2 * Routines for AJP13 dissection
3 * Copyright 2002, Christopher K. St. John <cks@distributopia.com>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
36 #include <epan/packet.h>
37 #include <epan/emem.h>
38 #include <epan/conversation.h>
39 #include "packet-tcp.h"
43 /* IMPORTANT IMPLEMENTATION NOTES
45 * You need to be looking at: jk/doc/AJP13.html in the
46 * jakarta-tomcat-connectors repository.
48 * If you're a wireshark dissector guru, then you can skip the rest of
49 * this. I'm writing it all down because I've written 3 dissectors so
50 * far and every time I've forgotten it all and had to re-learn it
51 * from scratch. Not this time, damnit.
53 * Dissector routines get called in two phases:
55 * The first phase is an in-order traversal of every incoming
56 * frame. Since we know it's in-order, we can set up a "conversational
57 * state" that records context-sensitive stuff like "was there a
58 * content-length in the previous request". During this first pass
59 * through the data, the "tree" parameter might be null, or not. For
60 * the regular gui-based Wireshark, it's null, which means we don't
61 * actually display the dissected data in the gui quite yet. For the
62 * text based interface, we might do the parsing and display both in
65 * The second phase happens when the data is actually displayed. In
66 * this pase the "tree" param is non-null, so you've got a hook to
67 * hang the parsed-out display data on. Since there might be gigabytes
68 * worth of capture data, the display code only calls the dissector
69 * for the stuff the user actually clicks on. So you have to assume
70 * the dissector is getting called on random frames, you can't depend
71 * on ordering anymore.
73 * But some parts of the AJP13 capture stream are context sensitive.
74 * That's no big deal during the first in-order pass, but the second
75 * phase requires us to display any random frame correctly. So during
76 * the first in-order phase we create a per-frame user data structure
77 * and attach it to the frame using p_add_proto_data.
79 * Since AJP13 is a TCP/IP based protocol, writing a dissector for it
80 * requires addressing several other issues:
82 * 1) TCP/IP segments can get retransmitted or be sent out of
83 * order. Users don't normally care, because the low-level kernel
84 * networking code takes care of reassembling them properly. But we're
85 * looking at raw network packets, aren't we? The stuff on the
86 * wire. Wireshark has been getting better and better at helping
87 * dissectors with this. I'm a little fuzzy on the details, but my
88 * uderstanding is that wireshark now contains a fairly substantial
89 * user-space TCP/IP stack so it can re-assemble the data. But I might
90 * be wrong. Since AJP13 is going to be used either on the loopback
91 * interface or on a LAN, it isn't likely to be a big issues anyway.
93 * 2) AJP13 packets (PDU's or protocol data unit's in
94 * networking-speak) don't necessarily line up with TCP segments. That
95 * is, one TCP segment can have more than one AJP13 PDU, or one AJP13
96 * PDU can stretch across multiple TCP segments. Assembling them is
97 * obviously possible, but a royal pain. During the "phase one"
98 * in-order pass you have to keep track of a bunch of offsets and
99 * store which PDU goes with which TCP segment. Luckly, recent
100 * (0.9.4+) versions of wireshark provide the "tcp_dissect_pdus()"
101 * function that takes care of much of the work. See the comments in
102 * packet-tcp.c, the example code in packet-dns.c, or check the
103 * wireshark-dev archives for details.
105 * 3) Wireshark isn't guaranteed to see all the data. I'm a little
106 * unclear on all the possible failure modes, but it comes down to: a)
107 * Not your fault: it's an imperfect world, we're eavesdroppers, and
108 * stuff happens. We might totally miss packets or get garbled
109 * data. Or b) Totally your fault: you turn on the capture during the
110 * middle of an AJP13 conversation and the capture starts out with
111 * half an AJP13 PDU. This code doesn't currently handle either case
112 * very well, but you can get arbitrarily clever. Like: put in tests
113 * to see if this packet has reasonable field values, and if it
114 * doesn't, walk the offset ahead until we see a matching magic number
115 * field, then re-test. But we don't do that now, and since we're
116 * using tcp_dissect_pdu's, I'm not sure how to do it.
