2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
4 * Copyright 2008, Jelmer Vernooij <jelmer@samba.org>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
28 * The Version 5 decoder is based upon rfc-1928
29 * The Version 5 User/Password authentication is based on rfc-1929.
33 * http://www.socks.permeo.com/TechnicalResources/ProtocolDocuments.asp
35 * for these and other documents. See
37 * http://www.socks.nec.com/protocol/socks4a.protocol
39 * for information on SOCKS version 4a.
43 * 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel
44 * causing heap overflow because of an infinite loop
45 * where the socks dissect was call over and over.
47 * Also remove some old code marked with __JUNK__
49 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
50 * Now test and exit if hash_info is null.
53 /* Possible enhancements -
55 * Add GSS-API authentication per rfc-1961
56 * Add CHAP authentication
57 * Decode FLAG bits per
58 * http://archive.socks.permeo.com/draft/draft-ietf-aft-socks-pro-v5-04.txt
59 * In call_next_dissector, could load the destination address into
60 * pinfo->src or pinfo->dst structure before calling next dissector.
61 * remove display_string or at least make it use protocol identifiers
62 * socks_hash_entry_t needs to handle V5 address type and domain names
77 #include <epan/packet.h>
78 #include <epan/addr_resolv.h>
79 #include <epan/conversation.h>
81 #include <epan/emem.h>
82 #include "packet-tcp.h"
83 #include "packet-udp.h"
84 #include <epan/strutil.h>
87 #define compare_packet(X) (X == (pinfo->fd->num))
88 #define get_packet_ptr (pinfo->fd->num)
89 #define row_pointer_type guint32
91 #define TCP_PORT_SOCKS 1080
94 /**************** Socks commands ******************/
96 #define CONNECT_COMMAND 1
97 #define BIND_COMMAND 2
98 #define UDP_ASSOCIATE_COMMAND 3
99 #define PING_COMMAND 0x80
100 #define TRACERT_COMMAND 0x81
103 /********** V5 Authentication methods *************/
105 #define NO_AUTHENTICATION 0
106 #define GSS_API_AUTHENTICATION 1
107 #define USER_NAME_AUTHENTICATION 2
108 #define CHAP_AUTHENTICATION 3
109 #define AUTHENTICATION_FAILED 0xff
111 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
113 static int in_socks_dissector_flag = 0; /* set to 1 to avoid recursive overflow */
115 /*********** Header field identifiers *************/
117 static int proto_socks = -1;
119 static int ett_socks = -1;
120 static int ett_socks_auth = -1;
121 static int ett_socks_name = -1;
123 static int hf_socks_ver = -1;
124 static int hf_socks_ip_dst = -1;
125 static int hf_socks_ip6_dst = -1;
126 static int hf_user_name = -1;
127 static int hf_gssapi_payload = -1;
128 static int hf_gssapi_command = -1;
129 static int hf_gssapi_length = -1;
130 static int hf_v4a_dns_name = -1;
131 static int hf_socks_dstport = -1;
132 static int hf_socks_cmd = -1;
133 static int hf_socks_results = -1;
134 static int hf_socks_results_4 = -1;
135 static int hf_socks_results_5 = -1;
138 /************* Dissector handles ***********/
140 static dissector_handle_t socks_handle;
141 static dissector_handle_t socks_udp_handle;
143 /************* State Machine names ***********/
169 guint32 udp_remote_port;
172 row_pointer_type v4_name_row;
173 row_pointer_type v4_user_name_row;
174 row_pointer_type connect_row;
175 row_pointer_type cmd_reply_row;
176 row_pointer_type bind_reply_row;
177 row_pointer_type command_row;
178 row_pointer_type auth_method_row;
179 row_pointer_type user_name_auth_row;
180 row_pointer_type auth_version;
181 row_pointer_type gssapi_auth_row;
182 row_pointer_type gssapi_auth_reply_row;
183 row_pointer_type gssapi_auth_failure_row;
184 guint32 start_done_row;
186 guint32 dst_addr; /* this needs to handle IPv6 */
192 static const char *address_type_table[] = {
202 /* String table for the V4 reply status messages */
204 static const value_string reply_table_v4[] = {
206 {91, "Rejected or Failed"},
207 {92, "Rejected because SOCKS server cannot connect to identd on the client"},
