2 * Routines for SMTP packet disassembly
6 * Copyright (c) 2000 by Richard Sharpe <rsharpe@ns.aus.com>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1999 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
37 #include <epan/packet.h>
38 #include <epan/conversation.h>
39 #include <epan/addr_resolv.h>
40 #include <epan/prefs.h>
41 #include <epan/strutil.h>
42 #include <epan/emem.h>
43 #include <epan/reassemble.h>
46 #define TCP_PORT_SMTP 25
49 #define TCP_PORT_SUBMISSION 587
51 static int proto_smtp = -1;
53 static int hf_smtp_req = -1;
54 static int hf_smtp_rsp = -1;
55 static int hf_smtp_req_command = -1;
56 static int hf_smtp_req_parameter = -1;
57 static int hf_smtp_rsp_code = -1;
58 static int hf_smtp_rsp_parameter = -1;
60 static int hf_smtp_data_fragments = -1;
61 static int hf_smtp_data_fragment = -1;
62 static int hf_smtp_data_fragment_overlap = -1;
63 static int hf_smtp_data_fragment_overlap_conflicts = -1;
64 static int hf_smtp_data_fragment_multiple_tails = -1;
65 static int hf_smtp_data_fragment_too_long_fragment = -1;
66 static int hf_smtp_data_fragment_error = -1;
67 static int hf_smtp_data_reassembled_in = -1;
69 static int ett_smtp = -1;
70 static int ett_smtp_cmdresp = -1;
72 static gint ett_smtp_data_fragment = -1;
73 static gint ett_smtp_data_fragments = -1;
75 /* desegmentation of SMTP command and response lines */
76 static gboolean smtp_desegment = TRUE;
77 static gboolean smtp_data_desegment = TRUE;
79 static GHashTable *smtp_data_segment_table = NULL;
80 static GHashTable *smtp_data_reassembled_table = NULL;
82 static const fragment_items smtp_data_frag_items = {
83 /* Fragment subtrees */
84 &ett_smtp_data_fragment,
85 &ett_smtp_data_fragments,
87 &hf_smtp_data_fragments,
88 &hf_smtp_data_fragment,
89 &hf_smtp_data_fragment_overlap,
90 &hf_smtp_data_fragment_overlap_conflicts,
91 &hf_smtp_data_fragment_multiple_tails,
92 &hf_smtp_data_fragment_too_long_fragment,
93 &hf_smtp_data_fragment_error,
94 /* Reassembled in field */
95 &hf_smtp_data_reassembled_in,
100 static dissector_handle_t ssl_handle;
101 static dissector_handle_t imf_handle;
104 * A CMD is an SMTP command, MESSAGE is the message portion, and EOM is the
105 * last part of a message
107 #define SMTP_PDU_CMD 0
108 #define SMTP_PDU_MESSAGE 1
109 #define SMTP_PDU_EOM 2
111 struct smtp_proto_data {
113 guint16 conversation_id;
118 * State information stored with a conversation.
121 READING_CMDS, /* reading commands */
122 READING_DATA, /* reading message data */
123 AWAITING_STARTTLS_RESPONSE /* sent STARTTLS, awaiting response */
126 struct smtp_session_state {
127 smtp_state_t smtp_state; /* Current state */
128 gboolean crlf_seen; /* Have we seen a CRLF on the end of a packet */
129 gboolean data_seen; /* Have we seen a DATA command yet */
130 guint32 msg_read_len; /* Length of BDAT message read so far */
131 guint32 msg_tot_len; /* Total length of BDAT message */
132 gboolean msg_last; /* Is this the last BDAT chunk */
133 guint32 last_nontls_frame; /* last non-TLS frame; 0 if not known or no TLS */
139 * http://support.microsoft.com/default.aspx?scid=kb;[LN];812455
141 * for the Exchange extensions.
143 static const struct {
147 { "STARTTLS", 8 }, /* RFC 2487 */
148 { "X-EXPS", 6 }, /* Microsoft Exchange */
149 { "X-LINK2STATE", 12 }, /* Microsoft Exchange */
150 { "XEXCH50", 7 } /* Microsoft Exchange */
153 #define NCOMMANDS (sizeof commands / sizeof commands[0])
156 line_is_smtp_command(const guchar *command, int commandlen)
161 * To quote RFC 821, "Command codes are four alphabetic
164 * However, there are some SMTP extensions that involve commands
165 * longer than 4 characters and/or that contain non-alphabetic
166 * characters; we treat them specially.
168 * XXX - should we just have a table of known commands? Or would
169 * that fail to catch some extensions we don't know about?
