2 * Routines for HTTP packet disassembly
4 * Guy Harris <guy@alum.mit.edu>
6 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
7 * Copyright 2002, Tim Potter <tpot@samba.org>
8 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
10 * $Id: packet-http.c,v 1.109 2004/05/10 22:20:24 obiot Exp $
12 * Ethereal - Network traffic analyzer
13 * By Gerald Combs <gerald@ethereal.com>
14 * Copyright 1998 Gerald Combs
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/strutil.h>
43 #include "req_resp_hdrs.h"
44 #include "packet-http.h"
47 typedef enum _http_type {
56 static int http_tap = -1;
58 static int proto_http = -1;
59 static int hf_http_notification = -1;
60 static int hf_http_response = -1;
61 static int hf_http_request = -1;
62 static int hf_http_basic = -1;
63 static int hf_http_request_method = -1;
64 static int hf_http_response_code = -1;
65 static int hf_http_authorization = -1;
66 static int hf_http_proxy_authenticate = -1;
67 static int hf_http_proxy_authorization = -1;
68 static int hf_http_www_authenticate = -1;
69 static int hf_http_content_type = -1;
70 static int hf_http_content_length = -1;
71 static int hf_http_content_encoding = -1;
72 static int hf_http_transfer_encoding = -1;
74 static gint ett_http = -1;
75 static gint ett_http_ntlmssp = -1;
76 static gint ett_http_request = -1;
77 static gint ett_http_chunked_response = -1;
78 static gint ett_http_chunk_data = -1;
79 static gint ett_http_encoded_entity = -1;
81 static dissector_handle_t data_handle;
82 static dissector_handle_t media_handle;
83 static dissector_handle_t http_handle;
86 * desegmentation of HTTP headers
87 * (when we are over TCP or another protocol providing the desegmentation API)
89 static gboolean http_desegment_headers = FALSE;
92 * desegmentation of HTTP bodies
93 * (when we are over TCP or another protocol providing the desegmentation API)
94 * TODO let the user filter on content-type the bodies he wants desegmented
96 static gboolean http_desegment_body = FALSE;
99 * De-chunking of content-encoding: chunk entity bodies.
101 static gboolean http_dechunk_body = TRUE;
104 * Decompression of zlib encoded entities.
107 static gboolean http_decompress_body = TRUE;
109 static gboolean http_decompress_body = FALSE;
113 #define TCP_PORT_HTTP 80
114 #define TCP_PORT_PROXY_HTTP 3128
115 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
116 #define TCP_ALT_PORT_HTTP 8080
119 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
121 #define TCP_PORT_SSDP 1900
122 #define UDP_PORT_SSDP 1900
125 * Protocols implemented atop HTTP.
128 PROTO_HTTP, /* just HTTP */
129 PROTO_SSDP /* Simple Service Discovery Protocol */
132 typedef void (*RequestDissector)(tvbuff_t*, proto_tree*, int);
135 * Structure holding information from headers needed by main
136 * HTTP dissector code.
140 char *content_type_parameters;
141 long content_length; /* XXX - make it 64-bit? */
142 char *content_encoding;
143 char *transfer_encoding;
146 static int is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
147 RequestDissector *req_dissector, int *req_strlen);
148 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
149 proto_tree *tree, int offset);
150 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
151 const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
152 proto_tree *tree, headers_t *eh_ptr);
153 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
154 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
155 packet_info *pinfo, gchar *value);
156 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
159 static dissector_table_t port_subdissector_table;
160 static dissector_table_t media_type_subdissector_table;
161 static heur_dissector_list_t heur_subdissector_list;
163 static dissector_handle_t ntlmssp_handle=NULL;
166 /* Return a tvb that contains the binary representation of a base64
170 base64_to_tvb(const char *base64)
173 char *data = g_strdup(base64);
176 len = epan_base64_decode(data);
177 tvb = tvb_new_real_data((const guint8 *)data, len, len);
179 tvb_set_free_cb(tvb, g_free);
185 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
188 tvbuff_t *ntlmssp_tvb;
190 ntlmssp_tvb = base64_to_tvb(line);
191 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
192 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
194 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
198 cleanup_headers(void *arg)
200 headers_t *headers = arg;
202 if (headers->content_type != NULL)
203 g_free(headers->content_type);
205 * The content_type_parameters field actually points into the
206 * content_type headers, so don't free it, as that'll double-free
209 if (headers->content_encoding != NULL)
210 g_free(headers->content_encoding);
211 if (headers->transfer_encoding != NULL)
212 g_free(headers->transfer_encoding);
216 * TODO: remove this ugly global variable.
218 * XXX - we leak "http_info_value_t" structures.
219 * XXX - this gets overwritten if there's more than one HTTP request or
220 * reply in the tvbuff.
222 static http_info_value_t *stat_info;
225 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
230 proto_tree *http_tree = NULL;
231 proto_item *ti = NULL;
234 const guchar *linep, *lineend;
236 int first_linelen, linelen;
237 gboolean is_request_or_reply;
238 gboolean saw_req_resp_or_header;
240 http_type_t http_type;
241 proto_item *hdr_item;
242 RequestDissector req_dissector;
244 proto_tree *req_tree;
248 int reported_datalen;
249 dissector_handle_t handle;
253 * Is this a request or response?