208 {93, "Rejected because the client program and identd report different user-ids"},
212 /* String table for the V5 reply status messages */
214 static const value_string reply_table_v5[] = {
216 {1, "General SOCKS server failure"},
217 {2, "Connection not allowed by ruleset"},
218 {3, "Network unreachable"},
219 {4, "Host unreachable"},
220 {5, "Connection refused"},
222 {7, "Command not supported"},
223 {8, "Address type not supported"},
227 static const value_string cmd_strings[] = {
233 {0x81, "Traceroute"},
237 static const value_string gssapi_command_table[] = {
238 { 1, "Authentication" },
244 /************************* Support routines ***************************/
247 static int display_string(tvbuff_t *tvb, int offset,
248 proto_tree *tree, const char *label){
250 /* display a string with a length, characters encoding */
251 /* they are displayed under a tree with the name in Label variable */
252 /* return the length of the string and the length byte */
255 proto_tree *name_tree;
259 int length = tvb_get_guint8(tvb, offset);
261 tvb_memcpy(tvb, (guint8 *)temp, offset+1, length);
264 ti = proto_tree_add_text(tree, tvb, offset, length + 1,
265 "%s: %s" , label, temp);
268 name_tree = proto_item_add_subtree(ti, ett_socks_name);
270 proto_tree_add_text( name_tree, tvb, offset, 1, "Length: %u", length);
274 proto_tree_add_text( name_tree, tvb, offset, length, "String: %s", temp);
281 static const char *get_auth_method_name( guint Number){
283 /* return the name of the authenication method */
285 if ( Number == 0) return "No authentication";
286 if ( Number == 1) return "GSSAPI";
287 if ( Number == 2) return "Username/Password";
288 if ( Number == 3) return "Chap";
289 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
290 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
291 if ( Number == 0xff) return "no acceptable method";
293 /* shouldn't reach here */
295 return "Bad method number (not 0-0xff)";
299 static const char *get_command_name( guint Number){
301 /* return the name of the command as a string */
303 if ( Number == 0) return "Unknown";
304 if ( Number == 1) return "Connect";
305 if ( Number == 2) return "Bind";
306 if ( Number == 3) return "UdpAssociate";
307 if ( Number == 0x80) return "Ping";
308 if ( Number == 0x81) return "Traceroute";
313 static int display_address(tvbuff_t *tvb, int offset, proto_tree *tree) {
315 /* decode and display the v5 address, return offset of next byte */
317 int a_type = tvb_get_guint8(tvb, offset);
319 proto_tree_add_text( tree, tvb, offset, 1,
320 "Address Type: %d (%s)", a_type,
321 address_type_table[ MIN( (guint) a_type,
322 array_length( address_type_table)-1) ]);
326 if ( a_type == 1){ /* IPv4 address */
327 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
331 else if ( a_type == 3){ /* domain name address */
333 offset += display_string(tvb, offset, tree,
336 else if ( a_type == 4){ /* IPv6 address */
337 proto_tree_add_item( tree, hf_socks_ip6_dst, tvb, offset,
346 static int get_address_v5(tvbuff_t *tvb, int offset,
347 socks_hash_entry_t *hash_info) {
349 /* decode the v5 address and return offset of next byte */
350 /*XXX this needs to handle IPV6 and domain name addresses */
353 int a_type = tvb_get_guint8(tvb, offset++);
355 if ( a_type == 1){ /* IPv4 address */
358 hash_info->dst_addr = tvb_get_ipv4(tvb, offset);
362 else if ( a_type == 4) /* IPv6 address */
365 else if ( a_type == 3) /* domain name address */
366 offset += tvb_get_guint8(tvb, offset) + 1;
371 /********************* V5 UDP Associate handlers ***********************/
374 socks_udp_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
376 /* Conversation dissector called from UDP dissector. Decode and display */
377 /* the socks header, the pass the rest of the data to the udp port */
378 /* decode routine to handle the payload. */
382 socks_hash_entry_t *hash_info;
383 conversation_t *conversation;
384 proto_tree *socks_tree;
387 conversation = find_conversation( pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
