2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
27 * The Version 5 decoder is based upon rfc-1928
28 * The Version 5 User/Password authentication is based on rfc-1929.
32 * http://www.socks.permeo.com/TechnicalResources/ProtocolDocuments.asp
34 * for these and other documents. See
36 * http://www.socks.nec.com/protocol/socks4a.protocol
38 * for information on SOCKS version 4a.
42 * 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel
43 * causing heap overflow because of an infinite loop
44 * where the socks dissect was call over and over.
46 * Also remove some old code marked with __JUNK__
48 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
49 * Now test and exit if hash_info is null.
52 /* Possible enhancements -
54 * Add GSS-API authentication per rfc-1961
55 * Add CHAP authentication
56 * Decode FLAG bits per
57 * http://archive.socks.permeo.com/draft/draft-ietf-aft-socks-pro-v5-04.txt
58 * In call_next_dissector, could load the destination address into
59 * pinfo->src or pinfo->dst structure before calling next dissector.
60 * remove display_string or at least make it use protocol identifiers
61 * socks_hash_entry_t needs to handle V5 address type and domain names
76 #include <epan/packet.h>
77 #include <epan/resolv.h>
78 #include <epan/conversation.h>
80 #include "packet-tcp.h"
81 #include "packet-udp.h"
82 #include <epan/strutil.h>
85 #define compare_packet(X) (X == (pinfo->fd->num))
86 #define get_packet_ptr (pinfo->fd->num)
87 #define row_pointer_type guint32
89 #define TCP_PORT_SOCKS 1080
92 /**************** Socks commands ******************/
94 #define CONNECT_COMMAND 1
95 #define BIND_COMMAND 2
96 #define UDP_ASSOCIATE_COMMAND 3
97 #define PING_COMMAND 0x80
98 #define TRACERT_COMMAND 0x81
101 /********** V5 Authentication methods *************/
103 #define NO_AUTHENTICATION 0
104 #define GSS_API_AUTHENTICATION 1
105 #define USER_NAME_AUTHENTICATION 2
106 #define CHAP_AUTHENTICATION 3
107 #define AUTHENTICATION_FAILED 0xff
109 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
111 static int in_socks_dissector_flag = 0; /* set to 1 to avoid recursive overflow */
113 /*********** Header field identifiers *************/
115 static int proto_socks = -1;
117 static int ett_socks = -1;
118 static int ett_socks_auth = -1;
119 static int ett_socks_name = -1;
121 static int hf_socks_ver = -1;
122 static int hf_socks_ip_dst = -1;
123 static int hf_socks_ip6_dst = -1;
124 static int hf_user_name = -1;
125 static int hf_v4a_dns_name = -1;
126 static int hf_socks_dstport = -1;
127 static int hf_socks_cmd = -1;
128 static int hf_socks_results = -1;
129 static int hf_socks_results_4 = -1;
130 static int hf_socks_results_5 = -1;
133 /************* Dissector handles ***********/
135 static dissector_handle_t socks_handle;
136 static dissector_handle_t socks_udp_handle;
138 /************* State Machine names ***********/
164 guint32 udp_remote_port;
167 row_pointer_type v4_name_row;
168 row_pointer_type v4_user_name_row;
169 row_pointer_type connect_row;
170 row_pointer_type cmd_reply_row;
171 row_pointer_type bind_reply_row;
172 row_pointer_type command_row;
173 row_pointer_type auth_method_row;
174 row_pointer_type user_name_auth_row;
175 row_pointer_type auth_version;
176 guint32 start_done_row;
178 guint32 dst_addr; /* this needs to handle IPv6 */
184 static char *address_type_table[] = {
194 /* String table for the V4 reply status messages */
196 static const value_string reply_table_v4[] = {
198 {91, "Rejected or Failed"},
199 {92, "Rejected because SOCKS server cannot connect to identd on the client"},
200 {93, "Rejected because the client program and identd report different user-ids"},