171 if (commandlen == 4 && g_ascii_isalpha(command[0]) &&
172 g_ascii_isalpha(command[1]) && g_ascii_isalpha(command[2]) &&
173 g_ascii_isalpha(command[3])) {
174 /* standard 4-alphabetic command */
179 * Check the list of non-4-alphabetic commands.
181 for (i = 0; i < NCOMMANDS; i++) {
182 if (commandlen == commands[i].len &&
183 g_ascii_strncasecmp(command, commands[i].command, commands[i].len) == 0)
190 dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree)
195 while (tvb_offset_exists(tvb, offset)) {
197 * Find the end of the line.
199 tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
204 proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
206 tvb_format_text(tvb, offset, next_offset - offset));
209 * Step to the next line.
211 offset = next_offset;
217 dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
219 struct smtp_proto_data *frame_data;
220 proto_tree *smtp_tree = NULL;
221 proto_tree *cmdresp_tree;
222 proto_item *ti, *hidden_item;
225 conversation_t *conversation;
226 struct smtp_session_state *session_state;
227 const guchar *line, *linep, *lineend;
231 gint length_remaining;
232 gboolean eom_seen = FALSE;
235 gboolean is_continuation_line;
237 fragment_data *frag_msg = NULL;
240 /* As there is no guarantee that we will only see frames in the
241 * the SMTP conversation once, and that we will see them in
242 * order - in Wireshark, the user could randomly click on frames
243 * in the conversation in any order in which they choose - we
244 * have to store information with each frame indicating whether
245 * it contains commands or data or an EOM indication.
247 * XXX - what about frames that contain *both*? TCP is a
248 * byte-stream protocol, and there are no guarantees that
249 * TCP segment boundaries will correspond to SMTP commands
250 * or EOM indications.
252 * We only need that for the client->server stream; responses
253 * are easy to manage.
255 * If we have per frame data, use that, else, we must be on the first
256 * pass, so we figure it out on the first pass.
260 * Find the conversation for this.
262 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
263 pinfo->srcport, pinfo->destport, 0);
264 if (conversation == NULL) { /* No conversation, create one */
265 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
266 pinfo->srcport, pinfo->destport, 0);
270 * Is there a request structure attached to this conversation?
272 session_state = conversation_get_proto_data(conversation, proto_smtp);
273 if (!session_state) {
275 * No - create one and attach it.
277 session_state = se_alloc(sizeof(struct smtp_session_state));
278 session_state->smtp_state = READING_CMDS;
279 session_state->crlf_seen = FALSE;
280 session_state->data_seen = FALSE;
281 session_state->msg_read_len = 0;
282 session_state->msg_tot_len = 0;
283 session_state->msg_last = TRUE;
284 session_state->last_nontls_frame = 0;
286 conversation_add_proto_data(conversation, proto_smtp, session_state);
290 * FIXME In my understanding of RFC 2487 client and server can send SMTP cmds
291 * after a rejected TLS negotiation
293 if (session_state->last_nontls_frame != 0 && pinfo->fd->num > session_state->last_nontls_frame) {
294 guint16 save_can_desegment;
295 /* This is TLS, not raw SMTP. TLS can desegment */
296 save_can_desegment = pinfo->can_desegment;
297 pinfo->can_desegment = pinfo->saved_can_desegment;
298 call_dissector(ssl_handle, tvb, pinfo, tree);
299 pinfo->can_desegment = save_can_desegment;
303 /* Is this a request or a response? */
304 request = pinfo->destport == pinfo->match_port;
307 * Is there any data attached to this frame?
309 frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
319 * Create a frame data structure and attach it to the packet.
321 frame_data = se_alloc0(sizeof(struct smtp_proto_data));
323 frame_data->conversation_id = conversation->index;
324 frame_data->more_frags = TRUE;
326 p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
331 * Get the first line from the buffer.
333 * Note that "tvb_find_line_end()" will, if it doesn't return
334 * -1, return a value that is not longer than what's in the buffer,
335 * and "tvb_find_line_end()" will always return a value that is not
336 * longer than what's in the buffer, so the "tvb_get_ptr()" call
337 * won't throw an exception.
340 while (tvb_offset_exists(tvb, loffset)) {
341 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
342 smtp_desegment && pinfo->can_desegment);
344 if (offset == loffset) {
346 * We didn't find a line ending, and we're doing desegmentation;
347 * tell the TCP dissector where the data for this message starts
348 * in the data it handed us, and tell it we need more bytes
350 pinfo->desegment_offset = loffset;
351 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
354 linelen = tvb_length_remaining(tvb, loffset);
355 next_offset = loffset + linelen;
358 line = tvb_get_ptr(tvb, loffset, linelen);
361 * Check whether or not this packet is an end of message packet
362 * We should look for CRLF.CRLF and they may be split.
