2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-socks.c,v 1.18 2001/01/10 10:59:11 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
28 * The Version 5 decoder is based upon rfc-1928
29 * The Version 5 User/Password authentication is based on rfc-1929.
31 * See http://www.socks.nec.com/socksprot.html for these and other documents
35 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
36 * Now test and exit if hash_info is null.
39 /* Possible enhancements -
41 * Add GSS-API authentication per rfc-1961
42 * Add CHAP authentication
43 * Decode FLAG bits per
44 * http://www.socks.nec.com/draft/draft-ietf-aft-socks-pro-v-04.txt
45 * In call_next_dissector, could load the destination address into the
46 * pi structure before calling next dissector.
47 * remove display_string or at least make it use protocol identifiers
48 * socks_hash_entry_t needs to handle V5 address type and domain names
59 #ifdef HAVE_SYS_TYPES_H
60 # include <sys/types.h>
63 #ifdef HAVE_NETINET_IN_H
64 # include <netinet/in.h>
71 #ifdef NEED_SNPRINTF_H
72 # include "snprintf.h"
78 #include "alignment.h"
79 #include "conversation.h"
81 #include "packet-tcp.h"
82 #include "packet-udp.h"
86 #define CHECK_PACKET_LENGTH(X) if (!BYTES_ARE_IN_FRAME(offset, X)){ \
87 proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***"); \
90 #define compare_packet(X) (X == (fd->num))
91 #define get_packet_ptr (fd->num)
92 #define row_pointer_type guint32
94 #define TCP_PORT_SOCKS 1080
97 /**************** Socks commands ******************/
99 #define CONNECT_COMMAND 1
100 #define BIND_COMMAND 2
101 #define UDP_ASSOCIATE_COMMAND 3
102 #define PING_COMMAND 0x80
103 #define TRACERT_COMMAND 0x81
106 /********** V5 Authentication methods *************/
108 #define NO_AUTHENTICATION 0
109 #define GSS_API_AUTHENTICATION 1
110 #define USER_NAME_AUTHENTICATION 2
111 #define CHAP_AUTHENTICATION 3
112 #define AUTHENTICATION_FAILED 0xff
115 /*********** Header field identifiers *************/
117 static int proto_socks = -1;
119 static int ett_socks = -1;
120 static int ett_socks_auth = -1;
121 static int ett_socks_name = -1;
123 static int hf_socks_ver = -1;
124 static int hf_socks_ip_dst = -1;
125 static int hf_socks_ip6_dst = -1;
126 static int hf_user_name = -1;
127 static int hf_socks_dstport = -1;
128 static int hf_socks_command = -1;
131 /************* State Machine names ***********/
156 gint32 udp_remote_port;
159 row_pointer_type v4_name_row;
160 row_pointer_type v4_user_name_row;
161 row_pointer_type connect_row;
162 row_pointer_type cmd_reply_row;
163 row_pointer_type bind_reply_row;
164 row_pointer_type command_row;
165 row_pointer_type auth_method_row;
166 row_pointer_type user_name_auth_row;
167 guint32 start_done_row;
169 guint32 dst_addr; /* this needs to handle IPv6 */
175 static char *address_type_table[] = {
185 /* String table for the V4 reply status messages */
187 static char *reply_table_v4[] = {
189 "Rejected or Failed",
190 "Rejected because SOCKS server cannot connect to identd on the client",
191 "Rejected because the client program and identd report different user-ids",
196 /* String table for the V5 reply status messages */
198 static char *reply_table_v5[] = {
200 "General SOCKS server failure",
201 "Connection not allowed by ruleset",
202 "Network unreachable",
204 "Connection refused",
206 "Command not supported",
207 "Address type not supported",
212 #define socks_hash_init_count 20
213 #define socks_hash_val_length (sizeof(socks_hash_entry_t))
215 static GMemChunk *socks_vals = NULL;
218 /************************* Support routines ***************************/
221 static int display_string( const u_char *pd, int offset, frame_data *fd,
222 proto_tree *tree, char *label){
224 /* display a string with a length, characters encoding */
225 /* they are displayed under a tree with the name in Label variable */