204 /* String table for the V5 reply status messages */
206 static const value_string reply_table_v5[] = {
208 {1, "General SOCKS server failure"},
209 {2, "Connection not allowed by ruleset"},
210 {3, "Network unreachable"},
211 {4, "Host unreachable"},
212 {5, "Connection refused"},
214 {7, "Command not supported"},
215 {8, "Address type not supported"},
219 static const value_string cmd_strings[] = {
225 {0x81, "Traceroute"},
229 #define socks_hash_init_count 20
230 #define socks_hash_val_length (sizeof(socks_hash_entry_t))
232 static GMemChunk *socks_vals = NULL;
235 /************************* Support routines ***************************/
238 static int display_string(tvbuff_t *tvb, int offset,
239 proto_tree *tree, char *label){
241 /* display a string with a length, characters encoding */
242 /* they are displayed under a tree with the name in Label variable */
243 /* return the length of the string and the length byte */
246 proto_tree *name_tree;
250 int length = tvb_get_guint8(tvb, offset);
252 tvb_memcpy(tvb, (guint8 *)temp, offset+1, length);
255 ti = proto_tree_add_text(tree, tvb, offset, length + 1,
256 "%s: %s" , label, temp);
259 name_tree = proto_item_add_subtree(ti, ett_socks_name);
261 proto_tree_add_text( name_tree, tvb, offset, 1, "Length: %u", length);
265 proto_tree_add_text( name_tree, tvb, offset, length, "String: %s", temp);
272 static char *get_auth_method_name( guint Number){
274 /* return the name of the authenication method */
276 if ( Number == 0) return "No authentication";
277 if ( Number == 1) return "GSSAPI";
278 if ( Number == 2) return "Username/Password";
279 if ( Number == 3) return "Chap";
280 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
281 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
282 if ( Number == 0xff) return "no acceptable method";
284 /* shouldn't reach here */
286 return "Bad method number (not 0-0xff)";
290 static char *get_command_name( guint Number){
292 /* return the name of the command as a string */
294 if ( Number == 0) return "Unknow";
295 if ( Number == 1) return "Connect";
296 if ( Number == 2) return "Bind";
297 if ( Number == 3) return "UdpAssociate";
298 if ( Number == 0x80) return "Ping";
299 if ( Number == 0x81) return "Traceroute";
304 static int display_address(tvbuff_t *tvb, int offset, proto_tree *tree) {
306 /* decode and display the v5 address, return offset of next byte */
308 int a_type = tvb_get_guint8(tvb, offset);
310 proto_tree_add_text( tree, tvb, offset, 1,
311 "Address Type: %d (%s)", a_type,
312 address_type_table[ MIN( (guint) a_type,
313 array_length( address_type_table)-1) ]);
317 if ( a_type == 1){ /* IPv4 address */
318 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
322 else if ( a_type == 3){ /* domain name address */
324 offset += display_string(tvb, offset, tree,
327 else if ( a_type == 4){ /* IPv6 address */
328 proto_tree_add_item( tree, hf_socks_ip6_dst, tvb, offset,
337 static int get_address_v5(tvbuff_t *tvb, int offset,
338 socks_hash_entry_t *hash_info) {
340 /* decode the v5 address and return offset of next byte */
341 /*XXX this needs to handle IPV6 and domain name addresses */
344 int a_type = tvb_get_guint8(tvb, offset++);
346 if ( a_type == 1){ /* IPv4 address */
349 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr,
354 else if ( a_type == 4) /* IPv6 address */
357 else if ( a_type == 3) /* domain name address */
358 offset += tvb_get_guint8(tvb, offset) + 1;
363 /********************* V5 UDP Associate handlers ***********************/
366 socks_udp_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
368 /* Conversation dissector called from UDP dissector. Decode and display */
