/* packet-tcp.c
* Routines for TCP packet disassembly
*
- * $Id: packet-tcp.c,v 1.164 2002/11/02 22:00:17 sahlberg Exp $
+ * $Id: packet-tcp.c,v 1.207 2003/09/18 19:19:51 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
#include <glib.h>
#include "in_cksum.h"
+#include <epan/packet.h>
#include <epan/resolv.h>
#include "ipproto.h"
+#include "ip_opts.h"
#include "follow.h"
#include "prefs.h"
#include "packet-tcp.h"
#include <epan/conversation.h>
#include <epan/strutil.h>
#include "reassemble.h"
+#include "tap.h"
+
+static int tcp_tap = -1;
/* Place TCP summary in proto tree */
static gboolean tcp_summary_in_tree = TRUE;
static int hf_tcp_analysis_lost_packet = -1;
static int hf_tcp_analysis_ack_lost_packet = -1;
static int hf_tcp_analysis_keep_alive = -1;
+static int hf_tcp_analysis_keep_alive_ack = -1;
static int hf_tcp_analysis_duplicate_ack = -1;
+static int hf_tcp_analysis_duplicate_ack_num = -1;
+static int hf_tcp_analysis_duplicate_ack_frame = -1;
static int hf_tcp_analysis_zero_window = -1;
static int hf_tcp_analysis_zero_window_probe = -1;
static int hf_tcp_analysis_zero_window_violation = -1;
+static int hf_tcp_reassembled_in = -1;
+static int hf_tcp_segments = -1;
+static int hf_tcp_segment = -1;
+static int hf_tcp_segment_overlap = -1;
+static int hf_tcp_segment_overlap_conflict = -1;
+static int hf_tcp_segment_multiple_tails = -1;
+static int hf_tcp_segment_too_long_fragment = -1;
+static int hf_tcp_segment_error = -1;
+static int hf_tcp_option_mss = -1;
+static int hf_tcp_option_mss_val = -1;
+static int hf_tcp_option_wscale = -1;
+static int hf_tcp_option_wscale_val = -1;
+static int hf_tcp_option_sack_perm = -1;
+static int hf_tcp_option_sack = -1;
+static int hf_tcp_option_sack_sle = -1;
+static int hf_tcp_option_sack_sre = -1;
+static int hf_tcp_option_echo = -1;
+static int hf_tcp_option_echo_reply = -1;
+static int hf_tcp_option_time_stamp = -1;
+static int hf_tcp_option_cc = -1;
+static int hf_tcp_option_ccnew = -1;
+static int hf_tcp_option_ccecho = -1;
+static int hf_tcp_option_md5 = -1;
static gint ett_tcp = -1;
static gint ett_tcp_flags = -1;
static gint ett_tcp_options = -1;
static gint ett_tcp_option_sack = -1;
-static gint ett_tcp_segments = -1;
static gint ett_tcp_analysis = -1;
static gint ett_tcp_analysis_faults = -1;
+static gint ett_tcp_segments = -1;
+static gint ett_tcp_segment = -1;
+
+
+/* not all of the hf_fields below make sense for TCP but we have to provide
+ them anyways to comply with the api (which was aimed for ip fragment
+ reassembly) */
+static const fragment_items tcp_segment_items = {
+ &ett_tcp_segment,
+ &ett_tcp_segments,
+ &hf_tcp_segments,
+ &hf_tcp_segment,
+ &hf_tcp_segment_overlap,
+ &hf_tcp_segment_overlap_conflict,
+ &hf_tcp_segment_multiple_tails,
+ &hf_tcp_segment_too_long_fragment,
+ &hf_tcp_segment_error,
+ &hf_tcp_reassembled_in,
+ "Segments"
+};
static dissector_table_t subdissector_table;
static heur_dissector_list_t heur_subdissector_list;
/* TCP structs and definitions */
-#define TH_FIN 0x01
-#define TH_SYN 0x02
-#define TH_RST 0x04
-#define TH_PUSH 0x08
-#define TH_ACK 0x10
-#define TH_URG 0x20
-#define TH_ECN 0x40
-#define TH_CWR 0x80
-
-
-
/* **************************************************************************
* stuff to analyze TCP sequencenumbers for retransmissions, missing segments,
/* this is to keep track of zero window and zero window probe */
guint32 window;
+
+ guint32 flags;
};
/* Idea for gt: either x > y, or y is much bigger (assume wrap) */
-#define GT_SEQ(x, y) ((gint32)(y - x) < 0)
-#define LT_SEQ(x, y) ((gint32)(x - y) < 0)
-#define GE_SEQ(x, y) ((gint32)(y - x) <= 0)
-#define LE_SEQ(x, y) ((gint32)(x - y) <= 0)
-#define EQ_SEQ(x, y) (x == y)
+#define GT_SEQ(x, y) ((gint32)((y) - (x)) < 0)
+#define LT_SEQ(x, y) ((gint32)((x) - (y)) < 0)
+#define GE_SEQ(x, y) ((gint32)((y) - (x)) <= 0)
+#define LE_SEQ(x, y) ((gint32)((x) - (y)) <= 0)
+#define EQ_SEQ(x, y) ((x) == (y))
static GMemChunk *tcp_acked_chunk = NULL;
static int tcp_acked_count = 5000; /* one for almost every other segment in the capture */
-#define TCP_A_RETRANSMISSION 0x01
-#define TCP_A_LOST_PACKET 0x02
-#define TCP_A_ACK_LOST_PACKET 0x04
-#define TCP_A_KEEP_ALIVE 0x08
-#define TCP_A_DUPLICATE_ACK 0x10
-#define TCP_A_ZERO_WINDOW 0x20
-#define TCP_A_ZERO_WINDOW_PROBE 0x40
-#define TCP_A_ZERO_WINDOW_VIOLATION 0x80
+#define TCP_A_RETRANSMISSION 0x0001
+#define TCP_A_LOST_PACKET 0x0002
+#define TCP_A_ACK_LOST_PACKET 0x0004
+#define TCP_A_KEEP_ALIVE 0x0008
+#define TCP_A_DUPLICATE_ACK 0x0010
+#define TCP_A_ZERO_WINDOW 0x0020
+#define TCP_A_ZERO_WINDOW_PROBE 0x0040
+#define TCP_A_ZERO_WINDOW_VIOLATION 0x0080
+#define TCP_A_KEEP_ALIVE_ACK 0x0100
struct tcp_acked {
guint32 frame_acked;
nstime_t ts;
- guint8 flags;
+ guint16 flags;
+ guint32 dupack_num; /* dup ack number */
+ guint32 dupack_frame; /* dup ack to frame # */
};
static GHashTable *tcp_analyze_acked_table = NULL;
struct tcp_rel_seq {
guint32 seq_base;
guint32 ack_base;
+ gint16 win_scale;
};
static GHashTable *tcp_rel_seq_table = NULL;
guint32 base_seq1;
struct tcp_unacked *ual2; /* UnAcked List 2*/
guint32 base_seq2;
+ gint16 win_scale1;
+ gint16 win_scale2;
+
+ /* these two lists are used to track when PDUs may start
+ inside a segment.