226 /* return the length of the string and the length byte */
229 proto_tree *name_tree;
234 int length = GBYTE( pd, offset);
236 if (!BYTES_ARE_IN_FRAME(offset, 8)){
237 proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
241 strncpy( temp, &pd[ offset + 1], length);
244 ti = proto_tree_add_text(tree, NullTVB, offset, length + 1,
245 "%s: %s" , label, temp);
248 name_tree = proto_item_add_subtree(ti, ett_socks_name);
250 proto_tree_add_text( name_tree, NullTVB, offset, 1, "Length: %d", length);
254 proto_tree_add_text( name_tree, NullTVB, offset, length, "String: %s", temp);
261 static char *get_auth_method_name( guint Number){
263 /* return the name of the authenication method */
265 if ( Number == 0) return "No authentication";
266 if ( Number == 1) return "GSSAPI";
267 if ( Number == 2) return "Username/Password";
268 if ( Number == 3) return "Chap";
269 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
270 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
271 if ( Number == 0xff) return "no acceptable method";
273 /* shouldn't reach here */
275 return "Bad method number (not 0-0xff)";
279 static char *get_command_name( guint Number){
281 /* return the name of the command as a string */
283 if ( Number == 0) return "Unknow";
284 if ( Number == 1) return "Connect";
285 if ( Number == 2) return "Bind";
286 if ( Number == 3) return "UdpAssociate";
287 if ( Number == 0x80) return "Ping";
288 if ( Number == 0x81) return "Traceroute";
293 static int display_address( const u_char *pd, int offset,
294 frame_data *fd, proto_tree *tree) {
296 /* decode and display the v5 address, return offset of next byte */
298 int a_type = GBYTE( pd, offset);
300 proto_tree_add_text( tree, NullTVB, offset, 1,
301 "Address Type: %d (%s)", a_type,
302 address_type_table[ MAX( 0, MIN( a_type,
303 array_length( address_type_table)-1))]);
307 if ( a_type == 1){ /* IPv4 address */
308 if (!BYTES_ARE_IN_FRAME(offset, 4))
309 proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
311 proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset,
312 4, GWORD( pd, offset));
315 else if ( a_type == 3){ /* domain name address */
317 offset += display_string( pd, offset, fd, tree,
320 else if ( a_type == 4){ /* IPv6 address */
321 if (!BYTES_ARE_IN_FRAME(offset, 16))
322 proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
324 proto_tree_add_ipv6( tree, hf_socks_ip6_dst, NullTVB, offset,
333 static int get_address_v5( const u_char *pd, int offset,
334 socks_hash_entry_t *hash_info) {
336 /* decode the v5 address and return offset of next byte */
337 /*$$$ this needs to handle IPV6 and domain name addresses */
340 int a_type = GBYTE( pd, offset++);
342 if ( a_type == 1){ /* IPv4 address */
345 hash_info->dst_addr = GWORD( pd, offset);
349 else if ( a_type == 4) /* IPv6 address */
352 else if ( a_type == 3) /* domain name address */
353 offset += GBYTE( pd, offset) + 1;
359 /********************* V5 UDP Associate handlers ***********************/
361 static void socks_udp_dissector( const u_char *pd, int offset, frame_data *fd,
364 /* Conversation dissector called from UDP dissector. Decode and display */
365 /* the socks header, the pass the rest of the data to the udp port */
366 /* decode routine to handle the payload. */
369 socks_hash_entry_t *hash_info;
370 conversation_t *conversation;
371 proto_tree *socks_tree;
375 conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
376 pi.srcport, pi.destport, 0);
378 g_assert( conversation); /* should always find a conversation */
380 hash_info = (socks_hash_entry_t*)conversation->data;
382 if (check_col(fd, COL_PROTOCOL))
383 col_set_str(fd, COL_PROTOCOL, "Socks");
385 if (check_col(fd, COL_INFO))
386 col_add_fstr(fd, COL_INFO, "Version: 5, UDP Associated packet");
389 ti = proto_tree_add_protocol_format( tree, proto_socks, NullTVB, offset,