369 /* the socks header, the pass the rest of the data to the udp port */
370 /* decode routine to handle the payload. */
374 socks_hash_entry_t *hash_info;
375 conversation_t *conversation;
376 proto_tree *socks_tree;
379 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
380 pinfo->srcport, pinfo->destport, 0);
382 g_assert( conversation); /* should always find a conversation */
384 hash_info = conversation_get_proto_data(conversation, proto_socks);
386 if (check_col(pinfo->cinfo, COL_PROTOCOL))
387 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
389 if (check_col(pinfo->cinfo, COL_INFO))
390 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: 5, UDP Associated packet");
393 ti = proto_tree_add_protocol_format( tree, proto_socks, tvb,
394 offset, -1, "Socks" );
396 socks_tree = proto_item_add_subtree(ti, ett_socks);
398 proto_tree_add_text( socks_tree, tvb, offset, 2, "Reserved");
401 proto_tree_add_text( socks_tree, tvb, offset, 1, "Fragment Number: %u", tvb_get_guint8(tvb, offset));
405 offset = display_address( tvb, offset, socks_tree);
406 hash_info->udp_remote_port = tvb_get_ntohs(tvb, offset);
408 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
409 offset, 2, hash_info->udp_remote_port);
413 else { /* no tree, skip past the socks header */
415 offset = get_address_v5( tvb, offset, 0) + 2;
419 /* set pi src/dst port and call the udp sub-dissector lookup */
421 if ( pinfo->srcport == hash_info->port)
422 ptr = &pinfo->destport;
424 ptr = &pinfo->srcport;
426 *ptr = hash_info->udp_remote_port;
428 decode_udp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport, -1);
430 *ptr = hash_info->udp_port;
436 new_udp_conversation( socks_hash_entry_t *hash_info, packet_info *pinfo){
438 conversation_t *conversation = conversation_new( &pinfo->src, &pinfo->dst, PT_UDP,
439 hash_info->udp_port, hash_info->port, 0);
441 g_assert( conversation);
443 conversation_add_proto_data(conversation, proto_socks, hash_info);
444 conversation_set_dissector(conversation, socks_udp_handle);
450 /**************** Protocol Tree Display routines ******************/
453 display_socks_v4(tvbuff_t *tvb, int offset, packet_info *pinfo,
454 proto_tree *tree, socks_hash_entry_t *hash_info) {
457 /* Display the protocol tree for the V4 version. This routine uses the */
458 /* stored conversation information to decide what to do with the row. */
459 /* Per packet information would have been better to do this, but we */
460 /* didn't have that when I wrote this. And I didn't expect this to get */
465 unsigned char ipaddr[4];
466 guint username_len, domainname_len;
468 /* Display command from client */
469 if (compare_packet( hash_info->connect_row)){
471 proto_tree_add_text( tree, tvb, offset, 1,
472 "Version: %u", hash_info->version);
474 command = tvb_get_guint8(tvb, offset);
476 proto_tree_add_text( tree, tvb, offset, 1,
477 "Command: %u (%s)", command,
478 get_command_name( command));
482 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
486 /* Do destination address */
487 tvb_memcpy(tvb, ipaddr, offset, 4);
488 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
493 /*XXX check this, needs to do length checking */
494 /* Should perhaps do TCP reassembly as well */
495 if ( tvb_offset_exists(tvb, offset)) {
496 /* display user name */
497 username_len = tvb_strsize(tvb, offset);
498 proto_tree_add_item( tree, hf_user_name, tvb, offset,
499 username_len, FALSE);
500 offset += username_len;
501 if ( ipaddr[0] == 0 && ipaddr[1] == 0 &&
502 ipaddr[2] == 0 && ipaddr[3] != 0) {
503 /* 0.0.0.x , where x!=0 means v4a support */
504 domainname_len = tvb_strsize(tvb, offset);
505 proto_tree_add_item( tree, hf_v4a_dns_name,