+ */
+ struct tcp_next_pdu *pdu_seq1;
+ struct tcp_next_pdu *pdu_seq2;
};
+
+static GMemChunk *tcp_next_pdu_chunk = NULL;
+static int tcp_next_pdu_count = 20;
+struct tcp_next_pdu {
+ struct tcp_next_pdu *next;
+ guint32 seq;
+};
+static GHashTable *tcp_pdu_tracking_table = NULL;
+
+
+static struct tcp_analysis *
+get_tcp_conversation_data(packet_info *pinfo)
+{
+ conversation_t *conv=NULL;
+ struct tcp_analysis *tcpd=NULL;
+
+ /* Have we seen this conversation before? */
+ if( (conv=find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
+ /* No this is a new conversation. */
+ conv=conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
+ }
+
+ /* check if we have any data for this conversation */
+ tcpd=conversation_get_proto_data(conv, proto_tcp);
+ if(!tcpd){
+ /* No no such data yet. Allocate and init it */
+ tcpd=g_mem_chunk_alloc(tcp_analysis_chunk);
+ tcpd->ual1=NULL;
+ tcpd->base_seq1=0;
+ tcpd->win_scale1=-1;
+ tcpd->ual2=NULL;
+ tcpd->base_seq2=0;
+ tcpd->win_scale2=-1;
+
+ tcpd->pdu_seq1=NULL;
+ tcpd->pdu_seq2=NULL;
+
+ conversation_add_proto_data(conv, proto_tcp, tcpd);
+ }
+
+ return tcpd;
+}
+
+/* This function is called from the tcp analysis code to provide
+ clues on how the seq and ack numbers are changed.
+ To prevent the next_pdu lists from growing uncontrollable in size we
+ use this function to do the following :
+ IF we see an ACK then we assume that the left edge of the window has changed
+ at least to this point and assuming it is rare with reordering and
+ trailing duplicate/retransmitted segments, we just assume that after
+ we have seen the ACK we will not see any more segments prior to the
+ ACK value.
+ If we will not see any segments prior to the ACK value then we can just
+ delete all next_pdu entries that describe pdu's starting prior to the
+ ACK.
+ If this heuristics is prooved to be too simplistic we can just enhance it
+ later.
+*/
+/* XXX this function should be ehnanced to handle sequence number wrapping */
+/* XXX to handle retransmissions and reordered packets maybe we should only
+ discard entries that are more than (guesstimate) 50kb older than the
+ specified sequence number ?
+*/
static void
-tcp_get_relative_seq_ack(guint32 frame, guint32 *seq, guint32 *ack)
+prune_next_pdu_list(struct tcp_next_pdu **tnp, guint32 seq)
+{
+ struct tcp_next_pdu *tmptnp;
+
+ if(*tnp == NULL){
+ return;
+ }
+
+ for(tmptnp=*tnp;tmptnp;tmptnp=tmptnp->next){
+ if(tmptnp->seq<=seq){
+ struct tcp_next_pdu *oldtnp;
+ oldtnp=tmptnp;
+
+ if(tmptnp==*tnp){
+ tmptnp=tmptnp->next;
+ *tnp=tmptnp;
+ g_mem_chunk_free(tcp_next_pdu_chunk, oldtnp);
+ if(!tmptnp){
+ return;
+ }
+ continue;
+ } else {
+ for(tmptnp=*tnp;tmptnp;tmptnp=tmptnp->next){
+ if(tmptnp->next==oldtnp){
+ tmptnp->next=oldtnp->next;
+ g_mem_chunk_free(tcp_next_pdu_chunk, oldtnp);
+ break;
+ }
+ }
+ if(!tmptnp){
+ return;
+ }
+ }
+ }
+ }
+}
+
+
+/* if we know that a PDU starts inside this segment, return the adjusted
+ offset to where that PDU starts or just return offset back
+ and let TCP try to find out what it can about this segment
+*/
+static int
+scan_for_next_pdu(packet_info *pinfo, int offset, guint32 seq, guint32 nxtseq)
+{
+ struct tcp_analysis *tcpd=NULL;
+ struct tcp_next_pdu *tnp=NULL;
+ int direction;
+
+ if(!pinfo->fd->flags.visited){
+ /* find(or create if needed) the conversation for this tcp session */
+ tcpd=get_tcp_conversation_data(pinfo);
+ /* check direction and get pdu start lists */
+ direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
+ /* if the addresses are equal, match the ports instead */
+ if(direction==0) {
+ direction= (pinfo->srcport > pinfo->destport)*2-1;
+ }
+ if(direction>=0){
+ tnp=tcpd->pdu_seq1;
+ } else {
+ tnp=tcpd->pdu_seq2;
+ }
+
+ /* scan and see if we find any pdus starting inside this tvb */
+ for(;tnp;tnp=tnp->next){
+ /* XXX here we should also try to handle sequence number
+ wrapping
+ */
+ if(seq<tnp->seq && nxtseq>tnp->seq){
+ g_hash_table_insert(tcp_pdu_tracking_table,
+ (void *)pinfo->fd->num, (void *)tnp->seq);
+ offset+=tnp->seq-seq;
+ break;
+ }
+ }
+ } else {
+ guint32 pduseq;
+
+ pduseq=(guint32)g_hash_table_lookup(tcp_pdu_tracking_table, (void *)pinfo->fd->num);
+ if(pduseq){
+ offset+=pduseq-seq;
+ }
+ }
+
+ return offset;
+}
+
+/* if we saw a PDU that extended beyond the end of the segment,
+ use this function to remember where the next pdu starts
+*/
+static void
+pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 nxtpdu)
+{
+ struct tcp_analysis *tcpd=NULL;
+ struct tcp_next_pdu *tnp=NULL;
+ int direction;
+
+ /* find(or create if needed) the conversation for this tcp session */
+ tcpd=get_tcp_conversation_data(pinfo);
+
+ tnp=g_mem_chunk_alloc(tcp_next_pdu_chunk);
+ tnp->seq=nxtpdu;
+
+ /* check direction and get pdu start list */
+ direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
+ /* if the addresses are equal, match the ports instead */
+ if(direction==0) {
+ direction= (pinfo->srcport > pinfo->destport)*2-1;
+ }
+ if(direction>=0){
+ tnp->next=tcpd->pdu_seq1;
+ tcpd->pdu_seq1=tnp;
+ } else {
+ tnp->next=tcpd->pdu_seq2;
+ tcpd->pdu_seq2=tnp;
+ }
+ /*QQQ
+ Add check for ACKs and purge list of sequence numbers
+ already acked.
+ */
+}
+
+/* if we saw a window scaling option, store it for future reference
+*/
+static void
+pdu_store_window_scale_option(packet_info *pinfo, guint8 ws)
+{
+ struct tcp_analysis *tcpd=NULL;
+ int direction;
+
+ /* find(or create if needed) the conversation for this tcp session */
+ tcpd=get_tcp_conversation_data(pinfo);
+
+ /* check direction and get pdu start list */
+ direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
+ /* if the addresses are equal, match the ports instead */
+ if(direction==0) {
+ direction= (pinfo->srcport > pinfo->destport)*2-1;
+ }
+ if(direction>=0){
+ tcpd->win_scale1=ws;
+ } else {
+ tcpd->win_scale2=ws;
+ }
+}
+
+static void
+tcp_get_relative_seq_ack(guint32 frame, guint32 *seq, guint32 *ack, guint32 *win)
{
struct tcp_rel_seq *trs;
(*seq) -= trs->seq_base;
(*ack) -= trs->ack_base;
+ if(trs->win_scale!=-1){
+ (*win)<<=trs->win_scale;
+ }
}
static struct tcp_acked *
ta->ts.secs=0;
ta->ts.nsecs=0;
ta->flags=0;
+ ta->dupack_num=0;
+ ta->dupack_frame=0;
g_hash_table_insert(tcp_analyze_acked_table, (void *)frame, ta);
}
return ta;
static void
tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags, guint16 window)
{
- conversation_t *conv=NULL;
struct tcp_analysis *tcpd=NULL;
int direction;
struct tcp_unacked *ual1=NULL;
struct tcp_unacked *ual2=NULL;
struct tcp_unacked *ual=NULL;
- guint32 base_seq;
- guint32 base_ack;
+ guint32 base_seq=0;
+ guint32 base_ack=0;
+ gint16 win_scale=-1;
+ struct tcp_next_pdu **tnp=NULL;
- /* Have we seen this conversation before? */
- if( (conv=find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
- /* No this is a new conversation. */
- conv=conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
- }
-
- /* check if we have any data for this conversation */
- tcpd=conversation_get_proto_data(conv, proto_tcp);
- if(!tcpd){
- /* No no such data yet. Allocate and init it */
- tcpd=g_mem_chunk_alloc(tcp_analysis_chunk);
- tcpd->ual1=NULL;
- tcpd->base_seq1=0;
- tcpd->ual2=NULL;
- tcpd->base_seq2=0;
- conversation_add_proto_data(conv, proto_tcp, tcpd);
- }
+ /* find(or create if needed) the conversation for this tcp session */
+ tcpd=get_tcp_conversation_data(pinfo);
/* check direction and get ua lists */
direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
if(direction>=0){
ual1=tcpd->ual1;
ual2=tcpd->ual2;
+ tnp=&tcpd->pdu_seq2;
base_seq=tcpd->base_seq1;
+ win_scale=tcpd->win_scale1;
base_ack=tcpd->base_seq2;
} else {
ual1=tcpd->ual2;
ual2=tcpd->ual1;
+ tnp=&tcpd->pdu_seq1;
base_seq=tcpd->base_seq2;
+ win_scale=tcpd->win_scale2;
base_ack=tcpd->base_seq1;
}
- if(base_seq==0){
- base_seq=seq;
+ if(tcp_relative_seq){
+ if(base_seq==0){
+ base_seq=seq;
+ }
+ if(base_ack==0){
+ base_ack=ack;
+ }
}
- if(base_ack==0){
- base_ack=ack;
+
+ /* To handle FIN, just add 1 to the length.