390 END_OF_FRAME, "Socks" );
392 socks_tree = proto_item_add_subtree(ti, ett_socks);
394 CHECK_PACKET_LENGTH( 3);
396 proto_tree_add_text( socks_tree, NullTVB, offset, 2, "Reserved");
399 proto_tree_add_text( socks_tree, NullTVB, offset, 1, "Fragment Number: %d", GBYTE( pd,offset));
403 offset = display_address( pd, offset, fd, socks_tree);
404 hash_info->udp_remote_port = pntohs( &pd[ offset]);
406 CHECK_PACKET_LENGTH( 2);
407 proto_tree_add_uint( socks_tree, hf_socks_dstport, NullTVB,
408 offset, 2, hash_info->udp_remote_port);
412 else { /* no tree, skip past the socks header */
413 CHECK_PACKET_LENGTH( 3);
415 offset = get_address_v5( pd,offset, 0) + 2;
419 /* set pi src/dst port and call the udp sub-dissector lookup */
421 if ( pi.srcport == hash_info->port)
426 *ptr = hash_info->udp_remote_port;
428 tvb = tvb_create_from_top(0);
429 decode_udp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
431 *ptr = hash_info->udp_port;
436 void new_udp_conversation( socks_hash_entry_t *hash_info){
438 conversation_t *conversation = conversation_new( &pi.src, &pi.dst, PT_UDP,
439 hash_info->udp_port, hash_info->port, hash_info, 0);
441 g_assert( conversation);
443 old_conversation_set_dissector(conversation, socks_udp_dissector);
449 /**************** Protocol Tree Display routines ******************/
452 void display_socks_v4( const u_char *pd, int offset, frame_data *fd,
453 proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
456 /* Display the protocol tree for the V5 version. This routine uses the */
457 /* stored conversation information to decide what to do with the row. */
458 /* Per packet information would have been better to do this, but we */
459 /* didn't have that when I wrote this. And I didn't expect this to get */
465 /* Display command from client */
466 if (compare_packet( hash_info->connect_row)){
468 CHECK_PACKET_LENGTH( 8);
469 proto_tree_add_text( tree, NullTVB, offset, 1,
470 "Version: %u ", hash_info->version);
472 command = GBYTE( pd, offset);
474 proto_tree_add_text( tree, NullTVB, offset, 1,
475 "Command: %u (%s)", command,
476 get_command_name( command));
480 proto_tree_add_uint( tree, hf_socks_dstport, NullTVB, offset, 2,
481 pntohs( &pd[ offset]));
484 /* Do destination address */
485 proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset,
486 4, GWORD( pd, offset));
490 /*$$ check this, needs to do length checking */
491 /* display user name */
492 proto_tree_add_string( tree, hf_user_name, NullTVB, offset,
493 strlen( &pd[offset]) + 1,
497 /*Display command response from server*/
499 else if ( compare_packet( hash_info->cmd_reply_row)){
501 CHECK_PACKET_LENGTH( 8);
502 proto_tree_add_text( tree, NullTVB, offset, 1,
503 "Version: %u (should be 0) ", GBYTE( pd, offset));
505 /* Do results code */
506 proto_tree_add_text( tree, NullTVB, offset, 1,
507 "Result Code: %u (%s)", GBYTE( pd, offset) ,
508 reply_table_v4[ MAX(0, MIN( GBYTE( pd, offset) - 90, 4))]);
512 proto_tree_add_uint( tree, hf_socks_dstport, NullTVB, offset, 2,
513 pntohs( &pd[ offset]));
515 /* Do remote address */
516 proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset, 4,
520 else if ( compare_packet( hash_info->v4_user_name_row)){
522 /*$$ check this, needs to do length checking */
523 proto_tree_add_text( tree, NullTVB, offset, strlen( &pd[offset]),
524 "User Name: %s", &pd[offset]);
530 void display_socks_v5( const u_char *pd, int offset, frame_data *fd,
531 proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
533 /* Display the protocol tree for the version. This routine uses the */
534 /* stored conversation information to decide what to do with the row. */
535 /* Per packet information would have been better to do this, but we */
536 /* didn't have that when I wrote this. And I didn't expect this to get */
544 if (compare_packet( hash_info->connect_row)){
