packet-ftp.c

   1 /* packet-ftp.c
   2  * Routines for ftp packet dissection
   3  * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
   4  * Copyright 2001, Juan Toledo <toledo@users.sourceforge.net> (Passive FTP)
   5  *
   6  * $Id: packet-ftp.c,v 1.35 2001/09/03 20:52:25 guy Exp $
   7  *
   8  * Ethereal - Network traffic analyzer
   9  * By Gerald Combs <gerald@ethereal.com>
  10  * Copyright 1998 Gerald Combs
  11  *
  12  * Copied from packet-pop.c
  13  *
  14  * This program is free software; you can redistribute it and/or
  15  * modify it under the terms of the GNU General Public License
  16  * as published by the Free Software Foundation; either version 2
  17  * of the License, or (at your option) any later version.
  18  *
  19  * This program is distributed in the hope that it will be useful,
  20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  * GNU General Public License for more details.
  23  *
  24  * You should have received a copy of the GNU General Public License
  25  * along with this program; if not, write to the Free Software
  26  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
  27  */
  28
  29 #ifdef HAVE_CONFIG_H
  30 # include "config.h"
  31 #endif
  32
  33 #include <stdio.h>
  34 #include <stdlib.h>
  35 #include <ctype.h>
  36
  37 #ifdef HAVE_SYS_TYPES_H
  38 # include <sys/types.h>
  39 #endif
  40
  41 #ifdef HAVE_NETINET_IN_H
  42 # include <netinet/in.h>
  43 #endif
  44
  45 #include <string.h>
  46 #include <glib.h>
  47 #include "packet.h"
  48 #include "strutil.h"
  49 #include "conversation.h"
  50
  51 static int proto_ftp = -1;
  52 static int proto_ftp_data = -1;
  53 static int hf_ftp_response = -1;
  54 static int hf_ftp_request = -1;
  55 static int hf_ftp_request_command = -1;
  56 static int hf_ftp_request_data = -1;
  57 static int hf_ftp_response_code = -1;
  58 static int hf_ftp_response_data = -1;
  59
  60 static gint ett_ftp = -1;
  61 static gint ett_ftp_data = -1;
  62
  63 #define TCP_PORT_FTPDATA                20
  64 #define TCP_PORT_FTP                    21
  65
  66 static void
  67 dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree);
  68
  69 /*
  70  * Handle a response to a PASV command.
  71  *
  72  * We ignore the IP address in the reply, and use the address from which
  73  * the request came.
  74  *
  75  * XXX - are there cases where they differ?  What if the FTP server is
  76  * behind a NAT box, so that the address it puts into the reply isn't
  77  * the address at which you should contact it?  Do all NAT boxes detect
  78  * FTP PASV replies and rewrite the address?  (I suspect not.)
  79  *
  80  * RFC 959 doesn't say much about the syntax of the 227 reply.
  81  *
  82  * A proposal from Dan Bernstein at
  83  *
  84  *      http://cr.yp.to/ftp/retr.html
  85  *
  86  * "recommend[s] that clients use the following strategy to parse the
  87  * response line: look for the first digit after the initial space; look
  88  * for the fourth comma after that digit; read two (possibly negative)
  89  * integers, separated by a comma; the TCP port number is p1*256+p2, where
  90  * p1 is the first integer modulo 256 and p2 is the second integer modulo
  91  * 256."
  92  *
  93  * wget 1.5.3 looks for a digit, although it doesn't handle negative
  94  * integers.
  95  *
  96  * The FTP code in the source of the cURL library, at
  97  *
  98  *      http://curl.haxx.se/lxr/source/lib/ftp.c
  99  *
 100  * says that cURL "now scans for a sequence of six comma-separated numbers
 101  * and will take them as IP+port indicators"; it loops, doing "sscanf"s
 102  * looking for six numbers separated by commas, stepping the start pointer
 103  * in the scanf one character at a time - i.e., it tries rather exhaustively.
 104  *
 105  * An optimization would be to scan for a digit, and start there, and if
 106  * the scanf doesn't find six values, scan for the next digit and try
 107  * again; this will probably succeed on the first try.