+ else the ACK following the FIN-ACK will look like it was
+ outside the window. */
+ if( flags&TH_FIN ){
+ seglen+=1;
}
/* handle the sequence numbers */
ual1->ts.secs=pinfo->fd->abs_secs;
ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
ual1->window=window;
- base_seq=seq;
- base_ack=ack;
+ ual1->flags=0;
+ if(tcp_relative_seq){
+ base_seq=seq;
+ base_ack=ack;
+ }
goto seq_finished;
}
ual1->ts.secs=pinfo->fd->abs_secs;
ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
ual1->window=window;
- base_seq=seq;
+ ual1->flags=0;
+ if(tcp_relative_seq){
+ base_seq=seq;
+ base_ack=ack;
+ }
goto seq_finished;
}
/* if we get past here we know that ual1 points to a segment */
- /* To handle FIN, just pretend they have a length of 1.
- else the ACK following the FIN-ACK will look like it was
- outside the window. */
- if( (!seglen) && (flags&TH_FIN) ){
- seglen=1;
- }
/* if seq is beyond ual1->nextseq we have lost a segment */
if (GT_SEQ(seq, ual1->nextseq)) {
ual->ts.secs=pinfo->fd->abs_secs;
ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
ual->window=window;
+ ual->flags=0;
ual1=ual;
goto seq_finished;
}
- /* keep-alives are empty semgents with a sequence number -1 of what
+ /* keep-alives are empty segments with a sequence number -1 of what
* we would expect.
+ *
+ * Solaris is an exception, Solaris does not really use KeepAlives
+ * according to RFC793, instead they move the left window edge one
+ * byte to the left and makes up a fake byte to fill in this position
+ * of the enlarged window.
+ * This means that Solaris will do "weird" KeepAlives that actually
+ * contains a one-byte segment with "random" junk data which the
+ * Solaris host then will try to transmit, and posisbly retransmit
+ * to the other side. Of course the other side will ignore this junk
+ * byte since it is outside (left of) the window.
+ * This is actually a brilliant trick that gives them, for free,
+ * semi-reliable KeepAlives.
+ * (since normal retransmission will handle any lost keepalive segments
+ * , brilliant)
*/
- if( (!seglen) && EQ_SEQ(seq, (ual1->nextseq-1)) ){
- struct tcp_acked *ta;
-
- ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
- ta->flags|=TCP_A_KEEP_ALIVE;
- goto seq_finished;
+ if( (seglen<=1) && EQ_SEQ(seq, (ual1->nextseq-1)) ){
+ if(!(flags&TH_FIN)){ /* FIN segments are not keepalives */
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_KEEP_ALIVE;
+ ual1->flags|=TCP_A_KEEP_ALIVE;
+ goto seq_finished;
+ }
}
ual->ts.secs=pinfo->fd->abs_secs;
ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
ual->window=window;
+ ual->flags=0;
ual1=ual;
seq_finished:
ual=ual2->next;
g_mem_chunk_free(tcp_unacked_chunk, ual2);
}
+ prune_next_pdu_list(tnp, ack-base_ack);
goto ack_finished;
}
ual=ual2->next;
g_mem_chunk_free(tcp_unacked_chunk, ual2);
}
+ prune_next_pdu_list(tnp, ack-base_ack);
goto ack_finished;
}
tmpual=ual->next;
g_mem_chunk_free(tcp_unacked_chunk, ual);
}
-
+ prune_next_pdu_list(tnp, ack-base_ack);
}
ack_finished:
ual2->ts.secs=0;
ual2->ts.nsecs=0;
ual2->window=window;
+ ual2->flags=0;
}
/* update the ACK counter and check for
ual->num_acks++;
}
+ /* is this an ACK to a KeepAlive? */
+ if( (ual->flags&TCP_A_KEEP_ALIVE)
+ && (ack==ual->seq) ){
+ struct tcp_acked *ta;
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_KEEP_ALIVE_ACK;
+ ual->flags^=TCP_A_KEEP_ALIVE;
+ } else if(ual->num_acks>1) {
/* ok we have found a potential duplicate ack */
- if(ual->num_acks>1){
struct tcp_acked *ta;
ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
- ta->flags|=TCP_A_DUPLICATE_ACK;
+ /* keepalives are not dupacks */
+ if( (!(ta->flags&TCP_A_KEEP_ALIVE)) ){
+ ta->flags|=TCP_A_DUPLICATE_ACK;
+ ta->dupack_num=ual->num_acks-1;
+ ta->dupack_frame=ual->ack_frame;
+ }
}
}
trs=g_mem_chunk_alloc(tcp_rel_seq_chunk);
trs->seq_base=base_seq;
trs->ack_base=base_ack;
+ trs->win_scale=win_scale;
g_hash_table_insert(tcp_rel_seq_table, (void *)pinfo->fd->num, trs);
}
}
flags_item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, -1, FALSE);
flags_tree=proto_item_add_subtree(flags_item, ett_tcp_analysis);
if( ta->flags&TCP_A_RETRANSMISSION ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_retransmission, tvb, 0, 0, TRUE, "This frame is a (suspected) retransmission");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_retransmission, tvb, 0, 0, "This frame is a (suspected) retransmission");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
}
}
if( ta->flags&TCP_A_LOST_PACKET ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_lost_packet, tvb, 0, 0, TRUE, "A segment before this frame was lost");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_lost_packet, tvb, 0, 0, "A segment before this frame was lost");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Previous segment lost] ");
}
}
if( ta->flags&TCP_A_ACK_LOST_PACKET ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_ack_lost_packet, tvb, 0, 0, TRUE, "This frame ACKs a segment we have not seen (lost?)");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_ack_lost_packet, tvb, 0, 0, "This frame ACKs a segment we have not seen (lost?)");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ACKed lost segment] ");
}
}
if( ta->flags&TCP_A_KEEP_ALIVE ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_keep_alive, tvb, 0, 0, TRUE, "This is a TCP keep-alive segment");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_keep_alive, tvb, 0, 0, "This is a TCP keep-alive segment");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
}
}
- if( ta->flags&TCP_A_DUPLICATE_ACK ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_duplicate_ack, tvb, 0, 0, TRUE, "This is a TCP duplicate ack");
+ if( ta->flags&TCP_A_KEEP_ALIVE_ACK ){
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_keep_alive_ack, tvb, 0, 0, "This is an ACK to a TCP keep-alive segment");
if(check_col(pinfo->cinfo, COL_INFO)){
- col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Duplicate ACK] ");
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive ACK] ");
+ }
+ }
+ if( ta->dupack_num){