546 proto_tree *AuthTree;
549 CHECK_PACKET_LENGTH( 2);
551 proto_tree_add_uint( tree, hf_socks_ver, NullTVB, offset, 1,
555 temp = GBYTE( pd, offset); /* Get Auth method count */
556 /* build auth tree */
557 ti = proto_tree_add_text( tree, NullTVB, offset, 1,
558 "Client Authentication Methods");
560 AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
562 proto_tree_add_text( AuthTree, NullTVB, offset, 1,
566 CHECK_PACKET_LENGTH( temp);
568 for( i = 0; i < temp; ++i) {
570 AuthMethodStr = get_auth_method_name(
571 GBYTE( pd, offset + i));
572 proto_tree_add_text( AuthTree, NullTVB, offset + i, 1,
573 "Method[%d]: %u (%s)", i,
574 GBYTE( pd, offset + i), AuthMethodStr);
577 } /* Get accepted auth method */
578 else if (compare_packet( hash_info->auth_method_row)) {
581 CHECK_PACKET_LENGTH( 1);
583 proto_tree_add_text( tree, NullTVB, offset, 1,
584 "Accepted Auth Method: 0x%0x (%s)", GBYTE( pd, offset),
585 get_auth_method_name( GBYTE( pd, offset)));
588 } /* handle user/password auth */
589 else if (compare_packet( hash_info->user_name_auth_row)) {
591 proto_tree_add_text( tree, NullTVB, offset, 1,
592 "Version: %u ", hash_info->version);
594 /* process user name */
595 offset += display_string( pd, offset, fd, tree,
597 /* process password */
598 offset += display_string( pd, offset, fd, tree,
601 /* command to the server */
602 /* command response from server */
603 else if ((compare_packet( hash_info->command_row)) ||
604 (compare_packet( hash_info->cmd_reply_row)) ||
605 (compare_packet( hash_info->bind_reply_row))){
607 proto_tree_add_text( tree, NullTVB, offset, 1,
608 "Version: %u ", hash_info->version);
610 CHECK_PACKET_LENGTH( 1);
614 command = GBYTE( pd, offset);
616 if (compare_packet( hash_info->command_row))
617 proto_tree_add_text( tree, NullTVB, offset, 1, "Command: %u (%s)",
618 command, get_command_name( command));
620 proto_tree_add_text( tree, NullTVB, offset, 1, "Status: %d (%s)",
621 GBYTE( pd, offset), reply_table_v5[ MAX( 0,
622 MIN(GBYTE( pd, offset) - 90, 9))]);
625 proto_tree_add_text( tree, NullTVB, offset, 1,
626 "Reserved: 0x%0x (should = 0x00)", GBYTE( pd, offset));
629 offset = display_address( pd, offset, fd, tree);
631 CHECK_PACKET_LENGTH( 2);
633 proto_tree_add_text( tree, NullTVB, offset, 2,
635 (compare_packet( hash_info->bind_reply_row) ?
636 "Remote Host " : ""),
637 pntohs( &pd[ offset]));
643 /**************** Decoder State Machines ******************/
646 static guint state_machine_v4( socks_hash_entry_t *hash_info, const u_char *pd,
647 int offset, frame_data *fd) {
649 /* Decode V4 protocol. This is done on the first pass through the */
650 /* list. Based upon the current state, decode the packet and determine */
651 /* what the next state should be. If we had per packet information, */
652 /* this would be the place to load them up. */
654 if ( hash_info->state == None) { /* new connection */
656 if (check_col(fd, COL_INFO))
657 col_append_str(fd, COL_INFO, " Connect to server request");
659 hash_info->state = Connecting; /* change state */
661 hash_info->command = GBYTE( pd, offset + 1);
662 /* get remote port */
663 if ( hash_info->command == CONNECT_COMMAND)
664 hash_info->port = pntohs( &pd[ offset + 2]);
665 /* get remote address */
666 hash_info->dst_addr = GWORD( pd, offset + 4);
668 /* save the packet pointer */
669 hash_info->connect_row = get_packet_ptr;
671 /* skip past this stuff */
672 hash_info->connect_offset = offset + 8;
676 if ( offset == pi.len) /* if no user name */
678 hash_info->state = V4UserNameWait;
681 hash_info->connect_offset += strlen( &pd[ offset]) + 1;
683 if ( !hash_info->dst_addr){ /* if no dest address */
685 if ( hash_info->connect_offset < pi.len ) {
686 /*$$$ copy remote name here ??? */
687 hash_info->state = Connecting;
690 hash_info->state = V4NameWait;
692 /* waiting for V4 user name */
