2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.42 1999/11/11 23:13:43 nneul Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
45 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifndef __PACKET_IP_H__
55 #include "packet-ip.h"
58 extern FILE* data_out_file;
60 static gchar info_str[COL_MAX_LEN];
63 static int proto_tcp = -1;
64 static int hf_tcp_srcport = -1;
65 static int hf_tcp_dstport = -1;
66 static int hf_tcp_port = -1;
67 static int hf_tcp_seq = -1;
68 static int hf_tcp_ack = -1;
69 static int hf_tcp_hdr_len = -1;
70 static int hf_tcp_flags = -1;
71 static int hf_tcp_flags_urg = -1;
72 static int hf_tcp_flags_ack = -1;
73 static int hf_tcp_flags_push = -1;
74 static int hf_tcp_flags_reset = -1;
75 static int hf_tcp_flags_syn = -1;
76 static int hf_tcp_flags_fin = -1;
77 static int hf_tcp_window_size = -1;
78 static int hf_tcp_checksum = -1;
79 static int hf_tcp_urgent_pointer = -1;
83 #define TCP_PORT_FTPDATA 20
84 #define TCP_PORT_FTP 21
85 #define TCP_PORT_TELNET 23
86 #define TCP_PORT_SMTP 25
87 #define TCP_PORT_HTTP 80
88 #define TCP_PORT_POP 110
89 #define TCP_PORT_NNTP 119
90 #define TCP_PORT_NTP 123
91 #define TCP_PORT_NBSS 139
92 #define TCP_PORT_IMAP 143
93 #define TCP_PORT_BGP 179
94 #define TCP_PORT_PRINTER 515
95 #define TCP_ALT_PORT_HTTP 8080
96 #define TCP_PORT_PPTP 1723
97 #define TCP_PORT_RTSP 554
98 #define TCP_PORT_YHOO 5050
99 #define TCP_PORT_MAPI 1065
101 /* TCP structs and definitions */
103 typedef struct _e_tcphdr {
108 guint8 th_off_x2; /* combines th_off and th_x2 */
125 #define TCPOPT_NOP 1 /* Padding */
126 #define TCPOPT_EOL 0 /* End of options */
127 #define TCPOPT_MSS 2 /* Segment size negotiating */
128 #define TCPOPT_WINDOW 3 /* Window scaling */
129 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
130 #define TCPOPT_SACK 5 /* SACK Block */
131 #define TCPOPT_ECHO 6
132 #define TCPOPT_ECHOREPLY 7
133 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
135 #define TCPOPT_CCNEW 12
136 #define TCPOPT_CCECHO 13
142 #define TCPOLEN_MSS 4
143 #define TCPOLEN_WINDOW 3
144 #define TCPOLEN_SACK_PERM 2
145 #define TCPOLEN_SACK_MIN 2
146 #define TCPOLEN_ECHO 6
147 #define TCPOLEN_ECHOREPLY 6
148 #define TCPOLEN_TIMESTAMP 10
150 #define TCPOLEN_CCNEW 6
151 #define TCPOLEN_CCECHO 6
154 tcp_info_append_uint(const char *abbrev, guint32 val) {
159 add_len = snprintf(&info_str[info_len], COL_MAX_LEN - info_len, " %s=%u",
166 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, const u_char *opd,
167 int offset, guint optlen, proto_tree *opt_tree)
169 proto_tree_add_text(opt_tree, offset, optlen,
170 "%s: %u bytes", optp->name, pntohs(opd));
171 tcp_info_append_uint("MSS", pntohs(opd));
175 dissect_tcpopt_wscale(const ip_tcp_opt *optp, const u_char *opd,
176 int offset, guint optlen, proto_tree *opt_tree)
178 proto_tree_add_text(opt_tree, offset, optlen,
179 "%s: %u bytes", optp->name, *opd);
180 tcp_info_append_uint("WS", *opd);
184 dissect_tcpopt_sack(const ip_tcp_opt *optp, const u_char *opd,
185 int offset, guint optlen, proto_tree *opt_tree)
187 proto_tree *field_tree = NULL;
189 guint leftedge, rightedge;
191 tf = proto_tree_add_text(opt_tree, offset, optlen, "%s:", optp->name);
192 offset += 2; /* skip past type and length */
