2 * Routines for HTTP packet disassembly
4 * Guy Harris <guy@alum.mit.edu>
6 * $Id: packet-http.c,v 1.30 2000/11/21 22:40:40 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@zing.org>
10 * Copyright 1998 Gerald Combs
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #ifdef HAVE_SYS_TYPES_H
35 #include <sys/types.h>
45 typedef enum _http_type {
51 static int proto_http = -1;
52 static int hf_http_response = -1;
53 static int hf_http_request = -1;
55 static gint ett_http = -1;
57 #define TCP_PORT_HTTP 80
58 #define TCP_PORT_PROXY_HTTP 3128
59 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
60 #define TCP_ALT_PORT_HTTP 8080
62 static int is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type);
64 static dissector_handle_t ipp_handle;
67 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
69 gboolean is_ipp = (pinfo->srcport == 631 || pinfo->destport == 631);
70 proto_tree *http_tree = NULL;
71 proto_item *ti = NULL;
75 const u_char *linep, *lineend;
78 http_type_t http_type;
81 CHECK_DISPLAY_AS_DATA(proto_http, tvb, pinfo, tree);
83 pinfo->current_proto = "HTTP";
85 if (check_col(pinfo->fd, COL_PROTOCOL))
86 col_set_str(pinfo->fd, COL_PROTOCOL, is_ipp ? "IPP" : "HTTP");
87 if (check_col(pinfo->fd, COL_INFO)) {
89 * Put the first line from the buffer into the summary
90 * if it's an HTTP request or reply (but leave out the
92 * Otherwise, just call it a continuation.
94 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset);
95 line = tvb_get_ptr(tvb, offset, linelen);
96 http_type = HTTP_OTHERS; /* type not known yet */
97 if (is_http_request_or_reply(line, linelen, &http_type))
98 col_add_str(pinfo->fd, COL_INFO,
99 format_text(line, linelen));
101 col_set_str(pinfo->fd, COL_INFO, "Continuation");
105 ti = proto_tree_add_item(tree, proto_http, tvb, offset,
106 tvb_length_remaining(tvb, offset), FALSE);
107 http_tree = proto_item_add_subtree(ti, ett_http);
110 * Process the packet data, a line at a time.
112 http_type = HTTP_OTHERS; /* type not known yet */
113 while (tvb_offset_exists(tvb, offset)) {
115 * Find the end of the line.
117 linelen = tvb_find_line_end(tvb, offset, -1,
121 * Get a buffer that refers to the line.
123 line = tvb_get_ptr(tvb, offset, linelen);
124 lineend = line + linelen;
127 * OK, does it look like an HTTP request or
130 if (is_http_request_or_reply(line, linelen, &http_type))
134 * No. Does it look like a blank line (as would
135 * appear at the end of an HTTP request)?
141 * No. Does it look like a MIME header?
144 while (linep < lineend) {
147 break; /* not printable, not a MIME header */
167 * It's a tspecial, so it's not
168 * part of a token, so it's not
169 * a field name for the beginning
176 * This ends the token; we consider
177 * this to be a MIME header.
185 * We don't consider this part of an HTTP request or
186 * reply, so we don't display it.
187 * (Yeah, that means we don't display, say, a
188 * text/http page, but you can get that from the
197 proto_tree_add_text(http_tree, tvb, offset,
198 next_offset - offset, "%s",
199 tvb_format_text(tvb, offset, next_offset - offset));
200 offset = next_offset;
206 proto_tree_add_boolean_hidden(http_tree,
207 hf_http_response, tvb, 0, 0, 1);
211 proto_tree_add_boolean_hidden(http_tree,
212 hf_http_request, tvb, 0, 0, 1);
221 datalen = tvb_length_remaining(tvb, offset);
224 tvbuff_t *new_tvb = tvb_new_subset(tvb, offset, -1, -1);
227 * Fix up the top-level item so that it doesn't
228 * include the IPP stuff.
231 proto_item_set_len(ti, offset);
233 call_dissector(ipp_handle, new_tvb, pinfo, tree);
235 dissect_data(tvb, offset, pinfo, http_tree);
240 * XXX - this won't handle HTTP 0.9 replies, but they're all data
244 is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type)
247 if (strncmp(data, "GET ", 4) == 0 ||
248 strncmp(data, "PUT ", 4) == 0) {
249 if (*type == HTTP_OTHERS)
250 *type = HTTP_REQUEST;
255 if (strncmp(data, "HEAD ", 5) == 0 ||
256 strncmp(data, "POST ", 5) == 0) {
257 if (*type == HTTP_OTHERS)
258 *type = HTTP_REQUEST;
261 if (strncmp(data, "HTTP/", 5) == 0) {
262 if (*type == HTTP_OTHERS)
263 *type = HTTP_RESPONSE;
264 return TRUE; /* response */
268 if (strncmp(data, "TRACE ", 6) == 0) {
269 if (*type == HTTP_OTHERS)
270 *type = HTTP_REQUEST;
275 if (strncmp(data, "DELETE ", 7) == 0) {
276 if (*type == HTTP_OTHERS)
277 *type = HTTP_REQUEST;
282 if (strncmp(data, "OPTIONS ", 8) == 0 ||
283 strncmp(data, "CONNECT ", 8) == 0) {
284 if (*type == HTTP_OTHERS)
285 *type = HTTP_REQUEST;
293 proto_register_http(void)
295 static hf_register_info hf[] = {
297 { "Response", "http.response",
298 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
299 "TRUE if HTTP response" }},
301 { "Request", "http.request",
302 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
303 "TRUE if HTTP request" }},
305 static gint *ett[] = {
309 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
311 proto_register_field_array(proto_http, hf, array_length(hf));
312 proto_register_subtree_array(ett, array_length(ett));
316 proto_reg_handoff_http(void)
318 dissector_add("tcp.port", TCP_PORT_HTTP, dissect_http);
319 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, dissect_http);
320 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, dissect_http);
321 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, dissect_http);
324 * Get a handle for the IPP dissector.
326 ipp_handle = find_dissector("ipp");