2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.173 2003/02/21 00:22:45 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #include <epan/resolv.h>
38 #include "packet-tcp.h"
39 #include "packet-ip.h"
40 #include "packet-frame.h"
41 #include <epan/conversation.h>
42 #include <epan/strutil.h>
43 #include "reassemble.h"
46 static int tcp_tap = -1;
48 /* Place TCP summary in proto tree */
49 static gboolean tcp_summary_in_tree = TRUE;
52 * Flag to control whether to check the TCP checksum.
54 * In at least some Solaris network traces, there are packets with bad
55 * TCP checksums, but the traffic appears to indicate that the packets
56 * *were* received; the packets were probably sent by the host on which
57 * the capture was being done, on a network interface to which
58 * checksumming was offloaded, so that DLPI supplied an un-checksummed
59 * packet to the capture program but a checksummed packet got put onto
62 static gboolean tcp_check_checksum = TRUE;
64 extern FILE* data_out_file;
66 static int proto_tcp = -1;
67 static int hf_tcp_srcport = -1;
68 static int hf_tcp_dstport = -1;
69 static int hf_tcp_port = -1;
70 static int hf_tcp_seq = -1;
71 static int hf_tcp_nxtseq = -1;
72 static int hf_tcp_ack = -1;
73 static int hf_tcp_hdr_len = -1;
74 static int hf_tcp_flags = -1;
75 static int hf_tcp_flags_cwr = -1;
76 static int hf_tcp_flags_ecn = -1;
77 static int hf_tcp_flags_urg = -1;
78 static int hf_tcp_flags_ack = -1;
79 static int hf_tcp_flags_push = -1;
80 static int hf_tcp_flags_reset = -1;
81 static int hf_tcp_flags_syn = -1;
82 static int hf_tcp_flags_fin = -1;
83 static int hf_tcp_window_size = -1;
84 static int hf_tcp_checksum = -1;
85 static int hf_tcp_checksum_bad = -1;
86 static int hf_tcp_len = -1;
87 static int hf_tcp_urgent_pointer = -1;
88 static int hf_tcp_analysis_flags = -1;
89 static int hf_tcp_analysis_acks_frame = -1;
90 static int hf_tcp_analysis_ack_rtt = -1;
91 static int hf_tcp_analysis_retransmission = -1;
92 static int hf_tcp_analysis_lost_packet = -1;
93 static int hf_tcp_analysis_ack_lost_packet = -1;
94 static int hf_tcp_analysis_keep_alive = -1;
95 static int hf_tcp_analysis_duplicate_ack = -1;
96 static int hf_tcp_analysis_zero_window = -1;
97 static int hf_tcp_analysis_zero_window_probe = -1;
98 static int hf_tcp_analysis_zero_window_violation = -1;
99 static int hf_tcp_segments = -1;
100 static int hf_tcp_segment = -1;
101 static int hf_tcp_segment_overlap = -1;
102 static int hf_tcp_segment_overlap_conflict = -1;
103 static int hf_tcp_segment_multiple_tails = -1;
104 static int hf_tcp_segment_too_long_fragment = -1;
105 static int hf_tcp_segment_error = -1;
107 static gint ett_tcp = -1;
108 static gint ett_tcp_flags = -1;
109 static gint ett_tcp_options = -1;
110 static gint ett_tcp_option_sack = -1;
111 static gint ett_tcp_analysis = -1;
112 static gint ett_tcp_analysis_faults = -1;
113 static gint ett_tcp_segments = -1;
114 static gint ett_tcp_segment = -1;
117 /* not all of the hf_fields below make sense for TCP but we have to provide
118 them anyways to comply with the api (which was aimed for ip fragment
120 static const fragment_items tcp_segment_items = {
125 &hf_tcp_segment_overlap,
126 &hf_tcp_segment_overlap_conflict,
127 &hf_tcp_segment_multiple_tails,
128 &hf_tcp_segment_too_long_fragment,
129 &hf_tcp_segment_error,
133 static dissector_table_t subdissector_table;
134 static heur_dissector_list_t heur_subdissector_list;
135 static dissector_handle_t data_handle;
137 /* TCP structs and definitions */
140 /* **************************************************************************
141 * stuff to analyze TCP sequencenumbers for retransmissions, missing segments,
142 * RTT and reltive sequence numbers.
143 * **************************************************************************/
144 static gboolean tcp_analyze_seq = FALSE;
145 static gboolean tcp_relative_seq = FALSE;
147 static GMemChunk *tcp_unacked_chunk = NULL;
148 static int tcp_unacked_count = 500; /* one for each packet until it is acked*/
150 struct tcp_unacked *next;
156 /* these are used for detection of duplicate acks and nothing else */
161 /* this is to keep track of zero window and zero window probe */
165 /* Idea for gt: either x > y, or y is much bigger (assume wrap) */
166 #define GT_SEQ(x, y) ((gint32)((y) - (x)) < 0)
167 #define LT_SEQ(x, y) ((gint32)((x) - (y)) < 0)
168 #define GE_SEQ(x, y) ((gint32)((y) - (x)) <= 0)
169 #define LE_SEQ(x, y) ((gint32)((x) - (y)) <= 0)
170 #define EQ_SEQ(x, y) ((x) == (y))
172 static GMemChunk *tcp_acked_chunk = NULL;
173 static int tcp_acked_count = 5000; /* one for almost every other segment in the capture */
174 #define TCP_A_RETRANSMISSION 0x01
175 #define TCP_A_LOST_PACKET 0x02
176 #define TCP_A_ACK_LOST_PACKET 0x04
177 #define TCP_A_KEEP_ALIVE 0x08
178 #define TCP_A_DUPLICATE_ACK 0x10
179 #define TCP_A_ZERO_WINDOW 0x20
180 #define TCP_A_ZERO_WINDOW_PROBE 0x40
181 #define TCP_A_ZERO_WINDOW_VIOLATION 0x80
187 static GHashTable *tcp_analyze_acked_table = NULL;
189 static GMemChunk *tcp_rel_seq_chunk = NULL;
190 static int tcp_rel_seq_count = 10000; /* one for each segment in the capture */
195 static GHashTable *tcp_rel_seq_table = NULL;
197 static GMemChunk *tcp_analysis_chunk = NULL;
198 static int tcp_analysis_count = 20; /* one for each conversation */
199 struct tcp_analysis {
200 /* These two structs are managed based on comparing the source
201 * and destination addresses and, if they're equal, comparing
202 * the source and destination ports.
204 * If the source is greater than the destination, then stuff
205 * sent from src is in ual1.
207 * If the source is less than the destination, then stuff
208 * sent from src is in ual2.
210 * XXX - if the addresses and ports are equal, we don't guarantee
213 struct tcp_unacked *ual1; /* UnAcked List 1*/
215 struct tcp_unacked *ual2; /* UnAcked List 2*/
220 tcp_get_relative_seq_ack(guint32 frame, guint32 *seq, guint32 *ack)
222 struct tcp_rel_seq *trs;
224 trs=g_hash_table_lookup(tcp_rel_seq_table, (void *)frame);
229 (*seq) -= trs->seq_base;
230 (*ack) -= trs->ack_base;
233 static struct tcp_acked *
234 tcp_analyze_get_acked_struct(guint32 frame, gboolean createflag)
236 struct tcp_acked *ta;
238 ta=g_hash_table_lookup(tcp_analyze_acked_table, (void *)frame);
239 if((!ta) && createflag){
240 ta=g_mem_chunk_alloc(tcp_acked_chunk);
245 g_hash_table_insert(tcp_analyze_acked_table, (void *)frame, ta);
251 tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags, guint16 window)
253 conversation_t *conv=NULL;
254 struct tcp_analysis *tcpd=NULL;
256 struct tcp_unacked *ual1=NULL;
257 struct tcp_unacked *ual2=NULL;
258 struct tcp_unacked *ual=NULL;
262 /* Have we seen this conversation before? */
263 if( (conv=find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
264 /* No this is a new conversation. */
265 conv=conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
268 /* check if we have any data for this conversation */
269 tcpd=conversation_get_proto_data(conv, proto_tcp);
271 /* No no such data yet. Allocate and init it */
272 tcpd=g_mem_chunk_alloc(tcp_analysis_chunk);
277 conversation_add_proto_data(conv, proto_tcp, tcpd);
280 /* check direction and get ua lists */
281 direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
282 /* if the addresses are equal, match the ports instead */
284 direction= (pinfo->srcport > pinfo->destport)*2-1;
289 base_seq=tcpd->base_seq1;
290 base_ack=tcpd->base_seq2;
294 base_seq=tcpd->base_seq2;
295 base_ack=tcpd->base_seq1;
305 /* handle the sequence numbers */
306 /* if this was a SYN packet, then remove existing list and
307 * put SEQ+1 first the list */
309 for(ual=ual1;ual1;ual1=ual){
311 g_mem_chunk_free(tcp_unacked_chunk, ual1);
313 ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
315 ual1->frame=pinfo->fd->num;
321 ual1->ts.secs=pinfo->fd->abs_secs;
322 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
329 /* if this is the first segment we see then just add it */
331 ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
333 ual1->frame=pinfo->fd->num;
338 ual1->nextseq=seq+seglen;
339 ual1->ts.secs=pinfo->fd->abs_secs;
340 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
346 /* if we get past here we know that ual1 points to a segment */
348 /* To handle FIN, just pretend they have a length of 1.
