2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-socks.c,v 1.27 2001/10/31 05:59:18 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
27 * The Version 5 decoder is based upon rfc-1928
28 * The Version 5 User/Password authentication is based on rfc-1929.
30 * See http://www.socks.nec.com/socksprot.html for these and other documents
34 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
35 * Now test and exit if hash_info is null.
38 /* Possible enhancements -
40 * Add GSS-API authentication per rfc-1961
41 * Add CHAP authentication
42 * Decode FLAG bits per
43 * http://www.socks.nec.com/draft/draft-ietf-aft-socks-pro-v-04.txt
44 * In call_next_dissector, could load the destination address into the
45 * pi structure before calling next dissector.
46 * remove display_string or at least make it use protocol identifiers
47 * socks_hash_entry_t needs to handle V5 address type and domain names
58 #ifdef HAVE_SYS_TYPES_H
59 # include <sys/types.h>
62 #ifdef HAVE_NETINET_IN_H
63 # include <netinet/in.h>
70 #ifdef NEED_SNPRINTF_H
71 # include "snprintf.h"
76 #include "alignment.h"
77 #include "conversation.h"
79 #include "packet-tcp.h"
80 #include "packet-udp.h"
84 #define compare_packet(X) (X == (pinfo->fd->num))
85 #define get_packet_ptr (pinfo->fd->num)
86 #define row_pointer_type guint32
88 #define TCP_PORT_SOCKS 1080
91 /**************** Socks commands ******************/
93 #define CONNECT_COMMAND 1
94 #define BIND_COMMAND 2
95 #define UDP_ASSOCIATE_COMMAND 3
96 #define PING_COMMAND 0x80
97 #define TRACERT_COMMAND 0x81
100 /********** V5 Authentication methods *************/
102 #define NO_AUTHENTICATION 0
103 #define GSS_API_AUTHENTICATION 1
104 #define USER_NAME_AUTHENTICATION 2
105 #define CHAP_AUTHENTICATION 3
106 #define AUTHENTICATION_FAILED 0xff
109 /*********** Header field identifiers *************/
111 static int proto_socks = -1;
113 static int ett_socks = -1;
114 static int ett_socks_auth = -1;
115 static int ett_socks_name = -1;
117 static int hf_socks_ver = -1;
118 static int hf_socks_ip_dst = -1;
119 static int hf_socks_ip6_dst = -1;
120 static int hf_user_name = -1;
121 static int hf_socks_dstport = -1;
122 static int hf_socks_command = -1;
125 /************* State Machine names ***********/
150 guint32 udp_remote_port;
153 row_pointer_type v4_name_row;
154 row_pointer_type v4_user_name_row;
155 row_pointer_type connect_row;
156 row_pointer_type cmd_reply_row;
157 row_pointer_type bind_reply_row;
158 row_pointer_type command_row;
159 row_pointer_type auth_method_row;
160 row_pointer_type user_name_auth_row;
161 guint32 start_done_row;
163 guint32 dst_addr; /* this needs to handle IPv6 */
169 static char *address_type_table[] = {
179 /* String table for the V4 reply status messages */
181 static char *reply_table_v4[] = {
183 "Rejected or Failed",
184 "Rejected because SOCKS server cannot connect to identd on the client",
185 "Rejected because the client program and identd report different user-ids",
190 /* String table for the V5 reply status messages */
192 static char *reply_table_v5[] = {
194 "General SOCKS server failure",
195 "Connection not allowed by ruleset",
196 "Network unreachable",
198 "Connection refused",
200 "Command not supported",
201 "Address type not supported",
206 #define socks_hash_init_count 20
207 #define socks_hash_val_length (sizeof(socks_hash_entry_t))
209 static GMemChunk *socks_vals = NULL;
212 /************************* Support routines ***************************/
215 static int display_string(tvbuff_t *tvb, int offset, packet_info *pinfo,
216 proto_tree *tree, char *label){
218 /* display a string with a length, characters encoding */
219 /* they are displayed under a tree with the name in Label variable */
220 /* return the length of the string and the length byte */
223 proto_tree *name_tree;
228 int length = tvb_get_guint8(tvb, offset);
230 strncpy( temp, tvb_get_ptr(tvb, offset+1, -1), length);
233 ti = proto_tree_add_text(tree, tvb, offset, length + 1,
234 "%s: %s" , label, temp);
237 name_tree = proto_item_add_subtree(ti, ett_socks_name);
239 proto_tree_add_text( name_tree, tvb, offset, 1, "Length: %d", length);
243 proto_tree_add_text( name_tree, tvb, offset, length, "String: %s", temp);
250 static char *get_auth_method_name( guint Number){