255 * Note that "tvb_find_line_end()" will return a value that
256 * is not longer than what's in the buffer, so the
257 * "tvb_get_ptr()" call won't throw an exception.
259 first_linelen = tvb_find_line_end(tvb, offset,
260 tvb_ensure_length_remaining(tvb, offset), &next_offset,
263 * Is the first line a request or response?
265 line = tvb_get_ptr(tvb, offset, first_linelen);
266 http_type = HTTP_OTHERS; /* type not known yet */
267 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
268 first_linelen, &http_type, NULL, NULL);
269 if (is_request_or_reply) {
271 * Yes, it's a request or response.
272 * Do header desegmentation if we've been told to,
273 * and do body desegmentation if we've been told to and
274 * we find a Content-Length header.
276 if (!req_resp_hdrs_do_reassembly(tvb, pinfo,
277 http_desegment_headers, http_desegment_body)) {
279 * More data needed for desegmentation.
285 stat_info = g_malloc(sizeof(http_info_value_t));
286 stat_info->response_code = 0;
287 stat_info->request_method = NULL;
289 switch (pinfo->match_port) {
291 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
302 if (check_col(pinfo->cinfo, COL_PROTOCOL))
303 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
304 if (check_col(pinfo->cinfo, COL_INFO)) {
306 * Put the first line from the buffer into the summary
307 * if it's an HTTP request or reply (but leave out the
309 * Otherwise, just call it a continuation.
311 * Note that "tvb_find_line_end()" will return a value that
312 * is not longer than what's in the buffer, so the
313 * "tvb_get_ptr()" call won't throw an exception.
315 line = tvb_get_ptr(tvb, offset, first_linelen);
316 if (is_request_or_reply)
317 col_add_str(pinfo->cinfo, COL_INFO,
318 format_text(line, first_linelen));
320 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
323 orig_offset = offset;
325 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
327 http_tree = proto_item_add_subtree(ti, ett_http);
331 * Process the packet data, a line at a time.
333 http_type = HTTP_OTHERS; /* type not known yet */
334 headers.content_type = NULL; /* content type not known yet */
335 headers.content_type_parameters = NULL; /* content type parameters too */
336 headers.content_length = -1; /* content length not known yet */
337 headers.content_encoding = NULL; /* content encoding not known yet */
338 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
339 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
340 CLEANUP_PUSH(cleanup_headers, &headers);
341 while (tvb_reported_length_remaining(tvb, offset) != 0) {
343 * Find the end of the line.
345 linelen = tvb_find_line_end(tvb, offset,
346 tvb_ensure_length_remaining(tvb, offset), &next_offset,
352 * Get a buffer that refers to the line.
354 line = tvb_get_ptr(tvb, offset, linelen);
355 lineend = line + linelen;
359 * OK, does it look like an HTTP request or response?
361 req_dissector = NULL;
362 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
363 linelen, &http_type, &req_dissector, &req_strlen);
364 if (is_request_or_reply)
368 * No. Does it look like a blank line (as would appear
369 * at the end of an HTTP request)?
372 goto is_http; /* Yes. */
375 * No. Does it look like a header?
378 colon_offset = offset;
379 while (linep < lineend) {
383 * This must be a CHAR to be part of a token; that
384 * means it must be ASCII.
387 break; /* not ASCII, thus not a CHAR */
390 * This mustn't be a CTL to be part of a token;
391 * that means it must be printable.
393 * XXX - what about leading LWS on continuation
397 break; /* not printable, not a header */
400 * This mustn't be a SEP to be part of a token;
401 * a ':' ends the token, everything else is an
402 * indication that this isn't a header.
424 * It's a separator, so it's not part of a
425 * token, so it's not a field name for the
426 * beginning of a header.
428 * (We don't have to check for HT; that's
429 * already been ruled out by "isprint()".)
435 * This ends the token; we consider this
447 * We haven't seen the colon, but everything else looks
448 * OK for a header line.
450 * If we've already seen an HTTP request or response
451 * line, or a header line, and we're at the end of
452 * the tvbuff, we assume this is an incomplete header
453 * line. (We quit this loop after seeing a blank line,
454 * so if we've seen a request or response line, or a
455 * header line, this is probably more of the request
456 * or response we're presumably seeing. There is some
457 * risk of false positives, but the same applies for
458 * full request or response lines or header lines,
459 * although that's less likely.)
461 * We throw an exception in that case, by checking for
462 * the existence of the next byte after the last one
463 * in the line. If it exists, "tvb_ensure_bytes_exist()"
464 * throws no exception, and we fall through to the
465 * "not HTTP" case. If it doesn't exist,
466 * "tvb_ensure_bytes_exist()" will throw the appropriate
469 if (saw_req_resp_or_header)
470 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
474 * We don't consider this part of an HTTP request or
475 * reply, so we don't display it.
476 * (Yeah, that means we don't display, say, a text/http
477 * page, but you can get that from the data pane.)
