2 * Routines for ftp packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * Copyright 2001, Juan Toledo <toledo@users.sourceforge.net> (Passive FTP)
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * Copied from packet-pop.c
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #include <epan/packet.h>
40 #include <epan/strutil.h>
41 #include <epan/conversation.h>
42 #include <epan/emem.h>
/* Protocol ids; both start at -1 and are assigned in proto_register_ftp(). */
44 static int proto_ftp = -1;
45 static int proto_ftp_data = -1;
/*
 * Header-field ids, all starting at -1. The pasv_* and active_* fields
 * carry the address, port and NAT flag decoded from PASV replies and
 * PORT requests in dissect_ftp().
 */
46 static int hf_ftp_response = -1;
47 static int hf_ftp_request = -1;
48 static int hf_ftp_request_command = -1;
49 static int hf_ftp_request_arg = -1;
50 static int hf_ftp_response_code = -1;
51 static int hf_ftp_response_arg = -1;
52 static int hf_ftp_pasv_ip = -1 ;
53 static int hf_ftp_pasv_port = -1;
54 static int hf_ftp_pasv_nat = -1;
55 static int hf_ftp_active_ip = -1;
56 static int hf_ftp_active_port = -1;
57 static int hf_ftp_active_nat = -1;
/* Subtree ids passed to proto_item_add_subtree(). */
59 static gint ett_ftp = -1;
60 static gint ett_ftp_reqresp = -1;
61 static gint ett_ftp_data = -1;
/* Handle for the FTP-DATA dissector; assigned in proto_register_ftp(). */
63 static dissector_handle_t ftpdata_handle;
/* TCP ports registered for the data and control dissectors in proto_reg_handoff_ftp(). */
65 #define TCP_PORT_FTPDATA 20
66 #define TCP_PORT_FTP 21
/*
 * Display strings for FTP reply codes. The table is attached to
 * hf_ftp_response_code through VALS(response_table) in
 * proto_register_ftp().
 */
68 static const value_string response_table[] = {
69 { 110, "Restart marker reply" },
70 { 120, "Service ready in nnn minutes" },
71 { 125, "Data connection already open; transfer starting" },
72 { 150, "File status okay; about to open data connection" },
73 { 200, "Command okay" },
74 { 202, "Command not implemented, superfluous at this site" },
75 { 211, "System status, or system help reply" },
76 { 212, "Directory status" },
77 { 213, "File status" },
78 { 214, "Help message" },
79 { 215, "NAME system type" },
80 { 220, "Service ready for new user" },
81 { 221, "Service closing control connection" },
82 { 225, "Data connection open; no transfer in progress" },
83 { 226, "Closing data connection" },
84 { 227, "Entering Passive Mode" },
85 { 230, "User logged in, proceed" },
86 { 250, "Requested file action okay, completed" },
87 { 257, "PATHNAME created" },
88 { 331, "User name okay, need password" },
89 { 332, "Need account for login" },
90 { 350, "Requested file action pending further information" },
91 { 421, "Service not available, closing control connection" },
92 { 425, "Can't open data connection" },
93 { 426, "Connection closed; transfer aborted" },
94 { 450, "Requested file action not taken" },
95 { 451, "Requested action aborted: local error in processing" },
96 { 452, "Requested action not taken. Insufficient storage space in system" },
97 { 500, "Syntax error, command unrecognized" },
98 { 501, "Syntax error in parameters or arguments" },
99 { 502, "Command not implemented" },
100 { 503, "Bad sequence of commands" },
101 { 504, "Command not implemented for that parameter" },
102 { 530, "Not logged in" },
103 { 532, "Need account for storing files" },
104 { 550, "Requested action not taken: File unavailable" },
105 { 551, "Requested action aborted: page type unknown" },
106 { 552, "Requested file action aborted: Exceeded storage allocation" },
107 { 553, "Requested action not taken: File name not allowed" },
112 dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
115 * Parse the address and port information in a PORT command or in the
116 * response to a PASV command. Return TRUE if we found an address and
117 * port, and supply the address and port; return FALSE if we didn't find
120 * We ignore the IP address in the reply, and use the address from which
123 * XXX - are there cases where they differ? What if the FTP server is
124 * behind a NAT box, so that the address it puts into the reply isn't
125 * the address at which you should contact it? Do all NAT boxes detect
126 * FTP PASV replies and rewrite the address? (I suspect not.)