506 tvb, offset, domainname_len,
512 /*Display command response from server*/
514 else if ( compare_packet( hash_info->cmd_reply_row)){
516 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1,
519 /* Do results code */
520 proto_tree_add_item( tree, hf_socks_results_4, tvb, offset, 1, FALSE);
521 proto_tree_add_item_hidden(tree, hf_socks_results, tvb, offset, 1, FALSE);
526 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
529 /* Do remote address */
530 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4,
534 else if ( compare_packet( hash_info->v4_user_name_row)){
536 /*XXX check this, needs to do length checking */
537 /* Should perhaps do TCP reassembly as well */
538 if ( tvb_offset_exists(tvb, offset)) {
539 proto_tree_add_text( tree, tvb, offset,
540 tvb_strsize(tvb, offset),
541 "User Name: %s", tvb_get_ptr(tvb, offset, -1));
548 display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
549 proto_tree *tree, socks_hash_entry_t *hash_info) {
551 /* Display the protocol tree for the version. This routine uses the */
552 /* stored conversation information to decide what to do with the row. */
553 /* Per packet information would have been better to do this, but we */
554 /* didn't have that when I wrote this. And I didn't expect this to get */
557 unsigned int i, command;
562 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, FALSE);
565 if (compare_packet( hash_info->connect_row)){
567 proto_tree *AuthTree;
570 temp = tvb_get_guint8(tvb, offset); /* Get Auth method count */
571 /* build auth tree */
572 ti = proto_tree_add_text( tree, tvb, offset, -1,
573 "Client Authentication Methods");
575 AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
577 proto_tree_add_text( AuthTree, tvb, offset, 1,
581 for( i = 0; i < temp; ++i) {
583 AuthMethodStr = get_auth_method_name(
584 tvb_get_guint8( tvb, offset));
585 proto_tree_add_text( AuthTree, tvb, offset, 1,
586 "Method[%u]: %u (%s)", i,
587 tvb_get_guint8( tvb, offset), AuthMethodStr);
590 proto_item_set_end( ti, tvb, offset);
592 } /* Get accepted auth method */
593 else if (compare_packet( hash_info->auth_method_row)) {
595 proto_tree_add_text( tree, tvb, offset, 1,
596 "Accepted Auth Method: 0x%0x (%s)", tvb_get_guint8( tvb, offset),
597 get_auth_method_name( tvb_get_guint8( tvb, offset)));
600 } /* handle user/password auth */
601 else if (compare_packet( hash_info->user_name_auth_row)) {
603 /* process user name */
604 offset += display_string( tvb, offset, tree,
606 /* process password */
607 offset += display_string( tvb, offset, tree,
610 /* command to the server */
611 /* command response from server */
612 else if (compare_packet( hash_info->auth_version)) {
613 auth_status = tvb_get_guint8(tvb, offset);
615 proto_tree_add_text( tree, tvb, offset, 1, "Status: %u (failure)", auth_status);
617 proto_tree_add_text( tree, tvb, offset, 1, "Status: success");
620 else if ((compare_packet( hash_info->command_row)) ||
621 (compare_packet( hash_info->cmd_reply_row)) ||
622 (compare_packet( hash_info->bind_reply_row))){
624 command = tvb_get_guint8(tvb, offset);
626 if (compare_packet( hash_info->command_row))
627 proto_tree_add_uint( tree, hf_socks_cmd, tvb, offset, 1,
631 proto_tree_add_item( tree, hf_socks_results_5, tvb, offset, 1, FALSE);
632 proto_tree_add_item_hidden(tree, hf_socks_results, tvb, offset, 1, FALSE);
637 proto_tree_add_text( tree, tvb, offset, 1,
638 "Reserved: 0x%0x (should = 0x00)", tvb_get_guint8(tvb, offset));
641 offset = display_address(tvb, offset, tree);
642 /*XXX Add remote port for search somehow */
644 proto_tree_add_text( tree, tvb, offset, 2,
646 (compare_packet( hash_info->bind_reply_row) ?