487 * This is a blank line, which means that
488 * whatever follows it isn't part of this
491 proto_tree_add_text(http_tree, tvb, offset,
492 next_offset - offset, "%s",
493 tvb_format_text(tvb, offset, next_offset - offset));
494 offset = next_offset;
499 * Not a blank line - either a request, a reply, or a header
502 saw_req_resp_or_header = TRUE;
503 if (is_request_or_reply) {
505 hdr_item = proto_tree_add_text(http_tree, tvb,
506 offset, next_offset - offset, "%s",
507 tvb_format_text(tvb, offset,
508 next_offset - offset));
510 req_tree = proto_item_add_subtree(
511 hdr_item, ett_http_request);
512 req_dissector(tvb, req_tree,
520 process_header(tvb, offset, next_offset, line, linelen,
521 colon_offset, pinfo, http_tree, &headers);
523 offset = next_offset;
529 case HTTP_NOTIFICATION:
530 proto_tree_add_boolean_hidden(http_tree,
531 hf_http_notification, tvb, 0, 0, 1);
535 proto_tree_add_boolean_hidden(http_tree,
536 hf_http_response, tvb, 0, 0, 1);
540 proto_tree_add_boolean_hidden(http_tree,
541 hf_http_request, tvb, 0, 0, 1);
551 * If a content length was supplied, the amount of data to be
552 * processed as HTTP payload is the minimum of the content
553 * length and the amount of data remaining in the frame.
555 * If no content length was supplied (or if a bad content length
556 * was supplied), the amount of data to be processed is the amount
557 * of data remaining in the frame.
559 * If there was no Content-Length entity header, we should
560 * accumulate all data until the end of the connection.
561 * That'd require that the TCP dissector call subdissectors
562 * for all frames with FIN, even if they contain no data,
563 * which would require subdissectors to deal intelligently
564 * with empty segments.
566 * Acccording to RFC 2616, however, 1xx responses, 204 responses,
567 * and 304 responses MUST NOT include a message body; if no
568 * content length is specified for them, we don't attempt to
571 * XXX - it says the same about responses to HEAD requests;
572 * unless there's a way to determine from the response
573 * whether it's a response to a HEAD request, we have to
574 * keep information about the request and associate that with
575 * the response in order to handle that.
577 datalen = tvb_length_remaining(tvb, offset);
578 if (headers.content_length != -1) {
579 if (datalen > headers.content_length)
580 datalen = headers.content_length;
583 * XXX - limit the reported length in the tvbuff we'll
584 * hand to a subdissector to be no greater than the
587 * We really need both unreassembled and "how long it'd
588 * be if it were reassembled" lengths for tvbuffs, so
589 * that we throw the appropriate exceptions for
590 * "not enough data captured" (running past the length),
591 * "packet needed reassembly" (within the length but
592 * running past the unreassembled length), and
593 * "packet is malformed" (running past the reassembled
596 reported_datalen = tvb_reported_length_remaining(tvb, offset);
597 if (reported_datalen > headers.content_length)
598 reported_datalen = headers.content_length;
600 if ((stat_info->response_code/100) == 1 ||
601 stat_info->response_code == 204 ||
602 stat_info->response_code == 304)
603 datalen = 0; /* no content! */
605 reported_datalen = -1;
610 * There's stuff left over; process it.
613 void *save_private_data = NULL;
614 gint chunks_decoded = 0;
617 * Create a tvbuff for the payload.
619 * The amount of data to be processed that's
620 * available in the tvbuff is "datalen", which
621 * is the minimum of the amount of data left in
622 * the tvbuff and any specified content length.
624 * The amount of data to be processed that's in
625 * this frame, regardless of whether it was
626 * captured or not, is "reported_datalen",
627 * which, if no content length was specified,
628 * is -1, i.e. "to the end of the frame.
630 next_tvb = tvb_new_subset(tvb, offset, datalen,
633 * BEWARE - next_tvb is a subset of another tvb,
634 * so we MUST NOT attempt tvb_free(next_tvb);
638 * Handle *transfer* encodings other than "identity".
640 if (headers.transfer_encoding != NULL &&
641 strcasecmp(headers.transfer_encoding, "identity") != 0) {
642 if (http_dechunk_body &&
643 (strcasecmp(headers.transfer_encoding, "chunked")
646 chunks_decoded = chunked_encoding_dissector(
647 &next_tvb, pinfo, http_tree, 0);
649 if (chunks_decoded <= 0) {
651 * The chunks weren't reassembled,
652 * or there was a single zero
658 * Add a new data source for the
661 tvb_set_child_real_data_tvbuff(tvb,
663 add_new_data_source(pinfo, next_tvb,
664 "De-chunked entity body");
668 * We currently can't handle, for example,
669 * "gzip", "compress", or "deflate" as
670 * *transfer* encodings; just handle them
673 call_dissector(data_handle, next_tvb, pinfo,
679 * At this point, any chunked *transfer* coding has been removed
680 * (the entity body has been dechunked) so it can be presented
681 * for the following operation (*content* encoding), or it has
682 * been been handed off to the data dissector.
684 * Handle *content* encodings other than "identity" (which
685 * shouldn't appear in a Content-Encoding header, but
686 * we handle it in any case).
688 if (headers.content_encoding != NULL &&
689 strcasecmp(headers.content_encoding, "identity") != 0) {
691 * We currently can't handle, for example, "compress";
692 * just handle them as data for now.