122 * Request/response header codes. Common headers are stored as ints in
123 * an effort to improve performance. Why can't we just have one big
127 static const value_string req_header_codes[] = {
129 { 0x02, "accept-charset" },
130 { 0x03, "accept-encoding" },
131 { 0x04, "accept-language" },
132 { 0x05, "authorization" },
133 { 0x06, "connection" },
134 { 0x07, "content-type" },
135 { 0x08, "content-length" },
141 { 0x0E, "user-agent" },
146 static const value_string rsp_header_codes[] = {
147 { 0x01, "Content-Type" },
148 { 0x02, "Content-Language" },
149 { 0x03, "Content-Length" },
151 { 0x05, "Last-Modified" },
152 { 0x06, "Location" },
153 { 0x07, "Set-Cookie" },
154 { 0x08, "Set-Cookie2" },
155 { 0x09, "Servlet-Engine" },
157 { 0x0B, "WWW-Authenticate" },
162 static const value_string mtype_codes[] = {
165 { 2, "FORWARD REQUEST" },
166 { 3, "SEND BODY CHUNK" },
167 { 4, "SEND HEADERS" },
168 { 5, "END RESPONSE" },
169 { 6, "GET BODY CHUNK" },
177 static const value_string http_method_codes[] = {
194 { 17, "VERSION-CONTROL" },
197 { 20, "UNCHECKOUT" },
204 static int proto_ajp13 = -1;
205 static int hf_ajp13_magic = -1;
206 static int hf_ajp13_len = -1;
207 static int hf_ajp13_code = -1;
208 static int hf_ajp13_method = -1;
209 static int hf_ajp13_ver = -1;
210 static int hf_ajp13_uri = -1;
211 static int hf_ajp13_raddr = -1;
212 static int hf_ajp13_rhost = -1;
213 static int hf_ajp13_srv = -1;
214 static int hf_ajp13_port = -1;
215 static int hf_ajp13_sslp = -1;
216 static int hf_ajp13_nhdr = -1;
217 static int hf_ajp13_hname = -1;
218 static int hf_ajp13_hval = -1;
219 static int hf_ajp13_rlen = -1;
220 static int hf_ajp13_reusep = -1;
221 static int hf_ajp13_rstatus= -1;
222 static int hf_ajp13_rsmsg = -1;
223 static int hf_ajp13_data = -1;
224 static gint ett_ajp13 = -1;
227 typedef struct ajp13_conv_data {
229 gboolean was_get_body_chunk; /* XXX - not used */
232 typedef struct ajp13_frame_data {
233 gboolean is_request_body;
236 /* ajp13, in sort of a belt-and-suspenders move, encodes strings with
237 * both a leading length field, and a trailing null. Mostly, see
238 * AJPv13.html. The returned length _includes_ the trailing null, if
241 * XXX - is there a tvbuff routine to handle this?
244 get_nstring(tvbuff_t *tvb, gint offset, guint8* cbuf, size_t cbuflen)
249 len = tvb_get_ntohs(tvb, offset);
251 if (len == 0xffff || cbuflen < 1) {
256 if (copylen > cbuflen - 1)
257 copylen = cbuflen - 1;
258 tvb_memcpy(tvb, cbuf, offset+2, (gint) copylen);
259 cbuf[copylen] = '\0';
267 /* dissect a response. more work to do here.