647 "Remote Host " : ""),
648 tvb_get_ntohs(tvb, offset));
654 /**************** Decoder State Machines ******************/
658 state_machine_v4( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
659 int offset, packet_info *pinfo) {
661 /* Decode V4 protocol. This is done on the first pass through the */
662 /* list. Based upon the current state, decode the packet and determine */
663 /* what the next state should be. If we had per packet information, */
664 /* this would be the place to load them up. */
666 if ( hash_info->state == None) { /* new connection */
668 if (check_col(pinfo->cinfo, COL_INFO))
669 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
671 hash_info->state = Connecting; /* change state */
673 hash_info->command = tvb_get_guint8(tvb, offset + 1);
674 /* get remote port */
675 if ( hash_info->command == CONNECT_COMMAND)
676 hash_info->port = tvb_get_ntohs(tvb, offset + 2);
677 /* get remote address */
679 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr, offset + 4, 4);
681 /* save the packet pointer */
682 hash_info->connect_row = get_packet_ptr;
684 /* skip past this stuff */
685 hash_info->connect_offset = offset + 8;
689 if ( !tvb_offset_exists(tvb, offset)) { /* if no user name */
691 hash_info->state = V4UserNameWait;
693 * XXX - add 1, or leave it alone?
694 * We were adding "strlen(...) + 1".
696 hash_info->connect_offset += 1;
699 * Add in the length of the user name.
700 * XXX - what if the user name is split between
703 hash_info->connect_offset += tvb_strsize(tvb, offset);
706 if ( !hash_info->dst_addr){ /* if no dest address */
708 if ( tvb_offset_exists(tvb, hash_info->connect_offset)) {
709 /*XXX copy remote name here ??? */
710 hash_info->state = Connecting;
713 hash_info->state = V4NameWait;
715 /* waiting for V4 user name */
716 }else if ( hash_info->state == V4UserNameWait){
718 if (check_col(pinfo->cinfo, COL_INFO))
719 col_append_str(pinfo->cinfo, COL_INFO, " Connect Request (User name)");
721 hash_info->v4_user_name_row = get_packet_ptr;
722 /*XXX may need to check for domain name here */
723 hash_info->state = Connecting;
725 /* waiting for V4 domain name */
726 else if ( hash_info->state == V4NameWait){
728 hash_info->v4_name_row = get_packet_ptr;
729 hash_info->state = Connecting;
732 else if ( hash_info->state == Connecting){
734 if (check_col(pinfo->cinfo, COL_INFO))
735 col_append_str(pinfo->cinfo, COL_INFO, " Connect Response");
737 /* save packet pointer */
738 hash_info->cmd_reply_row = get_packet_ptr;
739 hash_info->state = Done; /* change state */
749 state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
750 int offset, packet_info *pinfo) {
752 /* Decode V5 protocol. This is done on the first pass through the */
753 /* list. Based upon the current state, decode the packet and determine */
754 /* what the next state should be. If we had per packet information, */
755 /* this would be the place to load them up. */
760 if ( hash_info->state == None) {
762 if (check_col(pinfo->cinfo, COL_INFO))
763 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
765 hash_info->state = Connecting; /* change state */
766 hash_info->connect_row = get_packet_ptr;
768 temp = tvb_get_guint8(tvb, offset + 1);
769 /* skip past auth methods */
770 offset = hash_info->connect_offset = offset + 1 + temp;
772 else if ( hash_info->state == Connecting){
774 guint AuthMethod = tvb_get_guint8(tvb, offset + 1);
776 if (check_col(pinfo->cinfo, COL_INFO))
777 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server response");
779 hash_info->auth_method_row = get_packet_ptr;
781 if ( AuthMethod == NO_AUTHENTICATION)
782 hash_info->state = V5Command;