+ if( ta->flags&TCP_A_DUPLICATE_ACK ){
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_duplicate_ack, tvb, 0, 0, "This is a TCP duplicate ack");
+ if(check_col(pinfo->cinfo, COL_INFO)){
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Dup ACK %d#%d] ", ta->dupack_frame, ta->dupack_num);
+ }
}
+ proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_num,
+ tvb, 0, 0, ta->dupack_num);
+ proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_frame,
+ tvb, 0, 0, ta->dupack_frame);
}
if( ta->flags&TCP_A_ZERO_WINDOW_PROBE ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_zero_window_probe, tvb, 0, 0, TRUE, "This is a TCP zero-window-probe");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window_probe, tvb, 0, 0, "This is a TCP zero-window-probe");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbe] ");
}
}
if( ta->flags&TCP_A_ZERO_WINDOW ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_zero_window, tvb, 0, 0, TRUE, "This is a ZeroWindow segment");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window, tvb, 0, 0, "This is a ZeroWindow segment");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindow] ");
}
}
if( ta->flags&TCP_A_ZERO_WINDOW_VIOLATION ){
- proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_zero_window_violation, tvb, 0, 0, TRUE, "This is a ZeroWindow violation, attempts to write >1 byte of data to a zero-window");
+ proto_tree_add_none_format(flags_tree, hf_tcp_analysis_zero_window_violation, tvb, 0, 0, "This is a ZeroWindow violation, attempts to write >1 byte of data to a zero-window");
if(check_col(pinfo->cinfo, COL_INFO)){
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowViolation] ");
}
g_hash_table_destroy(tcp_rel_seq_table);
tcp_rel_seq_table = NULL;
}
+ if( tcp_pdu_tracking_table ){
+ g_hash_table_foreach_remove(tcp_pdu_tracking_table,
+ free_all_acked, NULL);
+ g_hash_table_destroy(tcp_pdu_tracking_table);
+ tcp_pdu_tracking_table = NULL;
+ }
/*
* Now destroy the chunk from which the conversation table
* structures were allocated.
*/
+ if (tcp_next_pdu_chunk) {
+ g_mem_chunk_destroy(tcp_next_pdu_chunk);
+ tcp_next_pdu_chunk = NULL;
+ }
if (tcp_analysis_chunk) {
g_mem_chunk_destroy(tcp_analysis_chunk);
tcp_analysis_chunk = NULL;
tcp_acked_equal);
tcp_rel_seq_table = g_hash_table_new(tcp_acked_hash,
tcp_acked_equal);
+ tcp_pdu_tracking_table = g_hash_table_new(tcp_acked_hash,
+ tcp_acked_equal);
+ tcp_next_pdu_chunk = g_mem_chunk_new("tcp_next_pdu_chunk",
+ sizeof(struct tcp_next_pdu),
+ tcp_next_pdu_count * sizeof(struct tcp_next_pdu),
+ G_ALLOC_ONLY);
tcp_analysis_chunk = g_mem_chunk_new("tcp_analysis_chunk",
sizeof(struct tcp_analysis),
tcp_analysis_count * sizeof(struct tcp_analysis),
static guint
tcp_segment_hash(gconstpointer k)
{
- tcp_segment_key *key = (tcp_segment_key *)k;
+ const tcp_segment_key *key = (const tcp_segment_key *)k;
return key->seq+key->sport;
}
static gint
tcp_segment_equal(gconstpointer k1, gconstpointer k2)
{
- tcp_segment_key *key1 = (tcp_segment_key *)k1;
- tcp_segment_key *key2 = (tcp_segment_key *)k2;
+ const tcp_segment_key *key1 = (const tcp_segment_key *)k1;
+ const tcp_segment_key *key2 = (const tcp_segment_key *)k2;
return ( ( (key1->seq==key2->seq)
&&(ADDRESSES_EQUAL(key1->src, key2->src))
tcp_fragment_table,
seq - tsk->start_seq,
nxtseq - seq,
- (nxtseq < (tsk->start_seq + tsk->tot_len)) );
+ (LT_SEQ (nxtseq,tsk->start_seq + tsk->tot_len)) );
if(!ipfd_head){
/* fragment_add() returned NULL, This means that
Call the normal subdissector.
*/
decode_tcp_ports(tvb, offset, pinfo, tree,
- sport, dport);
+ sport, dport, 0);
called_dissector = TRUE;
/* Did the subdissector ask us to desegment some more data
/* is it completely desegmented? */
if(ipfd_head){
fragment_data *ipfd;
- proto_tree *st = NULL;
- proto_item *si = NULL;
/*
* Yes, we think it is.
* Note that the last segment may include more than what
* we needed.
*/
- if(nxtseq >= (tsk->start_seq + tsk->tot_len)){
+ if(GE_SEQ(nxtseq, tsk->start_seq + tsk->tot_len)){
/*
* OK, this is the last segment.
* Let's call the subdissector with the desegmented
/* call subdissector */
decode_tcp_ports(next_tvb, 0, pinfo, tree,
- sport, dport);
+ sport, dport, 0);
called_dissector = TRUE;
/*
* end may, in turn, require desegmentation),
* so we show a tree with all segments.
*/
- si = proto_tree_add_text(tcp_tree, next_tvb,
- 0, -1, "Segments");
- st = proto_item_add_subtree(si, ett_tcp_segments);
- for(ipfd=ipfd_head->next; ipfd; ipfd=ipfd->next){
- proto_tree_add_text(st, next_tvb,
- ipfd->offset, ipfd->len,
- "Frame:%u seq#:%u-%u [%u-%u]",
- ipfd->frame,
- tsk->start_seq + ipfd->offset,
- tsk->start_seq + ipfd->offset + ipfd->len-1,
- ipfd->offset,
- ipfd->offset + ipfd->len - 1);
- }
+ show_fragment_tree(ipfd_head, &tcp_segment_items,
+ tcp_tree, pinfo, next_tvb);
/* Did the subdissector ask us to desegment
some more data? This means that the data
tcp_fragment_table,
tsk->seq - tsk->start_seq,
nxtseq - tsk->start_seq,
- (nxtseq < tsk->start_seq + tsk->tot_len));
+ LT_SEQ (nxtseq, tsk->start_seq + tsk->tot_len));
/* this is the next segment in the sequence we want */
new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
}
if (!called_dissector || pinfo->desegment_len != 0) {
+ if (ipfd_head != NULL && ipfd_head->reassembled_in != 0) {
+ /*
+ * We know what frame this PDU is reassembled in;
+ * let the user know.
+ */
+ proto_tree_add_uint(tcp_tree, hf_tcp_reassembled_in,
+ tvb, 0, 0, ipfd_head->reassembled_in);
+ }
+
/*
* Either we didn't call the subdissector at all (i.e.,
* this is a segment that contains the middle of a
void (*dissect_pdu)(tvbuff_t *, packet_info *, proto_tree *))
{
volatile int offset = 0;
+ int offset_before;
guint length_remaining;
guint plen;
guint length;
* Get the length of the PDU.
*/
plen = (*get_pdu_len)(tvb, offset);
+ if (plen < fixed_len) {
+ /*
+ * The PDU length from the fixed-length portion probably didn't
+ * include the fixed-length portion's length, and was probably so
+ * large that the total length overflowed.
+ *
+ * Report this as an error.