388 pinfo->srcport, pinfo->destport, 0);
390 DISSECTOR_ASSERT( conversation); /* should always find a conversation */
392 hash_info = conversation_get_proto_data(conversation, proto_socks);
394 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
396 if (check_col(pinfo->cinfo, COL_INFO))
397 col_set_str(pinfo->cinfo, COL_INFO, "Version: 5, UDP Associated packet");
400 ti = proto_tree_add_protocol_format( tree, proto_socks, tvb,
401 offset, -1, "Socks" );
403 socks_tree = proto_item_add_subtree(ti, ett_socks);
405 proto_tree_add_text( socks_tree, tvb, offset, 2, "Reserved");
408 proto_tree_add_text( socks_tree, tvb, offset, 1, "Fragment Number: %u", tvb_get_guint8(tvb, offset));
412 offset = display_address( tvb, offset, socks_tree);
413 hash_info->udp_remote_port = tvb_get_ntohs(tvb, offset);
415 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
416 offset, 2, hash_info->udp_remote_port);
420 else { /* no tree, skip past the socks header */
422 offset = get_address_v5( tvb, offset, 0) + 2;
426 /* set pi src/dst port and call the udp sub-dissector lookup */
428 if ( pinfo->srcport == hash_info->port)
429 ptr = &pinfo->destport;
431 ptr = &pinfo->srcport;
433 *ptr = hash_info->udp_remote_port;
435 decode_udp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport, -1);
437 *ptr = hash_info->udp_port;
443 new_udp_conversation( socks_hash_entry_t *hash_info, packet_info *pinfo){
445 conversation_t *conversation = conversation_new( pinfo->fd->num, &pinfo->src, &pinfo->dst, PT_UDP,
446 hash_info->udp_port, hash_info->port, 0);
448 DISSECTOR_ASSERT( conversation);
450 conversation_add_proto_data(conversation, proto_socks, hash_info);
451 conversation_set_dissector(conversation, socks_udp_handle);
457 /**************** Protocol Tree Display routines ******************/
460 display_socks_v4(tvbuff_t *tvb, int offset, packet_info *pinfo,
461 proto_tree *tree, socks_hash_entry_t *hash_info) {
464 /* Display the protocol tree for the V4 version. This routine uses the */
465 /* stored conversation information to decide what to do with the row. */
466 /* Per packet information would have been better to do this, but we */
467 /* didn't have that when I wrote this. And I didn't expect this to get */
471 proto_item *hidden_item;
473 unsigned char ipaddr[4];
474 guint username_len, domainname_len;
476 /* Display command from client */
477 if (compare_packet( hash_info->connect_row)){
479 proto_tree_add_text( tree, tvb, offset, 1,
480 "Version: %u", hash_info->version);
482 command = tvb_get_guint8(tvb, offset);
484 proto_tree_add_text( tree, tvb, offset, 1,
485 "Command: %u (%s)", command,
486 get_command_name( command));
490 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
494 /* Do destination address */
495 tvb_memcpy(tvb, ipaddr, offset, 4);
496 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
501 /*XXX check this, needs to do length checking */
502 /* Should perhaps do TCP reassembly as well */
503 if ( tvb_offset_exists(tvb, offset)) {
504 /* display user name */
505 username_len = tvb_strsize(tvb, offset);
506 proto_tree_add_item( tree, hf_user_name, tvb, offset,
507 username_len, FALSE);
508 offset += username_len;
509 if ( ipaddr[0] == 0 && ipaddr[1] == 0 &&
510 ipaddr[2] == 0 && ipaddr[3] != 0) {
511 /* 0.0.0.x , where x!=0 means v4a support */
512 domainname_len = tvb_strsize(tvb, offset);
513 proto_tree_add_item( tree, hf_v4a_dns_name,
514 tvb, offset, domainname_len,
520 /*Display command response from server*/
522 else if ( compare_packet( hash_info->cmd_reply_row)){
524 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1,
527 /* Do results code */
528 proto_tree_add_item( tree, hf_socks_results_4, tvb, offset, 1, FALSE);
529 hidden_item = proto_tree_add_item(tree, hf_socks_results, tvb, offset, 1, FALSE);
530 PROTO_ITEM_SET_HIDDEN(hidden_item);
535 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
538 /* Do remote address */
539 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4,
543 else if ( compare_packet( hash_info->v4_user_name_row)){