349 else the ACK following the FIN-ACK will look like it was
350 outside the window. */
351 if( (!seglen) && (flags&TH_FIN) ){
355 /* if seq is beyond ual1->nextseq we have lost a segment */
356 if (GT_SEQ(seq, ual1->nextseq)) {
357 struct tcp_acked *ta;
359 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
360 ta->flags|=TCP_A_LOST_PACKET;
362 /* just add the segment to the beginning of the list */
363 ual=g_mem_chunk_alloc(tcp_unacked_chunk);
365 ual->frame=pinfo->fd->num;
370 ual->nextseq=seq+seglen;
371 ual->ts.secs=pinfo->fd->abs_secs;
372 ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
378 /* keep-alives are empty semgents with a sequence number -1 of what
381 if( (!seglen) && EQ_SEQ(seq, (ual1->nextseq-1)) ){
382 struct tcp_acked *ta;
384 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
385 ta->flags|=TCP_A_KEEP_ALIVE;
390 /* if this is an empty segment, just skip it all */
395 /* check if the sequence number is lower than expected, i.e. retransmission */
396 if( LT_SEQ(seq, ual1->nextseq )){
397 struct tcp_acked *ta;
399 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
400 ta->flags|=TCP_A_RETRANSMISSION;
402 /* did this segment contain any more data we havent seen yet?
403 * if so we can just increase nextseq
405 if(GT_SEQ((seq+seglen), ual1->nextseq)){
406 ual1->nextseq=seq+seglen;
407 ual1->frame=pinfo->fd->num;
408 ual1->ts.secs=pinfo->fd->abs_secs;
409 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
414 /* just add the segment to the beginning of the list */
415 ual=g_mem_chunk_alloc(tcp_unacked_chunk);
417 ual->frame=pinfo->fd->num;
422 ual->nextseq=seq+seglen;
423 ual->ts.secs=pinfo->fd->abs_secs;
424 ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
431 /* handle the ack numbers */
433 /* if we dont have the ack flag its not much we can do */
434 if( !(flags&TH_ACK)){
438 /* if we havent seen anything yet in the other direction we dont
439 * know what this one acks */
444 /* if we dont have any real segments in the other direction not
445 * acked yet (as we see from the magic frame==0 entry)
446 * then there is no point in continuing
452 /* if we get here we know ual2 is valid */
454 /* if we are acking beyong what we have seen in the other direction
455 * we must have lost packets. Not much point in keeping the segments
456 * in the other direction either.
458 if( GT_SEQ(ack, ual2->nextseq )){
459 struct tcp_acked *ta;
461 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
462 ta->flags|=TCP_A_ACK_LOST_PACKET;
463 for(ual=ual2;ual2;ual2=ual){
465 g_mem_chunk_free(tcp_unacked_chunk, ual2);
471 /* does this ACK ack all semgents we have seen in the other direction?*/
472 if( EQ_SEQ(ack, ual2->nextseq )){
473 struct tcp_acked *ta;
475 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
476 ta->frame_acked=ual2->frame;
477 ta->ts.secs=pinfo->fd->abs_secs-ual2->ts.secs;
478 ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ual2->ts.nsecs;
480 ta->ts.nsecs+=1000000000;
484 /* its all been ACKed so we dont need to keep them anymore */
485 for(ual=ual2;ual2;ual2=ual){
487 g_mem_chunk_free(tcp_unacked_chunk, ual2);
492 /* ok it only ACKs part of what we have seen. Find out how much
493 * update and remove the ACKed segments
495 for(ual=ual2;ual->next;ual=ual->next){
496 if( GE_SEQ(ack, ual->next->nextseq)){
501 struct tcp_unacked *tmpual=NULL;
502 struct tcp_unacked *ackedual=NULL;
503 struct tcp_acked *ta;
508 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
509 ta->frame_acked=ackedual->frame;
510 ta->ts.secs=pinfo->fd->abs_secs-ackedual->ts.secs;
511 ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ackedual->ts.nsecs;
513 ta->ts.nsecs+=1000000000;
517 /* just delete all ACKed segments */
520 for(ual=tmpual;ual;ual=tmpual){
522 g_mem_chunk_free(tcp_unacked_chunk, ual);
528 /* we might have deleted the entire ual2 list, if this is an ACK,
529 make sure ual2 at least has a dummy entry for the current ACK */
530 if( (!ual2) && (flags&TH_ACK) ){
531 ual2=g_mem_chunk_alloc(tcp_unacked_chunk);
544 /* update the ACK counter and check for
546 /* go to the oldest segment in the list of segments
547 in the other direction */
548 /* XXX we should guarantee ual2 to always be non NULL here
549 so we can skip the ual/ual2 tests */
550 for(ual=ual2;ual&&ual->next;ual=ual->next)
553 /* we only consider this being a potential duplicate ack
554 if the segment length is 0 (ack only segment)
555 and if it acks something previous to oldest segment
556 in the other direction */
557 if((!seglen)&&LE_SEQ(ack,ual->seq)){
558 /* if this is the first ack to keep track of, it is not
560 if(ual->num_acks==0){
562 ual->ack_frame=pinfo->fd->num;
564 /* if this ack is different, store this one
565 instead and forget the previous one(s) */
566 } else if(ual->ack!=ack){
568 ual->ack_frame=pinfo->fd->num;
570 /* this has to be a duplicate ack */
575 /* ok we have found a potential duplicate ack */
577 struct tcp_acked *ta;
578 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
579 ta->flags|=TCP_A_DUPLICATE_ACK;
586 /* check for zero window probes
587 a zero window probe is when a TCP tries to write 1 byte segments
588 where the remote side has advertised a window of 0 bytes.
589 We only do this check if we actually have seen anything from the
590 other side of this connection.
592 We also assume ual still points to the last entry in the ual2
593 list from the section above.
595 At the same time, check for violations, i.e. attempts to write >1
596 byte to a zero-window.
598 /* XXX we should not need to do the ual->frame check here?
599 might be a bug somewhere. look for it later .
