2 * Routines for HTTP packet disassembly
4 * Guy Harris <guy@alum.mit.edu>
6 * Copyright 2002, Tim Potter <tpot@samba.org>
7 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
9 * $Id: packet-http.c,v 1.60 2002/12/02 23:43:26 guy Exp $
11 * Ethereal - Network traffic analyzer
12 * By Gerald Combs <gerald@ethereal.com>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38 #include <epan/packet.h>
39 #include <epan/strutil.h>
41 #include "packet-http.h"
43 typedef enum _http_type {
50 static int proto_http = -1;
51 static int hf_http_notification = -1;
52 static int hf_http_response = -1;
53 static int hf_http_request = -1;
55 static gint ett_http = -1;
56 static gint ett_http_ntlmssp = -1;
58 static dissector_handle_t data_handle;
59 static dissector_handle_t http_handle;
61 #define TCP_PORT_HTTP 80
62 #define TCP_PORT_PROXY_HTTP 3128
63 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
64 #define TCP_ALT_PORT_HTTP 8080
67 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
69 #define TCP_PORT_SSDP 1900
70 #define UDP_PORT_SSDP 1900
73 * Protocols implemented atop HTTP.
76 PROTO_HTTP, /* just HTTP */
77 PROTO_SSDP /* Simple Service Discovery Protocol */
80 static int is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type);
82 static dissector_table_t subdissector_table;
83 static heur_dissector_list_t heur_subdissector_list;
85 static dissector_handle_t ntlmssp_handle=NULL;
87 /* Decode a base64 string in-place - simple and slow algorithm.
88 Return length of result. Taken from rproxy/librsync/base64.c by
91 static size_t base64_decode(char *s)
93 static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
94 int bit_offset, byte_offset, idx, i, n;
95 unsigned char *d = (unsigned char *)s;
100 while (*s && (p=strchr(b64, *s))) {
101 idx = (int)(p - b64);
102 byte_offset = (i*6)/8;
103 bit_offset = (i*6)%8;
104 d[byte_offset] &= ~((1<<(8-bit_offset))-1);
105 if (bit_offset < 3) {
106 d[byte_offset] |= (idx << (2-bit_offset));
109 d[byte_offset] |= (idx >> (bit_offset-2));
110 d[byte_offset+1] = 0;
111 d[byte_offset+1] |= (idx << (8-(bit_offset-2))) & 0xFF;
120 /* Return a tvb that contains the binary representation of a base64
124 base64_to_tvb(const char *base64)
127 char *data = g_strdup(base64);
130 len = base64_decode(data);
131 tvb = tvb_new_real_data(data, len, len);
133 tvb_set_free_cb(tvb, g_free);
139 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
142 tvbuff_t *ntlmssp_tvb;
144 ntlmssp_tvb = base64_to_tvb(line);
145 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
146 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
148 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
152 * Some headers that we dissect more deeply - Microsoft's abomination
153 * called NTLMSSP over HTTP.
156 check_ntlmssp_auth(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
159 static const char *headers[] = {
160 "Authorization: NTLM ",
161 "Authorization: Negotiate ",
162 "WWW-Authenticate: NTLM ",
163 "WWW-Authenticate: Negotiate ",
164 "Proxy-Authenticate: NTLM ",
165 "Proxy-Authorization: NTLM ",
170 proto_tree *hdr_tree;
172 for (header = &headers[0]; *header != NULL; header++) {
173 hdrlen = strlen(*header);
174 if (strncmp(text, *header, hdrlen) == 0) {
175 if (hdr_item != NULL) {
176 hdr_tree = proto_item_add_subtree(hdr_item,
181 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text);
189 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
193 proto_tree *http_tree = NULL;
194 proto_item *ti = NULL;
198 const guchar *linep, *lineend;
201 http_type_t http_type;
204 proto_item *hdr_item;
206 switch (pinfo->match_port) {
208 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
219 if (check_col(pinfo->cinfo, COL_PROTOCOL))
220 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
221 if (check_col(pinfo->cinfo, COL_INFO)) {
223 * Put the first line from the buffer into the summary
224 * if it's an HTTP request or reply (but leave out the
226 * Otherwise, just call it a continuation.