363 * We have to keep in mind that we may see what we want on
364 * two passes through here ...
366 if (session_state->smtp_state == READING_DATA) {
368 * The order of these is important ... We want to avoid
369 * cases where there is a CRLF at the end of a packet and a
370 * .CRLF at the begining of the same packet.
372 if ((session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
373 tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0)
376 length_remaining = tvb_length_remaining(tvb, loffset);
377 if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
378 tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0)
379 session_state->crlf_seen = TRUE;
381 session_state->crlf_seen = FALSE;
385 * OK, Check if we have seen a DATA request. We do it here for
386 * simplicity, but we have to be careful below.
389 if (session_state->smtp_state == READING_DATA) {
391 * This is message data.
393 if (eom_seen) { /* Seen the EOM */
396 * Everything that comes after it is commands.
398 frame_data->pdu_type = SMTP_PDU_EOM;
399 session_state->smtp_state = READING_CMDS;
403 * Message data with no EOM.
405 frame_data->pdu_type = SMTP_PDU_MESSAGE;
407 if (session_state->msg_tot_len > 0) {
409 * We are handling a BDAT message.
410 * Check if we have reached end of the data chunk.
412 session_state->msg_read_len += tvb_length_remaining(tvb, loffset);
414 if (session_state->msg_read_len == session_state->msg_tot_len) {
416 * We have reached end of BDAT data chunk.
417 * Everything that comes after this is commands.
419 session_state->smtp_state = READING_CMDS;
421 if (session_state->msg_last) {
423 * We have found the LAST data chunk.
424 * The message can now be reassembled.
426 frame_data->more_frags = FALSE;
429 break; /* no need to go through the remaining lines */
435 * This is commands - unless the capture started in the
436 * middle of a session, and we're in the middle of data.
438 * Commands are not necessarily 4 characters; look
439 * for a space or the end of the line to see where
440 * the putative command ends.
443 lineend = line + linelen;
444 while (linep < lineend && (c = *linep) != ' ')
446 cmdlen = linep - line;
447 if (line_is_smtp_command(line, cmdlen)) {
448 if (g_ascii_strncasecmp(line, "DATA", 4) == 0) {
451 * This is a command, but everything that comes after it,
452 * until an EOM, is data.
454 frame_data->pdu_type = SMTP_PDU_CMD;
455 session_state->smtp_state = READING_DATA;
456 session_state->data_seen = TRUE;
457 } else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) {
460 * This is a command, but everything that comes after it,
461 * until given length is received, is data.
465 msg_len = strtoul (line+5, NULL, 10);
467 frame_data->pdu_type = SMTP_PDU_CMD;
468 session_state->data_seen = TRUE;
469 session_state->msg_tot_len += msg_len;
472 /* No data to read, next will be a command */
473 session_state->smtp_state = READING_CMDS;
475 session_state->smtp_state = READING_DATA;
478 if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) {
480 * This is the last data chunk.
482 session_state->msg_last = TRUE;
486 * No more data to expect.
487 * The message can now be reassembled.
489 frame_data->more_frags = FALSE;
492 session_state->msg_last = FALSE;
494 } else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) {
497 * This is a command, but if the response is 220,
498 * everything after the response is TLS.
500 session_state->smtp_state = AWAITING_STARTTLS_RESPONSE;
501 frame_data->pdu_type = SMTP_PDU_CMD;
506 frame_data->pdu_type = SMTP_PDU_CMD;
510 * Assume it's message data.
512 frame_data->pdu_type = session_state->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
518 * Step past this line.
520 loffset = next_offset;
526 * From here, we simply add items to the tree and info to the info
530 if (check_col(pinfo->cinfo, COL_PROTOCOL))
531 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
533 if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */
534 col_clear(pinfo->cinfo, COL_INFO);
537 * If it is a request, we have to look things up, otherwise, just
538 * display the right things
542 /* We must have frame_data here ... */
543 switch (frame_data->pdu_type) {
544 case SMTP_PDU_MESSAGE:
546 length_remaining = tvb_length_remaining(tvb, offset);
547 col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
548 col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
549 plurality (length_remaining, "", "s"));
553 col_set_str(pinfo->cinfo, COL_INFO, "C: .");
558 while (tvb_offset_exists(tvb, loffset)) {
560 * Find the end of the line.
562 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
563 line = tvb_get_ptr(tvb, loffset, linelen);
565 if(loffset == offset)
566 col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
567 format_text(line, linelen));
569 col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
570 format_text(line, linelen));
573 loffset = next_offset;
579 while (tvb_offset_exists(tvb, loffset)) {
581 * Find the end of the line.