601 if(ual2&&(ual->frame)){
602 if((seglen==1)&&(ual->window==0)){
603 struct tcp_acked *ta;
604 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
605 ta->flags|=TCP_A_ZERO_WINDOW_PROBE;
607 if((seglen>1)&&(ual->window==0)){
608 struct tcp_acked *ta;
609 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
610 ta->flags|=TCP_A_ZERO_WINDOW_VIOLATION;
614 /* check for zero window */
616 struct tcp_acked *ta;
617 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
618 ta->flags|=TCP_A_ZERO_WINDOW;
622 /* store the lists back in our struct */
625 * XXX - if direction == 0, that'll be true for packets
626 * from both sides of the connection, so this won't
629 * That'd be a connection from a given port on a machine
630 * to that same port on the same machine; does that ever
635 tcpd->base_seq1=base_seq;
639 tcpd->base_seq2=base_seq;
643 if(tcp_relative_seq){
644 struct tcp_rel_seq *trs;
645 /* remember relative seq/ack number base for this packet */
646 trs=g_mem_chunk_alloc(tcp_rel_seq_chunk);
647 trs->seq_base=base_seq;
648 trs->ack_base=base_ack;
649 g_hash_table_insert(tcp_rel_seq_table, (void *)pinfo->fd->num, trs);
654 tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree)
656 struct tcp_acked *ta;
660 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, FALSE);
665 item=proto_tree_add_text(parent_tree, tvb, 0, 0, "SEQ/ACK analysis");
666 tree=proto_item_add_subtree(item, ett_tcp_analysis);
668 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
669 data we actually have */
671 proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
672 tvb, 0, 0, ta->frame_acked);
674 if( ta->ts.secs || ta->ts.nsecs ){
675 proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
680 proto_item *flags_item=NULL;
681 proto_tree *flags_tree=NULL;
683 flags_item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, -1, FALSE);
684 flags_tree=proto_item_add_subtree(flags_item, ett_tcp_analysis);
685 if( ta->flags&TCP_A_RETRANSMISSION ){
686 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_retransmission, tvb, 0, 0, "This frame is a (suspected) retransmission");
687 if(check_col(pinfo->cinfo, COL_INFO)){
688 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
691 if( ta->flags&TCP_A_LOST_PACKET ){
692 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_lost_packet, tvb, 0, 0, "A segment before this frame was lost");
693 if(check_col(pinfo->cinfo, COL_INFO)){
694 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Previous segment lost] ");
697 if( ta->flags&TCP_A_ACK_LOST_PACKET ){
698 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_ack_lost_packet, tvb, 0, 0, "This frame ACKs a segment we have not seen (lost?)");
699 if(check_col(pinfo->cinfo, COL_INFO)){
700 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ACKed lost segment] ");
703 if( ta->flags&TCP_A_KEEP_ALIVE ){
704 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_keep_alive, tvb, 0, 0, "This is a TCP keep-alive segment");
705 if(check_col(pinfo->cinfo, COL_INFO)){
706 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
709 if( ta->flags&TCP_A_DUPLICATE_ACK ){
710 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_duplicate_ack, tvb, 0, 0, "This is a TCP duplicate ack");
711 if(check_col(pinfo->cinfo, COL_INFO)){
712 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Duplicate ACK] ");
715 if( ta->flags&TCP_A_ZERO_WINDOW_PROBE ){
716 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window_probe, tvb, 0, 0, "This is a TCP zero-window-probe");
717 if(check_col(pinfo->cinfo, COL_INFO)){
718 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbe] ");
721 if( ta->flags&TCP_A_ZERO_WINDOW ){
722 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window, tvb, 0, 0, "This is a ZeroWindow segment");
723 if(check_col(pinfo->cinfo, COL_INFO)){
724 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindow] ");
727 if( ta->flags&TCP_A_ZERO_WINDOW_VIOLATION ){
728 proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window_violation, tvb, 0, 0, "This is a ZeroWindow violation, attempts to write >1 byte of data to a zero-window");
729 if(check_col(pinfo->cinfo, COL_INFO)){
730 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowViolation] ");
738 /* Do we still need to do this ...remove_all() even though we dont need
739 * to do anything special? The glib docs are not clear on this and
740 * its better safe than sorry
743 free_all_acked(gpointer key_arg _U_, gpointer value _U_, gpointer user_data _U_)
749 tcp_acked_hash(gconstpointer k)
751 guint32 frame = (guint32)k;
756 tcp_acked_equal(gconstpointer k1, gconstpointer k2)
758 guint32 frame1 = (guint32)k1;
759 guint32 frame2 = (guint32)k2;
761 return frame1==frame2;
765 tcp_analyze_seq_init(void)
767 /* first destroy the tables */
768 if( tcp_analyze_acked_table ){
769 g_hash_table_foreach_remove(tcp_analyze_acked_table,
770 free_all_acked, NULL);
771 g_hash_table_destroy(tcp_analyze_acked_table);
772 tcp_analyze_acked_table = NULL;
774 if( tcp_rel_seq_table ){
775 g_hash_table_foreach_remove(tcp_rel_seq_table,
776 free_all_acked, NULL);
777 g_hash_table_destroy(tcp_rel_seq_table);
778 tcp_rel_seq_table = NULL;
782 * Now destroy the chunk from which the conversation table
783 * structures were allocated.
785 if (tcp_analysis_chunk) {
786 g_mem_chunk_destroy(tcp_analysis_chunk);
787 tcp_analysis_chunk = NULL;
789 if (tcp_unacked_chunk) {
790 g_mem_chunk_destroy(tcp_unacked_chunk);
791 tcp_unacked_chunk = NULL;
793 if (tcp_acked_chunk) {
794 g_mem_chunk_destroy(tcp_acked_chunk);
795 tcp_acked_chunk = NULL;
797 if (tcp_rel_seq_chunk) {
798 g_mem_chunk_destroy(tcp_rel_seq_chunk);
799 tcp_rel_seq_chunk = NULL;
803 tcp_analyze_acked_table = g_hash_table_new(tcp_acked_hash,
805 tcp_rel_seq_table = g_hash_table_new(tcp_acked_hash,
807 tcp_analysis_chunk = g_mem_chunk_new("tcp_analysis_chunk",
808 sizeof(struct tcp_analysis),
809 tcp_analysis_count * sizeof(struct tcp_analysis),
811 tcp_unacked_chunk = g_mem_chunk_new("tcp_unacked_chunk",
812 sizeof(struct tcp_unacked),
813 tcp_unacked_count * sizeof(struct tcp_unacked),
815 tcp_acked_chunk = g_mem_chunk_new("tcp_acked_chunk",
816 sizeof(struct tcp_acked),
817 tcp_acked_count * sizeof(struct tcp_acked),
819 if(tcp_relative_seq){
820 tcp_rel_seq_chunk = g_mem_chunk_new("tcp_rel_seq_chunk",
821 sizeof(struct tcp_rel_seq),
822 tcp_rel_seq_count * sizeof(struct tcp_rel_seq),
829 /* **************************************************************************
830 * End of tcp sequence number analysis
831 * **************************************************************************/
836 /* Minimum TCP header length. */
837 #define TCPH_MIN_LEN 20
843 #define TCPOPT_NOP 1 /* Padding */
844 #define TCPOPT_EOL 0 /* End of options */
845 #define TCPOPT_MSS 2 /* Segment size negotiating */
846 #define TCPOPT_WINDOW 3 /* Window scaling */
847 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
848 #define TCPOPT_SACK 5 /* SACK Block */
849 #define TCPOPT_ECHO 6
850 #define TCPOPT_ECHOREPLY 7
851 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
853 #define TCPOPT_CCNEW 12
854 #define TCPOPT_CCECHO 13
855 #define TCPOPT_MD5 19 /* RFC2385 */
861 #define TCPOLEN_MSS 4
862 #define TCPOLEN_WINDOW 3
863 #define TCPOLEN_SACK_PERM 2
864 #define TCPOLEN_SACK_MIN 2
865 #define TCPOLEN_ECHO 6
866 #define TCPOLEN_ECHOREPLY 6
867 #define TCPOLEN_TIMESTAMP 10
869 #define TCPOLEN_CCNEW 6
870 #define TCPOLEN_CCECHO 6
871 #define TCPOLEN_MD5 18
875 /* Desegmentation of TCP streams */
876 /* table to hold defragmented TCP streams */
877 static GHashTable *tcp_fragment_table = NULL;
879 tcp_fragment_init(void)
881 fragment_table_init(&tcp_fragment_table);
884 /* functions to trace tcp segments */
885 /* Enable desegmenting of TCP streams */
886 static gboolean tcp_desegment = FALSE;
888 static GHashTable *tcp_segment_table = NULL;
889 static GMemChunk *tcp_segment_key_chunk = NULL;
890 static int tcp_segment_init_count = 200;
891 static GMemChunk *tcp_segment_address_chunk = NULL;
892 static int tcp_segment_address_init_count = 500;
894 typedef struct _tcp_segment_key {
895 /* for own bookkeeping inside packet-tcp.c */
908 free_all_segments(gpointer key_arg, gpointer value _U_, gpointer user_data _U_)
910 tcp_segment_key *key = key_arg;
912 if((key->src)&&(key->src->data)){
913 g_free((gpointer)key->src->data);
917 if((key->dst)&&(key->dst->data)){
918 g_free((gpointer)key->dst->data);
926 tcp_segment_hash(gconstpointer k)
928 const tcp_segment_key *key = (const tcp_segment_key *)k;
930 return key->seq+key->sport;
934 tcp_segment_equal(gconstpointer k1, gconstpointer k2)
936 const tcp_segment_key *key1 = (const tcp_segment_key *)k1;
937 const tcp_segment_key *key2 = (const tcp_segment_key *)k2;
939 return ( ( (key1->seq==key2->seq)
940 &&(ADDRESSES_EQUAL(key1->src, key2->src))
941 &&(ADDRESSES_EQUAL(key1->dst, key2->dst))
942 &&(key1->sport==key2->sport)
943 &&(key1->dport==key2->dport)
948 tcp_desegment_init(void)
951 * Free this before freeing any memory chunks; those
952 * chunks contain data we'll look at in "free_all_segments()".