693 }else if ( hash_info->state == V4UserNameWait){
695 if (check_col(fd, COL_INFO))
696 col_append_str(fd, COL_INFO, " Connect Request (User name)");
698 hash_info->v4_user_name_row = get_packet_ptr;
699 /*$$$ may need to check for domain name here */
700 hash_info->state = Connecting;
702 /* waiting for V4 domain name */
703 else if ( hash_info->state == V4NameWait){
705 hash_info->v4_name_row = get_packet_ptr;
706 hash_info->state = Connecting;
709 else if ( hash_info->state == Connecting){
711 if (check_col(fd, COL_INFO))
712 col_append_str(fd, COL_INFO, " Connect Response");
714 /* save packet pointer */
715 hash_info->cmd_reply_row = get_packet_ptr;
716 hash_info->state = Done; /* change state */
725 static void state_machine_v5( socks_hash_entry_t *hash_info, const u_char *pd,
726 int offset, frame_data *fd) {
728 /* Decode V5 protocol. This is done on the first pass through the */
729 /* list. Based upon the current state, decode the packet and determine */
730 /* what the next state should be. If we had per packet information, */
731 /* this would be the place to load them up. */
736 if ( hash_info->state == None) {
738 if (check_col(fd, COL_INFO))
739 col_append_str(fd, COL_INFO, " Connect to server request");
741 hash_info->state = Connecting; /* change state */
742 hash_info->connect_row = get_packet_ptr;
744 if (!BYTES_ARE_IN_FRAME(offset, 1)){
745 hash_info->state = Done; /* change state */
749 temp = GBYTE( pd, offset + 1);
750 /* skip past auth methods */
751 offset = hash_info->connect_offset = offset + 1 + temp;
753 else if ( hash_info->state == Connecting){
755 guint AuthMethod = GBYTE( pd, offset + 1);
757 if (check_col(fd, COL_INFO))
758 col_append_str(fd, COL_INFO, " Connect to server response");
760 hash_info->auth_method_row = get_packet_ptr;
762 if ( AuthMethod == NO_AUTHENTICATION)
763 hash_info->state = V5Command;
765 else if ( AuthMethod == USER_NAME_AUTHENTICATION)
766 hash_info->state = UserNameAuth;
768 else if ( AuthMethod == GSS_API_AUTHENTICATION)
769 /*$$$ should be this hash_info->state = GssApiAuth; */
770 hash_info->state = Done;
772 else hash_info->state = Done; /*Auth failed or error*/
776 else if ( hash_info->state == V5Command) { /* Handle V5 Command */
780 if (!BYTES_ARE_IN_FRAME(offset, 1)){
781 hash_info->state = Done; /* change state */
785 hash_info->command = GBYTE( pd, offset + 1); /* get command */
787 if (check_col(fd, COL_INFO))
788 col_append_fstr(fd, COL_INFO, " Command Request - %s",
789 get_command_name(hash_info->command));
791 hash_info->state = V5Reply;
792 hash_info->command_row = get_packet_ptr;
794 offset += 3; /* skip to address type */
796 offset = get_address_v5( pd, offset, hash_info);
798 if (!BYTES_ARE_IN_FRAME(offset, 1)){
799 hash_info->state = Done;
802 temp = GBYTE( pd, offset);
804 if (( hash_info->command == CONNECT_COMMAND) ||
805 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
806 /* get remote port */
807 hash_info->port = pntohs( &pd[ offset]);
810 else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
813 if (check_col(fd, COL_INFO))
814 col_append_fstr(fd, COL_INFO, " Command Response - %s",
815 get_command_name(hash_info->command));
817 hash_info->cmd_reply_row = get_packet_ptr;
819 if (( hash_info->command == CONNECT_COMMAND) ||
820 (hash_info->command == PING_COMMAND) ||
821 (hash_info->command == TRACERT_COMMAND))
822 hash_info->state = Done;
824 else if ( hash_info->command == BIND_COMMAND)
825 hash_info->state = V5BindReply;
827 else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
828 offset += 3; /* skip to address type */
829 offset = get_address_v5( pd, offset, hash_info);
831 /* save server udp port and create upd conversation */
832 if (!BYTES_ARE_IN_FRAME(offset, 2)){
833 hash_info->state = Done;
836 hash_info->udp_port = pntohs( &pd[ offset]);
838 new_udp_conversation( hash_info);