545 /*XXX check this, needs to do length checking */
546 /* Should perhaps do TCP reassembly as well */
547 if ( tvb_offset_exists(tvb, offset)) {
548 proto_tree_add_text( tree, tvb, offset,
549 tvb_strsize(tvb, offset),
550 "User Name: %s", tvb_get_ptr(tvb, offset, -1));
557 display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
558 proto_tree *tree, socks_hash_entry_t *hash_info) {
560 /* Display the protocol tree for the version. This routine uses the */
561 /* stored conversation information to decide what to do with the row. */
562 /* Per packet information would have been better to do this, but we */
563 /* didn't have that when I wrote this. And I didn't expect this to get */
566 unsigned int i, command;
568 const char *AuthMethodStr;
571 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, FALSE);
574 if (compare_packet( hash_info->connect_row)){
576 proto_tree *AuthTree;
579 temp = tvb_get_guint8(tvb, offset); /* Get Auth method count */
580 /* build auth tree */
581 ti = proto_tree_add_text( tree, tvb, offset, -1,
582 "Client Authentication Methods");
584 AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
586 proto_tree_add_text( AuthTree, tvb, offset, 1,
590 for( i = 0; i < temp; ++i) {
592 AuthMethodStr = get_auth_method_name(
593 tvb_get_guint8( tvb, offset));
594 proto_tree_add_text( AuthTree, tvb, offset, 1,
595 "Method[%u]: %u (%s)", i,
596 tvb_get_guint8( tvb, offset), AuthMethodStr);
599 proto_item_set_end( ti, tvb, offset);
601 } /* Get accepted auth method */
602 else if (compare_packet( hash_info->auth_method_row)) {
604 proto_tree_add_text( tree, tvb, offset, 1,
605 "Accepted Auth Method: 0x%0x (%s)", tvb_get_guint8( tvb, offset),
606 get_auth_method_name( tvb_get_guint8( tvb, offset)));
609 } /* handle user/password auth */
610 else if (compare_packet( hash_info->user_name_auth_row)) {
612 /* process user name */
613 offset += display_string( tvb, offset, tree,
615 /* process password */
616 offset += display_string( tvb, offset, tree,
619 /* command to the server */
620 /* command response from server */
621 else if (compare_packet( hash_info->auth_version)) {
622 auth_status = tvb_get_guint8(tvb, offset);
624 proto_tree_add_text( tree, tvb, offset, 1, "Status: %u (failure)", auth_status);
626 proto_tree_add_text( tree, tvb, offset, 1, "Status: success");
629 else if (compare_packet( hash_info->gssapi_auth_row)) {
631 proto_tree_add_item( tree, hf_gssapi_command, tvb, offset, 1, FALSE);
632 proto_tree_add_item( tree, hf_gssapi_length, tvb, offset+1, 2, FALSE);
633 len = tvb_get_ntohs(tvb, offset+1);
635 proto_tree_add_item( tree, hf_gssapi_payload, tvb, offset+3, len, FALSE);
637 else if (compare_packet( hash_info->gssapi_auth_failure_row)) {
638 proto_tree_add_item( tree, hf_gssapi_command, tvb, offset, 1, FALSE);
640 else if (compare_packet( hash_info->gssapi_auth_reply_row)) {
642 proto_tree_add_item( tree, hf_gssapi_command, tvb, offset, 1, FALSE);
643 proto_tree_add_item( tree, hf_gssapi_length, tvb, offset+1, 2, FALSE);
644 len = tvb_get_ntohs(tvb, offset+1);
646 proto_tree_add_item( tree, hf_gssapi_payload, tvb, offset+3, len, FALSE);
648 else if ((compare_packet( hash_info->command_row)) ||
649 (compare_packet( hash_info->cmd_reply_row)) ||
650 (compare_packet( hash_info->bind_reply_row))){
652 command = tvb_get_guint8(tvb, offset);
654 if (compare_packet( hash_info->command_row))
655 proto_tree_add_uint( tree, hf_socks_cmd, tvb, offset, 1,
659 proto_item *hidden_item;
660 proto_tree_add_item( tree, hf_socks_results_5, tvb, offset, 1, FALSE);
661 hidden_item = proto_tree_add_item(tree, hf_socks_results, tvb, offset, 1, FALSE);
662 PROTO_ITEM_SET_HIDDEN(hidden_item);
667 proto_tree_add_text( tree, tvb, offset, 1,
668 "Reserved: 0x%0x (should = 0x00)", tvb_get_guint8(tvb, offset));
671 offset = display_address(tvb, offset, tree);
672 /*XXX Add remote port for search somehow */
674 proto_tree_add_text( tree, tvb, offset, 2,
676 (compare_packet( hash_info->bind_reply_row) ?