694 * After July 7, 2004 the LZW patent expires, so support
695 * might be added then. However, I don't think that
696 * anybody ever really implemented "compress", due to
697 * the aforementioned patent.
699 tvbuff_t *uncomp_tvb = NULL;
700 proto_item *e_ti = NULL;
701 proto_tree *e_tree = NULL;
703 if (http_decompress_body &&
704 (strcasecmp(headers.content_encoding, "gzip") == 0 ||
705 strcasecmp(headers.content_encoding, "deflate")
708 uncomp_tvb = tvb_uncompress(next_tvb, 0,
709 tvb_length(next_tvb));
713 * Add the encoded entity to the protocol tree
715 e_ti = proto_tree_add_text(http_tree, next_tvb,
716 0, tvb_length(next_tvb),
717 "Content-encoded entity body (%s)",
718 headers.content_encoding);
719 e_tree = proto_item_add_subtree(e_ti,
720 ett_http_encoded_entity);
722 if (uncomp_tvb != NULL) {
724 * Decompression worked
727 /* XXX - Don't free this, since it's possible
728 * that the data was only partially
729 * decompressed, such as when desegmentation
734 next_tvb = uncomp_tvb;
735 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
736 add_new_data_source(pinfo, next_tvb,
737 "Uncompressed entity body");
739 if (chunks_decoded > 1) {
740 tvb_set_child_real_data_tvbuff(tvb,
742 add_new_data_source(pinfo, next_tvb,
743 "Compressed entity body");
745 call_dissector(data_handle, next_tvb, pinfo,
752 * Note that a new data source is added for the entity body
753 * only if it was content-encoded and/or transfer-encoded.
757 * Do subdissector checks.
759 * First, check whether some subdissector asked that they
760 * be called if something was on some particular port.
762 handle = dissector_get_port_handle(port_subdissector_table,
764 if (handle == NULL && headers.content_type != NULL) {
766 * We didn't find any subdissector that
767 * registered for the port, and we have a
768 * Content-Type value. Is there any subdissector
769 * for that content type?
771 save_private_data = pinfo->private_data;
773 * XXX - this won't get freed if the subdissector
774 * throws an exception. Do we really need to
777 if (headers.content_type_parameters)
778 pinfo->private_data = g_strdup(headers.content_type_parameters);
780 pinfo->private_data = NULL;
782 * Calling the string handle for the media type
783 * dissector table will set pinfo->match_string
784 * to headers.content_type for us.
786 pinfo->match_string = headers.content_type;
787 handle = dissector_get_string_handle(
788 media_type_subdissector_table,
789 headers.content_type);
791 * Calling the default media handle otherwise
793 if (handle == NULL) {
794 handle = media_handle;
797 if (handle != NULL) {
799 * We have a subdissector - call it.
801 dissected = call_dissector(handle, next_tvb, pinfo,
805 * We don't have a subdissector - try the heuristic
808 dissected = dissector_try_heuristic(
809 heur_subdissector_list, next_tvb, pinfo, tree);
813 * The subdissector dissected the body.
814 * Fix up the top-level item so that it doesn't
815 * include the stuff for that protocol.
818 proto_item_set_len(ti, offset);
820 call_dissector(data_handle, next_tvb, pinfo,
826 * Do *not* attempt at freeing the private data;
827 * it may be in use by subdissectors.
829 if (save_private_data)
830 pinfo->private_data = save_private_data;
832 * We've processed "datalen" bytes worth of data
833 * (which may be no data at all); advance the
834 * offset past whatever data we've processed.
840 * Clean up any header stuff, by calling and popping the cleanup
843 CLEANUP_CALL_AND_POP;
845 tap_queue_packet(http_tap, pinfo, stat_info);
847 return offset - orig_offset;
850 /* This can be used to dissect an HTTP request until such time
851 * that a more complete dissector is written for that HTTP request.
852 * This simple dissectory only puts http.request_method into a sub-tree.
855 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int req_strlen)
857 proto_tree_add_item(tree, hf_http_request_method, tvb, 0, req_strlen, FALSE);
861 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int resp_strlen)
864 int minor, major, status_code;
866 /* BEWARE - sscanf() only operates on C strings.
867 * The pointer returned by tvb_get_ptr points into the real data,
868 * which is not necessarily NULL terminated. For this reason,
869 * the sscanf() call is only applied to a buffer guaranteed to
870 * only contain a NULL terminated string. */
871 data = g_strndup((const gchar *)tvb_get_ptr(tvb, 5, resp_strlen), resp_strlen);
872 if (sscanf((const gchar *)data, "%d.%d %d", &minor, &major, &status_code) == 3) {
873 proto_tree_add_uint(tree, hf_http_response_code, tvb, 9, 3, status_code);
874 stat_info->response_code = status_code;
880 * Dissect the http data chunks and add them to the tree.