840 /*$$ may need else statement to handle unknows and generate error message */
844 else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
846 if (check_col(fd, COL_INFO))
847 col_append_str(fd, COL_INFO, " Command Response: Bind remote host info");
849 hash_info->bind_reply_row = get_packet_ptr;
850 hash_info->state = Done;
852 else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
853 if (check_col(fd, COL_INFO))
854 col_append_str(fd, COL_INFO,
855 " User authentication response");
857 hash_info->user_name_auth_row = get_packet_ptr;
858 hash_info->state = AuthReply;
861 else if ( hash_info->state == AuthReply){ /* V5 User Auth reply */
862 hash_info->cmd_reply_row = get_packet_ptr;
863 if (check_col(fd, COL_INFO))
864 col_append_str(fd, COL_INFO, " User authentication reply");
865 hash_info->state = V5Command;
871 static void display_ping_and_tracert( const u_char *pd, int offset,
872 frame_data *fd, proto_tree *tree, socks_hash_entry_t *hash_info) {
874 /* Display the ping/trace_route conversation */
877 const u_char *data, *dataend;
878 const u_char *lineend, *eol;
881 /* handle the end command */
882 if ( pi.destport == TCP_PORT_SOCKS){
883 if (check_col(fd, COL_INFO))
884 col_append_str(fd, COL_INFO, ", Terminate Request");
887 proto_tree_add_text(tree, NullTVB, offset, 1,
888 (hash_info->command == PING_COMMAND) ?
889 "Ping: End command" :
890 "Traceroute: End command");
892 else{ /* display the PING or Traceroute results */
893 if (check_col(fd, COL_INFO))
894 col_append_str(fd, COL_INFO, ", Results");
897 proto_tree_add_text(tree, NullTVB, offset, END_OF_FRAME,
898 (hash_info->command == PING_COMMAND) ?
900 "Traceroute Results");
903 dataend = data + END_OF_FRAME;
905 while (data < dataend) {
907 lineend = find_line_end(data, dataend, &eol);
908 linelen = lineend - data;
910 proto_tree_add_text( tree, NullTVB, offset, linelen,
911 format_text(data, linelen));
921 static void call_next_dissector( const u_char *pd, int offset, frame_data *fd,
922 proto_tree *tree, socks_hash_entry_t *hash_info) {
924 /* Display the results for PING and TRACERT extensions or */
925 /* Call TCP dissector for the port that was passed during the */
926 /* connect process */
927 /* Load pointer to pi.XXXport depending upon the direction, change */
928 /* pi port to the remote port, call next dissecotr to decode the */
929 /* payload, and restore the pi port after that is done. */
934 if (( hash_info->command == PING_COMMAND) ||
935 ( hash_info->command == TRACERT_COMMAND))
937 display_ping_and_tracert( pd, offset, fd, tree, hash_info);
939 else { /* call the tcp port decoder to handle the payload */
941 /*$$$ may want to load dest address here */
943 if ( pi.destport == TCP_PORT_SOCKS)
948 *ptr = hash_info->port;
949 tvb = tvb_create_from_top(0);
950 decode_tcp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
951 *ptr = TCP_PORT_SOCKS;
958 dissect_socks(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
960 proto_tree *socks_tree;
962 socks_hash_entry_t *hash_info;
963 conversation_t *conversation;
965 OLD_CHECK_DISPLAY_AS_DATA(proto_socks, pd, offset, fd, tree);
967 conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
968 pi.srcport, pi.destport, 0);
970 if ( conversation){ /* conversation found */
971 hash_info = conversation->data;
972 if ( !hash_info){ /* exit if bad value */
973 old_dissect_data(pd, offset, fd, tree);
977 /* new conversation create local data structure */
979 hash_info = g_mem_chunk_alloc(socks_vals);
980 hash_info->start_done_row = G_MAXINT;
981 hash_info->state = None;
982 hash_info->port = -1;
983 hash_info->version = GBYTE( pd, offset); /* get version*/
985 if (( hash_info->version != 4) && /* error test version */
986 ( hash_info->version != 5))
987 hash_info->state = Done;
989 conversation = conversation_new( &pi.src, &pi.dst, pi.ptype,
990 pi.srcport, pi.destport, hash_info, 0);