 108  *
 109  * The cURL code also says that "found reply-strings include":
 110  *
 111  *      "227 Entering Passive Mode (127,0,0,1,4,51)"
 112  *      "227 Data transfer will passively listen to 127,0,0,1,4,51"
 113  *      "227 Entering passive mode. 127,0,0,1,4,51"
 114  *
 115  * so it appears that you can't assume there are parentheses around
 116  * the address and port number.
 117  */
 118 static void
 119 handle_pasv_response(const u_char *line, int linelen, packet_info *pinfo)
 120 {
 121         char *args;
 122         char *p, *endp;
 123         u_char c;
 124         int i;
 125         int address[4], port[2];
 126         guint16 server_port;
 127         conversation_t  *conversation;
 128
 129         /*
 130          * Copy the rest of the line into a null-terminated buffer.
 131          */
 132         args = g_malloc(linelen + 1);
 133         memcpy(args, line, linelen);
 134         args[linelen] = '\0';
 135         p = args;
 136
 137         for (;;) {
 138                 /*
 139                  * Look for a digit.
 140                  */
 141                 while ((c = *p) != '\0' && !isdigit(c))
 142                         p++;
 143
 144                 if (*p == '\0') {
 145                         /*
 146                          * We ran out of text without finding anything.
 147                          */
 148                         break;
 149                 }
 150
 151                 /*
 152                  * See if we have six numbers.
 153                  */
 154                 i = sscanf(p, "%d,%d,%d,%d,%d,%d",
 155                     &address[0], &address[1], &address[2], &address[3],
 156                     &port[0], &port[1]);
 157                 if (i == 6) {
 158                         /*
 159                          * We have a winner!
 160                          * Set up a conversation, to be dissected as FTP data.
 161                          */
 162                         server_port = ((port[0] & 0xFF)<<8) | (port[1] & 0xFF);
 163
 164                         /*
 165                          * XXX - should this call to "find_conversation()"
 166                          * just use "pinfo->src" and "server_port", and
 167                          * wildcard everything else?
 168                          */
 169                         conversation = find_conversation(&pinfo->src,
 170                             &pinfo->dst, PT_TCP, server_port, 0, NO_PORT_B);
 171                         if (conversation == NULL) {
 172                                 /*
 173                                  * XXX - should this call to
 174                                  * "conversation_new()" just use "pinfo->src"
 175                                  * and "server_port", and wildcard everything
 176                                  * else?
 177                                  *
 178                                  * XXX - what if we did find a conversation?
 179                                  * As we create it only on the first pass
 180                                  * through the packets, if we find one, it's
 181                                  * presumably an unrelated conversation.
 182                                  * Should we remove the old one from the hash
 183                                  * table and put this one in its place?
 184                                  * Can the conversaton code handle
 185                                  * conversations not in the hash table?
 186                                  */
 187                                 conversation = conversation_new(&pinfo->src,
 188                                     &pinfo->dst, PT_TCP, server_port, 0,
 189                                     NO_PORT2);
 190                                 conversation_set_dissector(conversation,
 191                                     dissect_ftpdata);
 192                         }
 193                         break;
 194                 }
 195
 196                 /*
 197                  * Well, that didn't work.  Skip the first number we found,
 198                  * and keep trying.
 199                  */
 200                 while ((c = *p) != '\0' && isdigit(c))
 201                         p++;
 202         }
 203
 204         g_free(args);
 205 }
 206
 207 static void
 208 dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 209 {
 210         gboolean        is_request;
 211         proto_tree      *ftp_tree = NULL;
 212         proto_item      *ti;
 213         gint            offset = 0;
 214         const u_char    *line;
 215         gboolean        is_pasv_response = FALSE;
 216         gint            next_offset;
 217         int             linelen;
 218         int             tokenlen;
 219         const u_char    *next_token;
 220
 221         if (pinfo->match_port == pinfo->destport)
 222                 is_request = TRUE;
 223         else
 224                 is_request = FALSE;
 225
 226         if (check_col(pinfo->fd, COL_PROTOCOL))
 227                 col_set_str(pinfo->fd, COL_PROTOCOL, "FTP");
 228
 229         /*
 230          * Find the end of the first line.