+ */
+ show_reported_bounds_error(tvb, pinfo, tree);
+ return;
+ }
/*
* Can we do reassembly?
* is within the reported length but beyond that third length, with
* that exception getting the "Unreassembled Packet" error.
*/
- if (plen < fixed_len) {
- /*
- * The PDU length from the fixed-length portion probably didn't
- * include the fixed-length portion's length, and was probably so
- * large that the total length overflowed.
- *
- * Report this as an error.
- */
- show_reported_bounds_error(tvb, pinfo, tree);
- return;
- }
length = length_remaining;
if (length > plen)
length = plen;
/*
* Step to the next PDU.
+ * Make sure we don't overflow.
*/
+ offset_before = offset;
offset += plen;
+ if (offset <= offset_before)
+ break;
}
}
guint16 mss;
mss = tvb_get_ntohs(tvb, offset + 2);
- proto_tree_add_text(opt_tree, tvb, offset, optlen,
- "%s: %u bytes", optp->name, mss);
+ proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_mss, tvb, offset,
+ optlen, TRUE);
+ proto_tree_add_uint_format(opt_tree, hf_tcp_option_mss_val, tvb, offset,
+ optlen, mss, "%s: %u bytes", optp->name, mss);
tcp_info_append_uint(pinfo, "MSS", mss);
}
guint8 ws;
ws = tvb_get_guint8(tvb, offset + 2);
- proto_tree_add_text(opt_tree, tvb, offset, optlen,
- "%s: %u (multiply by %u)", optp->name, ws, 1 << ws);
+ proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_wscale, tvb,
+ offset, optlen, TRUE);
+ proto_tree_add_uint_format(opt_tree, hf_tcp_option_wscale_val, tvb,
+ offset, optlen, ws, "%s: %u (multiply by %u)",
+ optp->name, ws, 1 << ws);
tcp_info_append_uint(pinfo, "WS", ws);
+ if(!pinfo->fd->flags.visited && tcp_analyze_seq && tcp_relative_seq){
+ pdu_store_window_scale_option(pinfo, ws);
+ }
}
static void
if (field_tree == NULL) {
/* Haven't yet made a subtree out of this option. Do so. */
field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
+ proto_tree_add_boolean_hidden(field_tree, hf_tcp_option_sack, tvb,
+ offset, optlen, TRUE);
}
if (optlen < 4) {
proto_tree_add_text(field_tree, tvb, offset, optlen,
break;
}
leftedge = tvb_get_ntohl(tvb, offset);
+ proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_sle, tvb,
+ offset, 4, leftedge,
+ "left edge = %u", leftedge);
optlen -= 4;
if (optlen < 4) {
proto_tree_add_text(field_tree, tvb, offset, optlen,
/* XXX - check whether it goes past end of packet */
rightedge = tvb_get_ntohl(tvb, offset + 4);
optlen -= 4;
- proto_tree_add_text(field_tree, tvb, offset, 8,
- "left edge = %u, right edge = %u", leftedge, rightedge);
+ proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_sre, tvb,
+ offset+4, 4, rightedge,
+ "right edge = %u", rightedge);
tcp_info_append_uint(pinfo, "SLE", leftedge);
tcp_info_append_uint(pinfo, "SRE", rightedge);
offset += 8;
guint32 echo;
echo = tvb_get_ntohl(tvb, offset + 2);
+ proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_echo, tvb, offset,
+ optlen, TRUE);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: %u", optp->name, echo);
tcp_info_append_uint(pinfo, "ECHO", echo);
tsv = tvb_get_ntohl(tvb, offset + 2);
tser = tvb_get_ntohl(tvb, offset + 6);
+ proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_time_stamp, tvb,
+ offset, optlen, TRUE);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: tsval %u, tsecr %u", optp->name, tsv, tser);
tcp_info_append_uint(pinfo, "TSV", tsv);
guint32 cc;
cc = tvb_get_ntohl(tvb, offset + 2);
+ proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_cc, tvb, offset,
+ optlen, TRUE);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: %u", optp->name, cc);
tcp_info_append_uint(pinfo, "CC", cc);
/* separated into a stand alone routine to other protocol dissectors */
/* can call to it, ie. socks */
+static gboolean try_heuristic_first = FALSE;
+
void
decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
- proto_tree *tree, int src_port, int dst_port)
+ proto_tree *tree, int src_port, int dst_port, guint32 nxtseq)
{
tvbuff_t *next_tvb;
int low_port, high_port;
+/*qqq see if it is an unaligned PDU */
+ if(nxtseq && tcp_analyze_seq && (!tcp_desegment)){
+ guint32 seq;
+ seq=nxtseq-tvb_reported_length_remaining(tvb, offset);
+ offset=scan_for_next_pdu(pinfo, offset, seq, nxtseq);
+ }
+
next_tvb = tvb_new_subset(tvb, offset, -1, -1);
/* determine if this packet is part of a conversation and call dissector */
if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
src_port, dst_port, next_tvb, pinfo, tree))
- return;
+ goto end_decode_tcp_ports;
+
+ if (try_heuristic_first) {
+ /* do lookup with the heuristic subdissector table */
+ if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
+ goto end_decode_tcp_ports;
+ }
/* Do lookups with the subdissector table.
We try the port number with the lower value first, followed by the
}
if (low_port != 0 &&
dissector_try_port(subdissector_table, low_port, next_tvb, pinfo, tree))
- return;
+ goto end_decode_tcp_ports;
if (high_port != 0 &&
dissector_try_port(subdissector_table, high_port, next_tvb, pinfo, tree))
- return;
+ goto end_decode_tcp_ports;
- /* do lookup with the heuristic subdissector table */
- if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
- return;
+ if (!try_heuristic_first) {
+ /* do lookup with the heuristic subdissector table */
+ if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
+ goto end_decode_tcp_ports;
+ }
/* Oh, well, we don't know this; dissect it as data. */
call_dissector(data_handle,next_tvb, pinfo, tree);
+ return;
+
+end_decode_tcp_ports:
+ /* if !visited, check want_pdu_tracking and store it in table */
+ /* XXX fix nxtseq so that it always has valid content and skip the ==0 check */
+ if((!pinfo->fd->flags.visited) && nxtseq && tcp_analyze_seq && pinfo->want_pdu_tracking){
+ pdu_store_sequencenumber_of_next_pdu(pinfo, nxtseq+pinfo->bytes_until_next_pdu);
+ }
+
}
static void
dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
- guint16 th_sport;
- guint16 th_dport;
- guint32 th_seq;
- guint32 th_ack;
guint8 th_off_x2; /* combines th_off and th_x2 */
- guint8 th_flags;
- guint16 th_win;
guint16 th_sum;
guint16 th_urp;
proto_tree *tcp_tree = NULL, *field_tree = NULL;
gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
gint fpos = 0, i;
guint bpos;
- guint hlen;
guint optlen;
- guint32 seglen;
- guint32 nxtseq;
- guint len;
+ guint32 nxtseq = 0;
guint reported_len;
vec_t cksum_vec[4];
guint32 phdr[2];
gboolean desegment_ok;
struct tcpinfo tcpinfo;
gboolean save_fragmented;
+ static struct tcpheader tcphstruct[4], *tcph;
+ static int tcph_count=0;
+
+ tcph_count++;
+ if(tcph_count>=4){
+ tcph_count=0;
+ }
+ tcph=&tcphstruct[tcph_count];
+ SET_ADDRESS(&tcph->ip_src, pinfo->src.type, pinfo->src.len, pinfo->src.data);
+ SET_ADDRESS(&tcph->ip_dst, pinfo->dst.type, pinfo->dst.len, pinfo->dst.data);
if (check_col(pinfo->cinfo, COL_PROTOCOL))
col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
if (check_col(pinfo->cinfo, COL_INFO))
col_clear(pinfo->cinfo, COL_INFO);
- th_sport = tvb_get_ntohs(tvb, offset);
- th_dport = tvb_get_ntohs(tvb, offset + 2);
+ tcph->th_sport = tvb_get_ntohs(tvb, offset);
+ tcph->th_dport = tvb_get_ntohs(tvb, offset + 2);
if (check_col(pinfo->cinfo, COL_INFO)) {
col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
- get_tcp_port(th_sport), get_tcp_port(th_dport));
+ get_tcp_port(tcph->th_sport), get_tcp_port(tcph->th_dport));
}
if (tree) {
if (tcp_summary_in_tree) {
ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
"Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
- get_tcp_port(th_sport), th_sport,
- get_tcp_port(th_dport), th_dport);