954 if(tcp_segment_table){
955 g_hash_table_foreach_remove(tcp_segment_table,
956 free_all_segments, NULL);
957 g_hash_table_destroy(tcp_segment_table);
958 tcp_segment_table = NULL;
961 if(tcp_segment_key_chunk){
962 g_mem_chunk_destroy(tcp_segment_key_chunk);
963 tcp_segment_key_chunk = NULL;
965 if(tcp_segment_address_chunk){
966 g_mem_chunk_destroy(tcp_segment_address_chunk);
967 tcp_segment_address_chunk = NULL;
970 /* dont allocate any hash table or memory chunks unless the user
971 really uses this option
977 tcp_segment_table = g_hash_table_new(tcp_segment_hash,
980 tcp_segment_key_chunk = g_mem_chunk_new("tcp_segment_key_chunk",
981 sizeof(tcp_segment_key),
982 tcp_segment_init_count*sizeof(tcp_segment_key),
985 tcp_segment_address_chunk = g_mem_chunk_new("tcp_segment_address_chunk",
987 tcp_segment_address_init_count*sizeof(address),
992 desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
993 guint32 seq, guint32 nxtseq,
994 guint32 sport, guint32 dport,
995 proto_tree *tree, proto_tree *tcp_tree)
997 struct tcpinfo *tcpinfo = pinfo->private_data;
998 fragment_data *ipfd_head=NULL;
999 tcp_segment_key old_tsk, *tsk;
1000 gboolean must_desegment = FALSE;
1001 gboolean called_dissector = FALSE;
1007 * Initialize these to assume no desegmentation.
1008 * If that's not the case, these will be set appropriately
1009 * by the subdissector.
1011 pinfo->desegment_offset = 0;
1012 pinfo->desegment_len = 0;
1015 * Initialize this to assume that this segment will just be
1016 * added to the middle of a desegmented chunk of data, so
1017 * that we should show it all as data.
1018 * If that's not the case, it will be set appropriately.
1020 deseg_offset = offset;
1022 /* First we must check if this TCP segment should be desegmented.
1023 This is only to check if we should desegment this packet,
1024 so we dont spend time doing COPY_ADDRESS/g_free.
1025 We just "borrow" some address structures from pinfo instead. Cheaper.
1027 old_tsk.src = &pinfo->src;
1028 old_tsk.dst = &pinfo->dst;
1029 old_tsk.sport = sport;
1030 old_tsk.dport = dport;
1032 tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
1035 /* OK, this segment was found, which means it continues
1036 a higher-level PDU. This means we must desegment it.
1037 Add it to the defragmentation lists.
1039 ipfd_head = fragment_add(tvb, offset, pinfo, tsk->first_frame,
1041 seq - tsk->start_seq,
1043 (LT_SEQ (nxtseq,tsk->start_seq + tsk->tot_len)) );
1046 /* fragment_add() returned NULL, This means that
1047 desegmentation is not completed yet.
1048 (its like defragmentation but we know we will
1049 always add the segments in order).
1050 XXX - no, we don't; there is no guarantee that
1051 TCP segments are in order on the wire.
1053 we must add next segment to our table so we will
1056 tcp_segment_key *new_tsk;
1058 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1059 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
1060 new_tsk->seq=nxtseq;
1061 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
1064 /* This segment was not found in our table, so it doesn't
1065 contain a continuation of a higher-level PDU.
1066 Call the normal subdissector.
1068 decode_tcp_ports(tvb, offset, pinfo, tree,
1070 called_dissector = TRUE;
1072 /* Did the subdissector ask us to desegment some more data
1073 before it could handle the packet?
1074 If so we have to create some structures in our table but
1075 this is something we only do the first time we see this
1078 if(pinfo->desegment_len) {
1079 if (!pinfo->fd->flags.visited)
1080 must_desegment = TRUE;
1083 * Set "deseg_offset" to the offset in "tvb"
1084 * of the first byte of data that the
1085 * subdissector didn't process.
1087 deseg_offset = offset + pinfo->desegment_offset;
1090 /* Either no desegmentation is necessary, or this is
1091 segment contains the beginning but not the end of
1092 a higher-level PDU and thus isn't completely
1098 /* is it completely desegmented? */
1100 fragment_data *ipfd;
1103 * Yes, we think it is.
1104 * We only call subdissector for the last segment.
1105 * Note that the last segment may include more than what
1108 if(GE_SEQ(nxtseq, tsk->start_seq + tsk->tot_len)){
1110 * OK, this is the last segment.
1111 * Let's call the subdissector with the desegmented
1117 /* create a new TVB structure for desegmented data */
1118 next_tvb = tvb_new_real_data(ipfd_head->data,
1119 ipfd_head->datalen, ipfd_head->datalen);
1121 /* add this tvb as a child to the original one */
1122 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1124 /* add desegmented data to the data source list */
1125 add_new_data_source(pinfo, next_tvb, "Desegmented");
1128 * Supply the sequence number of the first of the
1129 * reassembled bytes.
1131 tcpinfo->seq = tsk->start_seq;
1133 /* indicate that this is reassembled data */
1134 tcpinfo->is_reassembled = TRUE;
1136 /* call subdissector */
1137 decode_tcp_ports(next_tvb, 0, pinfo, tree,
1139 called_dissector = TRUE;
1142 * OK, did the subdissector think it was completely
1143 * desegmented, or does it think we need even more
1146 old_len=(int)(tvb_reported_length(next_tvb)-tvb_reported_length_remaining(tvb, offset));
1147 if(pinfo->desegment_len &&
1148 pinfo->desegment_offset<=old_len){
1149 tcp_segment_key *new_tsk;
1152 * "desegment_len" isn't 0, so it needs more
1153 * data for something - and "desegment_offset"
1154 * is before "old_len", so it needs more data
1155 * to dissect the stuff we thought was
1156 * completely desegmented (as opposed to the
1157 * stuff at the beginning being completely
1158 * desegmented, but the stuff at the end
1159 * being a new higher-level PDU that also
1160 * needs desegmentation).
1162 fragment_set_partial_reassembly(pinfo,tsk->first_frame,tcp_fragment_table);
1163 tsk->tot_len = tvb_reported_length(next_tvb) + pinfo->desegment_len;
1166 * Update tsk structure.
1167 * Can ask ->next->next because at least there's a hdr and one
1168 * entry in fragment_add()
1170 for(ipfd=ipfd_head->next; ipfd->next; ipfd=ipfd->next){
1171 old_tsk.seq = tsk->start_seq + ipfd->offset;
1172 new_tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
1173 new_tsk->tot_len = tsk->tot_len;
1176 /* this is the next segment in the sequence we want */
1177 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1178 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
1179 new_tsk->seq = nxtseq;
1180 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
1183 * Show the stuff in this TCP segment as
1184 * just raw TCP segment data.
1187 tvb_reported_length_remaining(tvb, offset);
1188 proto_tree_add_text(tcp_tree, tvb, offset, -1,
1189 "TCP segment data (%u byte%s)", nbytes,
1190 plurality(nbytes, "", "s"));
1193 * The subdissector thought it was completely
1194 * desegmented (although the stuff at the
1195 * end may, in turn, require desegmentation),
1196 * so we show a tree with all segments.