193 optlen -= 2; /* subtract size of type and length */
195 if (field_tree == NULL) {
196 /* Haven't yet made a subtree out of this option. Do so. */
197 field_tree = proto_item_add_subtree(tf, optp->subtree_index);
200 proto_tree_add_text(field_tree, offset, optlen,
201 "(suboption would go past end of option)");
204 /* XXX - check whether it goes past end of packet */
205 leftedge = pntohl(opd);
209 proto_tree_add_text(field_tree, offset, optlen,
210 "(suboption would go past end of option)");
213 /* XXX - check whether it goes past end of packet */
214 rightedge = pntohl(opd);
217 proto_tree_add_text(field_tree, offset, 8,
218 "left edge = %u, right edge = %u", leftedge, rightedge);
219 tcp_info_append_uint("SLE", leftedge);
220 tcp_info_append_uint("SRE", rightedge);
226 dissect_tcpopt_echo(const ip_tcp_opt *optp, const u_char *opd,
227 int offset, guint optlen, proto_tree *opt_tree)
229 proto_tree_add_text(opt_tree, offset, optlen,
230 "%s: %u", optp->name, pntohl(opd));
231 tcp_info_append_uint("ECHO", pntohl(opd));
235 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, const u_char *opd,
236 int offset, guint optlen, proto_tree *opt_tree)
238 proto_tree_add_text(opt_tree, offset, optlen,
239 "%s: tsval %u, tsecr %u", optp->name, pntohl(opd), pntohl(opd + 4));
240 tcp_info_append_uint("TSV", pntohl(opd));
241 tcp_info_append_uint("TSER", pntohl(opd + 4));
245 dissect_tcpopt_cc(const ip_tcp_opt *optp, const u_char *opd,
246 int offset, guint optlen, proto_tree *opt_tree)
248 proto_tree_add_text(opt_tree, offset, optlen,
249 "%s: %u", optp->name, pntohl(opd));
250 tcp_info_append_uint("CC", pntohl(opd));
253 static const ip_tcp_opt tcpopts[] = {
272 "Maximum segment size",
276 dissect_tcpopt_maxseg
284 dissect_tcpopt_wscale
324 dissect_tcpopt_timestamp
352 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
355 static const true_false_string flags_set_truth = {
361 dissect_tcp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
363 proto_tree *tcp_tree = NULL, *field_tree = NULL;
365 gchar flags[64] = "<None>";
366 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"};
371 guint packet_max = pi.len;
373 /* To do: Check for {cap len,pkt len} < struct len */
374 /* Avoids alignment problems on many architectures. */
375 memcpy(&th, &pd[offset], sizeof(e_tcphdr));
376 th.th_sport = ntohs(th.th_sport);
377 th.th_dport = ntohs(th.th_dport);
378 th.th_win = ntohs(th.th_win);
379 th.th_sum = ntohs(th.th_sum);
380 th.th_urp = ntohs(th.th_urp);
381 th.th_seq = ntohl(th.th_seq);
382 th.th_ack = ntohl(th.th_ack);
386 if (check_col(fd, COL_PROTOCOL) || tree) {
387 for (i = 0; i < 6; i++) {
389 if (th.th_flags & bpos) {
391 strcpy(&flags[fpos], ", ");
394 strcpy(&flags[fpos], fstr[i]);
401 hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
403 if (check_col(fd, COL_PROTOCOL))
404 col_add_str(fd, COL_PROTOCOL, "TCP");
405 if (check_col(fd, COL_INFO)) {
406 /* Copy the data into info_str in case one of the option handling
407 routines needs to append to it. */
408 if (th.th_flags & TH_URG)
409 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u",
410 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
411 th.th_seq, th.th_ack, th.th_win, th.th_urp);