677 "Remote Host " : ""),
678 tvb_get_ntohs(tvb, offset));
684 /**************** Decoder State Machines ******************/
688 state_machine_v4( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
689 int offset, packet_info *pinfo) {
691 /* Decode V4 protocol. This is done on the first pass through the */
692 /* list. Based upon the current state, decode the packet and determine */
693 /* what the next state should be. If we had per packet information, */
694 /* this would be the place to load them up. */
696 if ( hash_info->state == None) { /* new connection */
698 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
700 hash_info->state = Connecting; /* change state */
702 hash_info->command = tvb_get_guint8(tvb, offset + 1);
703 /* get remote port */
704 if ( hash_info->command == CONNECT_COMMAND)
705 hash_info->port = tvb_get_ntohs(tvb, offset + 2);
706 /* get remote address */
708 hash_info->dst_addr = tvb_get_ipv4(tvb, offset + 4);
710 /* save the packet pointer */
711 hash_info->connect_row = get_packet_ptr;
713 /* skip past this stuff */
714 hash_info->connect_offset = offset + 8;
718 if ( !tvb_offset_exists(tvb, offset)) { /* if no user name */
720 hash_info->state = V4UserNameWait;
722 * XXX - add 1, or leave it alone?
723 * We were adding "strlen(...) + 1".
725 hash_info->connect_offset += 1;
728 * Add in the length of the user name.
729 * XXX - what if the user name is split between
732 hash_info->connect_offset += tvb_strsize(tvb, offset);
735 if ( !hash_info->dst_addr){ /* if no dest address */
737 if ( tvb_offset_exists(tvb, hash_info->connect_offset)) {
738 /*XXX copy remote name here ??? */
739 hash_info->state = Connecting;
742 hash_info->state = V4NameWait;
744 /* waiting for V4 user name */
745 }else if ( hash_info->state == V4UserNameWait){
747 col_append_str(pinfo->cinfo, COL_INFO, " Connect Request (User name)");
749 hash_info->v4_user_name_row = get_packet_ptr;
750 /*XXX may need to check for domain name here */
751 hash_info->state = Connecting;
753 /* waiting for V4 domain name */
754 else if ( hash_info->state == V4NameWait){
756 hash_info->v4_name_row = get_packet_ptr;
757 hash_info->state = Connecting;
760 else if ( hash_info->state == Connecting){
762 col_append_str(pinfo->cinfo, COL_INFO, " Connect Response");
764 /* save packet pointer */
765 hash_info->cmd_reply_row = get_packet_ptr;
766 hash_info->state = Done; /* change state */
776 state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
777 int offset, packet_info *pinfo) {
779 /* Decode V5 protocol. This is done on the first pass through the */
780 /* list. Based upon the current state, decode the packet and determine */
781 /* what the next state should be. If we had per packet information, */
782 /* this would be the place to load them up. */
787 if ( hash_info->state == None) {
789 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
791 hash_info->state = Connecting; /* change state */
792 hash_info->connect_row = get_packet_ptr;
794 temp = tvb_get_guint8(tvb, offset + 1);
795 /* skip past auth methods */
796 offset = hash_info->connect_offset = offset + 1 + temp;
798 else if ( hash_info->state == Connecting){
800 guint AuthMethod = tvb_get_guint8(tvb, offset + 1);
802 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server response");
804 hash_info->auth_method_row = get_packet_ptr;
806 if ( AuthMethod == NO_AUTHENTICATION)
807 hash_info->state = V5Command;
809 else if ( AuthMethod == USER_NAME_AUTHENTICATION)
810 hash_info->state = UserNameAuth;
812 else if ( AuthMethod == GSS_API_AUTHENTICATION)
813 hash_info->state = GssApiAuth;
815 else hash_info->state = Done; /*Auth failed or error*/
819 else if ( hash_info->state == V5Command) { /* Handle V5 Command */