+ get_tcp_port(tcph->th_sport), tcph->th_sport,
+ get_tcp_port(tcph->th_dport), tcph->th_dport);
}
else {
ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
}
tcp_tree = proto_item_add_subtree(ti, ett_tcp);
- proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th_sport,
- "Source port: %s (%u)", get_tcp_port(th_sport), th_sport);
- proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th_dport,
- "Destination port: %s (%u)", get_tcp_port(th_dport), th_dport);
- proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th_sport);
- proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th_dport);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, tcph->th_sport,
+ "Source port: %s (%u)", get_tcp_port(tcph->th_sport), tcph->th_sport);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, tcph->th_dport,
+ "Destination port: %s (%u)", get_tcp_port(tcph->th_dport), tcph->th_dport);
+ proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, tcph->th_sport);
+ proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, tcph->th_dport);
}
/* Set the source and destination port numbers as soon as we get them,
so that they're available to the "Follow TCP Stream" code even if
we throw an exception dissecting the rest of the TCP header. */
pinfo->ptype = PT_TCP;
- pinfo->srcport = th_sport;
- pinfo->destport = th_dport;
+ pinfo->srcport = tcph->th_sport;
+ pinfo->destport = tcph->th_dport;
- th_seq = tvb_get_ntohl(tvb, offset + 4);
- th_ack = tvb_get_ntohl(tvb, offset + 8);
+ tcph->th_seq = tvb_get_ntohl(tvb, offset + 4);
+ tcph->th_ack = tvb_get_ntohl(tvb, offset + 8);
th_off_x2 = tvb_get_guint8(tvb, offset + 12);
- th_flags = tvb_get_guint8(tvb, offset + 13);
- th_win = tvb_get_ntohs(tvb, offset + 14);
- hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
+ tcph->th_flags = tvb_get_guint8(tvb, offset + 13);
+ tcph->th_win = tvb_get_ntohs(tvb, offset + 14);
+ tcph->th_hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
+ /*
+ * If we've been handed an IP fragment, we don't know how big the TCP
+ * segment is, so don't do anything that requires that we know that.
+ *
+ * The same applies if we're part of an error packet. (XXX - if the
+ * ICMP and ICMPv6 dissectors could set a "this is how big the IP
+ * header says it is" length in the tvbuff, we could use that; such
+ * a length might also be useful for handling packets where the IP
+ * length is bigger than the actual data available in the frame; the
+ * dissectors should trust that length, and then throw a
+ * ReportedBoundsError exception when they go past the end of the frame.)
+ *
+ * We also can't determine the segment length if the reported length
+ * of the TCP packet is less than the TCP header length.
+ */
reported_len = tvb_reported_length(tvb);
- len = tvb_length(tvb);
-
- /* Compute the length of data in this segment. */
- seglen = reported_len - hlen;
- if (tree) { /* Add the seglen as an invisible field */
+ if (!pinfo->fragmented && !pinfo->in_error_pkt) {
+ if (reported_len < tcph->th_hlen) {
+ proto_tree_add_text(tcp_tree, tvb, offset, 0,
+ "Short segment. Segment/fragment does not contain a full TCP header"
+ " (might be NMAP or someone else deliberately sending unusual packets)");
+ tcph->th_have_seglen = FALSE;
+ } else {
+ /* Compute the length of data in this segment. */
+ tcph->th_seglen = reported_len - tcph->th_hlen;
+ tcph->th_have_seglen = TRUE;
- proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, seglen);
+ if (tree) { /* Add the seglen as an invisible field */
- }
+ proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, tcph->th_seglen);
- /* handle TCP seq# analysis parse all new segments we see */
- if(tcp_analyze_seq){
- if(!(pinfo->fd->flags.visited)){
- tcp_analyze_sequence_number(pinfo, th_seq, th_ack, seglen, th_flags, th_win);
- }
- if(tcp_relative_seq){
- tcp_get_relative_seq_ack(pinfo->fd->num, &th_seq, &th_ack);
}
- }
+ /* handle TCP seq# analysis parse all new segments we see */
+ if(tcp_analyze_seq){
+ if(!(pinfo->fd->flags.visited)){
+ tcp_analyze_sequence_number(pinfo, tcph->th_seq, tcph->th_ack, tcph->th_seglen, tcph->th_flags, tcph->th_win);
+ }
+ if(tcp_relative_seq){
+ tcp_get_relative_seq_ack(pinfo->fd->num, &(tcph->th_seq), &(tcph->th_ack), &(tcph->th_win));
+ }
+ }
- /* Compute the sequence number of next octet after this segment. */
- nxtseq = th_seq + seglen;
+ /* Compute the sequence number of next octet after this segment. */
+ nxtseq = tcph->th_seq + tcph->th_seglen;
+ }
+ } else
+ tcph->th_have_seglen = FALSE;
if (check_col(pinfo->cinfo, COL_INFO) || tree) {
for (i = 0; i < 8; i++) {
bpos = 1 << i;
- if (th_flags & bpos) {
+ if (tcph->th_flags & bpos) {
if (fpos) {
strcpy(&flags[fpos], ", ");
fpos += 2;
if (check_col(pinfo->cinfo, COL_INFO)) {
col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u Ack=%u Win=%u",
- flags, th_seq, th_ack, th_win);
+ flags, tcph->th_seq, tcph->th_ack, tcph->th_win);
}
if (tree) {
- if (tcp_summary_in_tree)
- proto_item_append_text(ti, ", Seq: %u", th_seq);
- proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th_seq);
+ if (tcp_summary_in_tree) {
+ proto_item_append_text(ti, ", Seq: %u", tcph->th_seq);
+ }
+ proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq);
}
- if (hlen < TCPH_MIN_LEN) {
+ if (tcph->th_hlen < TCPH_MIN_LEN) {
/* Give up at this point; we put the source and destination port in
the tree, before fetching the header length, so that they'll
show up if this is in the failing packet in an ICMP error packet,
but it's now time to give up if the header length is bogus. */
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
- hlen, TCPH_MIN_LEN);
+ tcph->th_hlen, TCPH_MIN_LEN);
if (tree) {
- proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
- "Header length: %u bytes (bogus, must be at least %u)", hlen,
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
+ "Header length: %u bytes (bogus, must be at least %u)", tcph->th_hlen,
TCPH_MIN_LEN);
}
return;
}
if (tree) {
- if (tcp_summary_in_tree)
- proto_item_append_text(ti, ", Ack: %u, Len: %u", th_ack, seglen);
- proto_item_set_len(ti, hlen);
- if (nxtseq != th_seq)
- proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
- if (th_flags & TH_ACK)
- proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th_ack);
- proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
- "Header length: %u bytes", hlen);
+ if (tcp_summary_in_tree) {
+ proto_item_append_text(ti, ", Ack: %u", tcph->th_ack);
+ if (tcph->th_have_seglen)
+ proto_item_append_text(ti, ", Len: %u", tcph->th_seglen);
+ }
+ proto_item_set_len(ti, tcph->th_hlen);
+ if (tcph->th_have_seglen) {
+ if (nxtseq != tcph->th_seq) {
+ proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
+ }
+ }
+ if (tcph->th_flags & TH_ACK)
+ proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
+ "Header length: %u bytes", tcph->th_hlen);
tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
- th_flags, "Flags: 0x%04x (%s)", th_flags, flags);
+ tcph->th_flags, "Flags: 0x%04x (%s)", tcph->th_flags, flags);
field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th_flags);
- proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th_win);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
+ proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win);
}
/* Supply the sequence number of the first byte. */
- tcpinfo.seq = th_seq;
+ tcpinfo.seq = tcph->th_seq;
/* Assume we'll pass un-reassembled data to subdissectors. */
tcpinfo.is_reassembled = FALSE;
* Assume, initially, that we can't desegment.
