2 * Routines for SMTP packet disassembly
4 * $Id: packet-smtp.c,v 1.37 2004/05/16 18:50:40 guy Exp $
6 * Copyright (c) 2000 by Richard Sharpe <rsharpe@ns.aus.com>
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1999 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
37 #include <epan/packet.h>
38 #include <epan/conversation.h>
39 #include <epan/resolv.h>
41 #include <epan/strutil.h>
43 #define TCP_PORT_SMTP 25
45 static int proto_smtp = -1;
47 static int hf_smtp_req = -1;
48 static int hf_smtp_rsp = -1;
49 static int hf_smtp_req_command = -1;
50 static int hf_smtp_req_parameter = -1;
51 static int hf_smtp_rsp_code = -1;
52 static int hf_smtp_rsp_parameter = -1;
54 static int ett_smtp = -1;
55 static int ett_smtp_cmdresp = -1;
57 /* desegmentation of SMTP command and response lines */
58 static gboolean smtp_desegment = TRUE;
61 * A CMD is an SMTP command, MESSAGE is the message portion, and EOM is the
62 * last part of a message
65 #define SMTP_PDU_CMD 0
66 #define SMTP_PDU_MESSAGE 1
67 #define SMTP_PDU_EOM 2
69 struct smtp_proto_data {
73 static int smtp_packet_init_count = 100;
76 * State information stored with a conversation.
78 struct smtp_request_val {
79 gboolean reading_data; /* Reading message data, not commands */
80 guint16 crlf_seen; /* Have we seen a CRLF on the end of a packet */
83 static GMemChunk *smtp_request_vals = NULL;
84 static GMemChunk *smtp_packet_infos = NULL;
87 smtp_init_protocol(void)
89 if (smtp_request_vals)
90 g_mem_chunk_destroy(smtp_request_vals);
91 if (smtp_packet_infos)
92 g_mem_chunk_destroy(smtp_packet_infos);
94 smtp_request_vals = g_mem_chunk_new("smtp_request_vals",
95 sizeof(struct smtp_request_val),
96 smtp_packet_init_count * sizeof(struct smtp_request_val), G_ALLOC_AND_FREE);
97 smtp_packet_infos = g_mem_chunk_new("smtp_packet_infos",
98 sizeof(struct smtp_proto_data),
99 smtp_packet_init_count * sizeof(struct smtp_proto_data), G_ALLOC_AND_FREE);
104 dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
106 struct smtp_proto_data *frame_data;
107 proto_tree *smtp_tree;
108 proto_tree *cmdresp_tree;
112 conversation_t *conversation;
113 struct smtp_request_val *request_val;
117 gint length_remaining;
118 gboolean eom_seen = FALSE;
120 gboolean is_continuation_line;
123 /* As there is no guarantee that we will only see frames in the
124 * the SMTP conversation once, and that we will see them in
125 * order - in Ethereal, the user could randomly click on frames
126 * in the conversation in any order in which they choose - we
127 * have to store information with each frame indicating whether
128 * it contains commands or data or an EOM indication.
130 * XXX - what about frames that contain *both*? TCP is a
131 * byte-stream protocol, and there are no guarantees that
132 * TCP segment boundaries will correspond to SMTP commands
133 * or EOM indications.
135 * We only need that for the client->server stream; responses
136 * are easy to manage.
138 * If we have per frame data, use that, else, we must be on the first
139 * pass, so we figure it out on the first pass.
142 /* Find out what conversation this packet is part of ... but only
143 * if we have no information on this packet, so find the per-frame
147 /* SMTP messages have a simple format ... */
149 request = pinfo -> destport == pinfo -> match_port;
152 * Get the first line from the buffer.
154 * Note that "tvb_find_line_end()" will, if it doesn't return
155 * -1, return a value that is not longer than what's in the buffer,
156 * and "tvb_find_line_end()" will always return a value that is not
157 * longer than what's in the buffer, so the "tvb_get_ptr()" call
158 * won't throw an exception.
160 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
161 smtp_desegment && pinfo->can_desegment);
164 * We didn't find a line ending, and we're doing desegmentation;
165 * tell the TCP dissector where the data for this message starts
166 * in the data it handed us, and tell it we need one more byte
167 * (we may need more, but we'll try again if what we get next
168 * isn't enough), and return.