784 else if ( AuthMethod == USER_NAME_AUTHENTICATION)
785 hash_info->state = UserNameAuth;
787 else if ( AuthMethod == GSS_API_AUTHENTICATION)
788 /*XXX should be this hash_info->state = GssApiAuth; */
789 hash_info->state = Done;
791 else hash_info->state = Done; /*Auth failed or error*/
795 else if ( hash_info->state == V5Command) { /* Handle V5 Command */
799 hash_info->command = tvb_get_guint8(tvb, offset + 1); /* get command */
801 if (check_col(pinfo->cinfo, COL_INFO))
802 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Request - %s",
803 get_command_name(hash_info->command));
805 hash_info->state = V5Reply;
806 hash_info->command_row = get_packet_ptr;
808 offset += 3; /* skip to address type */
810 offset = get_address_v5(tvb, offset, hash_info);
812 temp = tvb_get_guint8(tvb, offset);
814 if (( hash_info->command == CONNECT_COMMAND) ||
815 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
816 /* get remote port */
817 hash_info->port = tvb_get_ntohs(tvb, offset);
820 else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
823 if (check_col(pinfo->cinfo, COL_INFO))
824 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Response - %s",
825 get_command_name(hash_info->command));
827 hash_info->cmd_reply_row = get_packet_ptr;
829 if (( hash_info->command == CONNECT_COMMAND) ||
830 (hash_info->command == PING_COMMAND) ||
831 (hash_info->command == TRACERT_COMMAND))
832 hash_info->state = Done;
834 else if ( hash_info->command == BIND_COMMAND)
835 hash_info->state = V5BindReply;
837 else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
838 offset += 3; /* skip to address type */
839 offset = get_address_v5(tvb, offset, hash_info);
841 /* save server udp port and create udp conversation */
842 hash_info->udp_port = tvb_get_ntohs(tvb, offset);
844 if (!pinfo->fd->flags.visited)
845 new_udp_conversation( hash_info, pinfo);
847 /*XXX may need else statement to handle unknows and generate error message */
851 else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
853 if (check_col(pinfo->cinfo, COL_INFO))
854 col_append_str(pinfo->cinfo, COL_INFO, " Command Response: Bind remote host info");
856 hash_info->bind_reply_row = get_packet_ptr;
857 hash_info->state = Done;
859 else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
860 hash_info->auth_version = get_packet_ptr;
861 if (check_col(pinfo->cinfo, COL_INFO))
862 col_append_str(pinfo->cinfo, COL_INFO,
863 " User authentication request");
865 hash_info->user_name_auth_row = get_packet_ptr;
866 hash_info->state = AuthReply;
869 else if ( hash_info->state == AuthReply){ /* V5 User Auth reply */
870 hash_info->auth_version = get_packet_ptr;
871 if (check_col(pinfo->cinfo, COL_INFO))
872 col_append_str(pinfo->cinfo, COL_INFO, " User authentication reply");
873 hash_info->state = V5Command;
880 display_ping_and_tracert(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, socks_hash_entry_t *hash_info) {
882 /* Display the ping/trace_route conversation */
885 const guchar *data, *dataend;
886 const guchar *lineend, *eol;
889 /* handle the end command */
890 if ( pinfo->destport == TCP_PORT_SOCKS){
891 if (check_col(pinfo->cinfo, COL_INFO))
892 col_append_str(pinfo->cinfo, COL_INFO, ", Terminate Request");
895 proto_tree_add_text(tree, tvb, offset, 1,
896 (hash_info->command == PING_COMMAND) ?
897 "Ping: End command" :
898 "Traceroute: End command");
900 else{ /* display the PING or Traceroute results */
901 if (check_col(pinfo->cinfo, COL_INFO))
902 col_append_str(pinfo->cinfo, COL_INFO, ", Results");
905 proto_tree_add_text(tree, tvb, offset, -1,
906 (hash_info->command == PING_COMMAND) ?