*/
pinfo->can_desegment = 0;
-
th_sum = tvb_get_ntohs(tvb, offset + 16);
- if (!pinfo->fragmented && len >= reported_len) {
+ if (!pinfo->fragmented && tvb_bytes_exist(tvb, 0, reported_len)) {
/* The packet isn't part of an un-reassembled fragmented datagram
and isn't truncated. This means we have all the data, and thus
can checksum it and, unless it's being returned in an error
g_assert_not_reached();
break;
}
- cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
+ cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, reported_len);
cksum_vec[3].len = reported_len;
computed_cksum = in_cksum(&cksum_vec[0], 4);
if (computed_cksum == 0) {
/* Checksum is invalid, so we're not willing to desegment it. */
desegment_ok = FALSE;
+ pinfo->noreassembly_reason = " (incorrect TCP checksum)";
}
} else {
proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
}
}
- if (th_flags & TH_URG) {
+ if (tcph->th_flags & TH_URG) {
th_urp = tvb_get_ntohs(tvb, offset + 18);
/* Export the urgent pointer, for the benefit of protocols such as
rlogin. */
} else
tcpinfo.urgent = FALSE;
- if (check_col(pinfo->cinfo, COL_INFO))
- col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", seglen);
+ if (tcph->th_have_seglen) {
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", tcph->th_seglen);
+ }
/* Decode TCP options, if any. */
- if (tree && hlen > TCPH_MIN_LEN) {
+ if (tree && tcph->th_hlen > TCPH_MIN_LEN) {
/* There's more than just the fixed-length header. Decode the
options. */
- optlen = hlen - TCPH_MIN_LEN; /* length of options, in bytes */
+ optlen = tcph->th_hlen - TCPH_MIN_LEN; /* length of options, in bytes */
tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
"Options: (%u bytes)", optlen);
field_tree = proto_item_add_subtree(tf, ett_tcp_options);
}
/* Skip over header + options */
- offset += hlen;
+ offset += tcph->th_hlen;
/* Check the packet length to see if there's more data
(it could be an ACK-only packet) */
length_remaining = tvb_length_remaining(tvb, offset);
- if( data_out_file ) {
- reassemble_tcp( th_seq, /* sequence number */
- seglen, /* data length */
- tvb_get_ptr(tvb, offset, length_remaining), /* data */
- length_remaining, /* captured data length */
- ( th_flags & TH_SYN ), /* is syn set? */
- &pinfo->net_src,
- &pinfo->net_dst,
- pinfo->srcport,
- pinfo->destport);
+ if (tcph->th_have_seglen) {
+ if( data_out_file ) {
+ reassemble_tcp( tcph->th_seq, /* sequence number */
+ tcph->th_seglen, /* data length */
+ tvb_get_ptr(tvb, offset, length_remaining), /* data */
+ length_remaining, /* captured data length */
+ ( tcph->th_flags & TH_SYN ), /* is syn set? */
+ &pinfo->net_src,
+ &pinfo->net_dst,
+ pinfo->srcport,
+ pinfo->destport);
+ }
}
+ /*
+ * XXX - what, if any, of this should we do if this is included in an
+ * error packet? It might be nice to see the details of the packet
+ * that caused the ICMP error, but it might not be nice to have the
+ * dissector update state based on it.
+ * Also, we probably don't want to run TCP taps on those packets.
+ */
if (length_remaining != 0) {
- if (th_flags & TH_RST) {
+ if (tcph->th_flags & TH_RST) {
/*
* RFC1122 says:
*
/* Can we desegment this segment? */
if (pinfo->can_desegment) {
/* Yes. */
- desegment_tcp(tvb, pinfo, offset, th_seq, nxtseq, th_sport, th_dport, tree, tcp_tree);
+ desegment_tcp(tvb, pinfo, offset, tcph->th_seq, nxtseq, tcph->th_sport, tcph->th_dport, tree, tcp_tree);
} else {
/* No - just call the subdissector.
Mark this as fragmented, so if somebody throws an exception,
we don't report it as a malformed frame. */
save_fragmented = pinfo->fragmented;
pinfo->fragmented = TRUE;
- decode_tcp_ports(tvb, offset, pinfo, tree, th_sport, th_dport);
+ decode_tcp_ports(tvb, offset, pinfo, tree, tcph->th_sport, tcph->th_dport, nxtseq);
pinfo->fragmented = save_fragmented;
}
}
if(tcp_analyze_seq){
tcp_print_sequence_number_analysis(pinfo, tvb, tcp_tree);
}
+ tap_queue_packet(tcp_tap, pinfo, tcph);
}
void
{ "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
"", HFILL }},
+ /* 32 bits so we can present some values adjusted to window scaling */
{ &hf_tcp_window_size,
- { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
+ { "Window size", "tcp.window_size", FT_UINT32, BASE_DEC, NULL, 0x0,
"", HFILL }},
{ &hf_tcp_checksum,
"This frame has some of the TCP analysis flags set", HFILL }},
{ &hf_tcp_analysis_retransmission,
- { "", "tcp.analysis.retransmission", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Retransmission", "tcp.analysis.retransmission", FT_NONE, BASE_NONE, NULL, 0x0,
"This frame is a suspected TCP retransmission", HFILL }},
{ &hf_tcp_analysis_lost_packet,
- { "", "tcp.analysis.lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Previous Segment Lost", "tcp.analysis.lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
"A segment before this one was lost from the capture", HFILL }},
{ &hf_tcp_analysis_ack_lost_packet,
- { "", "tcp.analysis.ack_lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "ACKed Lost Packet", "tcp.analysis.ack_lost_segment", FT_NONE, BASE_NONE, NULL, 0x0,
"This frame ACKs a lost segment", HFILL }},
{ &hf_tcp_analysis_keep_alive,
- { "", "tcp.analysis.keep_alive", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Keep Alive", "tcp.analysis.keep_alive", FT_NONE, BASE_NONE, NULL, 0x0,
"This is a keep-alive segment", HFILL }},
+ { &hf_tcp_analysis_keep_alive_ack,
+ { "Keep Alive ACK", "tcp.analysis.keep_alive_ack", FT_NONE, BASE_NONE, NULL, 0x0,
+ "This is an ACK to a keep-alive segment", HFILL }},
+
{ &hf_tcp_analysis_duplicate_ack,
- { "", "tcp.analysis.duplicate_ack", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Duplicate ACK", "tcp.analysis.duplicate_ack", FT_NONE, BASE_NONE, NULL, 0x0,
"This is a duplicate ACK", HFILL }},
+ { &hf_tcp_analysis_duplicate_ack_num,
+ { "Duplicate ACK #", "tcp.analysis.duplicate_ack_num", FT_UINT32, BASE_DEC, NULL, 0x0,
+ "This is duplicate ACK number #", HFILL }},
+
+ { &hf_tcp_analysis_duplicate_ack_frame,
+ { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+ "This is a duplicate to the ACK in frame #", HFILL }},
+
{ &hf_tcp_analysis_zero_window_violation,
- { "", "tcp.analysis.zero_window_violation", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Zero Window Violation", "tcp.analysis.zero_window_violation", FT_NONE, BASE_NONE, NULL, 0x0,
"This is a zero-window violation, an attempt to write >1 byte to a zero-window", HFILL }},
{ &hf_tcp_analysis_zero_window_probe,
- { "", "tcp.analysis.zero_window_probe", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Zero Window Probe", "tcp.analysis.zero_window_probe", FT_NONE, BASE_NONE, NULL, 0x0,
"This is a zero-window-probe", HFILL }},