883 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
884 proto_tree *tree, int offset)
886 guint8 *chunk_string = NULL;
888 gint chunk_offset = 0;
891 gint chunks_decoded = 0;
892 tvbuff_t *tvb = NULL;
893 tvbuff_t *new_tvb = NULL;
894 gint chunked_data_size = 0;
895 proto_tree *subtree = NULL;
896 proto_item *ti = NULL;
898 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
904 datalen = tvb_reported_length_remaining(tvb, offset);
907 ti = proto_tree_add_text(tree, tvb, offset, datalen,
908 "HTTP chunked response");
909 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
913 while (datalen != 0) {
914 proto_item *chunk_ti = NULL;
915 proto_tree *chunk_subtree = NULL;
916 tvbuff_t *data_tvb = NULL;
919 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
922 /* Can't get the chunk size line */
926 chunk_string = tvb_get_string(tvb, offset, linelen);
928 if (chunk_string == NULL) {
929 /* Can't get the chunk size line */
936 * We don't care about the extensions.
938 if ((c = strchr(c, ';'))) {
942 if (sscanf(chunk_string, "%x", &chunk_size) != 1) {
943 g_free(chunk_string);
947 g_free(chunk_string);
950 if (chunk_size > datalen) {
952 * The chunk size is more than what's in the tvbuff,
953 * so either the user hasn't enabled decoding, or all
954 * of the segments weren't captured.
956 chunk_size = datalen;
957 }/* else if (new_tvb == NULL) {
958 new_tvb = tvb_new_composite();
963 if (new_tvb != NULL && chunk_size != 0) {
964 tvbuff_t *chunk_tvb = NULL;
966 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
967 chunk_size, datalen);
969 tvb_composite_append(new_tvb, chunk_tvb);
974 chunked_data_size += chunk_size;
976 if (chunk_size != 0) {
977 guint8 *raw_data = g_malloc(chunked_data_size);
980 if (new_tvb != NULL) {
981 raw_len = tvb_length_remaining(new_tvb, 0);
982 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
987 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
988 chunk_offset, chunk_size);
990 new_tvb = tvb_new_real_data(raw_data,
991 chunked_data_size, chunked_data_size);
992 tvb_set_free_cb(new_tvb, g_free);
997 if (chunk_size == 0) {
998 chunk_ti = proto_tree_add_text(subtree, tvb,
1000 chunk_offset - offset + chunk_size + 2,
1001 "Data chunk (last chunk)");
1003 chunk_ti = proto_tree_add_text(subtree, tvb,
1005 chunk_offset - offset + chunk_size + 2,
1006 "Data chunk (%u octets)", chunk_size);
1009 chunk_subtree = proto_item_add_subtree(chunk_ti,
1010 ett_http_chunk_data);
1012 proto_tree_add_text(chunk_subtree, tvb, offset,
1013 chunk_offset - offset, "Chunk size: %u octets",
1016 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
1020 if (chunk_size > 0) {
1021 call_dissector(data_handle, data_tvb, pinfo,
1025 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1026 chunk_size, 2, "Chunk boundary");
1030 offset = chunk_offset + chunk_size + 2;
1031 datalen = tvb_reported_length_remaining(tvb, offset);
1034 if (new_tvb != NULL) {
1036 /* Placeholder for the day that composite tvbuffer's will work.
1037 tvb_composite_finalize(new_tvb);
1038 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1042 * XXX - Don't free this, since the tvbuffer that was passed
1043 * may be used if the data spans multiple frames and reassembly
1052 * We didn't create a new tvb, so don't allow sub dissectors
1053 * try to decode the non-existant entity body.
1055 chunks_decoded = -1;
1058 return chunks_decoded;
1064 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1068 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
1069 RequestDissector *req_dissector, int *req_strlen)
1071 int isHttpRequestOrReply = FALSE;
1075 * From RFC 2774 - An HTTP Extension Framework
1077 * Support the command prefix that identifies the presence of
1078 * a "mandatory" header.
1080 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
1087 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
1088 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
1090 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
1093 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
1094 *type = HTTP_RESPONSE;
1095 isHttpRequestOrReply = TRUE; /* response */
1096 if (req_dissector) {
1097 *req_dissector = basic_response_dissector;
1098 *req_strlen = linelen - 5;
1101 const guchar * ptr = (const guchar *)data;
1104 /* Look for the space following the Method */
1105 while (index < linelen) {
1114 /* Check the methods that have same length */
1118 if (strncmp(data, "GET", index) == 0 ||
1119 strncmp(data, "PUT", index) == 0) {
1120 *type = HTTP_REQUEST;
1121 isHttpRequestOrReply = TRUE;
1123 else if (strncmp(data, "ICY", index) == 0) {
1124 *type = HTTP_RESPONSE;
1125 isHttpRequestOrReply = TRUE;
1130 if (strncmp(data, "COPY", index) == 0 ||
1131 strncmp(data, "HEAD", index) == 0 ||
1132 strncmp(data, "LOCK", index) == 0 ||
1133 strncmp(data, "MOVE", index) == 0 ||
1134 strncmp(data, "POLL", index) == 0 ||