 231          *
 232          * Note that "tvb_find_line_end()" will return a value that is
 233          * not longer than what's in the buffer, so the "tvb_get_ptr()"
 234          * call won't throw an exception.
 235          */
 236         linelen = tvb_find_line_end(tvb, offset, -1, &next_offset);
 237         line = tvb_get_ptr(tvb, offset, linelen);
 238
 239         if (check_col(pinfo->fd, COL_INFO)) {
 240                 /*
 241                  * Put the first line from the buffer into the summary
 242                  * (but leave out the line terminator).
 243                  */
 244                 col_add_fstr(pinfo->fd, COL_INFO, "%s: %s",
 245                     is_request ? "Request" : "Response",
 246                     format_text(line, linelen));
 247         }
 248
 249         if (tree) {
 250                 ti = proto_tree_add_item(tree, proto_ftp, tvb, offset,
 251                     tvb_length_remaining(tvb, offset), FALSE);
 252                 ftp_tree = proto_item_add_subtree(ti, ett_ftp);
 253
 254                 if (is_request) {
 255                         proto_tree_add_boolean_hidden(ftp_tree,
 256                             hf_ftp_request, tvb, 0, 0, TRUE);
 257                         proto_tree_add_boolean_hidden(ftp_tree,
 258                             hf_ftp_response, tvb, 0, 0, FALSE);
 259                 } else {
 260                         proto_tree_add_boolean_hidden(ftp_tree,
 261                             hf_ftp_request, tvb, 0, 0, FALSE);
 262                         proto_tree_add_boolean_hidden(ftp_tree,
 263                             hf_ftp_response, tvb, 0, 0, TRUE);
 264                 }
 265         }
 266
 267         /*
 268          * Extract the first token, and, if there is a first
 269          * token, add it as the request or reply code.
 270          */
 271         tokenlen = get_token_len(line, line + linelen, &next_token);
 272         if (tokenlen != 0) {
 273                 if (is_request) {
 274                         if (tree) {
 275                                 proto_tree_add_string_format(ftp_tree,
 276                                     hf_ftp_request_command, tvb, offset,
 277                                     tokenlen, line, "Request: %s",
 278                                     format_text(line, tokenlen));
 279                         }
 280                 } else {
 281                         /*
 282                          * This is a response; see if it's a passive-mode
 283                          * response.
 284                          *
 285                          * XXX - check for "229" responses to EPSV
 286                          * commands, to handle IPv6, as per RFC 2428?
 287                          *
 288                          * XXX - does anybody do FOOBAR, as per RFC 1639,
 289                          * or has that been supplanted by RFC 2428?
 290                          */
 291                         if (tokenlen == 3 &&
 292                             strncmp("227", line, tokenlen) == 0)
 293                                 is_pasv_response = TRUE;
 294                         if (tree) {
 295                                 proto_tree_add_uint_format(ftp_tree,
 296                                     hf_ftp_response_code, tvb, offset,
 297                                     tokenlen, atoi(line), "Response: %s",
 298                                     format_text(line, tokenlen));
 299                         }
 300                 }
 301                 offset += next_token - line;
 302                 linelen -= next_token - line;
 303                 line = next_token;
 304
 305                 /*
 306                  * If this is a PASV response, handle it if we haven't
 307                  * already processed this frame.
 308                  */
 309                 if (!pinfo->fd->flags.visited && is_pasv_response) {
 310                         /*
 311                          * We haven't processed this frame, and it contains
 312                          * a PASV response; set up a conversation for the
 313                          * data.
 314                          */
 315                         handle_pasv_response(line, linelen, pinfo);
 316                 }
 317         }
 318
 319         if (tree) {
 320                 /*
 321                  * Add the rest of the first line as request or
 322                  * reply data.
 323                  */
 324                 if (linelen != 0) {
 325                         if (is_request) {
 326                                 proto_tree_add_string_format(ftp_tree,
 327                                     hf_ftp_request_data, tvb, offset,
 328                                     linelen, line, "Request Arg: %s",
 329                                     format_text(line, linelen));
 330                         } else {
 331                                 proto_tree_add_string_format(ftp_tree,
 332                                     hf_ftp_response_data, tvb, offset,
 333                                     linelen, line, "Response Arg: %s",
 334                                     format_text(line, linelen));
 335                         }
 336                 }
 337                 offset = next_offset;
 338
 339                 /*
 340                  * Show the rest of the request or response as text,
 341                  * a line at a time.