823 hash_info->command = tvb_get_guint8(tvb, offset + 1); /* get command */
825 if (check_col(pinfo->cinfo, COL_INFO))
826 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Request - %s",
827 get_command_name(hash_info->command));
829 hash_info->state = V5Reply;
830 hash_info->command_row = get_packet_ptr;
832 offset += 3; /* skip to address type */
834 offset = get_address_v5(tvb, offset, hash_info);
836 temp = tvb_get_guint8(tvb, offset);
838 if (( hash_info->command == CONNECT_COMMAND) ||
839 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
840 /* get remote port */
841 hash_info->port = tvb_get_ntohs(tvb, offset);
844 else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
847 if (check_col(pinfo->cinfo, COL_INFO))
848 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Response - %s",
849 get_command_name(hash_info->command));
851 hash_info->cmd_reply_row = get_packet_ptr;
853 if (( hash_info->command == CONNECT_COMMAND) ||
854 (hash_info->command == PING_COMMAND) ||
855 (hash_info->command == TRACERT_COMMAND))
856 hash_info->state = Done;
858 else if ( hash_info->command == BIND_COMMAND)
859 hash_info->state = V5BindReply;
861 else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
862 offset += 3; /* skip to address type */
863 offset = get_address_v5(tvb, offset, hash_info);
865 /* save server udp port and create udp conversation */
866 hash_info->udp_port = tvb_get_ntohs(tvb, offset);
868 if (!pinfo->fd->flags.visited)
869 new_udp_conversation( hash_info, pinfo);
871 /*XXX may need else statement to handle unknowns and generate error message */
875 else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
877 col_append_str(pinfo->cinfo, COL_INFO, " Command Response: Bind remote host info");
879 hash_info->bind_reply_row = get_packet_ptr;
880 hash_info->state = Done;
882 else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
883 col_append_str(pinfo->cinfo, COL_INFO,
884 " User authentication request");
886 hash_info->user_name_auth_row = get_packet_ptr;
887 hash_info->state = UserNameAuthReply;
890 else if ( hash_info->state == GssApiAuth) {
891 col_append_str(pinfo->cinfo, COL_INFO,
892 " GSSAPI Authentication request");
893 hash_info->gssapi_auth_row = get_packet_ptr;
894 hash_info->state = GssApiAuthReply;
896 else if ( hash_info->state == GssApiAuthReply) {
897 if (tvb_get_guint8(tvb, offset+1) == 0xFF) {
898 col_append_str(pinfo->cinfo, COL_INFO,
899 " GSSAPI Authentication failure");
900 hash_info->gssapi_auth_failure_row = get_packet_ptr;
902 col_append_str(pinfo->cinfo, COL_INFO,
903 " GSSAPI Authentication reply");
904 if (tvb_get_ntohs(tvb, offset+2) == 0)
905 hash_info->state = V5Command;
907 hash_info->state = GssApiAuth;
908 hash_info->gssapi_auth_reply_row = get_packet_ptr;
911 else if ( hash_info->state == UserNameAuthReply){ /* V5 User Auth reply */
912 hash_info->auth_version = get_packet_ptr;
913 col_append_str(pinfo->cinfo, COL_INFO, " User authentication reply");
914 hash_info->state = V5Command;
921 display_ping_and_tracert(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, socks_hash_entry_t *hash_info) {
923 /* Display the ping/trace_route conversation */
926 const guchar *data, *dataend;
927 const guchar *lineend, *eol;
930 /* handle the end command */
931 if ( pinfo->destport == TCP_PORT_SOCKS){
932 col_append_str(pinfo->cinfo, COL_INFO, ", Terminate Request");
935 proto_tree_add_text(tree, tvb, offset, 1,
936 (hash_info->command == PING_COMMAND) ?
937 "Ping: End command" :
938 "Traceroute: End command");
940 else{ /* display the PING or Traceroute results */
941 col_append_str(pinfo->cinfo, COL_INFO, ", Results");
944 proto_tree_add_text(tree, tvb, offset, -1,
945 (hash_info->command == PING_COMMAND) ?
