2 * Routines for IPsec/IPComp packet disassembly
4 * $Id: packet-ipsec.c,v 1.38 2002/01/24 09:20:48 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
35 #ifdef HAVE_NETINET_IN_H
36 # include <netinet/in.h>
41 #include <epan/packet.h>
42 #include "packet-ipsec.h"
43 #include "packet-ip.h"
44 #include <epan/resolv.h>
48 /* Place AH payload in sub tree */
49 gboolean g_ah_payload_in_subtree = FALSE;
51 static int proto_ah = -1;
52 static int hf_ah_spi = -1;
53 static int hf_ah_sequence = -1;
54 static int proto_esp = -1;
55 static int hf_esp_spi = -1;
56 static int hf_esp_sequence = -1;
57 static int proto_ipcomp = -1;
58 static int hf_ipcomp_flags = -1;
59 static int hf_ipcomp_cpi = -1;
61 static gint ett_ah = -1;
62 static gint ett_esp = -1;
63 static gint ett_ipcomp = -1;
65 static dissector_handle_t data_handle;
68 guint8 ah_nxt; /* Next Header */
69 guint8 ah_len; /* Length of data + 1, in 32bit */
70 guint16 ah_reserve; /* Reserved for future use */
71 guint32 ah_spi; /* Security parameter index */
72 guint32 ah_seq; /* Sequence number field */
73 /* variable size, 32bit bound*/ /* Authentication data */
77 guint32 esp_spi; /* ESP */
78 guint32 esp_seq; /* Sequence number */
79 /*variable size*/ /* (IV and) Payload data */
80 /*variable size*/ /* padding */
81 /*8bit*/ /* pad size */
82 /*8bit*/ /* next header */
83 /*8bit*/ /* next header */
84 /*variable size, 32bit bound*/ /* Authentication data */
88 guint8 comp_nxt; /* Next Header */
89 guint8 comp_flags; /* Must be zero */
90 guint16 comp_cpi; /* Compression parameter index */
93 /* well-known algorithm number (in CPI), from RFC2409 */
94 #define IPCOMP_OUI 1 /* vendor specific */
95 #define IPCOMP_DEFLATE 2 /* RFC2394 */
96 #define IPCOMP_LZS 3 /* RFC2395 */
99 static const value_string cpi2val[] = {
100 { IPCOMP_OUI, "OUI" },
101 { IPCOMP_DEFLATE, "DEFLATE" },
102 { IPCOMP_LZS, "LZS" },
107 #define offsetof(type, member) ((size_t)(&((type *)0)->member))
111 dissect_ah(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
113 proto_tree *next_tree;
118 advance = dissect_ah_header(tvb, pinfo, tree, &nxt, &next_tree);
119 next_tvb = tvb_new_subset(tvb, advance, -1, -1);
121 if (g_ah_payload_in_subtree) {
122 col_set_writable(pinfo->cinfo, FALSE);
125 /* do lookup with the subdissector table */
126 if (!dissector_try_port(ip_dissector_table, nxt, next_tvb, pinfo, next_tree)) {
127 call_dissector(data_handle,next_tvb, pinfo, next_tree);
132 dissect_ah_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
133 guint8 *nxt_p, proto_tree **next_tree_p)
140 if (check_col(pinfo->cinfo, COL_PROTOCOL))
141 col_set_str(pinfo->cinfo, COL_PROTOCOL, "AH");
142 if (check_col(pinfo->cinfo, COL_INFO))
143 col_clear(pinfo->cinfo, COL_INFO);
145 tvb_memcpy(tvb, (guint8 *)&ah, 0, sizeof(ah));
146 advance = sizeof(ah) + ((ah.ah_len - 1) << 2);
148 if (check_col(pinfo->cinfo, COL_INFO)) {
149 col_add_fstr(pinfo->cinfo, COL_INFO, "AH (SPI=0x%08x)",
150 (guint32)ntohl(ah.ah_spi));
154 /* !!! specify length */
155 ti = proto_tree_add_item(tree, proto_ah, tvb, 0, advance, FALSE);
156 ah_tree = proto_item_add_subtree(ti, ett_ah);
158 proto_tree_add_text(ah_tree, tvb,
159 offsetof(struct newah, ah_nxt), 1,
160 "Next Header: %s (0x%02x)",
161 ipprotostr(ah.ah_nxt), ah.ah_nxt);
162 proto_tree_add_text(ah_tree, tvb,
163 offsetof(struct newah, ah_len), 1,
164 "Length: %u", (ah.ah_len + 2) << 2);
165 proto_tree_add_uint(ah_tree, hf_ah_spi, tvb,
166 offsetof(struct newah, ah_spi), 4,
167 (guint32)ntohl(ah.ah_spi));
168 proto_tree_add_uint(ah_tree, hf_ah_sequence, tvb,
169 offsetof(struct newah, ah_seq), 4,
170 (guint32)ntohl(ah.ah_seq));
171 proto_tree_add_text(ah_tree, tvb,
172 sizeof(ah), (ah.ah_len - 1) << 2,
175 if (next_tree_p != NULL) {
176 /* Decide where to place next protocol decode */
177 if (g_ah_payload_in_subtree) {
178 *next_tree_p = ah_tree;
185 if (next_tree_p != NULL)
192 /* start of the new header (could be a extension header) */
197 dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
199 proto_tree *esp_tree;
204 * load the top pane info. This should be overwritten by
205 * the next protocol in the stack
207 if (check_col(pinfo->cinfo, COL_PROTOCOL))
208 col_set_str(pinfo->cinfo, COL_PROTOCOL, "ESP");
209 if (check_col(pinfo->cinfo, COL_INFO))
210 col_clear(pinfo->cinfo, COL_INFO);
212 tvb_memcpy(tvb, (guint8 *)&esp, 0, sizeof(esp));
214 if (check_col(pinfo->cinfo, COL_INFO)) {
215 col_add_fstr(pinfo->cinfo, COL_INFO, "ESP (SPI=0x%08x)",
216 (guint32)ntohl(esp.esp_spi));
220 * populate a tree in the second pane with the status of the link layer
224 ti = proto_tree_add_item(tree, proto_esp, tvb, 0, -1, FALSE);
225 esp_tree = proto_item_add_subtree(ti, ett_esp);
226 proto_tree_add_uint(esp_tree, hf_esp_spi, tvb,
227 offsetof(struct newesp, esp_spi), 4,
228 (guint32)ntohl(esp.esp_spi));
229 proto_tree_add_uint(esp_tree, hf_esp_sequence, tvb,
230 offsetof(struct newesp, esp_seq), 4,
231 (guint32)ntohl(esp.esp_seq));
232 call_dissector(data_handle,tvb_new_subset(tvb, sizeof(struct newesp),-1,tvb_reported_length_remaining(tvb,sizeof(struct newesp))), pinfo, esp_tree);
237 dissect_ipcomp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
239 proto_tree *ipcomp_tree;
241 struct ipcomp ipcomp;
245 * load the top pane info. This should be overwritten by
246 * the next protocol in the stack
248 if (check_col(pinfo->cinfo, COL_PROTOCOL))
249 col_set_str(pinfo->cinfo, COL_PROTOCOL, "IPComp");
250 if (check_col(pinfo->cinfo, COL_INFO))
251 col_clear(pinfo->cinfo, COL_INFO);
253 tvb_memcpy(tvb, (guint8 *)&ipcomp, 0, sizeof(ipcomp));
255 if (check_col(pinfo->cinfo, COL_INFO)) {
256 p = match_strval(ntohs(ipcomp.comp_cpi), cpi2val);
258 col_add_fstr(pinfo->cinfo, COL_INFO, "IPComp (CPI=0x%04x)",
259 ntohs(ipcomp.comp_cpi));
261 col_add_fstr(pinfo->cinfo, COL_INFO, "IPComp (CPI=%s)", p);
265 * populate a tree in the second pane with the status of the link layer
269 ti = proto_tree_add_item(tree, proto_ipcomp, tvb, 0, -1, FALSE);
270 ipcomp_tree = proto_item_add_subtree(ti, ett_ipcomp);
272 proto_tree_add_text(ipcomp_tree, tvb,
273 offsetof(struct ipcomp, comp_nxt), 1,
274 "Next Header: %s (0x%02x)",
275 ipprotostr(ipcomp.comp_nxt), ipcomp.comp_nxt);
276 proto_tree_add_uint(ipcomp_tree, hf_ipcomp_flags, tvb,
277 offsetof(struct ipcomp, comp_flags), 1,
279 proto_tree_add_uint(ipcomp_tree, hf_ipcomp_cpi, tvb,
280 offsetof(struct ipcomp, comp_cpi), 2,
281 ntohs(ipcomp.comp_cpi));
282 call_dissector(data_handle,tvb_new_subset(tvb, sizeof(struct ipcomp), -1,tvb_reported_length_remaining(tvb,sizeof(struct ipcomp))),pinfo, ipcomp_tree);
287 proto_register_ipsec(void)
290 static hf_register_info hf_ah[] = {
292 { "SPI", "ah.spi", FT_UINT32, BASE_HEX, NULL, 0x0,
295 { "Sequence", "ah.sequence", FT_UINT32, BASE_HEX, NULL, 0x0,
299 static hf_register_info hf_esp[] = {
301 { "SPI", "esp.spi", FT_UINT32, BASE_HEX, NULL, 0x0,
304 { "Sequence", "esp.sequence", FT_UINT32, BASE_HEX, NULL, 0x0,
308 static hf_register_info hf_ipcomp[] = {
310 { "Flags", "ipcomp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
313 { "CPI", "ipcomp.cpi", FT_UINT16, BASE_HEX,
314 VALS(cpi2val), 0x0, "", HFILL }},
316 static gint *ett[] = {
324 proto_ah = proto_register_protocol("Authentication Header", "AH", "ah");
325 proto_register_field_array(proto_ah, hf_ah, array_length(hf_ah));
327 proto_esp = proto_register_protocol("Encapsulating Security Payload",
329 proto_register_field_array(proto_esp, hf_esp, array_length(hf_esp));
331 proto_ipcomp = proto_register_protocol("IP Payload Compression",
333 proto_register_field_array(proto_ipcomp, hf_ipcomp, array_length(hf_ipcomp));
335 proto_register_subtree_array(ett, array_length(ett));
337 /* Register a configuration option for placement of AH payload dissection */
338 ah_module = prefs_register_protocol(proto_ah, NULL);
339 prefs_register_bool_preference(ah_module, "place_ah_payload_in_subtree",
340 "Place AH payload in subtree",
341 "Whether the AH payload decode should be placed in a subtree",
342 &g_ah_payload_in_subtree);
344 register_dissector("esp", dissect_esp, proto_esp);
345 register_dissector("ah", dissect_ah, proto_ah);
349 proto_reg_handoff_ipsec(void)
351 dissector_handle_t esp_handle, ah_handle, ipcomp_handle;
353 data_handle = find_dissector("data");
354 ah_handle = find_dissector("ah");
355 dissector_add("ip.proto", IP_PROTO_AH, ah_handle);
356 esp_handle = find_dissector("esp");
357 dissector_add("ip.proto", IP_PROTO_ESP, esp_handle);
358 ipcomp_handle = create_dissector_handle(dissect_ipcomp, proto_ipcomp);
359 dissector_add("ip.proto", IP_PROTO_IPCOMP, ipcomp_handle);