2 * Routines for HTTP packet disassembly
4 * Guy Harris <guy@alum.mit.edu>
6 * $Id: packet-http.c,v 1.24 2000/10/19 07:38:01 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@zing.org>
10 * Copyright 1998 Gerald Combs
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #ifdef HAVE_SYS_TYPES_H
35 #include <sys/types.h>
43 #include "packet-ipp.h"
46 typedef enum _http_type {
52 static int proto_http = -1;
53 static int hf_http_response = -1;
54 static int hf_http_request = -1;
56 static gint ett_http = -1;
58 #define TCP_PORT_HTTP 80
59 #define TCP_PORT_PROXY_HTTP 3128
60 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
61 #define TCP_ALT_PORT_HTTP 8080
63 static int is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type);
65 void dissect_http(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
67 gboolean is_ipp = (pi.srcport == 631 || pi.destport == 631);
69 proto_tree *http_tree;
70 const u_char *data, *dataend;
71 const u_char *linep, *lineend, *eol;
74 http_type_t http_type = HTTP_OTHERS;
76 OLD_CHECK_DISPLAY_AS_DATA(proto_http, pd, offset, fd, tree);
79 dataend = data + END_OF_FRAME;
81 if (check_col(fd, COL_PROTOCOL))
82 col_add_str(fd, COL_PROTOCOL, is_ipp ? "IPP" : "HTTP");
83 if (check_col(fd, COL_INFO)) {
85 * Put the first line from the buffer into the summary,
86 * if it's an HTTP request or reply (but leave out the
87 * "\r\n", or whatever, at the end).
88 * Otherwise, just call it a continuation.
90 lineend = find_line_end(data, dataend, &eol);
92 if (is_http_request_or_reply(data, linelen, &http_type))
93 col_add_str(fd, COL_INFO, format_text(data, linelen));
95 col_add_str(fd, COL_INFO, "Continuation");
99 ti = proto_tree_add_item(tree, proto_http, NullTVB, offset, END_OF_FRAME, FALSE);
100 http_tree = proto_item_add_subtree(ti, ett_http);
102 while (data < dataend) {
104 * Find the end of the line.
106 lineend = find_line_end(data, dataend, &eol);
107 linelen = lineend - data;
110 * OK, does it look like an HTTP request or
113 if (is_http_request_or_reply(data, linelen, &http_type))
117 * No. Does it look like a blank line (as would
118 * appear at the end of an HTTP request)?
125 if (strncmp(data, "\r\n", 2) == 0 ||
126 strncmp(data, "\n\r", 2) == 0)
131 * No. Does it look like a MIME header?
134 while (linep < lineend) {
137 break; /* not printable, not a MIME header */
157 * It's a tspecial, so it's not
158 * part of a token, so it's not
159 * a field name for the beginning
166 * This ends the token; we consider
167 * this to be a MIME header.
175 * We don't consider this part of an HTTP request or
176 * reply, so we don't display it.
177 * (Yeah, that means we don't display, say, a
178 * text/http page, but you can get that from the
187 proto_tree_add_text(http_tree, NullTVB, offset, linelen, "%s",
188 format_text(data, linelen));
196 proto_tree_add_boolean_hidden(http_tree,
197 hf_http_response, NullTVB, 0, 0, 1);
201 proto_tree_add_boolean_hidden(http_tree,
202 hf_http_request, NullTVB, 0, 0, 1);
210 if (data < dataend) {
212 dissect_ipp(pd, offset, fd, tree);
214 old_dissect_data(&pd[offset], offset, fd, http_tree);
220 * XXX - this won't handle HTTP 0.9 replies, but they're all data
224 is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type)
227 if (strncmp(data, "GET ", 4) == 0 ||
228 strncmp(data, "PUT ", 4) == 0) {
229 if (*type == HTTP_OTHERS)
230 *type = HTTP_REQUEST;
235 if (strncmp(data, "HEAD ", 5) == 0 ||
236 strncmp(data, "POST ", 5) == 0) {
237 if (*type == HTTP_OTHERS)
238 *type = HTTP_REQUEST;
241 if (strncmp(data, "HTTP/", 5) == 0) {
242 if (*type == HTTP_OTHERS)
243 *type = HTTP_RESPONSE;
244 return TRUE; /* response */
248 if (strncmp(data, "TRACE ", 6) == 0) {
249 if (*type == HTTP_OTHERS)
250 *type = HTTP_REQUEST;
255 if (strncmp(data, "DELETE ", 7) == 0) {
256 if (*type == HTTP_OTHERS)
257 *type = HTTP_REQUEST;
262 if (strncmp(data, "OPTIONS ", 8) == 0 ||
263 strncmp(data, "CONNECT ", 8) == 0) {
264 if (*type == HTTP_OTHERS)
265 *type = HTTP_REQUEST;
273 proto_register_http(void)
276 static hf_register_info hf[] = {
278 { "Response", "http.response",
279 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
280 "TRUE if HTTP response" }},
282 { "Request", "http.request",
283 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
284 "TRUE if HTTP request" }},
286 static gint *ett[] = {
290 proto_http = proto_register_protocol("Hypertext Transfer Protocol", "http");
291 proto_register_field_array(proto_http, hf, array_length(hf));
292 proto_register_subtree_array(ett, array_length(ett));
296 proto_reg_handoff_http(void)
298 old_dissector_add("tcp.port", TCP_PORT_HTTP, dissect_http);
299 old_dissector_add("tcp.port", TCP_ALT_PORT_HTTP, dissect_http);
300 old_dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, dissect_http);
301 old_dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, dissect_http);