170 pinfo->desegment_offset = offset;
171 pinfo->desegment_len = 1;
174 line = tvb_get_ptr(tvb, offset, linelen);
176 frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
180 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
181 pinfo->srcport, pinfo->destport, 0);
182 if (conversation == NULL) { /* No conversation, create one */
183 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
184 pinfo->srcport, pinfo->destport, 0);
189 * Is there a request structure attached to this conversation?
191 request_val = conversation_get_proto_data(conversation, proto_smtp);
196 * No - create one and attach it.
198 request_val = g_mem_chunk_alloc(smtp_request_vals);
199 request_val->reading_data = FALSE;
200 request_val->crlf_seen = 0;
202 conversation_add_proto_data(conversation, proto_smtp, request_val);
207 * Check whether or not this packet is an end of message packet
208 * We should look for CRLF.CRLF and they may be split.
209 * We have to keep in mind that we may see what we want on
210 * two passes through here ...
213 if (request_val->reading_data) {
216 * The order of these is important ... We want to avoid
217 * cases where there is a CRLF at the end of a packet and a
218 * .CRLF at the begining of the same packet.
221 if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) ||
222 tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) {
228 length_remaining = tvb_length_remaining(tvb, offset);
229 if (length_remaining == tvb_reported_length_remaining(tvb, offset) &&
230 tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) {
232 request_val->crlf_seen = 1;
237 request_val->crlf_seen = 0;
243 * OK, Check if we have seen a DATA request. We do it here for
244 * simplicity, but we have to be careful below.
249 frame_data = g_mem_chunk_alloc(smtp_packet_infos);
251 if (request_val->reading_data) {
253 * This is message data.
255 if (eom_seen) { /* Seen the EOM */
258 * Everything that comes after it is commands.
260 * XXX - what if the EOM isn't at the beginning of
261 * the TCP segment? It can occur anywhere....
263 frame_data->pdu_type = SMTP_PDU_EOM;
264 request_val->reading_data = FALSE;
267 * Message data with no EOM.
269 frame_data->pdu_type = SMTP_PDU_MESSAGE;
273 * This is commands - unless the capture started in the
274 * middle of a session, and we're in the middle of data.
275 * To quote RFC 821, "Command codes are four alphabetic
276 * characters"; if we don't see four alphabetic characters
277 * and, if there's anything else in the line, a space, we
278 * assume it's not a command.
279 * (We treat only A-Z and a-z as alphabetic.)
281 #define ISALPHA(c) (((c) >= 'A' && (c) <= 'Z') || \
282 ((c) >= 'a' && (c) <= 'z'))
283 if (linelen >= 4 && ISALPHA(line[0]) && ISALPHA(line[1]) &&
284 ISALPHA(line[2]) && ISALPHA(line[3]) &&
285 (linelen == 4 || line[4] == ' ')) {
286 if (strncasecmp(line, "DATA", 4) == 0) {
290 * This is a command, but everything that comes after it,
291 * until an EOM, is data.
293 frame_data->pdu_type = SMTP_PDU_CMD;
294 request_val->reading_data = TRUE;
301 frame_data->pdu_type = SMTP_PDU_CMD;
305 if ((linelen >= 7) && line[0] == 'X' && ( (strncasecmp(line, "X-EXPS ", 7) == 0) ||
306 ((linelen >=13) && (strncasecmp(line, "X-LINK2STATE ", 13) == 0)) ||
307 ((linelen >= 8) && (strncasecmp(line, "XEXCH50 ", 8) == 0)) ))
308 frame_data->pdu_type = SMTP_PDU_CMD;
311 * Assume it's message data.
314 frame_data->pdu_type = SMTP_PDU_MESSAGE;
320 p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
326 * From here, we simply add items to the tree and info to the info
330 if (check_col(pinfo->cinfo, COL_PROTOCOL))
331 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
333 if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */
336 * If it is a request, we have to look things up, otherwise, just
337 * display the right things
342 /* We must have frame_data here ... */
344 switch (frame_data->pdu_type) {
345 case SMTP_PDU_MESSAGE:
347 col_set_str(pinfo->cinfo, COL_INFO, "Message Body");
352 col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s",
353 format_text(line, linelen));
358 col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s",
359 format_text(line, linelen));
367 col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s",
368 format_text(line, linelen));
373 if (tree) { /* Build the tree info ... */
375 ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, FALSE);
376 smtp_tree = proto_item_add_subtree(ti, ett_smtp);
380 * Check out whether or not we can see a command in there ...