128 * RFC 959 doesn't say much about the syntax of the 227 reply.
130 * A proposal from Dan Bernstein at
132 * http://cr.yp.to/ftp/retr.html
134 * "recommend[s] that clients use the following strategy to parse the
135 * response line: look for the first digit after the initial space; look
136 * for the fourth comma after that digit; read two (possibly negative)
137 * integers, separated by a comma; the TCP port number is p1*256+p2, where
138 * p1 is the first integer modulo 256 and p2 is the second integer modulo
141 * wget 1.5.3 looks for a digit, although it doesn't handle negative
144 * The FTP code in the source of the cURL library, at
146 * http://curl.haxx.se/lxr/source/lib/ftp.c
148 * says that cURL "now scans for a sequence of six comma-separated numbers
149 * and will take them as IP+port indicators"; it loops, doing "sscanf"s
150 * looking for six numbers separated by commas, stepping the start pointer
151 * in the scanf one character at a time - i.e., it tries rather exhaustively.
153 * An optimization would be to scan for a digit, and start there, and if
154 * the scanf doesn't find six values, scan for the next digit and try
155 * again; this will probably succeed on the first try.
157 * The cURL code also says that "found reply-strings include":
159 * "227 Entering Passive Mode (127,0,0,1,4,51)"
160 * "227 Data transfer will passively listen to 127,0,0,1,4,51"
161 * "227 Entering passive mode. 127,0,0,1,4,51"
163 * so it appears that you can't assume there are parentheses around
164 * the address and port number.
167 parse_port_pasv(const guchar *line, int linelen, guint32 *ftp_ip,
174 int address[4], port[2];
175 gboolean ret = FALSE;
178 * Copy the rest of the line into a null-terminated buffer.
/*
 * NOTE(review): linelen is used unchecked as both the allocation size
 * (linelen + 1) and the memcpy length. Both callers in dissect_ftp()
 * pass a length that has had the command or reply-code prefix
 * subtracted; presumably it cannot go negative - TODO confirm.
 */
180 args = ep_alloc(linelen + 1);
181 memcpy(args, line, linelen);
182 args[linelen] = '\0';
189 while ((c = *p) != '\0' && !isdigit(c))
194 * We ran out of text without finding anything.
200 * See if we have six numbers.
/*
 * The six values are read with %d from packet text, so each of them
 * may be negative or larger than 255.
 */
202 i = sscanf(p, "%d,%d,%d,%d,%d,%d",
203 &address[0], &address[1], &address[2], &address[3],
/*
 * The port bytes are masked to 8 bits before being combined; the
 * address octets are not.
 * NOTE(review): an out-of-range octet therefore spills into the
 * neighbouring octets of *ftp_ip. Left-shifting a negative int, or a
 * value whose result does not fit in int, is undefined in C (this
 * includes a first octet of 128 or more shifted by 24). Masking each
 * address[] value with 0xFF and combining them as unsigned values, as
 * is done for port[], would keep the result well defined.
 * NOTE(review): the parsed address is returned through *ftp_ip here,
 * so the header remark about ignoring the IP address in the reply does
 * not describe this code.
 */
209 *ftp_port = ((port[0] & 0xFF)<<8) | (port[1] & 0xFF);
210 *ftp_ip = g_htonl((address[0] << 24) | (address[1] <<16) | (address[2] <<8) | address[3]);
216 * Well, that didn't work. Skip the first number we found,
219 while ((c = *p) != '\0' && isdigit(c))
/*
 * Dissect one FTP control-channel segment: label the columns, add the
 * first line to the tree as a request or response, decode the address
 * and port carried by a PORT request or a PASV reply, and show any
 * remaining lines as text.
 */
227 dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
230 proto_tree *ftp_tree = NULL;
231 proto_tree *reqresp_tree = NULL;
237 gboolean is_port_request = FALSE;
238 gboolean is_pasv_response = FALSE;
242 const guchar *next_token;
246 address ftp_ip_address;
248 conversation_t *conversation;
/* Start from the packet source address; replaced below when a PORT or PASV address is parsed. */
250 ftp_ip_address = pinfo->src;
252 if (pinfo->match_port == pinfo->destport)
257 if (check_col(pinfo->cinfo, COL_PROTOCOL))
258 col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP");
261 * Find the end of the first line.