413 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u",
414 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
415 th.th_seq, th.th_ack, th.th_win);
416 /* The info column is actually written after the options are decoded */
420 ti = proto_tree_add_item(tree, proto_tcp, offset, hlen, NULL);
421 tcp_tree = proto_item_add_subtree(ti, ETT_TCP);
422 proto_tree_add_item_format(tcp_tree, hf_tcp_srcport, offset, 2, th.th_sport,
423 "Source port: %s (%u)", get_tcp_port(th.th_sport), th.th_sport);
424 proto_tree_add_item_format(tcp_tree, hf_tcp_dstport, offset + 2, 2, th.th_dport,
425 "Destination port: %s (%u)", get_tcp_port(th.th_dport), th.th_dport);
426 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset, 2, th.th_sport);
427 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset + 2, 2, th.th_dport);
428 proto_tree_add_item(tcp_tree, hf_tcp_seq, offset + 4, 4, th.th_seq);
429 if (th.th_flags & TH_ACK)
430 proto_tree_add_item(tcp_tree, hf_tcp_ack, offset + 8, 4, th.th_ack);
431 proto_tree_add_item_format(tcp_tree, hf_tcp_hdr_len, offset + 12, 1, hlen,
432 "Header length: %u bytes", hlen);
433 tf = proto_tree_add_item_format(tcp_tree, hf_tcp_flags, offset + 13, 1,
434 th.th_flags, "Flags: 0x%04x (%s)", th.th_flags, flags);
435 field_tree = proto_item_add_subtree(tf, ETT_TCP_FLAGS);
436 proto_tree_add_item(field_tree, hf_tcp_flags_urg, offset + 13, 1, th.th_flags);
437 proto_tree_add_item(field_tree, hf_tcp_flags_ack, offset + 13, 1, th.th_flags);
438 proto_tree_add_item(field_tree, hf_tcp_flags_push, offset + 13, 1, th.th_flags);
439 proto_tree_add_item(field_tree, hf_tcp_flags_reset, offset + 13, 1, th.th_flags);
440 proto_tree_add_item(field_tree, hf_tcp_flags_syn, offset + 13, 1, th.th_flags);
441 proto_tree_add_item(field_tree, hf_tcp_flags_fin, offset + 13, 1, th.th_flags);
442 proto_tree_add_item(tcp_tree, hf_tcp_window_size, offset + 14, 2, th.th_win);
443 proto_tree_add_item(tcp_tree, hf_tcp_checksum, offset + 16, 2, th.th_sum);
444 if (th.th_flags & TH_URG)
445 proto_tree_add_item(tcp_tree, hf_tcp_urgent_pointer, offset + 18, 2, th.th_urp);
448 /* Decode TCP options, if any. */
449 if (tree && hlen > sizeof (e_tcphdr)) {
450 /* There's more than just the fixed-length header. Decode the
452 optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
453 tf = proto_tree_add_text(tcp_tree, offset + 20, optlen,
454 "Options: (%d bytes)", optlen);
455 field_tree = proto_item_add_subtree(tf, ETT_TCP_OPTIONS);
456 dissect_ip_tcp_options(&pd[offset + 20], offset + 20, optlen,
457 tcpopts, N_TCP_OPTS, TCPOPT_EOL, field_tree);
460 if (check_col(fd, COL_INFO))
461 col_add_str(fd, COL_INFO, info_str);
463 /* Skip over header + options */
467 pi.srcport = th.th_sport;
468 pi.destport = th.th_dport;
470 /* Check the packet length to see if there's more data
471 (it could be an ACK-only packet) */
472 if (packet_max > offset) {
473 /* XXX - this should be handled the way UDP handles this, with a table
474 of port numbers to which stuff can be added */
475 #define PORT_IS(port) (th.th_sport == port || th.th_dport == port)
476 if (PORT_IS(TCP_PORT_PRINTER))
477 dissect_lpd(pd, offset, fd, tree);
478 else if (PORT_IS(TCP_PORT_TELNET)) {
479 pi.match_port = TCP_PORT_TELNET;