270 display_rsp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ajp13_tree)
272 const gchar* msg_code = NULL;
281 proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
287 proto_tree_add_item(ajp13_tree, hf_ajp13_len, tvb, pos, 2, 0);
292 mcode = tvb_get_guint8(tvb, pos);
293 msg_code = val_to_str(mcode, mtype_codes, "UNKNOWN");
294 mcode_buf=ep_alloc(32);
295 g_snprintf(mcode_buf, 32, "(%d) %s", mcode, msg_code);
297 proto_tree_add_string(ajp13_tree, hf_ajp13_code, tvb, pos, 1, mcode_buf);
300 if(check_col(pinfo->cinfo, COL_INFO))
301 col_append_str(pinfo->cinfo, COL_INFO, msg_code);
305 proto_tree_add_item(ajp13_tree, hf_ajp13_reusep, tvb, pos, 1, 0);
308 } else if (mcode == 4) {
310 guint8 rsmsg_bytes[8*1024]; /* DANGER WILL ROBINSON */
315 /* HTTP RESPONSE STATUS CODE
317 rcode_num = tvb_get_ntohs(tvb, pos);
319 proto_tree_add_item(ajp13_tree, hf_ajp13_rstatus, tvb, pos, 2, 0);
321 if(check_col(pinfo->cinfo, COL_INFO))
322 col_append_fstr(pinfo->cinfo, COL_INFO, ":%d", rcode_num);
324 /* HTTP RESPONSE STATUS MESSAGE
326 rsmsg_len = get_nstring(tvb, pos, rsmsg_bytes, sizeof rsmsg_bytes);
329 proto_tree_add_item(ajp13_tree, hf_ajp13_rsmsg, tvb, pos, rsmsg_len, 0);
331 /* dangerous assumption that we can just %s out raw bytes */
332 if(check_col(pinfo->cinfo, COL_INFO))
333 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", rsmsg_bytes);
337 nhdr = tvb_get_ntohs(tvb, pos);
339 proto_tree_add_item(ajp13_tree, hf_ajp13_nhdr, tvb, pos, 2, 0);
344 for(i=0; i<nhdr; i++) {
351 const gchar* hname = NULL;
354 guint8 hname_bytes[1024];
358 hcd = tvb_get_guint8(tvb, pos);
362 hid = tvb_get_guint8(tvb, pos);
365 hname = val_to_str(hid, rsp_header_codes, "UNKNOWN");
366 /* Content-Length header (encoded by 0x08) is special */
370 int hname_len = get_nstring(tvb, pos, hname_bytes, sizeof hname_bytes);
373 hname = (gchar*)hname_bytes; /* VERY EVIL */
381 hval_len = get_nstring(tvb, pos, hval, sizeof hval);
387 hname_value=ep_alloc(512);
388 g_snprintf(hname_value, 512, "%s : %s", hname, hval);
389 proto_tree_add_string(ajp13_tree, hf_ajp13_hval, tvb, orig_pos, dp, hname_value);
393 } else if (mcode == 6) {
395 proto_tree_add_item(ajp13_tree, hf_ajp13_rlen, tvb, pos, 2, 0);
398 } else if ( mcode == 9 ) {
401 /* MESSAGE DATA (COPOUT)
404 proto_tree_add_item(ajp13_tree, hf_ajp13_data, tvb, pos+2, -1, 0);
410 /* dissect a request body. see AJPv13.html, but the idea is that these
411 * packets, unlike all other packets, have no type field. you just
412 * sort of have to know that they're coming based on the previous
416 display_req_body(tvbuff_t *tvb, proto_tree *ajp13_tree, ajp13_conv_data* cd)
418 /*printf("ajp13:display_req_body()\n");*/
421 * In a resued connection this is never reset.
423 guint16 content_length;
425 content_length = tvb_get_ntohs( tvb, 4 );
426 cd->content_length -= content_length;
430 guint8 body_bytes[128*1024]; /* DANGER WILL ROBINSON */
436 proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
441 proto_tree_add_item(ajp13_tree, hf_ajp13_len, tvb, pos, 2, 0);
446 body_len = get_nstring(tvb, pos, body_bytes, sizeof body_bytes);
447 proto_tree_add_item(ajp13_tree, hf_ajp13_data, tvb, pos+2, body_len-1, 0);
453 /* note that even if ajp13_tree is null on the first pass, we still
454 * need to dissect the packet in order to determine if there is a
455 * content-length, and thus if there is a subsequent automatic
456 * request-body transmitted in the next request packet. if there is a
457 * content-length, we record the fact in the conversation context.