1135 strncmp(data, "POST", index) == 0) {
1136 *type = HTTP_REQUEST;
1137 isHttpRequestOrReply = TRUE;
1142 if (strncmp(data, "BCOPY", index) == 0 ||
1143 strncmp(data, "BMOVE", index) == 0 ||
1144 strncmp(data, "MKCOL", index) == 0 ||
1145 strncmp(data, "TRACE", index) == 0) {
1146 *type = HTTP_REQUEST;
1147 isHttpRequestOrReply = TRUE;
1152 if (strncmp(data, "DELETE", index) == 0 ||
1153 strncmp(data, "SEARCH", index) == 0 ||
1154 strncmp(data, "UNLOCK", index) == 0) {
1155 *type = HTTP_REQUEST;
1156 isHttpRequestOrReply = TRUE;
1158 else if (strncmp(data, "NOTIFY", index) == 0) {
1159 *type = HTTP_NOTIFICATION;
1160 isHttpRequestOrReply = TRUE;
1165 if (strncmp(data, "BDELETE", index) == 0 ||
1166 strncmp(data, "CONNECT", index) == 0 ||
1167 strncmp(data, "OPTIONS", index) == 0) {
1168 *type = HTTP_REQUEST;
1169 isHttpRequestOrReply = TRUE;
1174 if (strncmp(data, "PROPFIND", index) == 0) {
1175 *type = HTTP_REQUEST;
1176 isHttpRequestOrReply = TRUE;
1181 if (strncmp(data, "SUBSCRIBE", index) == 0) {
1182 *type = HTTP_NOTIFICATION;
1183 isHttpRequestOrReply = TRUE;
1184 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
1185 strncmp(data, "BPROPFIND", index) == 0) {
1186 *type = HTTP_REQUEST;
1187 isHttpRequestOrReply = TRUE;
1192 if (strncmp(data, "BPROPPATCH", index) == 0) {
1193 *type = HTTP_REQUEST;
1194 isHttpRequestOrReply = TRUE;
1199 if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
1200 *type = HTTP_NOTIFICATION;
1201 isHttpRequestOrReply = TRUE;
1209 if (isHttpRequestOrReply && req_dissector) {
1210 *req_dissector = basic_request_dissector;
1211 *req_strlen = index + prefix_len;
1213 if (isHttpRequestOrReply && req_dissector) {
1214 if (!stat_info->request_method)
1215 stat_info->request_method = g_malloc( index+1 );
1216 strncpy( stat_info->request_method, data, index);
1217 stat_info->request_method[index] = '\0';
1221 return isHttpRequestOrReply;
1233 #define HDR_NO_SPECIAL 0
1234 #define HDR_AUTHORIZATION 1
1235 #define HDR_AUTHENTICATE 2
1236 #define HDR_CONTENT_TYPE 3
1237 #define HDR_CONTENT_LENGTH 4
1238 #define HDR_CONTENT_ENCODING 5
1239 #define HDR_TRANSFER_ENCODING 6
1241 static const header_info headers[] = {
1242 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
1243 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
1244 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
1245 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
1246 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
1247 { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
1248 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
1249 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
1253 process_header(tvbuff_t *tvb, int offset, int next_offset,
1254 const guchar *line, int linelen, int colon_offset,
1255 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr)
1258 int line_end_offset;
1267 proto_item *hdr_item;
1270 len = next_offset - offset;
1271 line_end_offset = offset + linelen;
1272 header_len = colon_offset - offset;
1273 hf_index = find_header_hf_value(tvb, offset, header_len);
1275 if (hf_index == -1) {
1277 * Not a header we know anything about. Just put it into
1281 proto_tree_add_text(tree, tvb, offset, len,
1282 "%s", format_text(line, len));
1286 * Skip whitespace after the colon.
1288 value_offset = colon_offset + 1;
1289 while (value_offset < line_end_offset
1290 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
1296 value_len = line_end_offset - value_offset;
1297 value = g_malloc(value_len + 1);
1298 memcpy(value, &line[value_offset - offset], value_len);
1299 value[value_len] = '\0';
1300 CLEANUP_PUSH(g_free, value);
1303 * Add it to the protocol tree as a particular field,
1304 * but display the line as is.
1307 hdr_item = proto_tree_add_string_format(tree,
1308 *headers[hf_index].hf, tvb, offset, len,
1309 value, "%s", format_text(line, len));
1314 * Do any special processing that particular headers
1317 switch (headers[hf_index].special) {
1319 case HDR_AUTHORIZATION:
1320 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
1321 break; /* dissected NTLMSSP */
1322 check_auth_basic(hdr_item, tvb, value);
1325 case HDR_AUTHENTICATE:
1326 check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
1329 case HDR_CONTENT_TYPE:
1330 if (eh_ptr->content_type != NULL)
1331 g_free(eh_ptr->content_type);
1332 eh_ptr->content_type = g_malloc(value_len + 1);
1333 for (i = 0; i < value_len; i++) {
1335 if (c == ';' || isspace(c)) {
1337 * End of subtype - either
1338 * white space or a ";"
1339 * separating the subtype from
1346 * Map the character to lower case;
1347 * content types are case-insensitive.
1349 eh_ptr->content_type[i] = tolower(c);
1351 eh_ptr->content_type[i] = '\0';
1353 * Now find the start of the optional parameters;
1354 * skip the optional white space and the semicolon
1355 * if this has not been done before.
