2 * Routines for HTTP packet disassembly
4 * Guy Harris <guy@alum.mit.edu>
6 * Copyright 2002, Tim Potter <tpot@samba.org>
7 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
9 * $Id: packet-http.c,v 1.54 2002/08/14 00:40:14 tpot Exp $
11 * Ethereal - Network traffic analyzer
12 * By Gerald Combs <gerald@ethereal.com>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38 #include <epan/packet.h>
39 #include <epan/strutil.h>
41 #include "packet-http.h"
43 typedef enum _http_type {
50 static int proto_http = -1;
51 static int hf_http_notification = -1;
52 static int hf_http_response = -1;
53 static int hf_http_request = -1;
55 static gint ett_http = -1;
56 static gint ett_http_ntlmssp = -1;
58 static dissector_handle_t data_handle;
59 static dissector_handle_t http_handle;
61 #define TCP_PORT_HTTP 80
62 #define TCP_PORT_PROXY_HTTP 3128
63 #define TCP_PORT_PROXY_ADMIN_HTTP 3132
64 #define TCP_ALT_PORT_HTTP 8080
67 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
69 #define TCP_PORT_SSDP 1900
70 #define UDP_PORT_SSDP 1900
73 * Some headers that we dissect more deeply - Microsoft's abomination
74 * called NTLMSSP over HTTP.
76 #define NTLMSSP_AUTH "Authorization: NTLM "
77 #define NTLMSSP_WWWAUTH "WWW-Authenticate: NTLM "
80 * Protocols implemented atop HTTP.
83 PROTO_HTTP, /* just HTTP */
84 PROTO_SSDP /* Simple Service Discovery Protocol */
87 static int is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type);
89 static dissector_table_t subdissector_table;
90 static heur_dissector_list_t heur_subdissector_list;
92 static dissector_handle_t ntlmssp_handle=NULL;
94 /* Decode a base64 string in-place - simple and slow algorithm.
95 Return length of result. Taken from rproxy/librsync/base64.c by
98 static size_t base64_decode(char *s)
100 const char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
101 int bit_offset, byte_offset, idx, i, n;
102 unsigned char *d = (unsigned char *)s;
107 while (*s && (p=strchr(b64, *s))) {
108 idx = (int)(p - b64);
109 byte_offset = (i*6)/8;
110 bit_offset = (i*6)%8;
111 d[byte_offset] &= ~((1<<(8-bit_offset))-1);
112 if (bit_offset < 3) {
113 d[byte_offset] |= (idx << (2-bit_offset));
116 d[byte_offset] |= (idx >> (bit_offset-2));
117 d[byte_offset+1] = 0;
118 d[byte_offset+1] |= (idx << (8-(bit_offset-2))) & 0xFF;
127 /* Return a tvb that contains the binary representation of a base64
131 base64_to_tvb(char *base64)
134 char *data = g_strdup(base64);
137 len = base64_decode(data);
138 tvb = tvb_new_real_data(data, len, len);
140 tvb_set_free_cb(tvb, g_free);
146 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, char *line)
148 tvbuff_t *ntlmssp_tvb;
150 ntlmssp_tvb = base64_to_tvb(line);
151 tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
152 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
154 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
156 tvb_free(ntlmssp_tvb);
160 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
164 proto_tree *http_tree = NULL;
165 proto_item *ti = NULL;
169 const guchar *linep, *lineend;
172 http_type_t http_type;
175 switch (pinfo->match_port) {
177 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
188 if (check_col(pinfo->cinfo, COL_PROTOCOL))
189 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
190 if (check_col(pinfo->cinfo, COL_INFO)) {
192 * Put the first line from the buffer into the summary
193 * if it's an HTTP request or reply (but leave out the
195 * Otherwise, just call it a continuation.
197 * Note that "tvb_find_line_end()" will return a value that
198 * is not longer than what's in the buffer, so the
199 * "tvb_get_ptr()" call won't throw an exception.
201 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
203 line = tvb_get_ptr(tvb, offset, linelen);
204 http_type = HTTP_OTHERS; /* type not known yet */
205 if (is_http_request_or_reply(line, linelen, &http_type))
206 col_add_str(pinfo->cinfo, COL_INFO,
207 format_text(line, linelen));
209 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
213 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
215 http_tree = proto_item_add_subtree(ti, ett_http);
219 * Process the packet data, a line at a time.
