2 * UDP specific routines for following traffic streams
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
33 #include <epan/addr_resolv.h>
34 #include <epan/epan_dissect.h>
35 #include <epan/follow.h>
36 #include <epan/ipproto.h>
37 #include <epan/strutil.h>
40 #include <../globals.h>
41 #include <../simple_dialog.h>
43 #include "gtk/follow_stream.h"
46 #include "gtk/follow_udp.h"
50 udp_queue_packet_data(void *tapdata, packet_info *pinfo,
51 epan_dissect_t *edt _U_, const void *data)
53 follow_record_t *follow_record;
54 follow_info_t *follow_info = tapdata;
55 const tvbuff_t *next_tvb = data;
57 follow_record = g_malloc(sizeof(follow_record_t));
59 follow_record->data = g_byte_array_sized_new(next_tvb->length);
60 follow_record->data = g_byte_array_append(follow_record->data,
64 if (follow_info->client_port == 0) {
65 follow_info->client_port = pinfo->srcport;
66 COPY_ADDRESS(&follow_info->client_ip, &pinfo->src);
69 if (ADDRESSES_EQUAL(&follow_info->client_ip, &pinfo->src) &&
70 follow_info->client_port == pinfo->srcport)
71 follow_record->is_server = FALSE;
73 follow_record->is_server = TRUE;
75 /* update stream counter */
76 follow_info->bytes_written[follow_record->is_server] +=
77 follow_record->data->len;
79 follow_info->payload = g_list_append(follow_info->payload,
85 /* Follow the UDP stream, if any, to which the last packet that we called
86 a dissection routine on belongs (this might be the most recently
87 selected packet, or it might be the last packet in the file). */
89 follow_udp_stream_cb(GtkWidget *w, gpointer data _U_)
93 const gchar *previous_filter;
94 int filter_out_filter_len, previous_filter_len;
95 const char *hostname0, *hostname1;
97 gchar *server_to_client_string = NULL;
98 gchar *client_to_server_string = NULL;
99 gchar *both_directions_string = NULL;
100 follow_stats_t stats;
101 follow_info_t *follow_info;
104 /* we got udp so we can follow */
105 if(cfile.edt->pi.ipproto != IP_PROTO_UDP) {
106 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
107 "Error following stream. Please make\n"
108 "sure you have a UDP packet selected.");
112 follow_info = g_new0(follow_info_t, 1);
113 follow_info->follow_type = FOLLOW_UDP;
115 /* Create a new filter that matches all packets in the UDP stream,
116 and set the display filter entry accordingly */
117 follow_filter = build_follow_filter(&cfile.edt->pi);
120 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
121 "Error creating filter for this stream.\n"
122 "A network layer header is needed");
127 /* Set the display filter entry accordingly */
128 filter_te = g_object_get_data(G_OBJECT(w), E_DFILTER_TE_KEY);
130 /* needed in follow_filter_out_stream(), is there a better way? */
131 follow_info->filter_te = filter_te;
133 /* save previous filter, const since we're not supposed to alter */
135 (const gchar *)gtk_entry_get_text(GTK_ENTRY(filter_te));
137 /* allocate our new filter. API claims g_malloc terminates program on failure */
138 /* my calc for max alloc needed is really +10 but when did a few extra bytes hurt ? */
139 previous_filter_len = previous_filter?strlen(previous_filter):0;
140 filter_out_filter_len = strlen(follow_filter) + previous_filter_len + 16;
141 follow_info->filter_out_filter = (gchar *)g_malloc(filter_out_filter_len);
143 /* append the negation */
144 if(previous_filter_len) {
145 g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
146 "%s and !(%s)", previous_filter, follow_filter);
148 g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
149 "!(%s)", follow_filter);
152 /* data will be passed via tap callback*/
153 msg = register_tap_listener("udp_follow", follow_info, follow_filter,
154 NULL, udp_queue_packet_data, NULL);
156 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
157 "Can't register udp_follow tap: %s\n",