{ &hf_tcp_analysis_zero_window,
- { "", "tcp.analysis.zero_window", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ { "Zero Window", "tcp.analysis.zero_window", FT_NONE, BASE_NONE, NULL, 0x0,
"This is a Zero-Window", HFILL }},
{ &hf_tcp_len,
"", HFILL}},
{ &hf_tcp_analysis_acks_frame,
- { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_UINT32, BASE_DEC, NULL, 0x0,
+ { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
"Which previous segment is this an ACK for", HFILL}},
{ &hf_tcp_analysis_ack_rtt,
{ &hf_tcp_urgent_pointer,
{ "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
"", HFILL }},
+
+ { &hf_tcp_segment_overlap,
+ { "Segment overlap", "tcp.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "Segment overlaps with other segments", HFILL }},
+
+ { &hf_tcp_segment_overlap_conflict,
+ { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "Overlapping segments contained conflicting data", HFILL }},
+
+ { &hf_tcp_segment_multiple_tails,
+ { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "Several tails were found when desegmenting the pdu", HFILL }},
+
+ { &hf_tcp_segment_too_long_fragment,
+ { "Segment too long", "tcp.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "Segment contained data past end of the pdu", HFILL }},
+
+ { &hf_tcp_segment_error,
+ { "Desegmentation error", "tcp.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+ "Desegmentation error due to illegal segments", HFILL }},
+
+ { &hf_tcp_segment,
+ { "TCP Segment", "tcp.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+ "TCP Segment", HFILL }},
+
+ { &hf_tcp_segments,
+ { "TCP Segments", "tcp.segments", FT_NONE, BASE_NONE, NULL, 0x0,
+ "TCP Segments", HFILL }},
+
+ { &hf_tcp_reassembled_in,
+ { "Reassembled PDU in frame", "tcp.reassembled_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+ "The PDU that starts but doesn't end in this segment is reassembled in this frame", HFILL }},
+
+ { &hf_tcp_option_mss,
+ { "TCP MSS Option", "tcp.options.mss", FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP MSS Option", HFILL }},
+
+ { &hf_tcp_option_mss_val,
+ { "TCP MSS Option Value", "tcp.options.mss_val", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "TCP MSS Option Value", HFILL}},
+
+ { &hf_tcp_option_wscale,
+ { "TCP Window Scale Option", "tcp.options.wscale",
+ FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Window Option", HFILL}},
+
+ { &hf_tcp_option_wscale_val,
+ { "TCP Windows Scale Option Value", "tcp.options.wscale_val",
+ FT_UINT8, BASE_DEC, NULL, 0x0, "TCP Window Scale Value",
+ HFILL}},
+
+ { &hf_tcp_option_sack_perm,
+ { "TCP Sack Perm Option", "tcp.options.sack_perm",
+ FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Sack Perm Option", HFILL}},
+
+ { &hf_tcp_option_sack,
+ { "TCP Sack Option", "tcp.options.sack", FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Sack Option", HFILL}},
+
+ { &hf_tcp_option_sack_sle,
+ {"TCP Sack Left Edge", "tcp.options.sack_le", FT_UINT32,
+ BASE_DEC, NULL, 0x0, "TCP Sack Left Edge", HFILL}},
+
+ { &hf_tcp_option_sack_sre,
+ {"TCP Sack Right Edge", "tcp.options.sack_re", FT_UINT32,
+ BASE_DEC, NULL, 0x0, "TCP Sack Right Edge", HFILL}},
+
+ { &hf_tcp_option_echo,
+ { "TCP Echo Option", "tcp.options.echo", FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Sack Echo", HFILL}},
+
+ { &hf_tcp_option_echo_reply,
+ { "TCP Echo Reply Option", "tcp.options.echo_reply",
+ FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Echo Reply Option", HFILL}},
+
+ { &hf_tcp_option_time_stamp,
+ { "TCP Time Stamp Option", "tcp.options.time_stamp",
+ FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP Time Stamp Option", HFILL}},
+
+ { &hf_tcp_option_cc,
+ { "TCP CC Option", "tcp.options.cc", FT_BOOLEAN, BASE_NONE,
+ NULL, 0x0, "TCP CC Option", HFILL}},
+
+ { &hf_tcp_option_ccnew,
+ { "TCP CC New Option", "tcp.options.ccnew", FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP CC New Option", HFILL}},
+
+ { &hf_tcp_option_ccecho,
+ { "TCP CC Echo Option", "tcp.options.ccecho", FT_BOOLEAN,
+ BASE_NONE, NULL, 0x0, "TCP CC Echo Option", HFILL}},
+
+ { &hf_tcp_option_md5,
+ { "TCP MD5 Option", "tcp.options.md5", FT_BOOLEAN, BASE_NONE,
+ NULL, 0x0, "TCP MD5 Option", HFILL}},
};
static gint *ett[] = {
&ett_tcp,
&ett_tcp_flags,
&ett_tcp_options,
&ett_tcp_option_sack,
- &ett_tcp_segments,
&ett_tcp_analysis_faults,
- &ett_tcp_analysis
+ &ett_tcp_analysis,
+ &ett_tcp_segments,
+ &ett_tcp_segment
};
module_t *tcp_module;
/* Register configuration preferences */
tcp_module = prefs_register_protocol(proto_tcp, NULL);
- prefs_register_bool_preference(tcp_module, "tcp_summary_in_tree",
+ prefs_register_bool_preference(tcp_module, "summary_in_tree",
"Show TCP summary in protocol tree",
-"Whether the TCP summary line should be shown in the protocol tree",
+ "Whether the TCP summary line should be shown in the protocol tree",
&tcp_summary_in_tree);
prefs_register_bool_preference(tcp_module, "check_checksum",
"Check the validity of the TCP checksum when possible",
-"Whether to check the validity of the TCP checksum",
+ "Whether to check the validity of the TCP checksum",
&tcp_check_checksum);
prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
"Allow subdissector to desegment TCP streams",
-"Whether subdissector can request TCP streams to be desegmented",
+ "Whether subdissector can request TCP streams to be desegmented",
&tcp_desegment);
- prefs_register_bool_preference(tcp_module, "tcp_analyze_sequence_numbers",
+ prefs_register_bool_preference(tcp_module, "analyze_sequence_numbers",
"Analyze TCP sequence numbers",
"Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
&tcp_analyze_seq);
- prefs_register_bool_preference(tcp_module, "tcp_relative_sequence_numbers",
- "Use relative sequence numbers",
- "Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable \"Analyze TCP sequence numbers\".",
+ prefs_register_bool_preference(tcp_module, "relative_sequence_numbers",
+ "Relative sequence numbers and window scaling",
+ "Make the TCP dissector use relative sequence numbers instead of absolute ones. "
+ "To use this option you must also enable \"Analyze TCP sequence numbers\". "
+ "This option will also try to track and adjust the window field according to any TCP window scaling options seen.",
&tcp_relative_seq);
+ prefs_register_bool_preference(tcp_module, "try_heuristic_first",
+ "Try heuristic sub-dissectors first",
+ "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
+ &try_heuristic_first);
register_init_routine(tcp_analyze_seq_init);
register_init_routine(tcp_desegment_init);
tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
data_handle = find_dissector("data");
+ tcp_tap = register_tap("tcp");
}