480 dissect_telnet(pd, offset, fd, tree);
481 } else if (PORT_IS(TCP_PORT_FTPDATA)) {
482 pi.match_port = TCP_PORT_FTPDATA;
483 dissect_ftpdata(pd, offset, fd, tree);
484 } else if (PORT_IS(TCP_PORT_FTP)) {
485 pi.match_port = TCP_PORT_FTP;
486 dissect_ftp(pd, offset, fd, tree);
487 } else if (PORT_IS(TCP_PORT_POP)) {
488 pi.match_port = TCP_PORT_POP;
489 dissect_pop(pd, offset, fd, tree);
490 } else if (PORT_IS(TCP_PORT_IMAP)) {
491 pi.match_port = TCP_PORT_IMAP;
492 dissect_imap(pd, offset, fd, tree);
493 } else if (PORT_IS(TCP_PORT_NNTP)) {
494 pi.match_port = TCP_PORT_NNTP;
495 dissect_nntp(pd, offset, fd, tree);
496 } else if (PORT_IS(TCP_PORT_NTP)) {
497 pi.match_port = TCP_PORT_NTP;
498 dissect_ntp(pd, offset, fd, tree);
499 } else if (PORT_IS(TCP_PORT_PPTP)) {
500 pi.match_port = TCP_PORT_PPTP;
501 dissect_pptp(pd, offset, fd, tree);
502 } else if (PORT_IS(TCP_PORT_HTTP) || PORT_IS(TCP_ALT_PORT_HTTP)
504 dissect_http(pd, offset, fd, tree);
505 else if (PORT_IS(TCP_PORT_NBSS)) {
506 pi.match_port = TCP_PORT_NBSS;
507 dissect_nbss(pd, offset, fd, tree);
508 } else if (PORT_IS(TCP_PORT_RTSP))
509 dissect_rtsp(pd, offset, fd, tree);
510 else if (PORT_IS(TCP_PORT_BGP)) {
511 pi.match_port = TCP_PORT_BGP;
512 dissect_bgp(pd, offset, fd, tree);
513 } else if (PORT_IS(TCP_PORT_MAPI)) {
514 pi.match_port = TCP_PORT_MAPI;
515 dissect_mapi(pd, offset, fd, tree);
517 /* check existence of high level protocols */
519 if (memcmp(&pd[offset], "GIOP", 4) == 0) {
520 dissect_giop(pd, offset, fd, tree);
522 else if ( PORT_IS(TCP_PORT_YHOO) &&
523 (memcmp(&pd[offset], "YPNS", 4) == 0 ||
524 memcmp(&pd[offset], "YHOO", 4) == 0 )) {
525 dissect_yhoo(pd, offset, fd, tree);
528 dissect_data(pd, offset, fd, tree);
533 if( data_out_file ) {
534 reassemble_tcp( th.th_seq, /* sequence number */
535 ( pi.len - offset ), /* data length */
536 ( pd+offset ), /* data */
537 ( pi.captured_len - offset ), /* captured data length */
538 ( th.th_flags & TH_SYN ), /* is syn set? */
547 proto_register_tcp(void)
549 static hf_register_info hf[] = {
552 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
556 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
560 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
564 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
568 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
572 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
576 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
580 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
584 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
587 { &hf_tcp_flags_push,
588 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
591 { &hf_tcp_flags_reset,
592 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
596 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
600 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
603 { &hf_tcp_window_size,
604 { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
608 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
611 { &hf_tcp_urgent_pointer,
612 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
616 proto_tcp = proto_register_protocol ("Transmission Control Protocol", "tcp");
617 proto_register_field_array(proto_tcp, hf, array_length(hf));