1198 show_fragment_tree(ipfd_head, &tcp_segment_items,
1199 tcp_tree, pinfo, next_tvb);
1201 /* Did the subdissector ask us to desegment
1202 some more data? This means that the data
1203 at the beginning of this segment completed
1204 a higher-level PDU, but the data at the
1205 end of this segment started a higher-level
1206 PDU but didn't complete it.
1208 If so, we have to create some structures
1209 in our table, but this is something we
1210 only do the first time we see this packet.
1212 if(pinfo->desegment_len) {
1213 if (!pinfo->fd->flags.visited)
1214 must_desegment = TRUE;
1216 /* The stuff we couldn't dissect
1217 must have come from this segment,
1218 so it's all in "tvb".
1220 "pinfo->desegment_offset" is
1221 relative to the beginning of
1222 "next_tvb"; we want an offset
1223 relative to the beginning of "tvb".
1225 First, compute the offset relative
1226 to the *end* of "next_tvb" - i.e.,
1227 the number of bytes before the end
1228 of "next_tvb" at which the
1229 subdissector stopped. That's the
1230 length of "next_tvb" minus the
1231 offset, relative to the beginning
1232 of "next_tvb, at which the
1233 subdissector stopped.
1236 ipfd_head->datalen - pinfo->desegment_offset;
1238 /* "tvb" and "next_tvb" end at the
1239 same byte of data, so the offset
1240 relative to the end of "next_tvb"
1241 of the byte at which we stopped
1242 is also the offset relative to
1243 the end of "tvb" of the byte at
1246 Convert that back into an offset
1247 relative to the beginninng of
1248 "tvb", by taking the length of
1249 "tvb" and subtracting the offset
1250 relative to the end.
1252 deseg_offset=tvb_reported_length(tvb) - deseg_offset;
1258 if (must_desegment) {
1259 tcp_segment_key *tsk, *new_tsk;
1262 * The sequence number at which the stuff to be desegmented
1263 * starts is the sequence number of the byte at an offset
1264 * of "deseg_offset" into "tvb".
1266 * The sequence number of the byte at an offset of "offset"
1267 * is "seq", i.e. the starting sequence number of this
1268 * segment, so the sequence number of the byte at
1269 * "deseg_offset" is "seq + (deseg_offset - offset)".
1271 deseg_seq = seq + (deseg_offset - offset);
1274 * XXX - how do we detect out-of-order transmissions?
1275 * We can't just check for "nxtseq" being greater than
1276 * "tsk->start_seq"; for now, we check for the difference
1277 * being less than a megabyte, but this is a really
1278 * gross hack - we really need to handle out-of-order
1279 * transmissions correctly.
1281 if ((nxtseq - deseg_seq) <= 1024*1024) {
1282 /* OK, subdissector wants us to desegment
1283 some data before it can process it. Add
1284 what remains of this packet and set
1285 up next packet/sequence number as well.
1287 We must remember this segment
1289 tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1290 tsk->src = g_mem_chunk_alloc(tcp_segment_address_chunk);
1291 COPY_ADDRESS(tsk->src, &pinfo->src);
1292 tsk->dst = g_mem_chunk_alloc(tcp_segment_address_chunk);
1293 COPY_ADDRESS(tsk->dst, &pinfo->dst);
1294 tsk->seq = deseg_seq;
1295 tsk->start_seq = tsk->seq;
1296 tsk->tot_len = nxtseq - tsk->start_seq + pinfo->desegment_len;
1297 tsk->first_frame = pinfo->fd->num;
1300 g_hash_table_insert(tcp_segment_table, tsk, tsk);
1302 /* Add portion of segment unprocessed by the subdissector
1303 to defragmentation lists */
1304 fragment_add(tvb, deseg_offset, pinfo, tsk->first_frame,
1306 tsk->seq - tsk->start_seq,
1307 nxtseq - tsk->start_seq,
1308 LT_SEQ (nxtseq, tsk->start_seq + tsk->tot_len));
1310 /* this is the next segment in the sequence we want */
1311 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1312 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
1313 new_tsk->seq = nxtseq;
1314 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
1318 if (!called_dissector || pinfo->desegment_len != 0) {
1320 * Either we didn't call the subdissector at all (i.e.,
1321 * this is a segment that contains the middle of a
1322 * higher-level PDU, but contains neither the beginning
1323 * nor the end), or the subdissector couldn't dissect it
1324 * all, as some data was missing (i.e., it set
1325 * "pinfo->desegment_len" to the amount of additional
1328 if (pinfo->desegment_offset == 0) {
1330 * It couldn't, in fact, dissect any of it (the
1331 * first byte it couldn't dissect is at an offset
1332 * of "pinfo->desegment_offset" from the beginning
1333 * of the payload, and that's 0).
1334 * Just mark this as TCP.
1336 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
1337 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
1339 if (check_col(pinfo->cinfo, COL_INFO)){
1340 col_set_str(pinfo->cinfo, COL_INFO, "[Desegmented TCP]");
1345 * Show what's left in the packet as just raw TCP segment
1347 * XXX - remember what protocol the last subdissector
1348 * was, and report it as a continuation of that, instead?
1350 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
1351 proto_tree_add_text(tcp_tree, tvb, deseg_offset, -1,
1352 "TCP segment data (%u byte%s)", nbytes,
1353 plurality(nbytes, "", "s"));
1355 pinfo->can_desegment=0;
1356 pinfo->desegment_offset = 0;
1357 pinfo->desegment_len = 0;
1361 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
1362 * consists of a fixed-length chunk of data that contains enough information
1363 * to determine the length of the PDU, followed by rest of the PDU.
1365 * The first three arguments are the arguments passed to the dissector
1366 * that calls this routine.
1368 * "proto_desegment" is the dissector's flag controlling whether it should
1369 * desegment PDUs that cross TCP segment boundaries.
1371 * "fixed_len" is the length of the fixed-length part of the PDU.
1373 * "get_pdu_len()" is a routine called to get the length of the PDU from
1374 * the fixed-length part of the PDU; it's passed "tvb" and "offset".
1376 * "dissect_pdu()" is the routine to dissect a PDU.
1379 tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1380 gboolean proto_desegment, guint fixed_len,
1381 guint (*get_pdu_len)(tvbuff_t *, int),
1382 void (*dissect_pdu)(tvbuff_t *, packet_info *, proto_tree *))
1384 volatile int offset = 0;
1386 guint length_remaining;
1391 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1393 * We use "tvb_ensure_length_remaining()" to make sure there actually
1394 * *is* data remaining. The protocol we're handling could conceivably
1395 * consists of a sequence of fixed-length PDUs, and therefore the
1396 * "get_pdu_len" routine might not actually fetch anything from
1397 * the tvbuff, and thus might not cause an exception to be thrown if
1398 * we've run past the end of the tvbuff.
1400 * This means we're guaranteed that "length_remaining" is positive.
1402 length_remaining = tvb_ensure_length_remaining(tvb, offset);
1405 * Can we do reassembly?
1407 if (proto_desegment && pinfo->can_desegment) {
1409 * Yes - is the fixed-length part of the PDU split across segment
1412 if (length_remaining < fixed_len) {
1414 * Yes. Tell the TCP dissector where the data for this message
1415 * starts in the data it handed us, and how many more bytes we
1418 pinfo->desegment_offset = offset;
1419 pinfo->desegment_len = fixed_len - length_remaining;
1425 * Get the length of the PDU.
1427 plen = (*get_pdu_len)(tvb, offset);
1428 if (plen < fixed_len) {
1430 * The PDU length from the fixed-length portion probably didn't
1431 * include the fixed-length portion's length, and was probably so
1432 * large that the total length overflowed.
1434 * Report this as an error.
1436 show_reported_bounds_error(tvb, pinfo, tree);
1441 * Can we do reassembly?
1443 if (proto_desegment && pinfo->can_desegment) {
1445 * Yes - is the PDU split across segment boundaries?
1447 if (length_remaining < plen) {
1449 * Yes. Tell the TCP dissector where the data for this message
1450 * starts in the data it handed us, and how many more bytes we
1453 pinfo->desegment_offset = offset;
1454 pinfo->desegment_len = plen - length_remaining;
1460 * Construct a tvbuff containing the amount of the payload we have
1461 * available. Make its reported length the amount of data in the PDU.
1463 * XXX - if reassembly isn't enabled. the subdissector will throw a
1464 * BoundsError exception, rather than a ReportedBoundsError exception.
