2 * Routines handling protocols with a request/response line, headers,
3 * a blank line, and an optional body.
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
32 #include <epan/strutil.h>
35 #include <epan/req_resp_hdrs.h>
37 #ifdef NEED_G_ASCII_STRCASECMP_H
38 #include "g_ascii_strcasecmp.h"
42 * Optionally do reassembly of the request/response line, headers, and body.
45 req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo,
46 const gboolean desegment_headers, const gboolean desegment_body)
50 gint length_remaining, reported_length_remaining;
53 long int content_length;
54 gboolean content_length_found = FALSE;
55 gboolean content_type_found = FALSE;
56 gboolean chunked_encoding = FALSE;
57 gboolean keepalive_found = FALSE;
60 * Do header desegmentation if we've been told to.
62 * RFC 2616 defines HTTP messages as being either of the
63 * Request or the Response type
64 * (HTTP-message = Request | Response).
65 * Request and Response are defined as:
66 * Request = Request-Line
69 * | entity-header ) CRLF)
72 * Response = Status-Line
75 * | entity-header ) CRLF)
78 * that's why we can always assume two consecutive line
79 * endings (we allow CR, LF, or CRLF, as some clients
80 * or servers might not use a full CRLF) to mark the end
81 * of the headers. The worst thing that would happen
82 * otherwise would be the packet not being desegmented
83 * or being interpreted as only headers.
85 * RFC 2326 says RTSP works the same way; RFC 3261 says SIP
90 * If header desegmentation is activated, check that all
91 * headers are in this tvbuff (search for an empty line
92 * marking end of headers) or request one more byte (we
93 * don't know how many bytes we'll need, so we just ask
96 if (desegment_headers && pinfo->can_desegment) {
99 next_offset_sav = next_offset;
101 reported_length_remaining =
102 tvb_reported_length_remaining(tvb, next_offset);
105 * Request one more byte if there're no
106 * bytes left in the reported data (if there're
107 * bytes left in the reported data, but not in
108 * the available data, requesting more bytes
109 * won't help, as those bytes weren't captured).
111 if (reported_length_remaining < 1) {
112 pinfo->desegment_offset = offset;
113 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
117 length_remaining = tvb_length_remaining(tvb,
121 * Request one more byte if we cannot find a
122 * header (i.e. a line end).
124 linelen = tvb_find_line_end(tvb, next_offset,
125 -1, &next_offset, TRUE);
127 length_remaining >= reported_length_remaining) {
129 * Not enough data; ask for one more
132 pinfo->desegment_offset = offset;
133 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
139 * We found the end of the headers.
145 * Is this a Content-Length or Transfer-Encoding
146 * header? If not, it either means that we are in
147 * a different header line, or that we are
148 * at the end of the headers, or that there
149 * isn't enough data; the two latter cases
150 * have already been handled above.
152 if (desegment_body) {
154 * Check if we've found Content-Length.
156 if (tvb_strncaseeql(tvb, next_offset_sav,
157 "Content-Length:", 15) == 0) {
158 header_val = tvb_get_ephemeral_string(tvb,
159 next_offset_sav + 15,
161 if (sscanf(header_val,
162 "%li", &content_length)
164 content_length_found = TRUE;
165 } else if (tvb_strncaseeql(tvb, next_offset_sav,
166 "Content-Type:", 13) == 0) {
167 content_type_found = TRUE;
168 } else if (tvb_strncaseeql(tvb, next_offset_sav,
169 "Connection:", 11) == 0) {
170 /* Check for keep-alive */
171 header_val = tvb_get_ephemeral_string(tvb,
172 next_offset_sav + 11,
175 while(*header_val==' '){
178 if(!g_ascii_strncasecmp(header_val, "Keep-Alive", 10)){
179 keepalive_found = TRUE;
182 } else if (tvb_strncaseeql(tvb,
184 "Transfer-Encoding:", 18) == 0) {
186 * Find out if this Transfer-Encoding is
187 * chunked. It should be, since there
188 * really aren't any other types, but
189 * RFC 2616 allows for them.