1358 while (i < value_len) {
1360 if (c == ';' || isspace(c))
1361 /* Skip till start of parameters */
1367 eh_ptr->content_type_parameters = value + i;
1369 eh_ptr->content_type_parameters = NULL;
1372 case HDR_CONTENT_LENGTH:
1373 eh_ptr->content_length = strtol(value, &p, 10);
1375 if (eh_ptr->content_length < 0 || p == value ||
1376 (*up != '\0' && !isspace(*up)))
1377 eh_ptr->content_length = -1; /* not valid */
1380 case HDR_CONTENT_ENCODING:
1381 if (eh_ptr->content_encoding != NULL)
1382 g_free(eh_ptr->content_encoding);
1383 eh_ptr->content_encoding = g_malloc(value_len + 1);
1384 memcpy(eh_ptr->content_encoding, value, value_len);
1385 eh_ptr->content_encoding[value_len] = '\0';
1388 case HDR_TRANSFER_ENCODING:
1389 if (eh_ptr->transfer_encoding != NULL)
1390 g_free(eh_ptr->transfer_encoding);
1391 eh_ptr->transfer_encoding = g_malloc(value_len + 1);
1392 memcpy(eh_ptr->transfer_encoding, value, value_len);
1393 eh_ptr->transfer_encoding[value_len] = '\0';
1398 * Free the value, by calling and popping the cleanup
1401 CLEANUP_CALL_AND_POP;
1405 /* Returns index of header tag in headers */
1407 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
1411 for (i = 0; i < array_length(headers); i++) {
1412 if (header_len == strlen(headers[i].name) &&
1413 tvb_strncaseeql(tvb, offset,
1414 headers[i].name, header_len) == 0)
1422 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
1425 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
1428 static const char *ntlm_headers[] = {
1433 const char **header;
1435 proto_tree *hdr_tree;
1438 * Check for NTLM credentials and challenge; those can
1439 * occur with WWW-Authenticate.
1441 for (header = &ntlm_headers[0]; *header != NULL; header++) {
1442 hdrlen = strlen(*header);
1443 if (strncmp(value, *header, hdrlen) == 0) {
1444 if (hdr_item != NULL) {
1445 hdr_tree = proto_item_add_subtree(hdr_item,
1450 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
1458 * Dissect HTTP Basic authorization.
1461 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
1463 static const char *basic_headers[] = {
1467 const char **header;
1469 proto_tree *hdr_tree;
1472 for (header = &basic_headers[0]; *header != NULL; header++) {
1473 hdrlen = strlen(*header);
1474 if (strncmp(value, *header, hdrlen) == 0) {
1475 if (hdr_item != NULL) {
1476 hdr_tree = proto_item_add_subtree(hdr_item,
1482 len = epan_base64_decode(value);
1484 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
1494 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1499 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1500 len = dissect_http_message(tvb, offset, pinfo, tree);
1506 * OK, we've set the Protocol and Info columns for the
1507 * first HTTP message; make the columns non-writable,
1508 * so that we don't change it for subsequent HTTP messages.
1510 col_set_writable(pinfo->cinfo, FALSE);
1515 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1517 dissect_http_message(tvb, 0, pinfo, tree);
1521 proto_register_http(void)
1523 static hf_register_info hf[] = {
1524 { &hf_http_notification,
1525 { "Notification", "http.notification",
1526 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1527 "TRUE if HTTP notification", HFILL }},
1528 { &hf_http_response,
1529 { "Response", "http.response",
1530 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1531 "TRUE if HTTP response", HFILL }},
1533 { "Request", "http.request",
1534 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1535 "TRUE if HTTP request", HFILL }},
1537 { "Credentials", "http.authbasic",
1538 FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
1539 { &hf_http_request_method,
1540 { "Request Method", "http.request.method",
1541 FT_STRING, BASE_NONE, NULL, 0x0,
1542 "HTTP Request Method", HFILL }},
1543 { &hf_http_response_code,
1544 { "Response Code", "http.response.code",
1545 FT_UINT16, BASE_DEC, NULL, 0x0,
1546 "HTTP Response Code", HFILL }},
1547 { &hf_http_authorization,
1548 { "Authorization", "http.authorization",
1549 FT_STRING, BASE_NONE, NULL, 0x0,
1550 "HTTP Authorization header", HFILL }},
1551 { &hf_http_proxy_authenticate,
1552 { "Proxy-Authenticate", "http.proxy_authenticate",
1553 FT_STRING, BASE_NONE, NULL, 0x0,
1554 "HTTP Proxy-Authenticate header", HFILL }},
1555 { &hf_http_proxy_authorization,
1556 { "Proxy-Authorization", "http.proxy_authorization",
1557 FT_STRING, BASE_NONE, NULL, 0x0,
1558 "HTTP Proxy-Authorization header", HFILL }},
1559 { &hf_http_www_authenticate,
1560 { "WWW-Authenticate", "http.www_authenticate",
1561 FT_STRING, BASE_NONE, NULL, 0x0,
1562 "HTTP WWW-Authenticate header", HFILL }},
1563 { &hf_http_content_type,
1564 { "Content-Type", "http.content_type",
1565 FT_STRING, BASE_NONE, NULL, 0x0,
1566 "HTTP Content-Type header", HFILL }},
1567 { &hf_http_content_length,
1568 { "Content-Length", "http.content_length",
1569 FT_STRING, BASE_NONE, NULL, 0x0,
1570 "HTTP Content-Length header", HFILL }},
1571 { &hf_http_content_encoding,
1572 { "Content-Encoding", "http.content_encoding",
1573 FT_STRING, BASE_NONE, NULL, 0x0,
1574 "HTTP Content-Encoding header", HFILL }},
1575 { &hf_http_transfer_encoding,
1576 { "Transfer-Encoding", "http.transfer_encoding",
1577 FT_STRING, BASE_NONE, NULL, 0x0,