221 http_type = HTTP_OTHERS; /* type not known yet */
222 while (tvb_offset_exists(tvb, offset)) {
224 * Find the end of the line.
226 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
230 * Get a buffer that refers to the line.
232 line = tvb_get_ptr(tvb, offset, linelen);
233 lineend = line + linelen;
236 * OK, does it look like an HTTP request or response?
238 if (is_http_request_or_reply(line, linelen, &http_type))
242 * No. Does it look like a blank line (as would appear
243 * at the end of an HTTP request)?
249 * No. Does it look like a MIME header?
252 while (linep < lineend) {
255 break; /* not printable, not a MIME header */
275 * It's a tspecial, so it's not part of a
276 * token, so it's not a field name for the
277 * beginning of a MIME header.
283 * This ends the token; we consider this
284 * to be a MIME header.
292 * We don't consider this part of an HTTP request or
293 * reply, so we don't display it.
294 * (Yeah, that means we don't display, say, a text/http
295 * page, but you can get that from the data pane.)
304 proto_tree *hdr_tree;
305 proto_item *hdr_item;
308 text = tvb_format_text(tvb, offset, next_offset - offset);
310 hdr_item = proto_tree_add_text(http_tree, tvb, offset,
311 next_offset - offset, "%s", text);
313 if (strncmp(text, NTLMSSP_AUTH, strlen(NTLMSSP_AUTH)) == 0) {
314 hdr_tree = proto_item_add_subtree(
315 hdr_item, ett_http_ntlmssp);
316 text += strlen(NTLMSSP_AUTH);
317 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text);
320 if (strncmp(text, NTLMSSP_WWWAUTH, strlen(NTLMSSP_WWWAUTH)) == 0) {
321 hdr_tree = proto_item_add_subtree(
322 hdr_item, ett_http_ntlmssp);
323 text += strlen(NTLMSSP_WWWAUTH);
324 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text);
327 offset = next_offset;
333 case HTTP_NOTIFICATION:
334 proto_tree_add_boolean_hidden(http_tree,
335 hf_http_notification, tvb, 0, 0, 1);
339 proto_tree_add_boolean_hidden(http_tree,
340 hf_http_response, tvb, 0, 0, 1);
344 proto_tree_add_boolean_hidden(http_tree,
345 hf_http_request, tvb, 0, 0, 1);
354 datalen = tvb_length_remaining(tvb, offset);
356 tvbuff_t *next_tvb = tvb_new_subset(tvb, offset, -1, -1);
359 * OK, has some subdissector asked that they be called
360 * if something was on some particular port?
362 if (dissector_try_port(subdissector_table, pinfo->match_port,
363 next_tvb, pinfo, tree)) {
365 * Yes. Fix up the top-level item so that it
366 * doesn't include the stuff for that protocol.
369 proto_item_set_len(ti, offset);
370 } else if(dissector_try_heuristic(heur_subdissector_list,
371 next_tvb,pinfo,tree)){
373 * Yes. Fix up the top-level item so that it
374 * doesn't include the stuff for that protocol.
377 proto_item_set_len(ti, offset);
379 call_dissector(data_handle,
380 tvb_new_subset(tvb, offset, -1, -1), pinfo,
387 * XXX - this won't handle HTTP 0.9 replies, but they're all data
391 is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type)
393 int isHttpRequestOrReply = FALSE;
396 * From RFC 2774 - An HTTP Extension Framework
398 * Support the command prefix that identifies the presence of
399 * a "mandatory" header.
401 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
407 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
408 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
410 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
413 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
414 *type = HTTP_RESPONSE;
415 isHttpRequestOrReply = TRUE; /* response */
417 guchar * ptr = (guchar *)data;
420 /* Look for the space following the Method */
421 while (index < linelen) {
430 /* Check the methods that have same length */
434 if (strncmp(data, "GET", index) == 0 ||
435 strncmp(data, "PUT", index) == 0) {
436 *type = HTTP_REQUEST;
437 isHttpRequestOrReply = TRUE;
442 if (strncmp(data, "COPY", index) == 0 ||
443 strncmp(data, "HEAD", index) == 0 ||
444 strncmp(data, "LOCK", index) == 0 ||
445 strncmp(data, "MOVE", index) == 0 ||
446 strncmp(data, "POLL", index) == 0 ||
447 strncmp(data, "POST", index) == 0) {
448 *type = HTTP_REQUEST;
449 isHttpRequestOrReply = TRUE;
454 if (strncmp(data, "BCOPY", index) == 0 ||
455 strncmp(data, "BMOVE", index) == 0 ||
456 strncmp(data, "MKCOL", index) == 0 ||
457 strncmp(data, "TRACE", index) == 0) {
458 *type = HTTP_REQUEST;
459 isHttpRequestOrReply = TRUE;
464 if (strncmp(data, "DELETE", index) == 0 ||
465 strncmp(data, "SEARCH", index) == 0 ||
466 strncmp(data, "UNLOCK", index) == 0) {
467 *type = HTTP_REQUEST;
468 isHttpRequestOrReply = TRUE;
470 else if (strncmp(data, "NOTIFY", index) == 0) {
471 *type = HTTP_NOTIFICATION;
472 isHttpRequestOrReply = TRUE;
477 if (strncmp(data, "BDELETE", index) == 0 ||
478 strncmp(data, "CONNECT", index) == 0 ||
479 strncmp(data, "OPTIONS", index) == 0) {
480 *type = HTTP_REQUEST;
481 isHttpRequestOrReply = TRUE;
486 if (strncmp(data, "PROPFIND", index) == 0) {
487 *type = HTTP_REQUEST;
488 isHttpRequestOrReply = TRUE;
493 if (strncmp(data, "SUBSCRIBE", index) == 0) {
494 *type = HTTP_NOTIFICATION;
495 isHttpRequestOrReply = TRUE;
496 } else if (strncmp(data, "PROPPATCH", index) == 0 ||
497 strncmp(data, "BPROPFIND", index) == 0) {
498 *type = HTTP_REQUEST;
499 isHttpRequestOrReply = TRUE;
504 if (strncmp(data, "BPROPPATCH", index) == 0) {
505 *type = HTTP_REQUEST;
506 isHttpRequestOrReply = TRUE;
511 if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
512 *type = HTTP_NOTIFICATION;
513 isHttpRequestOrReply = TRUE;
522 return isHttpRequestOrReply;
527 proto_register_http(void)
529 static hf_register_info hf[] = {
530 { &hf_http_notification,
531 { "Notification", "http.notification",
532 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
533 "TRUE if HTTP notification", HFILL }},
535 { "Response", "http.response",
536 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
537 "TRUE if HTTP response", HFILL }},
539 { "Request", "http.request",
540 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
541 "TRUE if HTTP request", HFILL }},
543 static gint *ett[] = {
548 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
550 proto_register_field_array(proto_http, hf, array_length(hf));
551 proto_register_subtree_array(ett, array_length(ett));
553 register_dissector("http", dissect_http, proto_http);
554 http_handle = find_dissector("http");
557 * Dissectors shouldn't register themselves in this table;
558 * instead, they should call "http_dissector_add()", and
559 * we'll register the port number they specify as a port
560 * for HTTP, and register them in our subdissector table.
562 * This only works for protocols such as IPP that run over
563 * HTTP on a specific non-HTTP port.
565 subdissector_table = register_dissector_table("http.port",
566 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
569 * Heuristic dissectors SHOULD register themselves in
570 * this table using the standard heur_dissector_add()
574 register_heur_dissector_list("http",&heur_subdissector_list);
579 * Called by dissectors for protocols that run atop HTTP/TCP.
582 http_dissector_add(guint32 port, dissector_handle_t handle)
585 * Register ourselves as the handler for that port number
588 dissector_add("tcp.port", port, http_handle);
591 * And register them in *our* table for that port.
593 dissector_add("http.port", port, handle);
597 proto_reg_handoff_http(void)
599 data_handle = find_dissector("data");
600 dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
601 dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
602 dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
603 dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
606 * XXX - is there anything to dissect in the body of an SSDP
607 * request or reply? I.e., should there be an SSDP dissector?
609 dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
610 dissector_add("udp.port", UDP_PORT_SSDP, http_handle);
612 ntlmssp_handle = find_dissector("ntlmssp");