263 * Note that "tvb_find_line_end()" will return a value that is
264 * not longer than what's in the buffer, so the "tvb_get_ptr()"
265 * call won't throw an exception.
267 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
268 line = tvb_get_ptr(tvb, offset, linelen);
270 if (check_col(pinfo->cinfo, COL_INFO)) {
272 * Put the first line from the buffer into the summary
273 * (but leave out the line terminator).
275 col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
276 is_request ? "Request" : "Response",
277 format_text(line, linelen));
281 ti = proto_tree_add_item(tree, proto_ftp, tvb, offset, -1,
283 ftp_tree = proto_item_add_subtree(ti, ett_ftp);
286 proto_tree_add_boolean_hidden(ftp_tree,
287 hf_ftp_request, tvb, 0, 0, TRUE);
288 proto_tree_add_boolean_hidden(ftp_tree,
289 hf_ftp_response, tvb, 0, 0, FALSE);
291 proto_tree_add_boolean_hidden(ftp_tree,
292 hf_ftp_request, tvb, 0, 0, FALSE);
293 proto_tree_add_boolean_hidden(ftp_tree,
294 hf_ftp_response, tvb, 0, 0, TRUE);
298 * Put the line into the protocol tree.
300 ti = proto_tree_add_text(ftp_tree, tvb, offset,
301 next_offset - offset, "%s",
302 tvb_format_text(tvb, offset, next_offset - offset));
303 reqresp_tree = proto_item_add_subtree(ti, ett_ftp_reqresp);
308 * Extract the first token, and, if there is a first
309 * token, add it as the request.
311 tokenlen = get_token_len(line, line + linelen, &next_token);
314 proto_tree_add_item(reqresp_tree,
315 hf_ftp_request_command, tvb, offset,
/*
 * NOTE(review): the comparison is limited to tokenlen bytes, so a
 * shorter token that is a prefix of PORT (for example a lone P) also
 * sets is_port_request, and the active IP and port fields are then
 * shown for a command that is not PORT. Checking tokenlen against the
 * length of the command name as well would make the match exact.
 */
318 if (strncmp(line, "PORT", tokenlen) == 0)
319 is_port_request = TRUE;
323 * This is a response; the response code is 3 digits,
324 * followed by a space or hyphen, possibly followed by
327 * If the line doesn't start with 3 digits, it's part of
330 * XXX - keep track of state in the first pass, and
331 * treat non-continuation lines not beginning with digits
334 if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
335 && isdigit(line[2])) {
337 * One-line reply, or first or last line
338 * of a multi-line reply.
340 tvb_get_nstringz0(tvb, offset, sizeof(code_str), code_str);
341 code = strtoul(code_str, NULL, 10);
344 proto_tree_add_uint(reqresp_tree,
345 hf_ftp_response_code, tvb, offset, 3, code);
349 * See if it's a passive-mode response.
351 * XXX - check for "229" responses to EPSV
352 * commands, to handle IPv6, as per RFC 2428?
354 * XXX - does anybody do FOOBAR, as per RFC
355 * 1639, or has that been supplanted by RFC 2428?
358 is_pasv_response = TRUE;
361 * Skip the 3 digits and, if present, the
365 next_token = line + 4;
367 next_token = line + linelen;
370 * Line doesn't start with 3 digits; assume it's
371 * a line in the middle of a multi-line reply.
/* Step past the command token or reply code; what is left of the line is the argument text. */
376 offset += next_token - line;
377 linelen -= next_token - line;
382 * Add the rest of the first line as request or
387 proto_tree_add_item(reqresp_tree,
388 hf_ftp_request_arg, tvb, offset,
391 proto_tree_add_item(reqresp_tree,
392 hf_ftp_response_arg, tvb, offset,
396 offset = next_offset;
400 * If this is a PORT request or a PASV response, handle it.