1578 "HTTP Transfer-Encoding header", HFILL }},
1580 static gint *ett[] = {
1584 &ett_http_chunked_response,
1585 &ett_http_chunk_data,
1586 &ett_http_encoded_entity,
1588 module_t *http_module;
1590 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
1592 proto_register_field_array(proto_http, hf, array_length(hf));
1593 proto_register_subtree_array(ett, array_length(ett));
1594 http_module = prefs_register_protocol(proto_http, NULL);
1595 prefs_register_bool_preference(http_module, "desegment_headers",
1596 "Desegment all HTTP headers spanning multiple TCP segments",
1597 "Whether the HTTP dissector should desegment all headers "
1598 "of a request spanning multiple TCP segments",
1599 &http_desegment_headers);
1600 prefs_register_bool_preference(http_module, "desegment_body",
1601 "Desegment HTTP bodies spanning multiple TCP segments",
1602 "Whether the HTTP dissector should use the "
1603 "\"Content-length:\" value, if present, to desegment "
1604 "the body of a request spanning multiple TCP segments, "
1605 "and desegment chunked data spanning multiple TCP segments",
1606 &http_desegment_body);
1607 prefs_register_bool_preference(http_module, "dechunk_body",
1608 "Reassemble chunked transfer-coded bodies",
1609 "Whether to reassemble bodies of entities that are transfered "
1610 "using the \"Transfer-Encoding: chunked\" method",
1611 &http_dechunk_body);
1613 prefs_register_bool_preference(http_module, "decompress_body",
1614 "Uncompress entity bodies",
1615 "Whether to uncompress entity bodies that are compressed "
1616 "using \"Content-Encoding: \"",
1617 &http_decompress_body);
1620 http_handle = create_dissector_handle(dissect_http, proto_http);
1623 * Dissectors shouldn't register themselves in this table;
1624 * instead, they should call "http_dissector_add()", and
1625 * we'll register the port number they specify as a port
1626 * for HTTP, and register them in our subdissector table.
1628 * This only works for protocols such as IPP that run over
1629 * HTTP on a specific non-HTTP port.
1631 port_subdissector_table = register_dissector_table("http.port",
1632 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
1635 * Dissectors can register themselves in this table.
1636 * It's just "media_type", not "http.content_type", because
1637 * it's an Internet media type, usable by other protocols as well.
1639 media_type_subdissector_table =
1640 register_dissector_table("media_type",
1641 "Internet media type", FT_STRING, BASE_NONE);
1644 * Heuristic dissectors SHOULD register themselves in
1645 * this table using the standard heur_dissector_add()
1648 register_heur_dissector_list("http", &heur_subdissector_list);
1651 * Register for tapping
1653 http_tap = register_tap("http");
1657 * Called by dissectors for protocols that run atop HTTP/TCP.
1660 http_dissector_add(guint32 port, dissector_handle_t handle)
1663 * Register ourselves as the handler for that port number
1666 dissector_add("tcp.port", port, http_handle);
1669 * And register them in *our* table for that port.
1671 dissector_add("http.port", port, handle);
1675 proto_reg_handoff_http(void)
1677 dissector_handle_t http_udp_handle;
1679 data_handle = find_dissector("data");
1680 media_handle = find_dissector("media");
1682 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
1683 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
1684 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
1685 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
1688 * XXX - is there anything to dissect in the body of an SSDP
1689 * request or reply? I.e., should there be an SSDP dissector?
1691 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
1692 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
1693 dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
1695 ntlmssp_handle = find_dissector("ntlmssp");
1699 * Content-Type: message/http
1702 static gint proto_message_http = -1;
1703 static gint ett_message_http = -1;
1704 static dissector_handle_t message_http_handle;
1707 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1709 proto_tree *subtree;
1711 gint offset = 0, next_offset;
1714 if (check_col(pinfo->cinfo, COL_INFO))
1715 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
1717 ti = proto_tree_add_item(tree, proto_message_http,
1719 subtree = proto_item_add_subtree(ti, ett_message_http);
1720 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1721 len = tvb_find_line_end(tvb, offset,
1722 tvb_ensure_length_remaining(tvb, offset),
1723 &next_offset, FALSE);
1726 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
1727 "%s", tvb_format_text(tvb, offset, len));
1728 offset = next_offset;
1734 proto_register_message_http(void)
1736 static gint *ett[] = {
1740 proto_message_http = proto_register_protocol(
1741 "Media Type: message/http",
1745 proto_register_subtree_array(ett, array_length(ett));
1746 message_http_handle = create_dissector_handle(dissect_message_http,
1747 proto_message_http);
1751 proto_reg_handoff_message_http(void)
1753 message_http_handle = create_dissector_handle(dissect_message_http,
1754 proto_message_http);
1756 dissector_add_string("media_type", "message/http", message_http_handle);