194 header_val = tvb_get_ephemeral_string(tvb,
195 next_offset_sav + 18, linelen - 18);
197 len = strlen(header_val);
198 /* Skip white space */
199 while (p < header_val + len &&
200 (*p == ' ' || *p == '\t'))
202 if (p <= header_val + len) {
203 if (g_ascii_strncasecmp(p, "chunked", 7)
206 * Don't bother looking
213 chunked_encoding = TRUE;
222 * The above loop ends when we reached the end of the headers, so
223 * there should be content_length bytes after the 4 terminating bytes
224 * and next_offset points to after the end of the headers.
226 if (desegment_body) {
227 if (content_length_found) {
228 /* next_offset has been set to the end of the headers */
229 if (!tvb_bytes_exist(tvb, next_offset, content_length)) {
230 length_remaining = tvb_length_remaining(tvb,
232 reported_length_remaining =
233 tvb_reported_length_remaining(tvb, next_offset);
234 if (length_remaining < reported_length_remaining) {
236 * It's a waste of time asking for more
237 * data, because that data wasn't captured.
241 if (length_remaining == -1)
242 length_remaining = 0;
243 pinfo->desegment_offset = offset;
244 pinfo->desegment_len =
245 content_length - length_remaining;
248 } else if (chunked_encoding) {
250 * This data is chunked, so we need to keep pulling
251 * data until we reach the end of the stream, or a
255 * This doesn't bother with trailing headers; I don't
256 * think they are really used, and we'd have to use
257 * is_http_request_or_reply() to determine if it was
258 * a trailing header, or the start of a new response.
260 gboolean done_chunking = FALSE;
262 while (!done_chunking) {
264 gint chunk_offset = 0;
265 gchar *chunk_string = NULL;
268 reported_length_remaining =
269 tvb_reported_length_remaining(tvb,
272 if (reported_length_remaining < 1) {
273 pinfo->desegment_offset = offset;
274 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
278 length_remaining = tvb_length_remaining(tvb,
281 linelen = tvb_find_line_end(tvb, next_offset,
282 -1, &chunk_offset, TRUE);
286 reported_length_remaining) {
287 pinfo->desegment_offset = offset;
288 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
292 /* We have a line with the chunk size in it.*/
293 chunk_string = tvb_get_ephemeral_string(tvb, next_offset,
298 * We don't care about the extensions.
300 if ((c = strchr(c, ';'))) {
304 if ((sscanf(chunk_string, "%x",
305 &chunk_size) < 0) || chunk_size < 0) {
306 /* We couldn't get the chunk size,
312 if (chunk_size == 0) {
314 * This is the last chunk. Let's pull in the
317 linelen = tvb_find_line_end(tvb,
318 chunk_offset, -1, &chunk_offset, TRUE);
322 reported_length_remaining) {
323 pinfo->desegment_offset = offset;
324 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
328 pinfo->desegment_offset = chunk_offset;
329 pinfo->desegment_len = 0;
330 done_chunking = TRUE;
333 * Skip to the next chunk if we
336 if (reported_length_remaining >
339 next_offset = chunk_offset
343 * Fetch this chunk, plus the
346 pinfo->desegment_offset = offset;
347 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
353 } else if (content_type_found && pinfo->can_desegment) {
354 /* We found a content-type but no content-length.
355 * This is probably a HTTP header for a session with
356 * only one HTTP PDU and where the content spans
357 * until the end of the tcp session, unless there
358 * is a keepalive header present in which case we
359 * assume there is no message body at all and thus
360 * we wont do any reassembly.
361 * Set up tcp reassembly until the end of this session.
363 length_remaining = tvb_length_remaining(tvb, next_offset);
364 reported_length_remaining = tvb_reported_length_remaining(tvb, next_offset);
365 if (length_remaining < reported_length_remaining) {
367 * It's a waste of time asking for more
368 * data, because that data wasn't captured.
373 if (keepalive_found) {
374 /* We have a keep-alive but no content-length.
375 * Assume there is no message body and dont
381 pinfo->desegment_offset = offset;
382 pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
390 * No further desegmentation needed.