947 "Traceroute Results");
949 data = tvb_get_ptr(tvb, offset, -1);
950 dataend = data + tvb_length_remaining(tvb, offset);
952 while (data < dataend) {
954 lineend = find_line_end(data, dataend, &eol);
955 linelen = (int)(lineend - data);
957 proto_tree_add_text( tree, tvb, offset, linelen,
958 "%s", format_text(data, linelen));
968 static void clear_in_socks_dissector_flag(void *dummy _U_)
970 in_socks_dissector_flag = 0; /* avoid recursive overflow */
973 static void call_next_dissector(tvbuff_t *tvb, int offset, packet_info *pinfo,
974 proto_tree *tree, proto_tree *socks_tree,
975 socks_hash_entry_t *hash_info)
978 /* Display the results for PING and TRACERT extensions or */
979 /* Call TCP dissector for the port that was passed during the */
980 /* connect process */
981 /* Load pointer to pinfo->XXXport depending upon the direction, */
982 /* change pinfo port to the remote port, call next dissecotr to decode */
983 /* the payload, and restore the pinfo port after that is done. */
986 struct tcpinfo *tcpinfo = pinfo->private_data;
987 guint16 save_can_desegment;
988 struct tcp_analysis *tcpd=NULL;
990 tcpd=get_tcp_conversation_data(NULL,pinfo);
992 if (( hash_info->command == PING_COMMAND) ||
993 ( hash_info->command == TRACERT_COMMAND))
995 display_ping_and_tracert(tvb, offset, pinfo, tree, hash_info);
997 else { /* call the tcp port decoder to handle the payload */
999 /*XXX may want to load dest address here */
1001 if ( pinfo->destport == TCP_PORT_SOCKS)
1002 ptr = &pinfo->destport;
1004 ptr = &pinfo->srcport;
1006 *ptr = hash_info->port;
1008 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
1010 in_socks_dissector_flag = 1; /* avoid recursive overflow */
1011 CLEANUP_PUSH(clear_in_socks_dissector_flag, NULL);
1013 save_can_desegment = pinfo->can_desegment;
1014 pinfo->can_desegment = pinfo->saved_can_desegment;
1015 dissect_tcp_payload(tvb, pinfo, offset, tcpinfo->seq,
1016 tcpinfo->nxtseq, pinfo->srcport, pinfo->destport,
1017 tree, socks_tree, tcpd);
1018 pinfo->can_desegment = save_can_desegment;
1020 CLEANUP_CALL_AND_POP;
1022 *ptr = TCP_PORT_SOCKS;
1029 dissect_socks(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
1032 proto_tree *socks_tree = NULL;
1034 socks_hash_entry_t *hash_info;
1035 conversation_t *conversation;
1037 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
1039 /* avoid recursive overflow */
1041 if ( in_socks_dissector_flag) {
1045 conversation = find_conversation( pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1046 pinfo->srcport, pinfo->destport, 0);
1048 if ( !conversation){
1049 conversation = conversation_new( pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1050 pinfo->srcport, pinfo->destport, 0);
1052 hash_info = conversation_get_proto_data(conversation,proto_socks);
1054 hash_info = se_alloc(sizeof(socks_hash_entry_t));
1055 hash_info->start_done_row = G_MAXINT;
1056 hash_info->state = None;
1057 hash_info->port = 0;
1058 hash_info->version = tvb_get_guint8(tvb, offset); /* get version*/
1060 if (( hash_info->version != 4) && /* error test version */
1061 ( hash_info->version != 5))
1062 hash_info->state = Done;
1064 conversation_add_proto_data(conversation, proto_socks,
1067 /* set dissector for now */
1068 conversation_set_dissector(conversation, socks_handle);
1071 /* display summary window information */
1073 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
1075 if (check_col(pinfo->cinfo, COL_INFO)){
1076 if (( hash_info->version == 4) || ( hash_info->version == 5)){
1077 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: %d",
1078 hash_info->version);
1080 else /* unknown version display error */
1081 col_set_str(pinfo->cinfo, COL_INFO, "Unknown");
1084 if ( hash_info->command == PING_COMMAND)
1085 col_append_str(pinfo->cinfo, COL_INFO, ", Ping Req");
1086 if ( hash_info->command == TRACERT_COMMAND)