 342                  */
 343                 while (tvb_offset_exists(tvb, offset)) {
 344                         /*
 345                          * Find the end of the line.
 346                          */
 347                         linelen = tvb_find_line_end(tvb, offset, -1,
 348                             &next_offset);
 349
 350                         /*
 351                          * Put this line.
 352                          */
 353                         proto_tree_add_text(ftp_tree, tvb, offset,
 354                             next_offset - offset, "%s",
 355                             tvb_format_text(tvb, offset, next_offset - offset));
 356                         offset = next_offset;
 357                 }
 358         }
 359 }
 360
 361 static void
 362 dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 363 {
 364         proto_tree      *ti, *ftp_data_tree;
 365         int             data_length;
 366
 367         if (check_col(pinfo->fd, COL_PROTOCOL))
 368                 col_set_str(pinfo->fd, COL_PROTOCOL, "FTP-DATA");
 369
 370         if (check_col(pinfo->fd, COL_INFO)) {
 371                 col_add_fstr(pinfo->fd, COL_INFO, "FTP Data: %u bytes",
 372                     tvb_length(tvb));
 373         }
 374
 375         if (tree) {
 376                 data_length = tvb_length(tvb);
 377
 378                 ti = proto_tree_add_item(tree, proto_ftp_data, tvb, 0,
 379                     data_length, FALSE);
 380                 ftp_data_tree = proto_item_add_subtree(ti, ett_ftp_data);
 381
 382                 /*
 383                  * XXX - if this is binary data, it'll produce
 384                  * a *really* long line.
 385                  */
 386                 proto_tree_add_text(ftp_data_tree, tvb, 0, data_length,
 387                     "FTP Data: %s", tvb_format_text(tvb, 0, data_length));
 388         }
 389 }
 390
 391 void
 392 proto_register_ftp(void)
 393 {
 394     static hf_register_info hf[] = {
 395     { &hf_ftp_response,
 396       { "Response",           "ftp.response",
 397         FT_BOOLEAN, BASE_NONE, NULL, 0x0,
 398         "TRUE if FTP response", HFILL }},
 399
 400     { &hf_ftp_request,
 401       { "Request",            "ftp.request",
 402         FT_BOOLEAN, BASE_NONE, NULL, 0x0,
 403         "TRUE if FTP request", HFILL }},
 404
 405     { &hf_ftp_request_command,
 406       { "Request command",    "ftp.request.command",
 407         FT_STRING,  BASE_NONE, NULL, 0x0,
 408         "", HFILL }},
 409
 410     { &hf_ftp_request_data,
 411       { "Request data",       "ftp.request.data",
 412         FT_STRING,  BASE_NONE, NULL, 0x0,
 413         "", HFILL }},
 414
 415     { &hf_ftp_response_code,
 416       { "Response code",      "ftp.response.code",
 417         FT_UINT8,   BASE_DEC, NULL, 0x0,
 418         "", HFILL }},
 419
 420     { &hf_ftp_response_data,
 421       { "Response data",      "ftp.reponse.data",
 422         FT_STRING,  BASE_NONE, NULL, 0x0,
 423         "", HFILL }}
 424   };
 425   static gint *ett[] = {
 426     &ett_ftp,
 427     &ett_ftp_data,
 428   };
 429
 430   proto_ftp = proto_register_protocol("File Transfer Protocol (FTP)", "FTP",
 431                                       "ftp");
 432   proto_ftp_data = proto_register_protocol("FTP Data", "FTP-DATA", "ftp-data");
 433   proto_register_field_array(proto_ftp, hf, array_length(hf));
 434   proto_register_subtree_array(ett, array_length(ett));
 435 }
 436
 437 void
 438 proto_reg_handoff_ftp(void)
 439 {
 440   dissector_add("tcp.port", TCP_PORT_FTPDATA, &dissect_ftpdata, proto_ftp_data);
 441   dissector_add("tcp.port", TCP_PORT_FTP, &dissect_ftp, proto_ftp);
 442 }