5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 #ifndef __PACKET_TCP_H__
25 #define __PACKET_TCP_H__
27 #ifndef __CONVERSATION_H__
28 #include "epan/conversation.h"
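/*
 * TCP sequence-number comparisons (serial-number arithmetic).
 *
 * Sequence numbers are 32-bit values that wrap around, so ordering is
 * decided from the sign of the 32-bit difference rather than from a plain
 * numeric compare.  Idea for gt: either x > y, or y is much bigger
 * (assume wrap).  The result is only meaningful while the two values are
 * less than 2^31 apart.
 *
 * Both operands are converted to guint32 before subtracting so that the
 * subtraction is always modulo 2^32; a caller passing signed integers
 * therefore cannot trigger signed-overflow undefined behaviour.  Each
 * argument is evaluated exactly once.
 */
#define GT_SEQ(x, y) ((gint32)((guint32)(y) - (guint32)(x)) < 0)
#define LT_SEQ(x, y) ((gint32)((guint32)(x) - (guint32)(y)) < 0)
#define GE_SEQ(x, y) ((gint32)((guint32)(y) - (guint32)(x)) <= 0)
#define LE_SEQ(x, y) ((gint32)((guint32)(x) - (guint32)(y)) <= 0)
/* Plain equality; no wrap handling is needed for this one. */
#define EQ_SEQ(x, y) ((x) == (y))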
48 /* the tcp header structure, passed to tap listeners */
49 typedef struct tcpheader {
52 gboolean th_have_seglen; /* TRUE if th_seglen is valid */
54 guint32 th_win; /* make it 32 bits so we can handle some scaling */
64 * Private data passed from the TCP dissector to subdissectors. Passed to the
65 * subdissectors in pinfo->private_data
68 guint32 seq; /* Sequence number of first byte in the data */
69 guint32 nxtseq; /* Sequence number of first byte after data */
70 guint32 lastackseq; /* Sequence number of last ack */
71 gboolean is_reassembled; /* This is reassembled data. */
72 gboolean urgent; /* TRUE if "urgent_pointer" is valid */
73 guint16 urgent_pointer; /* Urgent pointer value for the current packet. */
77 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
78 * consists of a fixed-length chunk of data that contains enough information
79 * to determine the length of the PDU, followed by rest of the PDU.
81 * The first three arguments are the arguments passed to the dissector
82 * that calls this routine.
84 * "proto_desegment" is the dissector's flag controlling whether it should
85 * desegment PDUs that cross TCP segment boundaries.
87 * "fixed_len" is the length of the fixed-length part of the PDU.
89 * "get_pdu_len()" is a routine called to get the length of the PDU from
90 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset". The length it returns is read from packet data, so it must be treated as untrusted.
92 * "dissect_pdu()" is the routine to dissect a PDU.
95 tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
96 gboolean proto_desegment, guint fixed_len,
97 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
98 dissector_t dissect_pdu);
100 extern struct tcp_multisegment_pdu *
101 pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, emem_tree_t *multisegment_pdus);
103 typedef struct _tcp_unacked_t {
104 struct _tcp_unacked_t *next;
116 nstime_t rto_ts; /* Time since previous packet for
119 guint32 dupack_num; /* dup ack number */
120 guint32 dupack_frame; /* dup ack to frame # */
121 guint32 bytes_in_flight; /* number of bytes in flight */
124 /* One instance of this structure is created for each pdu that spans across
125 * multiple tcp segments.
127 struct tcp_multisegment_pdu {
132 nstime_t last_frame_time;
134 #define MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT 0x00000001
137 typedef struct _tcp_flow_t {
138 guint32 base_seq; /* base seq number (used by relative sequence numbers)
139 * or 0 if not yet known.
141 tcp_unacked_t *segments;
142 guint32 lastack; /* last seen ack */
143 nstime_t lastacktime; /* Time of the last ack packet */
144 guint32 lastnondupack; /* frame number of last seen non dupack */
145 guint32 dupacknum; /* dupack number */
146 guint32 nextseq; /* highest seen nextseq */
147 guint32 nextseqframe; /* frame number for segment with highest
150 nstime_t nextseqtime; /* Time of the nextseq packet so we can
151 * distinguish between retransmission,
152 * fast retransmissions and outoforder
154 guint32 window; /* last seen window */
155 gint16 win_scale; /* -1 if we don't know */
156 gint16 scps_capable; /* flow advertised scps capabilities */
157 guint16 maxsizeacked; /* 0 if not yet known */
159 /* This tcp flow/session contains only one single PDU and should
160 * be reassembled until the final FIN segment.
162 #define TCP_FLOW_REASSEMBLE_UNTIL_FIN 0x0001
164 guint32 lastsegmentflags;
166 /* This tree is indexed by sequence number and keeps track of all
167 * pdus spanning multiple segments for this flow.
169 emem_tree_t *multisegment_pdus;
171 /* Process info, currently discovered via IPFIX */
172 guint32 process_uid; /* UID of local process */
173 guint32 process_pid; /* PID of local process */
174 gchar *username; /* Username of the local process */
175 gchar *command; /* Local process name + path + args */
179 struct tcp_analysis {
180 /* These two structs are managed based on comparing the source
181 * and destination addresses and, if they're equal, comparing
182 * the source and destination ports.
184 * If the source is greater than the destination, then stuff
185 * sent from src is in ual1.
187 * If the source is less than the destination, then stuff
188 * sent from src is in ual2.
190 * XXX - if the addresses and ports are equal, we don't guarantee
196 /* These pointers are set by get_tcp_conversation_data():
197 * fwd points in the same direction as the current packet
198 * and rev in the reverse direction.
203 /* This pointer is NULL or points to a tcp_acked struct if this
204 * packet has "interesting" properties such as being a KeepAlive or
207 struct tcp_acked *ta;
208 /* This structure contains a tree containing all the various ta's
209 * keyed by frame number.
211 emem_tree_t *acked_table;
213 /* Remember the timestamp of the first frame seen in this tcp
214 * conversation to be able to calculate a relative time compared
215 * to the start of this conversation
219 /* Remember the timestamp of the frame that was last seen in this
220 * tcp conversation to be able to calculate a delta time compared
221 * to previous frame in this conversation
226 /* Structure that keeps per packet data. First used to be able
227 * to calculate the time_delta from the last seen frame in this
228 * TCP conversation. Can be extended for future use.
230 struct tcp_per_packet_data_t {
235 extern void dissect_tcp_payload(tvbuff_t *tvb, packet_info *pinfo, int offset,
236 guint32 seq, guint32 nxtseq, guint32 sport,
237 guint32 dport, proto_tree *tree,
238 proto_tree *tcp_tree,
239 struct tcp_analysis *tcpd);
241 extern struct tcp_analysis *get_tcp_conversation_data(conversation_t *conv,
244 extern gboolean decode_tcp_ports(tvbuff_t *, int, packet_info *, proto_tree *, int, int, struct tcp_analysis *);
246 /** Associate process information with a given flow
248 * @param local_addr The local IPv4 or IPv6 address of the process
249 * @param remote_addr The remote IPv4 or IPv6 address of the process
250 * @param local_port The local TCP port of the process
251 * @param remote_port The remote TCP port of the process
252 * @param uid The numeric user ID of the process
253 * @param pid The numeric PID of the process
254 * @param username Ephemeral string containing the full or partial user name
255 * @param command Ephemeral string containing the full or partial process name
257 extern void add_tcp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command);