1666 * HTTP on a specific non-HTTP port.
1668 port_subdissector_table = register_dissector_table("http.port",
1669 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
1672 * Dissectors can register themselves in this table.
1673 * It's just "media_type", not "http.content_type", because
1674 * it's an Internet media type, usable by other protocols as well.
1676 media_type_subdissector_table =
1677 register_dissector_table("media_type",
1678 "Internet media type", FT_STRING, BASE_NONE);
1681 * Heuristic dissectors SHOULD register themselves in
1682 * this table using the standard heur_dissector_add()
1685 register_heur_dissector_list("http", &heur_subdissector_list);
1688 * Register for tapping
1690 http_tap = register_tap("http");
1694 * Called by dissectors for protocols that run atop HTTP/TCP.
1697 http_dissector_add(guint32 port, dissector_handle_t handle)
1700 * Register ourselves as the handler for that port number
1703 dissector_add("tcp.port", port, http_handle);
1706 * And register them in *our* table for that port.
1708 dissector_add("http.port", port, handle);
1712 proto_reg_handoff_http(void)
1714 dissector_handle_t http_udp_handle;
1716 data_handle = find_dissector("data");
1717 media_handle = find_dissector("media");
1719 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
1720 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
1721 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
1722 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
1723 dissector_add("tcp.port", TCP_PORT_HKP, http_handle);
1726 * XXX - is there anything to dissect in the body of an SSDP
1727 * request or reply? I.e., should there be an SSDP dissector?
1729 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
1730 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
1731 dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
1733 ntlmssp_handle = find_dissector("ntlmssp");
/* File-scope state for the message/http media type dissector. */
1737 * Content-Type: message/http
/* Protocol id; assigned from proto_register_protocol() in proto_register_message_http(). */
1740 static gint proto_message_http = -1;
/* Subtree index used by dissect_message_http() for its tree item. */
1741 static gint ett_message_http = -1;
/* Handle wrapping dissect_message_http(); registered under "message/http" in the "media_type" table. */
1742 static dissector_handle_t message_http_handle;
/*
 * dissect_message_http: dissector for bodies of media type message/http.
 *
 * Appends " (message/http)" to the Info column when that column is in
 * use, adds a proto_message_http item with an ett_message_http subtree,
 * and then walks the tvbuff line by line: each line located by
 * tvb_find_line_end() is added to the subtree as a text item that spans
 * the bytes from "offset" to "next_offset" and displays the "len" bytes
 * of the line formatted by tvb_format_text().
 */
1745 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1747 proto_tree *subtree;
1749 gint offset = 0, next_offset;
1752 if (check_col(pinfo->cinfo, COL_INFO))
1753 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
1755 ti = proto_tree_add_item(tree, proto_message_http,
1757 subtree = proto_item_add_subtree(ti, ett_message_http);
/* One text item per line, until no reported data remains. */
1758 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1759 len = tvb_find_line_end(tvb, offset,
1760 tvb_ensure_length_remaining(tvb, offset),
1761 &next_offset, FALSE);
1764 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
1765 "%s", tvb_format_text(tvb, offset, len));
1766 offset = next_offset;
/*
 * proto_register_message_http: registration routine for the message/http
 * media type.  Registers the "Media Type: message/http" protocol (id kept
 * in proto_message_http) and the subtree array, then creates
 * message_http_handle for dissect_message_http().
 */
1772 proto_register_message_http(void)
1774 static gint *ett[] = {
1778 proto_message_http = proto_register_protocol(
1779 "Media Type: message/http",
1783 proto_register_subtree_array(ett, array_length(ett));
1784 message_http_handle = create_dissector_handle(dissect_message_http,
1785 proto_message_http);
/*
 * proto_reg_handoff_message_http: handoff routine for the message/http
 * media type.  Wraps dissect_message_http() in a dissector handle and
 * registers that handle in the "media_type" string table under
 * "message/http".
 *
 * NOTE(review): proto_register_message_http() also assigns
 * message_http_handle from create_dissector_handle(); the call below
 * replaces that value with a second handle.  One of the two calls looks
 * redundant - confirm which one should stay.
 */
1789 proto_reg_handoff_message_http(void)
1791 message_http_handle = create_dissector_handle(dissect_message_http,
1792 proto_message_http);
1794 dissector_add_string("media_type", "message/http", message_http_handle);