2 * SSL specific routines for following traffic streams
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
41 #include <epan/follow.h>
42 #include <epan/dissectors/packet-ipv6.h>
43 #include <epan/prefs.h>
44 #include <epan/addr_resolv.h>
45 #include <epan/epan_dissect.h>
46 #include <epan/filesystem.h>
47 #include <epan/ipproto.h>
51 #include <../globals.h>
52 #include <../alert_box.h>
53 #include <../simple_dialog.h>
56 #include <gtk/color_utils.h>
58 #include <gtk/dlg_utils.h>
59 #include <gtk/file_dlg.h>
61 #include <gtk/gui_utils.h>
62 #include <gtk/font_utils.h>
63 #include "gtk/follow_ssl.h"
64 #include "gtk/follow_stream.h"
67 #include "packet-ssl-utils.h"
69 #include <epan/dissectors/packet-ssl-utils.h>
/*
 * Tap listener for the "ssl" tap: gathers the decrypted application data
 * of one packet into a single SslDecryptedRecord, tags it with the
 * direction it travelled, and appends it to follow_info->payload.
 *
 * tapdata - the follow_info_t that was registered with the tap
 * pinfo   - packet info of the packet being tapped
 * edt     - unused
 * ssl     - tap data; carries the SSL protocol id packed into a pointer
 *           (unpacked into proto_ssl below)
 *
 * NOTE(review): the return-type line and the bare "return" that ends the
 * no-payload branch are not part of this excerpt.
 */
79 ssl_queue_packet_data(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *ssl)
81 follow_info_t* follow_info = tapdata;
82 SslDecryptedRecord* rec;
83 SslDataInfo* appl_data;
/* NOTE(review): pointer -> int through "long" truncates on LLP64 targets
   (e.g. Win64); GPOINTER_TO_INT(ssl) is the GLib idiom for unpacking an
   int that was stored in a pointer. Harmless while the id is small. */
86 int proto_ssl = (long) ssl;
87 SslPacketInfo* pi = p_get_proto_data(pinfo->fd, proto_ssl);
89 /* Skip packets that carry no decrypted data payload (nothing to queue). */
90 if (!pi || !pi->appl_data)
93 /* Sum the plaintext length of every SslDataInfo chained off this packet;
   this is the payload size of the record allocated below.
   NOTE(review): total_len's type is not shown here; the copy loop further
   down writes exactly this many bytes, so the copy stays in bounds as long
   as the sum cannot wrap - confirm the type is wide enough for the
   dissector-supplied data_len values. */
95 appl_data = pi->appl_data;
97 total_len += appl_data->plain_data.data_len;
98 appl_data = appl_data->next;
101 /* One allocation holds the record header and, directly after it, the
   payload bytes; freeing rec therefore frees the data as well. */
102 rec = g_malloc(sizeof(SslDecryptedRecord) + total_len);
/* Direction: the first packet seen defines the client side (its source
   address/port are remembered in follow_info). Every later packet whose
   source matches that client is client->server; rec->is_server is derived
   from this test (the assignment itself lies on lines not shown here) and
   is used as an index into bytes_written. */
104 if (follow_info->client_port == 0) {
105 follow_info->client_port = pinfo->srcport;
106 COPY_ADDRESS(&follow_info->client_ip, &pinfo->src);
108 if (ADDRESSES_EQUAL(&follow_info->client_ip, &pinfo->src) &&
109 follow_info->client_port == pinfo->srcport)
114 /* Per-direction byte counter, later shown in the stream dialog labels. */
115 follow_info->bytes_written[rec->is_server] += total_len;
117 /* Point the record's data at the trailing bytes of the allocation and
   concatenate the plaintext of every chained SslDataInfo into it. */
118 rec->data.data = (guchar*)(rec + 1);
119 rec->data.data_len = total_len;
120 appl_data = pi->appl_data;
123 memcpy(p, appl_data->plain_data.data, appl_data->plain_data.data_len);
124 p += appl_data->plain_data.data_len;
125 appl_data = appl_data->next;
/* Queue in arrival order; the list is consumed by follow_read_ssl_stream().
   NOTE(review): g_list_append walks the whole list each call, so queuing a
   long stream is quadratic - only worth changing if it shows up in practice. */
127 follow_info->payload = g_list_append(
128 follow_info->payload,rec);
134 packet_is_ssl(epan_dissect_t* edt);
137 /* Follow the SSL stream, if any, to which the last packet that we called
138 a dissection routine on belongs (this might be the most recently
139 selected packet, or it might be the last packet in the file). */
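/*
 * Menu callback. "w" is the widget that carries the display-filter entry
 * under E_DFILTER_TE_KEY; "data" is unused. Operates on the global cfile.
 *
 * Ownership: follow_info (including filter_out_filter) is passed on to
 * follow_stream(); follow_filter and the three label strings are released
 * here. The two early-error branches and the return-type line are not
 * part of this excerpt.
 *
 * Fix: in the IPv6 branch the second endpoint's hostname was resolved from
 * stats.ip_address[0] instead of stats.ip_address[1], so both direction
 * labels named the same host. The IPv4 branch already used [1].
 */
141 follow_ssl_stream_cb(GtkWidget * w, gpointer data _U_)
143 GtkWidget *filter_te;
144 gchar *follow_filter;
145 const gchar *previous_filter;
146 int filter_out_filter_len, previous_filter_len;
147 const char *hostname0, *hostname1;
149 gchar *server_to_client_string = NULL;
150 gchar *client_to_server_string = NULL;
151 gchar *both_directions_string = NULL;
152 follow_stats_t stats;
153 follow_info_t *follow_info;
156 /* Only proceed when the current packet was dissected as SSL. */
157 if (!packet_is_ssl(cfile.edt)) {
158 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
159 "Error following stream. Please make\n"
160 "sure you have an SSL packet selected.");
164 follow_info = g_new0(follow_info_t, 1);
165 follow_info->follow_type = FOLLOW_SSL;
167 /* Create a new filter that matches all packets in the SSL stream,
168 and set the display filter entry accordingly */
169 reset_tcp_reassembly();
170 follow_filter = build_follow_filter(&cfile.edt->pi);
/* build_follow_filter() needs a network-layer header; error out otherwise.
   NOTE(review): confirm follow_info is freed on this path (the lines that
   close this branch are not shown here). */
173 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
174 "Error creating filter for this stream.\n"
175 "A network layer header is needed");
180 /* Set the display filter entry accordingly */
181 filter_te = g_object_get_data(G_OBJECT(w), E_DFILTER_TE_KEY);
183 /* needed in follow_filter_out_stream(), is there a better way? */
184 follow_info->filter_te = filter_te;
186 /* save previous filter, const since we're not supposed to alter */
188 (const gchar *)gtk_entry_get_text(GTK_ENTRY(filter_te));
190 /* allocate our new filter. API claims g_malloc terminates program on failure */
191 /* "%s and !(%s)" adds 9 characters plus the terminator, i.e. +10; +16
   leaves slack, and g_snprintf below bounds the write regardless. */
192 previous_filter_len = previous_filter?(int)strlen(previous_filter):0;
193 filter_out_filter_len = (int)strlen(follow_filter) + previous_filter_len + 16;
194 follow_info->filter_out_filter = g_malloc(filter_out_filter_len);
196 /* Build the "filter out this stream" expression: negate the stream
   filter and, if a display filter was active, AND it with that one. */
197 if(previous_filter_len) {
198 g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
199 "%s and !(%s)", previous_filter, follow_filter);
201 g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
202 "!(%s)", follow_filter);
205 /* The decrypted payload is collected by ssl_queue_packet_data() while the
   display filter below is run. */
206 msg = register_tap_listener("ssl", follow_info, follow_filter,
207 NULL, ssl_queue_packet_data, NULL);
/* NOTE(review): only the filter strings are freed in the lines shown; make
   sure follow_info itself is released on this early-out as well. */
210 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
211 "Can't register ssl tap: %s\n",msg->str);
212 g_free(follow_info->filter_out_filter);
214 g_free(follow_filter);
217 gtk_entry_set_text(GTK_ENTRY(filter_te), follow_filter);
219 /* Run the display filter so it goes in effect - even if it's the
220 same as the previous display filter. */
221 main_filter_packets(&cfile, follow_filter, TRUE);
223 /* Free the filter string, as we're done with it. */
224 g_free(follow_filter);
/* All packets have been tapped by now; stop collecting. */
226 remove_tap_listener(follow_info);
229 follow_stats(&stats);
/* Resolve both endpoints to names for the dialog labels. Endpoint 0 comes
   from ip_address[0], endpoint 1 from ip_address[1], in both address
   families. */
232 struct e_in6_addr ipaddr;
233 memcpy(&ipaddr, stats.ip_address[0], 16);
234 hostname0 = get_hostname6(&ipaddr);
235 memcpy(&ipaddr, stats.ip_address[1], 16);
236 hostname1 = get_hostname6(&ipaddr);
/* NOTE(review): the IPv4 branch copies 4 bytes and passes ipaddr by value to
   get_hostname(); presumably a separate guint32 ipaddr is declared in this
   branch (declaration not shown) - verify. */
239 memcpy(&ipaddr, stats.ip_address[0], 4);
240 hostname0 = get_hostname(ipaddr);
241 memcpy(&ipaddr, stats.ip_address[1], 4);
242 hostname1 = get_hostname(ipaddr);
245 port0 = get_tcp_port(stats.port[0]);
246 port1 = get_tcp_port(stats.port[1]);
248 follow_info->is_ipv6 = stats.is_ipv6;
250 /* Both Stream Directions */
251 both_directions_string = g_strdup_printf("Entire conversation (%u bytes)", follow_info->bytes_written[0] + follow_info->bytes_written[1]);
/* Label each direction "src:port --> dst:port (n bytes)". Which endpoint is
   the client was fixed by the first tapped packet (follow_info->client_port),
   so the argument order is swapped depending on whether that is port[0]. */
253 if(follow_info->client_port == stats.port[0]) {
254 server_to_client_string =
255 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
258 follow_info->bytes_written[0]);
260 client_to_server_string =
261 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
264 follow_info->bytes_written[1]);
266 server_to_client_string =
267 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
270 follow_info->bytes_written[0]);
272 client_to_server_string =
273 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
276 follow_info->bytes_written[1]);
/* follow_stream() takes over follow_info; the label strings are copied by
   the dialog, so they are released right after. */
279 follow_stream("Follow SSL Stream", follow_info, both_directions_string,
280 server_to_client_string, client_to_server_string);
282 g_free(both_directions_string);
283 g_free(server_to_client_string);
284 g_free(client_to_server_string);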
/* Chunk size for the stream reader below; its use is outside this excerpt. */
287 #define FLT_BUF_SIZE 1024
290 * XXX - the routine pointed to by "print_line" doesn't get handed lines,
291 * it gets handed bufferfuls. That's fine for "follow_write_raw()"
292 * and "follow_add_to_gtk_text()", but, as "follow_print_text()" calls
293 * the "print_line()" routine from "print.c", and as that routine might
294 * genuinely expect to be handed a line (if, for example, it's using
295 * some OS or desktop environment's printing API, and that API expects
296 * to be handed lines), "follow_print_text()" should probably accumulate
297 * lines in a buffer and hand them to "print_line()". (If there's a
298 * complete line in a buffer - i.e., there's nothing of the line in
299 * the previous buffer or the next buffer - it can just hand that to
300 * "print_line()" after filtering out non-printables, as an
303 * This might or might not be the reason why C arrays display
304 * correctly but get extra blank lines every other line when printed.
307 follow_read_ssl_stream(follow_info_t *follow_info,
308 gboolean (*print_line)(char *, size_t, gboolean, void *),
312 guint32 global_client_pos = 0, global_server_pos = 0;
313 guint32 server_packet_count = 0;
314 guint32 client_packet_count = 0;
318 frs_return_t frs_return;
320 iplen = (follow_info->is_ipv6) ? 16 : 4;
322 for (cur = follow_info->payload; cur; cur = g_list_next(cur)) {
323 SslDecryptedRecord* rec = cur->data;
325 if (!rec->is_server) {
326 global_pos = &global_client_pos;
327 if (follow_info->show_stream == FROM_SERVER) {
331 global_pos = &global_server_pos;
332 if (follow_info->show_stream == FROM_CLIENT) {
338 size_t nchars = rec->data.data_len;
339 gchar *buffer = g_memdup(rec->data.data, (guint) nchars);
341 frs_return = follow_show(follow_info, print_line, buffer, nchars,
342 rec->is_server, arg, global_pos,
343 &server_packet_count, &client_packet_count);
345 if(frs_return == FRS_PRINT_ERROR)