1087 col_append_str(pinfo->cinfo, COL_INFO, ", Traceroute Req");
1089 /*XXX if ( hash_info->port != -1) */
1090 if ( hash_info->port != 0)
1091 col_append_fstr(pinfo->cinfo, COL_INFO, ", Remote Port: %u",
1096 /* run state machine if needed */
1098 if ((hash_info->state != Done) && ( !pinfo->fd->flags.visited)){
1100 if ( hash_info->version == 4)
1101 state_machine_v4( hash_info, tvb, offset, pinfo);
1103 else if ( hash_info->version == 5)
1104 state_machine_v5( hash_info, tvb, offset, pinfo);
1106 if (hash_info->state == Done) { /* if done now */
1107 hash_info->start_done_row = pinfo->fd->num;
1111 /* if proto tree, decode and display */
1114 ti = proto_tree_add_item( tree, proto_socks, tvb, offset, -1,
1117 socks_tree = proto_item_add_subtree(ti, ett_socks);
1119 if ( hash_info->version == 4)
1120 display_socks_v4(tvb, offset, pinfo, socks_tree,
1123 else if ( hash_info->version == 5)
1124 display_socks_v5(tvb, offset, pinfo, socks_tree,
1127 /* if past startup, add the faked stuff */
1128 if ( pinfo->fd->num > hash_info->start_done_row){
1129 /* add info to tree */
1130 proto_tree_add_text( socks_tree, tvb, offset, 0,
1131 "Command: %d (%s)", hash_info->command,
1132 get_command_name(hash_info->command));
1134 proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, tvb,
1135 offset, 0, hash_info->dst_addr);
1137 /* no fake address for ping & traceroute */
1139 if (( hash_info->command != PING_COMMAND) &&
1140 ( hash_info->command != TRACERT_COMMAND)){
1141 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
1142 offset, 0, hash_info->port);
1149 /* call next dissector if ready */
1151 if ( pinfo->fd->num > hash_info->start_done_row){
1152 call_next_dissector(tvb, offset, pinfo, tree, socks_tree,
1160 proto_register_socks( void){
1162 /*** Prep the socks protocol, register it and a initialization routine */
1163 /* to clear the hash stuff. */
1166 static gint *ett[] = {
1173 static hf_register_info hf[] = {
1177 { "Version", "socks.version", FT_UINT8, BASE_DEC, NULL,
1182 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1186 { &hf_socks_ip6_dst,
1187 { "Remote Address(ipv6)", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1192 { "User Name", "socks.username", FT_STRINGZ, BASE_NONE, NULL,
1196 { &hf_gssapi_payload,
1197 { "GSSAPI data", "socks.gssapi.data", FT_BYTES, BASE_NONE, NULL,
1201 { &hf_gssapi_command,
1202 { "SOCKS/GSSAPI command", "socks.gssapi.command", FT_UINT8, BASE_DEC,
1203 VALS(gssapi_command_table), 0x0, NULL, HFILL
1206 { &hf_gssapi_length,
1207 { "SOCKS/GSSAPI data length", "socks.gssapi.length", FT_UINT16, BASE_DEC, NULL,
1212 { "SOCKS v4a Remote Domain Name", "socks.v4a_dns_name", FT_STRINGZ, BASE_NONE,
1213 NULL, 0x0, NULL, HFILL
1216 { &hf_socks_dstport,
1217 { "Remote Port", "socks.dstport", FT_UINT16,
1218 BASE_DEC, NULL, 0x0, NULL, HFILL
1222 { "Command", "socks.command", FT_UINT8,
1223 BASE_DEC, VALS(cmd_strings), 0x0, NULL, HFILL
1226 { &hf_socks_results_4,
1227 { "Results(V4)", "socks.results_v4", FT_UINT8,
1228 BASE_DEC, VALS(reply_table_v4), 0x0, NULL, HFILL
1231 { &hf_socks_results_5,
1232 { "Results(V5)", "socks.results_v5", FT_UINT8,
1233 BASE_DEC, VALS(reply_table_v5), 0x0, NULL, HFILL
1236 { &hf_socks_results,
1237 { "Results(V5)", "socks.results", FT_UINT8,
1238 BASE_DEC, NULL, 0x0, NULL, HFILL
1245 proto_socks = proto_register_protocol (
1246 "Socks Protocol", "Socks", "socks");
1248 proto_register_field_array(proto_socks, hf, array_length(hf));
1249 proto_register_subtree_array(ett, array_length(ett));
1254 proto_reg_handoff_socks(void) {
1256 /* dissector install routine */
1257 socks_udp_handle = create_dissector_handle(socks_udp_dissector, proto_socks);
1258 socks_handle = create_dissector_handle(dissect_socks, proto_socks);
1260 dissector_add("tcp.port", TCP_PORT_SOCKS, socks_handle);