402 if (is_port_request) {
403 if (parse_port_pasv(line, linelen, &ftp_ip,
406 proto_tree_add_ipv4(reqresp_tree,
407 hf_ftp_active_ip, tvb, 0, 0,
409 proto_tree_add_uint(reqresp_tree,
410 hf_ftp_active_port, tvb, 0, 0,
413 SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4,
414 (const guint8 *)&ftp_ip);
415 ftp_nat = !ADDRESSES_EQUAL(&pinfo->src,
419 proto_tree_add_boolean(
421 hf_ftp_active_nat, tvb,
428 if (is_pasv_response) {
431 * This frame contains a PASV response; set up a
432 * conversation for the data.
434 if (parse_port_pasv(line, linelen, &pasv_ip,
437 proto_tree_add_ipv4(reqresp_tree,
438 hf_ftp_pasv_ip, tvb, 0, 0, pasv_ip);
439 proto_tree_add_uint(reqresp_tree,
440 hf_ftp_pasv_port, tvb, 0, 0,
443 SET_ADDRESS(&ftp_ip_address, AT_IPv4, 4,
444 (const guint8 *)&pasv_ip);
445 ftp_nat = !ADDRESSES_EQUAL(&pinfo->src,
449 proto_tree_add_boolean(reqresp_tree,
450 hf_ftp_pasv_nat, tvb, 0, 0,
456 * We use "ftp_ip_address", so that if
457 * we're NAT'd we look for the un-NAT'd
460 * XXX - should this call to
461 * "find_conversation()" just use
462 * "ftp_ip_address" and "server_port", and
463 * wildcard everything else?
/*
 * NOTE(review): ftp_ip_address was set above from the address parsed
 * out of the reply text, and ftp_port is presumably the port returned
 * by the same parse_port_pasv() call - TODO confirm. Both values are
 * therefore chosen by whoever sent the reply, and they key the
 * conversation that is looked up here and created below with a
 * dissector attached through conversation_set_dissector().
 */
465 conversation = find_conversation(pinfo->fd->num, &ftp_ip_address,
466 &pinfo->dst, PT_TCP, ftp_port, 0,
468 if (conversation == NULL) {
470 * XXX - should this call to
471 * "conversation_new()" just use
472 * "ftp_ip_address" and "server_port",
473 * and wildcard everything else?
475 * XXX - what if we did find a
476 * conversation? As we create it
477 * only on the first pass through
478 * the packets, if we find one, it's
479 * presumably an unrelated conversation.
480 * Should we remove the old one from
481 * the hash table and put this one in
482 * its place? Can the conversation
483 * code handle conversations not in
484 * the hash table? Or should we
485 * make conversations support
486 * start and end frames, as circuits
487 * do, and treat this as an indication
488 * that one conversation was closed
489 * and a new one was opened?
491 conversation = conversation_new(
492 pinfo->fd->num, &ftp_ip_address, &pinfo->dst,
493 PT_TCP, ftp_port, 0, NO_PORT2);
494 conversation_set_dissector(conversation,
503 * Show the rest of the request or response as text,
505 * XXX - only if there's a continuation indicator?
507 while (tvb_offset_exists(tvb, offset)) {
509 * Find the end of the line.
511 linelen = tvb_find_line_end(tvb, offset, -1,
512 &next_offset, FALSE);
517 proto_tree_add_text(ftp_tree, tvb, offset,
518 next_offset - offset, "%s",
519 tvb_format_text(tvb, offset, next_offset - offset));
520 offset = next_offset;
/*
 * Dissect one segment of an FTP data connection: label the columns and
 * add the payload to the tree as a single text item.
 */
526 dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
528 proto_tree *ti, *ftp_data_tree;
531 if (check_col(pinfo->cinfo, COL_PROTOCOL))
532 col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP-DATA");
534 if (check_col(pinfo->cinfo, COL_INFO)) {
535 col_add_fstr(pinfo->cinfo, COL_INFO, "FTP Data: %u bytes",
536 tvb_reported_length(tvb));
/*
 * The Info column above reports tvb_reported_length(), while the tree
 * item below covers tvb_length() bytes; the two can differ.
 */
540 data_length = tvb_length(tvb);
542 ti = proto_tree_add_item(tree, proto_ftp_data, tvb, 0, -1,
544 ftp_data_tree = proto_item_add_subtree(ti, ett_ftp_data);
547 * XXX - if this is binary data, it'll produce
548 * a *really* long line.