583 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
584 line = tvb_get_ptr(tvb, loffset, linelen);
586 if (loffset == offset)
587 col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
588 format_text(line, linelen));
590 col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
591 format_text(line, linelen));
594 loffset = next_offset;
599 if (tree) { /* Build the tree info ... */
600 ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, FALSE);
601 smtp_tree = proto_item_add_subtree(ti, ett_smtp);
606 * Check out whether or not we can see a command in there ...
607 * What we are looking for is not data_seen and the word DATA
610 * We will see DATA and session_state->data_seen when we process the
611 * tree view after we have seen a DATA packet when processing
612 * the packet list pane.
614 * On the first pass, we will not have any info on the packets
615 * On second and subsequent passes, we will.
617 switch (frame_data->pdu_type) {
619 case SMTP_PDU_MESSAGE:
620 if (smtp_data_desegment) {
621 frag_msg = fragment_add_seq_next(tvb, 0, pinfo, frame_data->conversation_id,
622 smtp_data_segment_table, smtp_data_reassembled_table,
623 tvb_length(tvb), frame_data->more_frags);
627 * Put its lines into the protocol tree, a line at a time.
629 dissect_smtp_data(tvb, offset, smtp_tree);
635 * End-of-message-body indicator.
637 * XXX - what about stuff after the first line?
638 * Unlikely, as the client should wait for a response to the
639 * DATA command this terminates before sending another
640 * request, but we should probably handle it.
642 proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
644 if (smtp_data_desegment) {
645 /* add final data segment */
647 fragment_add_seq_next(tvb, 0, pinfo, frame_data->conversation_id,
648 smtp_data_segment_table, smtp_data_reassembled_table,
649 loffset, frame_data->more_frags);
651 /* terminate the desegmentation */
652 frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table,
653 smtp_data_reassembled_table);
661 * XXX - what about stuff after the first line?
662 * Unlikely, as the client should wait for a response to the
663 * previous command before sending another request, but we
664 * should probably handle it.
668 while (tvb_offset_exists(tvb, loffset)) {
670 * Find the end of the line.
672 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
678 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb,
680 PROTO_ITEM_SET_HIDDEN(hidden_item);
683 * Put the command line into the protocol tree.
685 ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset,
687 tvb_format_text(tvb, loffset, next_offset - loffset));
688 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
690 proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
691 loffset, cmdlen, FALSE);
693 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
694 loffset + 5, linelen - 5, FALSE);
697 if (smtp_data_desegment && !frame_data->more_frags) {
698 /* terminate the desegmentation */
699 frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table,
700 smtp_data_reassembled_table);
704 * Step past this line.
706 loffset = next_offset;
710 if (smtp_data_desegment) {
711 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled DATA",
712 frag_msg, &smtp_data_frag_items, NULL, smtp_tree);
714 /* XXX: this is presumptious - we may have negotiated something else */
716 call_dissector(imf_handle, next_tvb, pinfo, tree);
720 * Put its lines into the protocol tree, a line at a time.
722 dissect_smtp_data(tvb, offset, smtp_tree);
725 pinfo->fragmented = FALSE;
727 pinfo->fragmented = TRUE;
732 * Process the response, a line at a time, until we hit a line
733 * that doesn't have a continuation indication on it.
736 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb,
738 PROTO_ITEM_SET_HIDDEN(hidden_item);
741 while (tvb_offset_exists(tvb, offset)) {
743 * Find the end of the line.
745 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
749 * Put it into the protocol tree.
751 ti = proto_tree_add_text(smtp_tree, tvb, offset,
752 next_offset - offset, "Response: %s",
753 tvb_format_text(tvb, offset,
754 next_offset - offset));
755 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
760 * Is it a continuation line?
762 is_continuation_line =
763 (linelen >= 4 && tvb_get_guint8(tvb, offset + 3) == '-');
765 line = tvb_get_ptr(tvb, offset, linelen);
766 if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
767 && isdigit(line[2])) {
769 * We have a 3-digit response code.
771 code = (line[0] - '0')*100 + (line[1] - '0')*10 + (line[2] - '0');
774 * If we're awaiting the response to a STARTTLS code, this
775 * is it - if it's 220, all subsequent traffic will
776 * be TLS, otherwise we're back to boring old SMTP.
778 if (session_state->smtp_state == AWAITING_STARTTLS_RESPONSE) {
780 /* This is the last non-TLS frame. */
781 session_state->last_nontls_frame = pinfo->fd->num;
782 session_state->smtp_state = READING_DATA;
784 session_state->smtp_state = READING_CMDS;
789 * Put the response code and parameters into the protocol tree.