908 "Traceroute Results");
910 data = tvb_get_ptr(tvb, offset, -1);
911 dataend = data + tvb_length_remaining(tvb, offset);
913 while (data < dataend) {
915 lineend = find_line_end(data, dataend, &eol);
916 linelen = lineend - data;
918 proto_tree_add_text( tree, tvb, offset, linelen,
919 "%s", format_text(data, linelen));
929 static void clear_in_socks_dissector_flag(void *dummy _U_)
931 in_socks_dissector_flag = 0; /* avoid recursive overflow */
934 static void call_next_dissector(tvbuff_t *tvb, int offset, packet_info *pinfo,
935 proto_tree *tree, proto_tree *socks_tree,
936 socks_hash_entry_t *hash_info)
939 /* Display the results for PING and TRACERT extensions or */
940 /* Call TCP dissector for the port that was passed during the */
941 /* connect process */
942 /* Load pointer to pinfo->XXXport depending upon the direction, */
943 /* change pinfo port to the remote port, call next dissecotr to decode */
944 /* the payload, and restore the pinfo port after that is done. */
947 struct tcpinfo *tcpinfo = pinfo->private_data;
948 guint16 save_can_desegment;
950 if (( hash_info->command == PING_COMMAND) ||
951 ( hash_info->command == TRACERT_COMMAND))
953 display_ping_and_tracert(tvb, offset, pinfo, tree, hash_info);
955 else { /* call the tcp port decoder to handle the payload */
957 /*XXX may want to load dest address here */
959 if ( pinfo->destport == TCP_PORT_SOCKS)
960 ptr = &pinfo->destport;
962 ptr = &pinfo->srcport;
964 *ptr = hash_info->port;
966 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
968 in_socks_dissector_flag = 1; /* avoid recursive overflow */
969 CLEANUP_PUSH(clear_in_socks_dissector_flag, NULL);
971 save_can_desegment = pinfo->can_desegment;
972 pinfo->can_desegment = pinfo->saved_can_desegment;
973 dissect_tcp_payload(tvb, pinfo, offset, tcpinfo->seq,
974 tcpinfo->nxtseq, pinfo->srcport, pinfo->destport,
976 pinfo->can_desegment = save_can_desegment;
978 CLEANUP_CALL_AND_POP;
980 *ptr = TCP_PORT_SOCKS;
987 dissect_socks(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
990 proto_tree *socks_tree = NULL;
992 socks_hash_entry_t *hash_info;
993 conversation_t *conversation;
995 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
997 /* avoid recursive overflow */
999 if ( in_socks_dissector_flag) {
1003 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
1004 pinfo->srcport, pinfo->destport, 0);
1006 if ( !conversation){
1007 conversation = conversation_new( &pinfo->src, &pinfo->dst, pinfo->ptype,
1008 pinfo->srcport, pinfo->destport, 0);
1010 hash_info = conversation_get_proto_data(conversation,proto_socks);
1012 hash_info = g_mem_chunk_alloc(socks_vals);
1013 hash_info->start_done_row = G_MAXINT;
1014 hash_info->state = None;
1015 hash_info->port = 0;
1016 hash_info->version = tvb_get_guint8(tvb, offset); /* get version*/
1018 if (( hash_info->version != 4) && /* error test version */
1019 ( hash_info->version != 5))
1020 hash_info->state = Done;
1022 conversation_add_proto_data(conversation, proto_socks,
1025 /* set dissector for now */
1026 conversation_set_dissector(conversation, socks_handle);
1029 /* display summary window information */
1031 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1032 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
1034 if (check_col(pinfo->cinfo, COL_INFO)){
1035 if (( hash_info->version == 4) || ( hash_info->version == 5)){
1036 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: %d",
1037 hash_info->version);
1039 else /* unknown version display error */
1040 col_set_str(pinfo->cinfo, COL_INFO, "Unknown");
1043 if ( hash_info->command == PING_COMMAND)
1044 col_append_str(pinfo->cinfo, COL_INFO, ", Ping Req");
1045 if ( hash_info->command == TRACERT_COMMAND)
1046 col_append_str(pinfo->cinfo, COL_INFO, ", Traceroute Req");
1048 /*XXX if ( hash_info->port != -1) */
1049 if ( hash_info->port != 0)