228 * Note that "tvb_find_line_end()" will return a value that
229 * is not longer than what's in the buffer, so the
230 * "tvb_get_ptr()" call won't throw an exception.
232 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
234 line = tvb_get_ptr(tvb, offset, linelen);
235 http_type = HTTP_OTHERS; /* type not known yet */
236 if (is_http_request_or_reply(line, linelen, &http_type))
237 col_add_str(pinfo->cinfo, COL_INFO,
238 format_text(line, linelen));
240 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
244 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
246 http_tree = proto_item_add_subtree(ti, ett_http);
250 * Process the packet data, a line at a time.
252 http_type = HTTP_OTHERS; /* type not known yet */
253 while (tvb_offset_exists(tvb, offset)) {
255 * Find the end of the line.
257 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
261 * Get a buffer that refers to the line.
263 line = tvb_get_ptr(tvb, offset, linelen);
264 lineend = line + linelen;
267 * OK, does it look like an HTTP request or response?
269 if (is_http_request_or_reply(line, linelen, &http_type))
273 * No. Does it look like a blank line (as would appear
274 * at the end of an HTTP request)?
280 * No. Does it look like a MIME header?
283 while (linep < lineend) {
286 break; /* not printable, not a MIME header */
306 * It's a tspecial, so it's not part of a
307 * token, so it's not a field name for the
308 * beginning of a MIME header.
314 * This ends the token; we consider this
315 * to be a MIME header.
323 * We don't consider this part of an HTTP request or
324 * reply, so we don't display it.
325 * (Yeah, that means we don't display, say, a text/http
326 * page, but you can get that from the data pane.)
334 text = tvb_format_text(tvb, offset, next_offset - offset);
336 hdr_item = proto_tree_add_text(http_tree, tvb, offset,
337 next_offset - offset, "%s", text);
340 check_ntlmssp_auth(hdr_item, tvb, pinfo, text);
341 offset = next_offset;
347 case HTTP_NOTIFICATION:
348 proto_tree_add_boolean_hidden(http_tree,
349 hf_http_notification, tvb, 0, 0, 1);
353 proto_tree_add_boolean_hidden(http_tree,
354 hf_http_response, tvb, 0, 0, 1);
358 proto_tree_add_boolean_hidden(http_tree,
359 hf_http_request, tvb, 0, 0, 1);
368 datalen = tvb_length_remaining(tvb, offset);
370 tvbuff_t *next_tvb = tvb_new_subset(tvb, offset, -1, -1);
373 * OK, has some subdissector asked that they be called
374 * if something was on some particular port?
376 if (dissector_try_port(subdissector_table, pinfo->match_port,
377 next_tvb, pinfo, tree)) {
379 * Yes. Fix up the top-level item so that it
380 * doesn't include the stuff for that protocol.
383 proto_item_set_len(ti, offset);
384 } else if(dissector_try_heuristic(heur_subdissector_list,
385 next_tvb,pinfo,tree)){
387 * Yes. Fix up the top-level item so that it
388 * doesn't include the stuff for that protocol.
391 proto_item_set_len(ti, offset);
393 call_dissector(data_handle,
394 tvb_new_subset(tvb, offset, -1, -1), pinfo,
401 * XXX - this won't handle HTTP 0.9 replies, but they're all data
405 is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type)
407 int isHttpRequestOrReply = FALSE;
410 * From RFC 2774 - An HTTP Extension Framework
412 * Support the command prefix that identifies the presence of
413 * a "mandatory" header.
415 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
421 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
422 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
424 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
427 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
428 *type = HTTP_RESPONSE;
429 isHttpRequestOrReply = TRUE; /* response */
431 const guchar * ptr = (const guchar *)data;
434 /* Look for the space following the Method */
435 while (index < linelen) {
444 /* Check the methods that have same length */
448 if (strncmp(data, "GET", index) == 0 ||
449 strncmp(data, "PUT", index) == 0) {
450 *type = HTTP_REQUEST;
451 isHttpRequestOrReply = TRUE;
456 if (strncmp(data, "COPY", index) == 0 ||
457 strncmp(data, "HEAD", index) == 0 ||
458 strncmp(data, "LOCK", index) == 0 ||
459 strncmp(data, "MOVE", index) == 0 ||
460 strncmp(data, "POLL", index) == 0 ||
461 strncmp(data, "POST", index) == 0) {
462 *type = HTTP_REQUEST;
463 isHttpRequestOrReply = TRUE;
468 if (strncmp(data, "BCOPY", index) == 0 ||
469 strncmp(data, "BMOVE", index) == 0 ||
470 strncmp(data, "MKCOL", index) == 0 ||
471 strncmp(data, "TRACE", index) == 0) {
472 *type = HTTP_REQUEST;
473 isHttpRequestOrReply = TRUE;
478 if (strncmp(data, "DELETE", index) == 0 ||
479 strncmp(data, "SEARCH", index) == 0 ||
480 strncmp(data, "UNLOCK", index) == 0) {
481 *type = HTTP_REQUEST;
482 isHttpRequestOrReply = TRUE;
484 else if (strncmp(data, "NOTIFY", index) == 0) {
485 *type = HTTP_NOTIFICATION;
486 isHttpRequestOrReply = TRUE;
491 if (strncmp(data, "BDELETE", index) == 0 ||
492 strncmp(data, "CONNECT", index) == 0 ||
493 strncmp(data, "OPTIONS", index) == 0) {
494 *type = HTTP_REQUEST;
495 isHttpRequestOrReply = TRUE;
500 if (strncmp(data, "PROPFIND", index) == 0) {
501 *type = HTTP_REQUEST;
502 isHttpRequestOrReply = TRUE;
507 if (strncmp(data, "SUBSCRIBE", index) == 0) {
508 *type = HTTP_NOTIFICATION;
509 isHttpRequestOrReply = TRUE;
510 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
511 strncmp(data, "BPROPFIND", index) == 0) {
512 *type = HTTP_REQUEST;
513 isHttpRequestOrReply = TRUE;
518 if (strncmp(data, "BPROPPATCH", index) == 0) {
519 *type = HTTP_REQUEST;
520 isHttpRequestOrReply = TRUE;
525 if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
526 *type = HTTP_NOTIFICATION;
527 isHttpRequestOrReply = TRUE;
536 return isHttpRequestOrReply;
540 proto_register_http(void)
542 static hf_register_info hf[] = {
543 { &hf_http_notification,
544 { "Notification", "http.notification",
545 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
546 "TRUE if HTTP notification", HFILL }},
548 { "Response", "http.response",
549 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
550 "TRUE if HTTP response", HFILL }},
552 { "Request", "http.request",
553 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
554 "TRUE if HTTP request", HFILL }},
556 static gint *ett[] = {
561 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
563 proto_register_field_array(proto_http, hf, array_length(hf));
564 proto_register_subtree_array(ett, array_length(ett));
566 register_dissector("http", dissect_http, proto_http);
567 http_handle = find_dissector("http");
570 * Dissectors shouldn't register themselves in this table;
571 * instead, they should call "http_dissector_add()", and
572 * we'll register the port number they specify as a port
573 * for HTTP, and register them in our subdissector table.
575 * This only works for protocols such as IPP that run over
576 * HTTP on a specific non-HTTP port.
578 subdissector_table = register_dissector_table("http.port",
579 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
582 * Heuristic dissectors SHOULD register themselves in
583 * this table using the standard heur_dissector_add()
587 register_heur_dissector_list("http",&heur_subdissector_list);
592 * Called by dissectors for protocols that run atop HTTP/TCP.
595 http_dissector_add(guint32 port, dissector_handle_t handle)
598 * Register ourselves as the handler for that port number
601 dissector_add("tcp.port", port, http_handle);
604 * And register them in *our* table for that port.
606 dissector_add("http.port", port, handle);
610 proto_reg_handoff_http(void)
612 data_handle = find_dissector("data");
613 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
614 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
615 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
616 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
619 * XXX - is there anything to dissect in the body of an SSDP
620 * request or reply? I.e., should there be an SSDP dissector?
622 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
623 dissector_add("udp.port", UDP_PORT_SSDP, http_handle);
625 ntlmssp_handle = find_dissector("ntlmssp");