791 proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3,
795 proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
796 offset + 4, linelen - 4, FALSE);
802 * Step past this line.
804 offset = next_offset;
807 * If it's not a continuation line, quit.
809 /* if (!is_continuation_line)
815 static void smtp_data_reassemble_init (void)
817 fragment_table_init (&smtp_data_segment_table);
818 reassembled_table_init (&smtp_data_reassembled_table);
822 /* Register all the bits needed by the filtering engine */
825 proto_register_smtp(void)
827 static hf_register_info hf[] = {
829 { "Request", "smtp.req", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "", HFILL }},
832 { "Response", "smtp.rsp", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "", HFILL }},
834 { &hf_smtp_req_command,
835 { "Command", "smtp.req.command", FT_STRING, BASE_NONE, NULL, 0x0,
838 { &hf_smtp_req_parameter,
839 { "Request parameter", "smtp.req.parameter", FT_STRING, BASE_NONE, NULL, 0x0,
843 { "Response code", "smtp.response.code", FT_UINT32, BASE_DEC, NULL, 0x0,
846 { &hf_smtp_rsp_parameter,
847 { "Response parameter", "smtp.rsp.parameter", FT_STRING, BASE_NONE, NULL, 0x0,
850 /* Fragment entries */
851 { &hf_smtp_data_fragments,
852 { "DATA fragments", "smtp.data.fragments", FT_NONE, BASE_NONE,
853 NULL, 0x00, "Message fragments", HFILL } },
854 { &hf_smtp_data_fragment,
855 { "DATA fragment", "smtp.data.fragment", FT_FRAMENUM, BASE_NONE,
856 NULL, 0x00, "Message fragment", HFILL } },
857 { &hf_smtp_data_fragment_overlap,
858 { "DATA fragment overlap", "smtp.data.fragment.overlap", FT_BOOLEAN,
859 BASE_NONE, NULL, 0x00, "Message fragment overlap", HFILL } },
860 { &hf_smtp_data_fragment_overlap_conflicts,
861 { "DATA fragment overlapping with conflicting data",
862 "smtp.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL,
863 0x00, "Message fragment overlapping with conflicting data", HFILL } },
864 { &hf_smtp_data_fragment_multiple_tails,
865 { "DATA has multiple tail fragments",
866 "smtp.data.fragment.multiple_tails", FT_BOOLEAN, BASE_NONE,
867 NULL, 0x00, "Message has multiple tail fragments", HFILL } },
868 { &hf_smtp_data_fragment_too_long_fragment,
869 { "DATA fragment too long", "smtp.data.fragment.too_long_fragment",
870 FT_BOOLEAN, BASE_NONE, NULL, 0x00, "Message fragment too long",
872 { &hf_smtp_data_fragment_error,
873 { "DATA defragmentation error", "smtp.data.fragment.error", FT_FRAMENUM,
874 BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } },
875 { &hf_smtp_data_reassembled_in,
876 { "Reassembled DATA in frame", "smtp.data.reassembled.in", FT_FRAMENUM, BASE_NONE,
877 NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } },
879 static gint *ett[] = {
882 &ett_smtp_data_fragment,
883 &ett_smtp_data_fragments,
886 module_t *smtp_module;
888 proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
891 proto_register_field_array(proto_smtp, hf, array_length(hf));
892 proto_register_subtree_array(ett, array_length(ett));
893 register_init_routine (&smtp_data_reassemble_init);
895 /* Allow dissector to find be found by name. */
896 register_dissector("smtp", dissect_smtp, proto_smtp);
899 smtp_module = prefs_register_protocol(proto_smtp, NULL);
900 prefs_register_bool_preference(smtp_module, "desegment_lines",
901 "Reassemble SMTP command and response lines\nspanning multiple TCP segments",
902 "Whether the SMTP dissector should reassemble command and response lines spanning multiple TCP segments."
903 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
906 prefs_register_bool_preference(smtp_module, "desegment_data",
907 "Reassemble SMTP DATA commands spanning multiple TCP segments",
908 "Whether the SMTP dissector should reassemble DATA command and lines spanning multiple TCP segments."
909 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
910 &smtp_data_desegment);
914 /* The registration hand-off routine */
916 proto_reg_handoff_smtp(void)
918 dissector_handle_t smtp_handle;
920 smtp_handle = find_dissector("smtp");
921 dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle);
922 dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle);
924 /* find the IMF dissector */
925 imf_handle = find_dissector("imf");
927 /* find the SSL dissector */
928 ssl_handle = find_dissector("ssl");