159 g_free(follow_info->filter_out_filter);
161 g_free(follow_filter);
165 gtk_entry_set_text(GTK_ENTRY(filter_te), follow_filter);
167 /* Run the display filter so it goes in effect - even if it's the
168 same as the previous display filter. */
169 main_filter_packets(&cfile, follow_filter, TRUE);
171 /* Free the filter string, as we're done with it. */
172 g_free(follow_filter);
174 remove_tap_listener(follow_info);
177 follow_stats(&stats);
180 struct e_in6_addr ipaddr;
181 memcpy(&ipaddr, stats.ip_address[0], 16);
182 hostname0 = get_hostname6(&ipaddr);
183 memcpy(&ipaddr, stats.ip_address[0], 16);
184 hostname1 = get_hostname6(&ipaddr);
187 memcpy(&ipaddr, stats.ip_address[0], 4);
188 hostname0 = get_hostname(ipaddr);
189 memcpy(&ipaddr, stats.ip_address[1], 4);
190 hostname1 = get_hostname(ipaddr);
193 port0 = get_udp_port(stats.port[0]);
194 port1 = get_udp_port(stats.port[1]);
196 follow_info->is_ipv6 = stats.is_ipv6;
198 /* Both Stream Directions */
199 both_directions_string = g_strdup_printf("Entire conversation (%u bytes)", follow_info->bytes_written[0] + follow_info->bytes_written[1]);
201 if(follow_info->client_port == stats.port[0]) {
202 server_to_client_string =
203 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
206 follow_info->bytes_written[0]);
208 client_to_server_string =
209 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
212 follow_info->bytes_written[1]);
214 server_to_client_string =
215 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
218 follow_info->bytes_written[0]);
220 client_to_server_string =
221 g_strdup_printf("%s:%s --> %s:%s (%u bytes)",
224 follow_info->bytes_written[1]);
227 follow_stream("Follow UDP Stream", follow_info, both_directions_string,
228 server_to_client_string, client_to_server_string);
230 g_free(both_directions_string);
231 g_free(server_to_client_string);
232 g_free(client_to_server_string);
235 #define FLT_BUF_SIZE 1024
238 * XXX - the routine pointed to by "print_line" doesn't get handed lines,
239 * it gets handed bufferfuls. That's fine for "follow_write_raw()"
240 * and "follow_add_to_gtk_text()", but, as "follow_print_text()" calls
241 * the "print_line()" routine from "print.c", and as that routine might
242 * genuinely expect to be handed a line (if, for example, it's using
243 * some OS or desktop environment's printing API, and that API expects
244 * to be handed lines), "follow_print_text()" should probably accumulate
245 * lines in a buffer and hand them "print_line()". (If there's a
246 * complete line in a buffer - i.e., there's nothing of the line in
247 * the previous buffer or the next buffer - it can just hand that to
248 * "print_line()" after filtering out non-printables, as an
251 * This might or might not be the reason why C arrays display
252 * correctly but get extra blank lines very other line when printed.
255 follow_read_udp_stream(follow_info_t *follow_info,
256 gboolean (*print_line)(char *, size_t, gboolean, void *),
260 guint32 global_client_pos = 0, global_server_pos = 0;
261 guint32 server_packet_count = 0;
262 guint32 client_packet_count = 0;
266 frs_return_t frs_return;
267 follow_record_t *follow_record;
270 iplen = (follow_info->is_ipv6) ? 16 : 4;
272 for (cur = follow_info->payload; cur; cur = g_list_next(cur)) {
273 follow_record = cur->data;
275 if (!follow_record->is_server) {
276 global_pos = &global_client_pos;
277 if(follow_info->show_stream == FROM_SERVER) {
281 global_pos = &global_server_pos;
282 if (follow_info->show_stream == FROM_CLIENT) {
288 buffer = g_memdup(follow_record->data->data,
289 follow_record->data->len);
291 frs_return = follow_show(follow_info, print_line,
293 follow_record->data->len,
294 follow_record->is_server, arg,
296 &server_packet_count,
297 &client_packet_count);
299 if(frs_return == FRS_PRINT_ERROR)