252 /* return the name of the authenication method */
254 if ( Number == 0) return "No authentication";
255 if ( Number == 1) return "GSSAPI";
256 if ( Number == 2) return "Username/Password";
257 if ( Number == 3) return "Chap";
258 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
259 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
260 if ( Number == 0xff) return "no acceptable method";
262 /* shouldn't reach here */
264 return "Bad method number (not 0-0xff)";
268 static char *get_command_name( guint Number){
270 /* return the name of the command as a string */
272 if ( Number == 0) return "Unknow";
273 if ( Number == 1) return "Connect";
274 if ( Number == 2) return "Bind";
275 if ( Number == 3) return "UdpAssociate";
276 if ( Number == 0x80) return "Ping";
277 if ( Number == 0x81) return "Traceroute";
282 static int display_address(tvbuff_t *tvb, int offset,
283 packet_info *pinfo, proto_tree *tree) {
285 /* decode and display the v5 address, return offset of next byte */
287 int a_type = tvb_get_guint8(tvb, offset);
289 proto_tree_add_text( tree, tvb, offset, 1,
290 "Address Type: %d (%s)", a_type,
291 address_type_table[ MIN( (guint) a_type,
292 array_length( address_type_table)-1) ]);
296 if ( a_type == 1){ /* IPv4 address */
297 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
301 else if ( a_type == 3){ /* domain name address */
303 offset += display_string(tvb, offset, pinfo, tree,
306 else if ( a_type == 4){ /* IPv6 address */
307 proto_tree_add_item( tree, hf_socks_ip6_dst, tvb, offset,
316 static int get_address_v5(tvbuff_t *tvb, int offset,
317 socks_hash_entry_t *hash_info) {
319 /* decode the v5 address and return offset of next byte */
320 /*XXX this needs to handle IPV6 and domain name addresses */
323 int a_type = tvb_get_guint8(tvb, offset++);
325 if ( a_type == 1){ /* IPv4 address */
328 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr,
333 else if ( a_type == 4) /* IPv6 address */
336 else if ( a_type == 3) /* domain name address */
337 offset += tvb_get_guint8(tvb, offset) + 1;
342 /********************* V5 UDP Associate handlers ***********************/
345 socks_udp_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
347 /* Conversation dissector called from UDP dissector. Decode and display */
348 /* the socks header, the pass the rest of the data to the udp port */
349 /* decode routine to handle the payload. */
353 socks_hash_entry_t *hash_info;
354 conversation_t *conversation;
355 proto_tree *socks_tree;
358 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
359 pinfo->srcport, pinfo->destport, 0);
361 g_assert( conversation); /* should always find a conversation */
363 hash_info = conversation_get_proto_data(conversation, proto_socks);
365 if (check_col(pinfo->fd, COL_PROTOCOL))
366 col_set_str(pinfo->fd, COL_PROTOCOL, "Socks");
368 if (check_col(pinfo->fd, COL_INFO))
369 col_add_fstr(pinfo->fd, COL_INFO, "Version: 5, UDP Associated packet");
372 ti = proto_tree_add_protocol_format( tree, proto_socks, tvb, offset,
373 tvb_length_remaining(tvb, offset), "Socks" );
375 socks_tree = proto_item_add_subtree(ti, ett_socks);
377 proto_tree_add_text( socks_tree, tvb, offset, 2, "Reserved");
380 proto_tree_add_text( socks_tree, tvb, offset, 1, "Fragment Number: %d", tvb_get_guint8(tvb, offset));
384 offset = display_address( tvb, offset, pinfo, socks_tree);
385 hash_info->udp_remote_port = tvb_get_ntohs(tvb, offset);
387 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
388 offset, 2, hash_info->udp_remote_port);
392 else { /* no tree, skip past the socks header */
394 offset = get_address_v5( tvb, offset, 0) + 2;
398 /* set pi src/dst port and call the udp sub-dissector lookup */
400 if ( pinfo->srcport == hash_info->port)
401 ptr = &pinfo->destport;
403 ptr = &pinfo->srcport;
405 *ptr = hash_info->udp_remote_port;
407 decode_udp_ports( tvb, offset, &pi, tree, pinfo->srcport, pinfo->destport);
409 *ptr = hash_info->udp_port;
415 new_udp_conversation( socks_hash_entry_t *hash_info, packet_info *pinfo){
417 conversation_t *conversation = conversation_new( &pinfo->src, &pinfo->dst, PT_UDP,
418 hash_info->udp_port, hash_info->port, 0);
420 g_assert( conversation);
422 conversation_add_proto_data(conversation, proto_socks, hash_info);