458 * ref the top of this file for comments explaining the multi-pass
462 display_req_forward(tvbuff_t *tvb, packet_info *pinfo,
463 proto_tree *ajp13_tree,
483 proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
487 proto_tree_add_item(ajp13_tree, hf_ajp13_len, tvb, pos, 2, 0);
492 cod = tvb_get_guint8(tvb, 4);
494 const gchar* msg_code = NULL;
496 msg_code = val_to_str(cod, mtype_codes, "UNKNOWN");
497 mcode_buf=ep_alloc(32);
498 g_snprintf(mcode_buf, 32, "(%d) %s", cod, msg_code);
499 proto_tree_add_string(ajp13_tree, hf_ajp13_code, tvb, pos, 1, mcode_buf);
503 if(check_col(pinfo->cinfo, COL_INFO))
504 col_append_str(pinfo->cinfo, COL_INFO, "CPING" );
508 /* HTTP METHOD (ENCODED AS INTEGER)
511 const gchar* meth_code = NULL;
512 meth = tvb_get_guint8(tvb, pos);
513 meth_code = val_to_str(meth, http_method_codes, "UNKNOWN");
516 mcode_buf=ep_alloc(32);
517 g_snprintf(mcode_buf, 32, "(%d) %s", meth, meth_code);
518 proto_tree_add_string(ajp13_tree, hf_ajp13_method, tvb, pos, 1, mcode_buf);
520 if(check_col(pinfo->cinfo, COL_INFO))
521 col_append_str(pinfo->cinfo, COL_INFO, meth_code);
525 /* HTTP VERSION STRING
527 ver_len = get_nstring(tvb, pos, ver, sizeof ver);
528 pos+=2; /* skip over size */
530 proto_tree_add_item(ajp13_tree, hf_ajp13_ver, tvb, pos, ver_len, 0);
531 pos=pos+ver_len; /* skip over chars + trailing null */
535 uri_len = get_nstring(tvb, pos, uri, sizeof uri);
536 pos+=2; /* skip over size */
538 proto_tree_add_item(ajp13_tree, hf_ajp13_uri, tvb, pos, uri_len, 0);
539 pos=pos+uri_len; /* skip over chars + trailing null */
542 if(check_col(pinfo->cinfo, COL_INFO))
543 col_append_fstr(pinfo->cinfo, COL_INFO, " %s %s", uri, ver);
548 raddr_len = get_nstring(tvb, pos, raddr, sizeof raddr);
549 pos+=2; /* skip over size */
551 proto_tree_add_item(ajp13_tree, hf_ajp13_raddr, tvb, pos, raddr_len, 0);
552 pos=pos+raddr_len; /* skip over chars + trailing null */
556 rhost_len = get_nstring(tvb, pos, rhost, sizeof rhost);
557 pos+=2; /* skip over size */
559 proto_tree_add_item(ajp13_tree, hf_ajp13_rhost, tvb, pos, rhost_len, 0);
560 pos=pos+rhost_len; /* skip over chars + trailing null */
564 srv_len = get_nstring(tvb, pos, srv, sizeof srv);
565 pos+=2; /* skip over size */
567 proto_tree_add_item(ajp13_tree, hf_ajp13_srv, tvb, pos, srv_len, 0);
568 pos=pos+srv_len; /* skip over chars + trailing null */
573 proto_tree_add_item(ajp13_tree, hf_ajp13_port, tvb, pos, 2, 0);
579 proto_tree_add_item(ajp13_tree, hf_ajp13_sslp, tvb, pos, 1, 0);
584 nhdr = tvb_get_ntohs(tvb, pos);
587 proto_tree_add_item(ajp13_tree, hf_ajp13_nhdr, tvb, pos, 2, 0);
589 cd->content_length = 0;
593 for(i=0; i<nhdr; i++) {
598 const gchar* hname = NULL;
606 hcd = tvb_get_guint8(tvb, pos);
610 hid = tvb_get_guint8(tvb, pos);
613 hname = val_to_str(hid, req_header_codes, "UNKNOWN");
620 hname_bytes=ep_alloc(1024);
621 hname_len = get_nstring(tvb, pos, hname_bytes, 1024);
623 hname = (gchar*)hname_bytes;
632 hval_len = get_nstring(tvb, pos, hval, 8192);
637 proto_tree_add_string_format(ajp13_tree, hf_ajp13_hval,
638 tvb, orig_pos, dp, hname,
639 "%s: %s", hname, hval);
643 cd->content_length = cl;
650 /* main dissector function. wireshark calls it for segments in both
654 dissect_ajp13_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
658 conversation_t *conv = NULL;
659 ajp13_conv_data *cd = NULL;
660 proto_tree *ajp13_tree = NULL;
661 ajp13_frame_data* fd = NULL;
663 /* conversational state really only does us good during the first
666 conv = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
667 pinfo->srcport, pinfo->destport, 0);
669 conv = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
670 pinfo->srcport, pinfo->destport, 0);
672 cd = (ajp13_conv_data*)conversation_get_proto_data(conv, proto_ajp13);
674 cd = se_alloc(sizeof(ajp13_conv_data));
675 cd->content_length = 0;
676 cd->was_get_body_chunk = FALSE;
677 conversation_add_proto_data(conv, proto_ajp13, cd);
680 /* we use the per segment user data to record the conversational
681 * state for use later on when we're called out of order (see
682 * comments at top of this file)
684 fd = (ajp13_frame_data*)p_get_proto_data(pinfo->fd, proto_ajp13);
686 /*printf("ajp13:dissect_ajp13_common():no frame data, adding");*/
687 /* since there's no per-packet user data, this must be the first
688 * time we've see the packet, and it must be the first "in order"
689 * pass through the data.
691 fd = se_alloc(sizeof(ajp13_frame_data));
692 p_add_proto_data(pinfo->fd, proto_ajp13, fd);
693 fd->is_request_body = FALSE;
694 if (cd->content_length) {
695 /* this is screwy, see AJPv13.html. the idea is that if the
696 * request has a body (as determined by the content-length
697 * header), then there's always an immediate follow-up PDU with
698 * no GET_BODY_CHUNK from the container.
700 fd->is_request_body = TRUE;
704 if (check_col(pinfo->cinfo, COL_INFO))
705 col_clear(pinfo->cinfo, COL_INFO);
707 mag = tvb_get_ntohs(tvb, 0);
708 len = tvb_get_ntohs(tvb, 2);
710 if (check_col(pinfo->cinfo, COL_PROTOCOL))
711 col_set_str(pinfo->cinfo, COL_PROTOCOL, "AJP13");
712 if (check_col(pinfo->cinfo, COL_INFO)) {
713 if (mag == 0x1234 && !fd->is_request_body)
714 col_append_fstr(pinfo->cinfo, COL_INFO, "%d:REQ:", conv->index);
715 else if (mag == 0x1234 && fd->is_request_body)
716 col_append_fstr(pinfo->cinfo, COL_INFO, "%d:REQ:Body", conv->index);
717 else if (mag == 0x4142)
718 col_append_fstr(pinfo->cinfo, COL_INFO, "%d:RSP:", conv->index);
720 col_set_str(pinfo->cinfo, COL_INFO, "AJP13 Error?");
725 ti = proto_tree_add_item(tree, proto_ajp13, tvb, 0, tvb_length(tvb), FALSE);
726 ajp13_tree = proto_item_add_subtree(ti, ett_ajp13);
731 if (fd->is_request_body)
732 display_req_body(tvb, ajp13_tree, cd);
734 display_req_forward(tvb, pinfo, ajp13_tree, cd);
736 } else if (mag == 0x4142) {
738 display_rsp(tvb, pinfo, ajp13_tree);
745 /* given the first chunk of the AJP13 pdu, extract out and return the
746 * packet length. see comments in packet-tcp.c:tcp_dissect_pdus().