/*
 * NOTE(review): the whole payload of the segment is passed through
 * tvb_format_text() into one label, for every data segment and with no
 * cap on data_length visible here.
 */
550 proto_tree_add_text(ftp_data_tree, tvb, 0, data_length,
551 "FTP Data: %s", tvb_format_text(tvb, 0, data_length));
/*
 * Register the FTP and FTP-DATA protocols, the header fields listed in
 * hf[] and the subtrees listed in ett[], and create the FTP-DATA
 * dissector handle.
 */
556 proto_register_ftp(void)
558 static hf_register_info hf[] = {
560 { "Response", "ftp.response",
561 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
562 "TRUE if FTP response", HFILL }},
565 { "Request", "ftp.request",
566 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
567 "TRUE if FTP request", HFILL }},
569 { &hf_ftp_request_command,
570 { "Request command", "ftp.request.command",
571 FT_STRING, BASE_NONE, NULL, 0x0,
574 { &hf_ftp_request_arg,
575 { "Request arg", "ftp.request.arg",
576 FT_STRING, BASE_NONE, NULL, 0x0,
579 { &hf_ftp_response_code,
580 { "Response code", "ftp.response.code",
581 FT_UINT32, BASE_DEC, VALS(response_table), 0x0,
584 { &hf_ftp_response_arg,
585 { "Response arg", "ftp.response.arg",
586 FT_STRING, BASE_NONE, NULL, 0x0,
590 { "Passive IP address", "ftp.passive.ip",
591 FT_IPv4, BASE_NONE, NULL,0x0,
592 "Passive IP address (check NAT)", HFILL}},
595 { "Passive port", "ftp.passive.port",
596 FT_UINT16, BASE_DEC, NULL,0x0,
597 "Passive FTP server port", HFILL }},
600 {"Passive IP NAT", "ftp.passive.nat",
601 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
602 "NAT is active SIP and passive IP different", HFILL }},
605 { "Active IP address", "ftp.active.cip",
606 FT_IPv4, BASE_NONE, NULL, 0x0,
607 "Active FTP client IP address", HFILL }},
609 { &hf_ftp_active_port,
610 {"Active port", "ftp.active.port",
611 FT_UINT16, BASE_DEC, NULL, 0x0,
612 "Active FTP client port", HFILL }},
614 { &hf_ftp_active_nat,
615 { "Active IP NAT", "ftp.active.nat",
616 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
617 "NAT is active", HFILL}}
620 static gint *ett[] = {
626 proto_ftp = proto_register_protocol("File Transfer Protocol (FTP)", "FTP",
628 proto_ftp_data = proto_register_protocol("FTP Data", "FTP-DATA", "ftp-data");
629 proto_register_field_array(proto_ftp, hf, array_length(hf));
630 proto_register_subtree_array(ett, array_length(ett));
/*
 * This assigns the file-scope ftpdata_handle.
 * NOTE(review): proto_reg_handoff_ftp() declares a local with the same
 * name and calls create_dissector_handle() again, so two handles end
 * up existing for dissect_ftpdata.
 */
632 ftpdata_handle = create_dissector_handle(dissect_ftpdata, proto_ftp_data);
/*
 * Attach the dissectors to their TCP ports: dissect_ftpdata to
 * TCP_PORT_FTPDATA and dissect_ftp to TCP_PORT_FTP.
 */
636 proto_reg_handoff_ftp(void)
/*
 * NOTE(review): this local ftpdata_handle shadows the file-scope static
 * that proto_register_ftp() already assigned, so the handle created on
 * the next line is a second, separate one. Declaring only ftp_handle
 * here and reusing the existing handle would avoid the duplicate.
 */
638 dissector_handle_t ftpdata_handle, ftp_handle;
640 ftpdata_handle = create_dissector_handle(dissect_ftpdata, proto_ftp_data);
641 dissector_add("tcp.port", TCP_PORT_FTPDATA, ftpdata_handle);
642 ftp_handle = create_dissector_handle(dissect_ftp, proto_ftp);
643 dissector_add("tcp.port", TCP_PORT_FTP, ftp_handle);