1465 * We really want a tvbuff where the length is "length", the reported
1466 * length is "plen", and the "if the snapshot length were infinite"
1467 * length is the minimum of the reported length of the tvbuff handed
1468 * to us and "plen", with a new type of exception thrown if the offset
1469 * is within the reported length but beyond that third length, with
1470 * that exception getting the "Unreassembled Packet" error.
1472 length = length_remaining;
1475 next_tvb = tvb_new_subset(tvb, offset, length, plen);
1480 * Catch the ReportedBoundsError exception; if this particular message
1481 * happens to get a ReportedBoundsError exception, that doesn't mean
1482 * that we should stop dissecting PDUs within this frame or chunk of
1485 * If it gets a BoundsError, we can stop, as there's nothing more to
1486 * see, so we just re-throw it.
1489 (*dissect_pdu)(next_tvb, pinfo, tree);
1491 CATCH(BoundsError) {
1494 CATCH(ReportedBoundsError) {
1495 show_reported_bounds_error(tvb, pinfo, tree);
1500 * Step to the next PDU.
1501 * Make sure we don't overflow.
1503 offset_before = offset;
1505 if (offset <= offset_before)
1511 tcp_info_append_uint(packet_info *pinfo, const char *abbrev, guint32 val)
1513 if (check_col(pinfo->cinfo, COL_INFO))
1514 col_append_fstr(pinfo->cinfo, COL_INFO, " %s=%u", abbrev, val);
1518 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
1519 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1523 mss = tvb_get_ntohs(tvb, offset + 2);
1524 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1525 "%s: %u bytes", optp->name, mss);
1526 tcp_info_append_uint(pinfo, "MSS", mss);
1530 dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
1531 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1535 ws = tvb_get_guint8(tvb, offset + 2);
1536 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1537 "%s: %u (multiply by %u)", optp->name, ws, 1 << ws);
1538 tcp_info_append_uint(pinfo, "WS", ws);
1542 dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
1543 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1545 proto_tree *field_tree = NULL;
1547 guint leftedge, rightedge;
1549 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
1550 offset += 2; /* skip past type and length */
1551 optlen -= 2; /* subtract size of type and length */
1552 while (optlen > 0) {
1553 if (field_tree == NULL) {
1554 /* Haven't yet made a subtree out of this option. Do so. */
1555 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
1558 proto_tree_add_text(field_tree, tvb, offset, optlen,
1559 "(suboption would go past end of option)");
1562 leftedge = tvb_get_ntohl(tvb, offset);
1565 proto_tree_add_text(field_tree, tvb, offset, optlen,
1566 "(suboption would go past end of option)");
1569 /* XXX - check whether it goes past end of packet */
1570 rightedge = tvb_get_ntohl(tvb, offset + 4);
1572 proto_tree_add_text(field_tree, tvb, offset, 8,
1573 "left edge = %u, right edge = %u", leftedge, rightedge);
1574 tcp_info_append_uint(pinfo, "SLE", leftedge);
1575 tcp_info_append_uint(pinfo, "SRE", rightedge);
1581 dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
1582 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1586 echo = tvb_get_ntohl(tvb, offset + 2);
1587 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1588 "%s: %u", optp->name, echo);
1589 tcp_info_append_uint(pinfo, "ECHO", echo);
1593 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
1594 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1598 tsv = tvb_get_ntohl(tvb, offset + 2);
1599 tser = tvb_get_ntohl(tvb, offset + 6);
1600 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1601 "%s: tsval %u, tsecr %u", optp->name, tsv, tser);
1602 tcp_info_append_uint(pinfo, "TSV", tsv);
1603 tcp_info_append_uint(pinfo, "TSER", tser);
1607 dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
1608 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1612 cc = tvb_get_ntohl(tvb, offset + 2);
1613 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1614 "%s: %u", optp->name, cc);
1615 tcp_info_append_uint(pinfo, "CC", cc);
1618 static const ip_tcp_opt tcpopts[] = {
1637 "Maximum segment size",
1641 dissect_tcpopt_maxseg
1649 dissect_tcpopt_wscale
1662 &ett_tcp_option_sack,
1689 dissect_tcpopt_timestamp
1717 "TCP MD5 signature",
1725 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
1727 /* Determine if there is a sub-dissector and call it. This has been */
1728 /* separated into a stand alone routine to other protocol dissectors */
1729 /* can call to it, ie. socks */
1732 decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
1733 proto_tree *tree, int src_port, int dst_port)
1736 int low_port, high_port;
1738 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
1740 /* determine if this packet is part of a conversation and call dissector */
1741 /* for the conversation if available */
1743 if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
1744 src_port, dst_port, next_tvb, pinfo, tree))
1747 /* Do lookups with the subdissector table.
1748 We try the port number with the lower value first, followed by the
1749 port number with the higher value. This means that, for packets
1750 where a dissector is registered for *both* port numbers:
1752 1) we pick the same dissector for traffic going in both directions;
1754 2) we prefer the port number that's more likely to be the right
1755 one (as that prefers well-known ports to reserved ports);
1757 although there is, of course, no guarantee that any such strategy
1758 will always pick the right port number.
1760 XXX - we ignore port numbers of 0, as some dissectors use a port
1761 number of 0 to disable the port. */
1762 if (src_port > dst_port) {
1763 low_port = dst_port;
1764 high_port = src_port;
1766 low_port = src_port;
1767 high_port = dst_port;
1769 if (low_port != 0 &&
1770 dissector_try_port(subdissector_table, low_port, next_tvb, pinfo, tree))
1772 if (high_port != 0 &&
1773 dissector_try_port(subdissector_table, high_port, next_tvb, pinfo, tree))
1776 /* do lookup with the heuristic subdissector table */
1777 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
1780 /* Oh, well, we don't know this; dissect it as data. */
1781 call_dissector(data_handle,next_tvb, pinfo, tree);
1786 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1788 guint8 th_off_x2; /* combines th_off and th_x2 */
1791 proto_tree *tcp_tree = NULL, *field_tree = NULL;
1792 proto_item *ti = NULL, *tf;
1794 gchar flags[64] = "<None>";
1795 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
1804 guint16 computed_cksum;
1805 guint length_remaining;
1806 gboolean desegment_ok;
1807 struct tcpinfo tcpinfo;
1808 gboolean save_fragmented;
1809 static struct tcpheader tcphstruct[4], *tcph;
1810 static int tcph_count=0;
1816 tcph=&tcphstruct[tcph_count];
1819 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1820 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
1822 /* Clear out the Info column. */
1823 if (check_col(pinfo->cinfo, COL_INFO))
1824 col_clear(pinfo->cinfo, COL_INFO);
1826 tcph->th_sport = tvb_get_ntohs(tvb, offset);
1827 tcph->th_dport = tvb_get_ntohs(tvb, offset + 2);
1828 if (check_col(pinfo->cinfo, COL_INFO)) {
1829 col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
1830 get_tcp_port(tcph->th_sport), get_tcp_port(tcph->th_dport));
1833 if (tcp_summary_in_tree) {
1834 ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
1835 "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
1836 get_tcp_port(tcph->th_sport), tcph->th_sport,
1837 get_tcp_port(tcph->th_dport), tcph->th_dport);
1840 ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
1842 tcp_tree = proto_item_add_subtree(ti, ett_tcp);
1843 proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, tcph->th_sport,
1844 "Source port: %s (%u)", get_tcp_port(tcph->th_sport), tcph->th_sport);
1845 proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, tcph->th_dport,
1846 "Destination port: %s (%u)", get_tcp_port(tcph->th_dport), tcph->th_dport);
1847 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, tcph->th_sport);
1848 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, tcph->th_dport);
1851 /* Set the source and destination port numbers as soon as we get them,
1852 so that they're available to the "Follow TCP Stream" code even if
1853 we throw an exception dissecting the rest of the TCP header. */
1854 pinfo->ptype = PT_TCP;
1855 pinfo->srcport = tcph->th_sport;
1856 pinfo->destport = tcph->th_dport;
1858 tcph->th_seq = tvb_get_ntohl(tvb, offset + 4);
1859 tcph->th_ack = tvb_get_ntohl(tvb, offset + 8);
1860 th_off_x2 = tvb_get_guint8(tvb, offset + 12);
1861 tcph->th_flags = tvb_get_guint8(tvb, offset + 13);
1862 tcph->th_win = tvb_get_ntohs(tvb, offset + 14);
1863 tcph->th_hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
1865 reported_len = tvb_reported_length(tvb);
1866 len = tvb_length(tvb);
1868 /* Compute the length of data in this segment. */
1869 tcph->th_seglen = reported_len - tcph->th_hlen;
1871 if (tree) { /* Add the seglen as an invisible field */
1873 proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, tcph->th_seglen);
1877 /* handle TCP seq# analysis parse all new segments we see */
1878 if(tcp_analyze_seq){
1879 if(!(pinfo->fd->flags.visited)){
1880 tcp_analyze_sequence_number(pinfo, tcph->th_seq, tcph->th_ack, tcph->th_seglen, tcph->th_flags, tcph->th_win);
1882 if(tcp_relative_seq){
1883 tcp_get_relative_seq_ack(pinfo->fd->num, &(tcph->th_seq), &(tcph->th_ack));
1888 /* Compute the sequence number of next octet after this segment. */
1889 nxtseq = tcph->th_seq + tcph->th_seglen;
1891 if (check_col(pinfo->cinfo, COL_INFO) || tree) {
1892 for (i = 0; i < 8; i++) {
1894 if (tcph->th_flags & bpos) {
1896 strcpy(&flags[fpos], ", ");
1899 strcpy(&flags[fpos], fstr[i]);
1906 if (check_col(pinfo->cinfo, COL_INFO)) {
1907 col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u Ack=%u Win=%u",
1908 flags, tcph->th_seq, tcph->th_ack, tcph->th_win);
1912 if (tcp_summary_in_tree)
1913 proto_item_append_text(ti, ", Seq: %u", tcph->th_seq);
1914 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq);
1917 if (tcph->th_hlen < TCPH_MIN_LEN) {
1918 /* Give up at this point; we put the source and destination port in
1919 the tree, before fetching the header length, so that they'll
1920 show up if this is in the failing packet in an ICMP error packet,
1921 but it's now time to give up if the header length is bogus. */
1922 if (check_col(pinfo->cinfo, COL_INFO))
1923 col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
1924 tcph->th_hlen, TCPH_MIN_LEN);
1926 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
1927 "Header length: %u bytes (bogus, must be at least %u)", tcph->th_hlen,
1934 if (tcp_summary_in_tree)
1935 proto_item_append_text(ti, ", Ack: %u, Len: %u", tcph->th_ack, tcph->th_seglen);
1936 proto_item_set_len(ti, tcph->th_hlen);
1937 if (nxtseq != tcph->th_seq)
1938 proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
1939 if (tcph->th_flags & TH_ACK)
1940 proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack);
1941 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
1942 "Header length: %u bytes", tcph->th_hlen);
1943 tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
1944 tcph->th_flags, "Flags: 0x%04x (%s)", tcph->th_flags, flags);
1945 field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
1946 proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, tcph->th_flags);
1947 proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, tcph->th_flags);
1948 proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, tcph->th_flags);
1949 proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, tcph->th_flags);
1950 proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, tcph->th_flags);
1951 proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
1952 proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
1953 proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
1954 proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win);
1957 /* Supply the sequence number of the first byte. */
1958 tcpinfo.seq = tcph->th_seq;
1960 /* Assume we'll pass un-reassembled data to subdissectors. */
1961 tcpinfo.is_reassembled = FALSE;
1963 pinfo->private_data = &tcpinfo;
1966 * Assume, initially, that we can't desegment.
1968 pinfo->can_desegment = 0;
1970 th_sum = tvb_get_ntohs(tvb, offset + 16);
1971 if (!pinfo->fragmented && len >= reported_len) {
1972 /* The packet isn't part of an un-reassembled fragmented datagram
1973 and isn't truncated. This means we have all the data, and thus
1974 can checksum it and, unless it's being returned in an error
1975 packet, are willing to allow subdissectors to request reassembly
1978 if (tcp_check_checksum) {
1979 /* We haven't turned checksum checking off; checksum it. */
1981 /* Set up the fields of the pseudo-header. */
1982 cksum_vec[0].ptr = pinfo->src.data;
1983 cksum_vec[0].len = pinfo->src.len;
1984 cksum_vec[1].ptr = pinfo->dst.data;
1985 cksum_vec[1].len = pinfo->dst.len;
1986 cksum_vec[2].ptr = (const guint8 *)&phdr;
1987 switch (pinfo->src.type) {
1990 phdr[0] = g_htonl((IP_PROTO_TCP<<16) + reported_len);
1991 cksum_vec[2].len = 4;
1995 phdr[0] = g_htonl(reported_len);
1996 phdr[1] = g_htonl(IP_PROTO_TCP);
1997 cksum_vec[2].len = 8;
2001 /* TCP runs only atop IPv4 and IPv6.... */
2002 g_assert_not_reached();
2005 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
2006 cksum_vec[3].len = reported_len;
2007 computed_cksum = in_cksum(&cksum_vec[0], 4);
2008 if (computed_cksum == 0) {
2009 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2010 offset + 16, 2, th_sum, "Checksum: 0x%04x (correct)", th_sum);
2012 /* Checksum is valid, so we're willing to desegment it. */
2013 desegment_ok = TRUE;
2015 proto_tree_add_boolean_hidden(tcp_tree, hf_tcp_checksum_bad, tvb,
2016 offset + 16, 2, TRUE);
2017 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2018 offset + 16, 2, th_sum,
2019 "Checksum: 0x%04x (incorrect, should be 0x%04x)", th_sum,
2020 in_cksum_shouldbe(th_sum, computed_cksum));
2022 /* Checksum is invalid, so we're not willing to desegment it. */
2023 desegment_ok = FALSE;
2026 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2027 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
2029 /* We didn't check the checksum, and don't care if it's valid,
2030 so we're willing to desegment it. */
2031 desegment_ok = TRUE;
2034 /* We don't have all the packet data, so we can't checksum it... */
2035 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
2036 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
2038 /* ...and aren't willing to desegment it. */
2039 desegment_ok = FALSE;
2043 /* We're willing to desegment this. Is desegmentation enabled? */
2044 if (tcp_desegment) {
2045 /* Yes - is this segment being returned in an error packet? */
2046 if (!pinfo->in_error_pkt) {
2047 /* No - indicate that we will desegment.
2048 We do NOT want to desegment segments returned in error
2049 packets, as they're not part of a TCP connection. */
2050 pinfo->can_desegment = 2;
2055 if (tcph->th_flags & TH_URG) {
2056 th_urp = tvb_get_ntohs(tvb, offset + 18);
2057 /* Export the urgent pointer, for the benefit of protocols such as
2059 tcpinfo.urgent = TRUE;
2060 tcpinfo.urgent_pointer = th_urp;
2061 if (check_col(pinfo->cinfo, COL_INFO))
2062 col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
2063 if (tcp_tree != NULL)
2064 proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
2066 tcpinfo.urgent = FALSE;
2068 if (check_col(pinfo->cinfo, COL_INFO))
2069 col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", tcph->th_seglen);
2071 /* Decode TCP options, if any. */
2072 if (tree && tcph->th_hlen > TCPH_MIN_LEN) {
2073 /* There's more than just the fixed-length header. Decode the
2075 optlen = tcph->th_hlen - TCPH_MIN_LEN; /* length of options, in bytes */
2076 tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
2077 "Options: (%u bytes)", optlen);
2078 field_tree = proto_item_add_subtree(tf, ett_tcp_options);
2079 dissect_ip_tcp_options(tvb, offset + 20, optlen,
2080 tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo, field_tree);
2083 /* Skip over header + options */
2084 offset += tcph->th_hlen;
2086 /* Check the packet length to see if there's more data
2087 (it could be an ACK-only packet) */
2088 length_remaining = tvb_length_remaining(tvb, offset);
2090 if( data_out_file ) {
2091 reassemble_tcp( tcph->th_seq, /* sequence number */
2092 tcph->th_seglen, /* data length */
2093 tvb_get_ptr(tvb, offset, length_remaining), /* data */
2094 length_remaining, /* captured data length */
2095 ( tcph->th_flags & TH_SYN ), /* is syn set? */
2102 if (length_remaining != 0) {
2103 if (tcph->th_flags & TH_RST) {
2107 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
2109 * A TCP SHOULD allow a received RST segment to include data.
2112 * It has been suggested that a RST segment could contain
2113 * ASCII text that encoded and explained the cause of the
2114 * RST. No standard has yet been established for such
2117 * so for segments with RST we just display the data as text.
2119 proto_tree_add_text(tcp_tree, tvb, offset, length_remaining,
2121 tvb_format_text(tvb, offset, length_remaining));
2123 /* Can we desegment this segment? */
2124 if (pinfo->can_desegment) {
2126 desegment_tcp(tvb, pinfo, offset, tcph->th_seq, nxtseq, tcph->th_sport, tcph->th_dport, tree, tcp_tree);
2128 /* No - just call the subdissector.
2129 Mark this as fragmented, so if somebody throws an exception,
2130 we don't report it as a malformed frame. */
2131 save_fragmented = pinfo->fragmented;
2132 pinfo->fragmented = TRUE;
2133 decode_tcp_ports(tvb, offset, pinfo, tree, tcph->th_sport, tcph->th_dport);
2134 pinfo->fragmented = save_fragmented;
2139 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
2140 if(tcp_analyze_seq){
2141 tcp_print_sequence_number_analysis(pinfo, tvb, tcp_tree);
2143 tap_queue_packet(tcp_tap, pinfo, tcph);
2147 proto_register_tcp(void)
2149 static hf_register_info hf[] = {
2152 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
2156 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
2160 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
2164 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
2168 { "Next sequence number", "tcp.nxtseq", FT_UINT32, BASE_DEC, NULL, 0x0,
2172 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
2176 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
2180 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
2183 { &hf_tcp_flags_cwr,
2184 { "Congestion Window Reduced (CWR)", "tcp.flags.cwr", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_CWR,
2187 { &hf_tcp_flags_ecn,
2188 { "ECN-Echo", "tcp.flags.ecn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ECN,
2191 { &hf_tcp_flags_urg,
2192 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
2195 { &hf_tcp_flags_ack,
2196 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
2199 { &hf_tcp_flags_push,
2200 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
2203 { &hf_tcp_flags_reset,
2204 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
2207 { &hf_tcp_flags_syn,
2208 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
2211 { &hf_tcp_flags_fin,
2212 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
2215 { &hf_tcp_window_size,
2216 { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
2220 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
2223 { &hf_tcp_checksum_bad,
2224 { "Bad Checksum", "tcp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2227 { &hf_tcp_analysis_flags,
2228 { "TCP Analysis Flags", "tcp.analysis.flags", FT_NONE, BASE_NONE, NULL, 0x0,
2229 "This frame has some of the TCP analysis flags set", HFILL }},
2231 { &hf_tcp_analysis_retransmission,
2232 { "Retransmission", "tcp.analysis.retransmission", FT_NONE, BASE_NONE, NULL, 0x0,
2233 "This frame is a suspected TCP retransmission", HFILL }},
2235 { &hf_tcp_analysis_lost_packet,
2236 { "Previous Segment Lost", "tcp.analysis.lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
2237 "A segment before this one was lost from the capture", HFILL }},
2239 { &hf_tcp_analysis_ack_lost_packet,
2240 { "ACKed Lost Packet", "tcp.analysis.ack_lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
2241 "This frame ACKs a lost segment", HFILL }},
2243 { &hf_tcp_analysis_keep_alive,
2244 { "Keep Alive", "tcp.analysis.keep_alive", FT_NONE, BASE_NONE, NULL, 0x0,
2245 "This is a keep-alive segment", HFILL }},
2247 { &hf_tcp_analysis_duplicate_ack,
2248 { "Duplicate ACK", "tcp.analysis.duplicate_ack", FT_NONE, BASE_NONE, NULL, 0x0,
2249 "This is a duplicate ACK", HFILL }},
2251 { &hf_tcp_analysis_zero_window_violation,
2252 { "Zero Window Violation", "tcp.analysis.zero_window_violation", FT_NONE, BASE_NONE, NULL, 0x0,
2253 "This is a zero-window violation, an attempt to write >1 byte to a zero-window", HFILL }},
2255 { &hf_tcp_analysis_zero_window_probe,
2256 { "Zero Window Probe", "tcp.analysis.zero_window_probe", FT_NONE, BASE_NONE, NULL, 0x0,
2257 "This is a zero-window-probe", HFILL }},
2259 { &hf_tcp_analysis_zero_window,
2260 { "Zero Window", "tcp.analysis.zero_window", FT_NONE, BASE_NONE, NULL, 0x0,
2261 "This is a Zero-Window", HFILL }},
2264 { "TCP Segment Len", "tcp.len", FT_UINT32, BASE_DEC, NULL, 0x0,
2267 { &hf_tcp_analysis_acks_frame,
2268 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_UINT32, BASE_DEC, NULL, 0x0,
2269 "Which previous segment is this an ACK for", HFILL}},
2271 { &hf_tcp_analysis_ack_rtt,
2272 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
2273 "How long time it took to ACK the segment (RTT)", HFILL}},
2275 { &hf_tcp_urgent_pointer,
2276 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
2279 { &hf_tcp_segment_overlap,
2280 { "Segment overlap", "tcp.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2281 "Segment overlaps with other segments", HFILL }},
2283 { &hf_tcp_segment_overlap_conflict,
2284 { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2285 "Overlapping segments contained conflicting data", HFILL }},
2287 { &hf_tcp_segment_multiple_tails,
2288 { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2289 "Several tails were found when desegmenting the pdu", HFILL }},
2291 { &hf_tcp_segment_too_long_fragment,
2292 { "Segment too long", "tcp.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2293 "Segment contained data past end of the pdu", HFILL }},
2295 { &hf_tcp_segment_error,
2296 { "Desegmentation error", "tcp.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
2297 "Desegmentation error due to illegal segments", HFILL }},
2300 { "TCP Segment", "tcp.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
2301 "TCP Segment", HFILL }},
2304 { "TCP Segments", "tcp.segments", FT_NONE, BASE_NONE, NULL, 0x0,
2305 "TCP Segments", HFILL }},
2307 static gint *ett[] = {
2311 &ett_tcp_option_sack,
2312 &ett_tcp_analysis_faults,
2317 module_t *tcp_module;
2319 proto_tcp = proto_register_protocol("Transmission Control Protocol",
2321 proto_register_field_array(proto_tcp, hf, array_length(hf));
2322 proto_register_subtree_array(ett, array_length(ett));
2324 /* subdissector code */
2325 subdissector_table = register_dissector_table("tcp.port",
2326 "TCP port", FT_UINT16, BASE_DEC);
2327 register_heur_dissector_list("tcp", &heur_subdissector_list);
2329 /* Register configuration preferences */
2330 tcp_module = prefs_register_protocol(proto_tcp, NULL);
2331 prefs_register_bool_preference(tcp_module, "summary_in_tree",
2332 "Show TCP summary in protocol tree",
2333 "Whether the TCP summary line should be shown in the protocol tree",
2334 &tcp_summary_in_tree);
2335 prefs_register_bool_preference(tcp_module, "check_checksum",
2336 "Check the validity of the TCP checksum when possible",
2337 "Whether to check the validity of the TCP checksum",
2338 &tcp_check_checksum);
2339 prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
2340 "Allow subdissector to desegment TCP streams",
2341 "Whether subdissector can request TCP streams to be desegmented",
2343 prefs_register_bool_preference(tcp_module, "analyze_sequence_numbers",
2344 "Analyze TCP sequence numbers",
2345 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
2347 prefs_register_bool_preference(tcp_module, "relative_sequence_numbers",
2348 "Use relative sequence numbers",
2349 "Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable \"Analyze TCP sequence numbers\".",
2352 register_init_routine(tcp_analyze_seq_init);
2353 register_init_routine(tcp_desegment_init);
2354 register_init_routine(tcp_fragment_init);
2358 proto_reg_handoff_tcp(void)
2360 dissector_handle_t tcp_handle;
2362 tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
2363 dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
2364 data_handle = find_dissector("data");
2365 tcp_tap = register_tap("tcp");