992 /* set dissector for now */
993 old_conversation_set_dissector(conversation, dissect_socks);
996 /* display summary window information */
998 if (check_col(fd, COL_PROTOCOL))
999 col_set_str(fd, COL_PROTOCOL, "Socks");
1001 if (check_col(fd, COL_INFO)){
1002 if (( hash_info->version == 4) || ( hash_info->version == 5)){
1003 col_add_fstr(fd, COL_INFO, "Version: %d",
1004 hash_info->version);
1006 else /* unknown version display error */
1007 col_set_str(fd, COL_INFO, "Unknown");
1010 if ( hash_info->command == PING_COMMAND)
1011 col_append_str(fd, COL_INFO, ", Ping Req");
1012 if ( hash_info->command == TRACERT_COMMAND)
1013 col_append_str(fd, COL_INFO, ", Traceroute Req");
1015 if ( hash_info->port != -1)
1016 col_append_fstr(fd, COL_INFO, ", Remote Port: %d",
1021 /* run state machine if needed */
1023 if ((hash_info->state != Done) && ( !fd->flags.visited)){
1025 if ( hash_info->version == 4)
1026 state_machine_v4( hash_info, pd, offset, fd);
1028 else if ( hash_info->version == 5)
1029 state_machine_v5( hash_info, pd, offset, fd);
1031 if (hash_info->state == Done) { /* if done now */
1032 hash_info->start_done_row = fd->num;
1036 /* if proto tree, decode and display */
1039 ti = proto_tree_add_item( tree, proto_socks, NullTVB, offset,
1040 END_OF_FRAME, FALSE );
1042 socks_tree = proto_item_add_subtree(ti, ett_socks);
1044 if ( hash_info->version == 4)
1045 display_socks_v4( pd, offset, fd, tree, socks_tree,
1048 else if ( hash_info->version == 5)
1049 display_socks_v5( pd, offset, fd, tree, socks_tree,
1052 /* if past startup, add the faked stuff */
1053 if ( fd->num > hash_info->start_done_row){
1054 /* add info to tree */
1055 proto_tree_add_text( socks_tree, NullTVB, offset, 0,
1056 "Command: %d (%s)", hash_info->command,
1057 get_command_name(hash_info->command));
1059 proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, NullTVB,
1060 offset, 0, hash_info->dst_addr);
1062 /* no fake address for ping & traceroute */
1064 if (( hash_info->command != PING_COMMAND) &&
1065 ( hash_info->command != TRACERT_COMMAND)){
1066 proto_tree_add_uint( socks_tree, hf_socks_dstport, NullTVB,
1067 offset, 0, hash_info->port);
1074 /* call next dissector if ready */
1076 if ( fd->num > hash_info->start_done_row){
1077 call_next_dissector( pd, offset, fd, tree, hash_info);
1083 static void socks_reinit( void){
1085 /* Do the cleanup work when a new pass through the packet list is */
1086 /* performed. Reset the highest row seen counter and re-initialize the */
1087 /* conversation memory chunks. */
1090 g_mem_chunk_destroy(socks_vals);
1092 socks_vals = g_mem_chunk_new("socks_vals", socks_hash_val_length,
1093 socks_hash_init_count * socks_hash_val_length,
1099 proto_register_socks( void){
1101 /*** Prep the socks protocol, register it and a initialization routine */
1102 /* to clear the hash stuff. */
1105 static gint *ett[] = {
1112 static hf_register_info hf[] = {
1116 { "Version", "socks.ver", FT_UINT8, BASE_NONE, NULL,
1121 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1125 { &hf_socks_ip6_dst,
1126 { "Remote Address", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1132 { "User Name", "socks.username", FT_STRING, BASE_NONE,
1136 { &hf_socks_dstport,
1137 { "Remote Port", "socks.dstport", FT_UINT16,
1138 BASE_DEC, NULL, 0x0, ""
1141 { &hf_socks_command,
1142 { "Command", "socks.command", FT_UINT16,
1143 BASE_DEC, NULL, 0x0, ""
1150 proto_socks = proto_register_protocol (
1151 "Socks Protocol", "Socks", "socks");
1153 proto_register_field_array(proto_socks, hf, array_length(hf));
1154 proto_register_subtree_array(ett, array_length(ett));
1156 register_init_routine( &socks_reinit); /* register re-init routine */
1161 proto_reg_handoff_socks(void) {
1163 /* dissector install routine */
1165 old_dissector_add("tcp.port", TCP_PORT_SOCKS, dissect_socks,