381 * What we are looking for is not data_seen and the word DATA
384 * We will see DATA and request_val->data_seen when we process the
385 * tree view after we have seen a DATA packet when processing
386 * the packet list pane.
388 * On the first pass, we will not have any info on the packets
389 * On second and subsequent passes, we will.
392 switch (frame_data->pdu_type) {
394 case SMTP_PDU_MESSAGE:
398 * Put its lines into the protocol tree, a line at a time.
400 while (tvb_offset_exists(tvb, offset)) {
403 * Find the end of the line.
405 tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
410 proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
412 tvb_format_text(tvb, offset, next_offset - offset));
415 * Step to the next line.
417 offset = next_offset;
426 * End-of-message-body indicator.
428 * XXX - what about stuff after the first line?
429 * Unlikely, as the client should wait for a response to the
430 * DATA command this terminates before sending another
431 * request, but we should probably handle it.
433 proto_tree_add_text(smtp_tree, tvb, offset, linelen,
434 "EOM: %s", format_text(line, linelen));
443 * XXX - what about stuff after the first line?
444 * Unlikely, as the client should wait for a response to the
445 * previous command before sending another request, but we
446 * should probably handle it.
452 proto_tree_add_boolean_hidden(smtp_tree, hf_smtp_req, tvb,
455 * Put the command line into the protocol tree.
457 ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
459 tvb_format_text(tvb, offset, next_offset - offset));
460 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
462 proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
463 offset, cmdlen, FALSE);
465 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
466 offset + 5, linelen - 5, FALSE);
475 * Process the response, a line at a time, until we hit a line
476 * that doesn't have a continuation indication on it.
478 proto_tree_add_boolean_hidden(smtp_tree, hf_smtp_rsp, tvb,
481 while (tvb_offset_exists(tvb, offset)) {
484 * Find the end of the line.
486 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
489 * Put it into the protocol tree.
491 ti = proto_tree_add_text(smtp_tree, tvb, offset,
492 next_offset - offset, "Response: %s",
493 tvb_format_text(tvb, offset,
494 next_offset - offset));
495 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
498 * Is it a continuation line?
500 is_continuation_line =
501 (linelen >= 4 && tvb_get_guint8(tvb, offset + 3) == '-');
504 * Put the response code and parameters into the protocol tree.
506 line = tvb_get_ptr(tvb, offset, linelen);
507 if (linelen >= 3 && isdigit(line[0]) && isdigit(line[1])
508 && isdigit(line[2])) {
510 * We have a 3-digit response code.
512 code = (line[0] - '0')*100 + (line[1] - '0')*10 + (line[2] - '0');
513 proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3,
517 proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
518 offset + 4, linelen - 4, FALSE);
523 * Step past this line.
525 offset = next_offset;
528 * If it's not a continuation line, quit.
530 if (!is_continuation_line)
539 /* Register all the bits needed by the filtering engine */
542 proto_register_smtp(void)
544 static hf_register_info hf[] = {
546 { "Request", "smtp.req", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "", HFILL }},
549 { "Response", "smtp.rsp", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "", HFILL }},
551 { &hf_smtp_req_command,
552 { "Command", "smtp.req.command", FT_STRING, BASE_NONE, NULL, 0x0,
555 { &hf_smtp_req_parameter,
556 { "Request parameter", "smtp.req.parameter", FT_STRING, BASE_NONE, NULL, 0x0,
560 { "Response code", "smtp.response.code", FT_UINT32, BASE_DEC, NULL, 0x0,
563 { &hf_smtp_rsp_parameter,
564 { "Response parameter", "smtp.rsp.parameter", FT_STRING, BASE_NONE, NULL, 0x0,
567 static gint *ett[] = {
571 module_t *smtp_module;
573 /* No Configuration options to register? */
575 proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
578 proto_register_field_array(proto_smtp, hf, array_length(hf));
579 proto_register_subtree_array(ett, array_length(ett));
580 register_init_routine(&smtp_init_protocol);
582 smtp_module = prefs_register_protocol(proto_smtp, NULL);
583 prefs_register_bool_preference(smtp_module, "desegment_lines",
584 "Desegment all SMTP command and response lines\nspanning multiple TCP segments",
585 "Whether the SMTP dissector should desegment all command and response lines spanning multiple TCP segments",
589 /* The registration hand-off routine */
591 proto_reg_handoff_smtp(void)
593 dissector_handle_t smtp_handle;
595 smtp_handle = create_dissector_handle(dissect_smtp, proto_smtp);
596 dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle);