/* packet-ftp.c
 * Routines for ftp packet dissection
 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
 * Copyright 2001, Juan Toledo <toledo@users.sourceforge.net> (Passive FTP)
 *
 * $Id: packet-ftp.c,v 1.41 2002/01/24 09:20:47 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@ethereal.com>
 * Copyright 1998 Gerald Combs
 *
 * Copied from packet-pop.c
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */
37 #ifdef HAVE_SYS_TYPES_H
38 # include <sys/types.h>
41 #ifdef HAVE_NETINET_IN_H
42 # include <netinet/in.h>
47 #include <epan/packet.h>
48 #include <epan/strutil.h>
49 #include <epan/conversation.h>
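/* Protocol ids; both are assigned in proto_register_ftp(). */
static int proto_ftp = -1;
static int proto_ftp_data = -1;

/* Header-field ids for the entries of the hf[] table in proto_register_ftp(). */
static int hf_ftp_response = -1;
static int hf_ftp_request = -1;
static int hf_ftp_request_command = -1;
static int hf_ftp_request_data = -1;
static int hf_ftp_response_code = -1;
static int hf_ftp_response_data = -1;

/* Subtree ids for the FTP and FTP-DATA protocol trees. */
static gint ett_ftp = -1;
static gint ett_ftp_data = -1;

/*
 * Handle for the FTP-DATA dissector, created in proto_register_ftp().
 * Presumably the handle attached to conversations set up from PASV
 * replies - confirm against handle_pasv_response().
 */
static dissector_handle_t ftpdata_handle;

/* TCP ports on which the two dissectors are registered. */
#define TCP_PORT_FTPDATA		20
#define TCP_PORT_FTP			21

/* Forward declaration: the handle above is created before the definition. */
static void
dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);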
/*
 * Handle a response to a PASV command.
 *
 * We ignore the IP address in the reply, and use the address from which
 * the reply was sent.
 *
 * XXX - are there cases where they differ?  What if the FTP server is
 * behind a NAT box, so that the address it puts into the reply isn't
 * the address at which you should contact it?  Do all NAT boxes detect
 * FTP PASV replies and rewrite the address?  (I suspect not.)
 *
 * RFC 959 doesn't say much about the syntax of the 227 reply.
 *
 * A proposal from Dan Bernstein at
 *
 *	http://cr.yp.to/ftp/retr.html
 *
 * "recommend[s] that clients use the following strategy to parse the
 * response line: look for the first digit after the initial space; look
 * for the fourth comma after that digit; read two (possibly negative)
 * integers, separated by a comma; the TCP port number is p1*256+p2, where
 * p1 is the first integer modulo 256 and p2 is the second integer modulo
 * 256."
 *
 * wget 1.5.3 looks for a digit, although it doesn't handle negative
 * integers.
 *
 * The FTP code in the source of the cURL library, at
 *
 *	http://curl.haxx.se/lxr/source/lib/ftp.c
 *
 * says that cURL "now scans for a sequence of six comma-separated numbers
 * and will take them as IP+port indicators"; it loops, doing "sscanf"s
 * looking for six numbers separated by commas, stepping the start pointer
 * in the scanf one character at a time - i.e., it tries rather exhaustively.
 *
 * An optimization would be to scan for a digit, and start there, and if
 * the scanf doesn't find six values, scan for the next digit and try
 * again; this will probably succeed on the first try.
 *
 * The cURL code also says that "found reply-strings include":
 *
 *	"227 Entering Passive Mode (127,0,0,1,4,51)"
 *	"227 Data transfer will passively listen to 127,0,0,1,4,51"
 *	"227 Entering passive mode. 127,0,0,1,4,51"
 *
 * so it appears that you can't assume there are parentheses around
 * the address and port number.
 */
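/*
 * Scan the text of a 227 (PASV) reply for "h1,h2,h3,h4,p1,p2" and, when
 * found, register the advertised data port as an FTP-DATA conversation.
 *
 * line    - reply text to scan; it is copied into a NUL-terminated buffer
 *           before parsing, so it need not be terminated itself.
 * linelen - number of bytes at "line".
 * pinfo   - packet being dissected; pinfo->src and pinfo->dst are used as
 *           the conversation addresses (the four address fields of the
 *           reply are parsed but not used).
 *
 * Every byte examined here comes from the captured packet, so neither its
 * length nor its contents are trusted.
 */
static void
handle_pasv_response(const u_char *line, int linelen, packet_info *pinfo)
{
	char *args;
	char *p;
	u_char c;
	int nfields;
	int address[4], port[2];
	guint16 server_port;
	conversation_t *conversation;

	/*
	 * Nothing to scan.  This also keeps a negative length away from
	 * g_malloc()/memcpy(), where it would be converted to a huge size.
	 */
	if (line == NULL || linelen <= 0)
		return;

	/*
	 * sscanf() needs a terminated string and the caller's buffer is not
	 * guaranteed to be one, so work on a private, terminated copy.
	 */
	args = g_malloc(linelen + 1);
	memcpy(args, line, linelen);
	args[linelen] = '\0';

	for (p = args; ; ) {
		/*
		 * Look for a digit.
		 */
		while ((c = *p) != '\0' && !isdigit(c))
			p++;

		if (*p == '\0') {
			/*
			 * We ran out of text without finding anything.
			 */
			break;
		}

		/*
		 * See if we have six numbers.
		 *
		 * NOTE(review): sscanf("%d") does not range-check a digit
		 * run that is too long for an int; only the low 8 bits of
		 * the two port fields are used below.
		 */
		nfields = sscanf(p, "%d,%d,%d,%d,%d,%d",
		    &address[0], &address[1], &address[2], &address[3],
		    &port[0], &port[1]);
		if (nfields == 6) {
			/*
			 * Set up a conversation, to be dissected as FTP data.
			 * Each port byte is reduced modulo 256 before being
			 * combined, so the result always fits in 16 bits.
			 */
			server_port = ((port[0] & 0xFF)<<8) | (port[1] & 0xFF);

			/*
			 * XXX - should this call to "find_conversation()"
			 * just use "pinfo->src" and "server_port", and
			 * wildcard everything else?
			 */
			conversation = find_conversation(&pinfo->src,
			    &pinfo->dst, PT_TCP, server_port, 0, NO_PORT_B);
			if (conversation == NULL) {
				/*
				 * XXX - should this call to
				 * "conversation_new()" just use "pinfo->src"
				 * and "server_port", and wildcard everything
				 * else?
				 *
				 * XXX - what if we did find a conversation?
				 * As we create it only on the first pass
				 * through the packets, if we find one, it's
				 * presumably an unrelated conversation.
				 * Should we remove the old one from the hash
				 * table and put this one in its place?
				 * Can the conversation code handle
				 * conversations not in the hash table?
				 */
				conversation = conversation_new(&pinfo->src,
				    &pinfo->dst, PT_TCP, server_port, 0,
				    NO_PORT2);
				conversation_set_dissector(conversation,
				    ftpdata_handle);
			}
			break;
		}

		/*
		 * Well, that didn't work.  Skip the first number we found,
		 * and keep trying.
		 */
		while ((c = *p) != '\0' && isdigit(c))
			p++;
	}

	/* Release the private copy on every path out of the loop. */
	g_free(args);
}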
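/*
 * Convert the leading decimal digits of a reply token to a number without
 * reading more than "tokenlen" bytes.  Returns 0 when the token does not
 * start with a digit.
 *
 * The token points into packet data that is not NUL-terminated, so a
 * C-string routine such as atoi() could run past the end of the buffer.
 */
static guint32
ftp_response_code(const u_char *token, int tokenlen)
{
	guint32 code = 0;
	int i;

	/* Nine decimal digits always fit in 32 bits; reply codes use three. */
	for (i = 0; i < tokenlen && i < 9 && isdigit(token[i]); i++)
		code = code * 10 + (guint32)(token[i] - '0');

	return code;
}

/*
 * Dissect one segment of an FTP control connection.
 *
 * The first line is split into its first token (request command or reply
 * code) and the remaining argument text; any further lines are added to
 * the tree as plain text.  A "227" reply seen on the first pass over the
 * capture is handed to handle_pasv_response().
 *
 * tvb   - buffer holding the segment payload.
 * pinfo - packet info; supplies the ports, the column info and the
 *         "visited" flag.
 * tree  - protocol tree to fill in, or NULL when no tree is being built.
 *
 * "line" points straight into the packet buffer and is only valid for
 * "linelen" bytes, so every use of it below is length-bounded.
 */
static void
dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
	gboolean	is_request;
	proto_tree	*ftp_tree = NULL;
	proto_item	*ti;
	gint		offset = 0;
	const u_char	*line;
	gboolean	is_pasv_response = FALSE;
	gint		next_offset;
	int		linelen;
	int		tokenlen;
	int		consumed;
	const u_char	*next_token;
	gchar		*text;

	/*
	 * A packet whose destination port is the matched port is treated
	 * as a request; anything else is treated as a response.
	 */
	if (pinfo->match_port == pinfo->destport)
		is_request = TRUE;
	else
		is_request = FALSE;

	if (check_col(pinfo->cinfo, COL_PROTOCOL))
		col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP");

	/*
	 * Find the end of the first line.
	 *
	 * Note that "tvb_find_line_end()" will return a value that is
	 * not longer than what's in the buffer, so the "tvb_get_ptr()"
	 * call won't throw an exception.
	 */
	linelen = tvb_find_line_end(tvb, offset, -1, &next_offset);
	line = tvb_get_ptr(tvb, offset, linelen);

	if (check_col(pinfo->cinfo, COL_INFO)) {
		/*
		 * Put the first line from the buffer into the summary
		 * (but leave out the line terminator).
		 */
		col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
		    is_request ? "Request" : "Response",
		    format_text(line, linelen));
	}

	if (tree) {
		ti = proto_tree_add_item(tree, proto_ftp, tvb, offset, -1,
		    FALSE);
		ftp_tree = proto_item_add_subtree(ti, ett_ftp);

		/* Hidden booleans recording the direction of the packet. */
		proto_tree_add_boolean_hidden(ftp_tree,
		    hf_ftp_request, tvb, 0, 0, is_request);
		proto_tree_add_boolean_hidden(ftp_tree,
		    hf_ftp_response, tvb, 0, 0, !is_request);
	}

	/*
	 * Extract the first token, and, if there is a first
	 * token, add it as the request or reply code.
	 */
	tokenlen = get_token_len(line, line + linelen, &next_token);
	if (tokenlen != 0) {
		if (is_request) {
			if (tree) {
				/*
				 * Pass a terminated copy as the field value;
				 * "line" itself has no terminator, so using it
				 * as a C string would read past the token.
				 */
				text = format_text(line, tokenlen);
				proto_tree_add_string_format(ftp_tree,
				    hf_ftp_request_command, tvb, offset,
				    tokenlen, text, "Request: %s", text);
			}
		} else {
			/*
			 * This is a response; see if it's a passive-mode
			 * response.  Only an exact three-byte "227" counts.
			 *
			 * XXX - check for "229" responses to EPSV
			 * commands, to handle IPv6, as per RFC 2428?
			 *
			 * XXX - does anybody do FOOBAR, as per RFC 1639,
			 * or has that been supplanted by RFC 2428?
			 */
			if (tokenlen == 3 &&
			    strncmp("227", (const char *)line, 3) == 0)
				is_pasv_response = TRUE;
			if (tree) {
				proto_tree_add_uint_format(ftp_tree,
				    hf_ftp_response_code, tvb, offset,
				    tokenlen,
				    ftp_response_code(line, tokenlen),
				    "Response: %s",
				    format_text(line, tokenlen));
			}
		}

		/* Step past the token and the separator that follows it. */
		consumed = next_token - line;
		offset += consumed;
		linelen -= consumed;
		line = next_token;
	}

	/*
	 * If this is a PASV response, handle it if we haven't
	 * already processed this frame.
	 */
	if (!pinfo->fd->flags.visited && is_pasv_response) {
		/*
		 * We haven't processed this frame, and it contains
		 * a PASV response; set up a conversation for the
		 * data.
		 */
		handle_pasv_response(line, linelen, pinfo);
	}

	if (tree) {
		/*
		 * Add the rest of the first line as request or
		 * reply data, again through a terminated copy.
		 */
		if (linelen != 0) {
			text = format_text(line, linelen);
			if (is_request) {
				proto_tree_add_string_format(ftp_tree,
				    hf_ftp_request_data, tvb, offset,
				    linelen, text, "Request Arg: %s", text);
			} else {
				proto_tree_add_string_format(ftp_tree,
				    hf_ftp_response_data, tvb, offset,
				    linelen, text, "Response Arg: %s", text);
			}
		}
		offset = next_offset;

		/*
		 * Show the rest of the request or response as text,
		 * a line at a time.
		 */
		while (tvb_offset_exists(tvb, offset)) {
			/*
			 * Find the end of the line.
			 */
			linelen = tvb_find_line_end(tvb, offset, -1,
			    &next_offset);

			/*
			 * Put this line.
			 */
			proto_tree_add_text(ftp_tree, tvb, offset,
			    next_offset - offset, "%s",
			    tvb_format_text(tvb, offset, next_offset - offset));
			offset = next_offset;
		}
	}
}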
/*
 * Dissect a segment of an FTP data connection.
 *
 * The payload is not interpreted: the columns report its size and, when
 * a tree is being built, the whole payload is added as one text item.
 *
 * tvb   - buffer holding the segment payload.
 * pinfo - packet info; supplies the column info.
 * tree  - protocol tree to fill in, or NULL when no tree is being built.
 */
static void
dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
	proto_tree *item, *data_tree;
	int nbytes;

	if (check_col(pinfo->cinfo, COL_PROTOCOL))
		col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP-DATA");

	if (check_col(pinfo->cinfo, COL_INFO))
		col_add_fstr(pinfo->cinfo, COL_INFO, "FTP Data: %u bytes",
		    tvb_length(tvb));

	/* Everything below only builds tree items. */
	if (!tree)
		return;

	nbytes = tvb_length(tvb);

	item = proto_tree_add_item(tree, proto_ftp_data, tvb, 0,
	    -1, FALSE);
	data_tree = proto_item_add_subtree(item, ett_ftp_data);

	/*
	 * XXX - if this is binary data, it'll produce
	 * a *really* long line.
	 *
	 * The payload is arbitrary transferred content; it reaches the
	 * display only through tvb_format_text(), bounded by nbytes.
	 */
	proto_tree_add_text(data_tree, tvb, 0, nbytes,
	    "FTP Data: %s", tvb_format_text(tvb, 0, nbytes));
}
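/*
 * Register the FTP and FTP-DATA protocols, the FTP header fields and
 * subtrees, and create the FTP-DATA dissector handle kept in the
 * file-level "ftpdata_handle".
 */
void
proto_register_ftp(void)
{
	static hf_register_info hf[] = {
		{ &hf_ftp_response,
		  { "Response",		"ftp.response",
		    FT_BOOLEAN, BASE_NONE, NULL, 0x0,
		    "TRUE if FTP response", HFILL }},

		{ &hf_ftp_request,
		  { "Request",		"ftp.request",
		    FT_BOOLEAN, BASE_NONE, NULL, 0x0,
		    "TRUE if FTP request", HFILL }},

		{ &hf_ftp_request_command,
		  { "Request command",	"ftp.request.command",
		    FT_STRING, BASE_NONE, NULL, 0x0,
		    "", HFILL }},

		{ &hf_ftp_request_data,
		  { "Request data",	"ftp.request.data",
		    FT_STRING, BASE_NONE, NULL, 0x0,
		    "", HFILL }},

		/*
		 * Reply codes are three decimal digits, so many of them
		 * (331, 550, ...) do not fit in 8 bits; use a 32-bit field
		 * so the stored value matches the code that was parsed.
		 */
		{ &hf_ftp_response_code,
		  { "Response code",	"ftp.response.code",
		    FT_UINT32, BASE_DEC, NULL, 0x0,
		    "", HFILL }},

		/*
		 * NOTE(review): the filter name below is spelled
		 * "ftp.reponse.data" (missing "s").  It is left as it is
		 * because existing display filters may use this spelling.
		 */
		{ &hf_ftp_response_data,
		  { "Response data",	"ftp.reponse.data",
		    FT_STRING, BASE_NONE, NULL, 0x0,
		    "", HFILL }}
	};
	static gint *ett[] = {
		&ett_ftp,
		&ett_ftp_data,
	};

	proto_ftp = proto_register_protocol("File Transfer Protocol (FTP)", "FTP",
	    "ftp");
	proto_ftp_data = proto_register_protocol("FTP Data", "FTP-DATA", "ftp-data");
	proto_register_field_array(proto_ftp, hf, array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));

	/* Created here so it exists before any FTP packet is dissected. */
	ftpdata_handle = create_dissector_handle(dissect_ftpdata, proto_ftp_data);
}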
/*
 * Attach the two dissectors to their TCP ports: FTP-DATA to
 * TCP_PORT_FTPDATA and FTP to TCP_PORT_FTP.
 */
void
proto_reg_handoff_ftp(void)
{
	/*
	 * Local handles only; the data handle is deliberately not named
	 * after the file-level "ftpdata_handle", which this function never
	 * touches.
	 */
	dissector_handle_t data_handle;
	dissector_handle_t control_handle;

	data_handle = create_dissector_handle(dissect_ftpdata, proto_ftp_data);
	dissector_add("tcp.port", TCP_PORT_FTPDATA, data_handle);

	control_handle = create_dissector_handle(dissect_ftp, proto_ftp);
	dissector_add("tcp.port", TCP_PORT_FTP, control_handle);
}