749 get_ajp13_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
753 magic = tvb_get_ntohs(tvb, offset);
754 plen = tvb_get_ntohs(tvb, offset+2);
761 /* Code to actually dissect the packets.
764 dissect_ajp13(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
766 /* Set up structures needed to add the protocol subtree and manage it
768 tcp_dissect_pdus(tvb, pinfo, tree,
769 TRUE, /* desegment or not */
770 4, /* magic + length */
771 get_ajp13_pdu_len, /* use first 4, calc data len */
772 dissect_ajp13_tcp_pdu); /* the naive dissector */
778 proto_register_ajp13(void)
780 static hf_register_info hf[] = {
782 { "Magic", "ajp13.magic", FT_BYTES, BASE_NONE, NULL, 0x0, "Magic Number",
786 { "Length", "ajp13.len", FT_UINT16, BASE_DEC, NULL, 0x0, "Data Length",
790 { "Code", "ajp13.code", FT_STRING, BASE_NONE, NULL, 0x0, "Type Code",
794 { "Method", "ajp13.method", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Method",
798 { "Version", "ajp13.ver", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Version",
802 { "URI", "ajp13.uri", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP URI",
806 { "RADDR", "ajp13.raddr", FT_STRING, BASE_NONE, NULL, 0x0, "Remote Address",
810 { "RHOST", "ajp13.rhost", FT_STRING, BASE_NONE, NULL, 0x0, "Remote Host",
814 { "SRV", "ajp13.srv", FT_STRING, BASE_NONE, NULL, 0x0, "Server",
818 { "PORT", "ajp13.port", FT_UINT16, BASE_DEC, NULL, 0x0, "Port",
822 { "SSLP", "ajp13.sslp", FT_UINT8, BASE_DEC, NULL, 0x0, "Is SSL?",
826 { "NHDR", "ajp13.nhdr", FT_UINT16, BASE_DEC, NULL, 0x0, "Num Headers",
830 { "HNAME", "ajp13.hname", FT_STRING, BASE_NONE, NULL, 0x0, "Header Name",
834 { "HVAL", "ajp13.hval", FT_STRING, BASE_NONE, NULL, 0x0, "Header Value",
838 { "RLEN", "ajp13.rlen", FT_UINT16, BASE_DEC, NULL, 0x0, "Requested Length",
842 { "REUSEP", "ajp13.reusep", FT_UINT8, BASE_DEC, NULL, 0x0, "Reuse Connection?",
846 { "RSTATUS", "ajp13.rstatus", FT_UINT16, BASE_DEC, NULL, 0x0, "HTTP Status Code",
850 { "RSMSG", "ajp13.rmsg", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Status Message",
854 { "Data", "ajp13.data", FT_STRING, BASE_NONE, NULL, 0x0, NULL,
859 static gint *ett[] = {
863 /* Register the protocol name and description
865 proto_ajp13 = proto_register_protocol("Apache JServ Protocol v1.3", "AJP13", "ajp13");
867 proto_register_field_array(proto_ajp13, hf, array_length(hf));
868 proto_register_subtree_array(ett, array_length(ett));
875 proto_reg_handoff_ajp13(void)
877 dissector_handle_t ajp13_handle;
878 ajp13_handle = create_dissector_handle(dissect_ajp13, proto_ajp13);
879 dissector_add("tcp.port", 8009, ajp13_handle);