1050 col_append_fstr(pinfo->cinfo, COL_INFO, ", Remote Port: %u",
1055 /* run state machine if needed */
1057 if ((hash_info->state != Done) && ( !pinfo->fd->flags.visited)){
1059 if ( hash_info->version == 4)
1060 state_machine_v4( hash_info, tvb, offset, pinfo);
1062 else if ( hash_info->version == 5)
1063 state_machine_v5( hash_info, tvb, offset, pinfo);
1065 if (hash_info->state == Done) { /* if done now */
1066 hash_info->start_done_row = pinfo->fd->num;
1070 /* if proto tree, decode and display */
1073 ti = proto_tree_add_item( tree, proto_socks, tvb, offset, -1,
1076 socks_tree = proto_item_add_subtree(ti, ett_socks);
1078 if ( hash_info->version == 4)
1079 display_socks_v4(tvb, offset, pinfo, socks_tree,
1082 else if ( hash_info->version == 5)
1083 display_socks_v5(tvb, offset, pinfo, socks_tree,
1086 /* if past startup, add the faked stuff */
1087 if ( pinfo->fd->num > hash_info->start_done_row){
1088 /* add info to tree */
1089 proto_tree_add_text( socks_tree, tvb, offset, 0,
1090 "Command: %d (%s)", hash_info->command,
1091 get_command_name(hash_info->command));
1093 proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, tvb,
1094 offset, 0, hash_info->dst_addr);
1096 /* no fake address for ping & traceroute */
1098 if (( hash_info->command != PING_COMMAND) &&
1099 ( hash_info->command != TRACERT_COMMAND)){
1100 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
1101 offset, 0, hash_info->port);
1108 /* call next dissector if ready */
1110 if ( pinfo->fd->num > hash_info->start_done_row){
1111 call_next_dissector(tvb, offset, pinfo, tree, socks_tree,
1118 static void socks_reinit( void){
1120 /* Do the cleanup work when a new pass through the packet list is */
1121 /* performed. Reset the highest row seen counter and re-initialize the */
1122 /* conversation memory chunks. */
1125 g_mem_chunk_destroy(socks_vals);
1127 socks_vals = g_mem_chunk_new("socks_vals", socks_hash_val_length,
1128 socks_hash_init_count * socks_hash_val_length,
1134 proto_register_socks( void){
1136 /*** Prep the socks protocol, register it and a initialization routine */
1137 /* to clear the hash stuff. */
1140 static gint *ett[] = {
1147 static hf_register_info hf[] = {
1151 { "Version", "socks.version", FT_UINT8, BASE_DEC, NULL,
1156 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1160 { &hf_socks_ip6_dst,
1161 { "Remote Address(ipv6)", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1167 { "User Name", "socks.username", FT_STRINGZ, BASE_NONE,
1168 NULL, 0x0, "", HFILL
1172 { "SOCKS v4a Remote Domain Name", "socks.v4a_dns_name", FT_STRINGZ, BASE_NONE,
1173 NULL, 0x0, "", HFILL
1176 { &hf_socks_dstport,
1177 { "Remote Port", "socks.dstport", FT_UINT16,
1178 BASE_DEC, NULL, 0x0, "", HFILL
1182 { "Command", "socks.command", FT_UINT8,
1183 BASE_DEC, VALS(cmd_strings), 0x0, "", HFILL
1186 { &hf_socks_results_4,
1187 { "Results(V4)", "socks.results_v4", FT_UINT8,
1188 BASE_DEC, VALS(reply_table_v4), 0x0, "", HFILL
1191 { &hf_socks_results_5,
1192 { "Results(V5)", "socks.results_v5", FT_UINT8,
1193 BASE_DEC, VALS(reply_table_v5), 0x0, "", HFILL
1196 { &hf_socks_results,
1197 { "Results(V5)", "socks.results", FT_UINT8,
1198 BASE_DEC, NULL, 0x0, "", HFILL
1205 proto_socks = proto_register_protocol (
1206 "Socks Protocol", "Socks", "socks");
1208 proto_register_field_array(proto_socks, hf, array_length(hf));
1209 proto_register_subtree_array(ett, array_length(ett));
1211 register_init_routine( &socks_reinit); /* register re-init routine */
1213 socks_udp_handle = create_dissector_handle(socks_udp_dissector,
1215 socks_handle = create_dissector_handle(dissect_socks, proto_socks);
1220 proto_reg_handoff_socks(void) {
1222 /* dissector install routine */
1224 dissector_add("tcp.port", TCP_PORT_SOCKS, socks_handle);
git.samba.org / obnox / wireshark / wip.git / blob