423 conversation_set_dissector(conversation, socks_udp_dissector);
429 /**************** Protocol Tree Display routines ******************/
432 display_socks_v4(tvbuff_t *tvb, int offset, packet_info *pinfo,
433 proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
436 /* Display the protocol tree for the V5 version. This routine uses the */
437 /* stored conversation information to decide what to do with the row. */
438 /* Per packet information would have been better to do this, but we */
439 /* didn't have that when I wrote this. And I didn't expect this to get */
445 /* Display command from client */
446 if (compare_packet( hash_info->connect_row)){
448 proto_tree_add_text( tree, tvb, offset, 1,
449 "Version: %u ", hash_info->version);
451 command = tvb_get_guint8(tvb, offset);
453 proto_tree_add_text( tree, tvb, offset, 1,
454 "Command: %u (%s)", command,
455 get_command_name( command));
459 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
463 /* Do destination address */
464 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
469 /*XXX check this, needs to do length checking */
470 /* Should perhaps do TCP reassembly as well */
471 if ( tvb_offset_exists(tvb, offset)) {
472 /* display user name */
473 proto_tree_add_string( tree, hf_user_name, tvb, offset,
474 strlen( tvb_get_ptr(tvb, offset, -1)) + 1,
475 tvb_get_ptr(tvb, offset, -1));
479 /*Display command response from server*/
481 else if ( compare_packet( hash_info->cmd_reply_row)){
483 proto_tree_add_text( tree, tvb, offset, 1,
484 "Version: %u (should be 0) ", tvb_get_guint8(tvb, offset));
486 /* Do results code */
487 proto_tree_add_text( tree, tvb, offset, 1,
488 "Result Code: %u (%s)", tvb_get_guint8(tvb, offset) ,
489 reply_table_v4[ MAX(0, MIN( tvb_get_guint8(tvb, offset) - 90, 4))]);
493 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2,
496 /* Do remote address */
497 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4,
501 else if ( compare_packet( hash_info->v4_user_name_row)){
503 /*XXX check this, needs to do length checking */
504 /* Should perhaps do TCP reassembly as well */
505 if ( tvb_offset_exists(tvb, offset)) {
506 proto_tree_add_text( tree, tvb, offset,
507 strlen( tvb_get_ptr(tvb, offset, -1)),
508 "User Name: %s", tvb_get_ptr(tvb, offset, -1));
515 display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
516 proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
518 /* Display the protocol tree for the version. This routine uses the */
519 /* stored conversation information to decide what to do with the row. */
520 /* Per packet information would have been better to do this, but we */
521 /* didn't have that when I wrote this. And I didn't expect this to get */
524 unsigned int i, command;
529 if (compare_packet( hash_info->connect_row)){
531 proto_tree *AuthTree;
535 proto_tree_add_uint( tree, hf_socks_ver, tvb, offset, 1,
539 temp = tvb_get_guint8(tvb, offset); /* Get Auth method count */
540 /* build auth tree */
541 ti = proto_tree_add_text( tree, tvb, offset, 1,
542 "Client Authentication Methods");
544 AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
546 proto_tree_add_text( AuthTree, tvb, offset, 1,
550 for( i = 0; i < temp; ++i) {
552 AuthMethodStr = get_auth_method_name(
553 tvb_get_guint8( tvb, offset + i));
554 proto_tree_add_text( AuthTree, tvb, offset + i, 1,
555 "Method[%d]: %u (%s)", i,
556 tvb_get_guint8( tvb, offset + i), AuthMethodStr);
559 } /* Get accepted auth method */
560 else if (compare_packet( hash_info->auth_method_row)) {
564 proto_tree_add_text( tree, tvb, offset, 1,
565 "Accepted Auth Method: 0x%0x (%s)", tvb_get_guint8( tvb, offset),
566 get_auth_method_name( tvb_get_guint8( tvb, offset)));
569 } /* handle user/password auth */
570 else if (compare_packet( hash_info->user_name_auth_row)) {
572 proto_tree_add_text( tree, tvb, offset, 1,
573 "Version: %u ", hash_info->version);
575 /* process user name */
576 offset += display_string( tvb, offset, pinfo, tree,
578 /* process password */
579 offset += display_string( tvb, offset, pinfo, tree,
582 /* command to the server */
583 /* command response from server */
584 else if ((compare_packet( hash_info->command_row)) ||
585 (compare_packet( hash_info->cmd_reply_row)) ||
586 (compare_packet( hash_info->bind_reply_row))){
588 proto_tree_add_text( tree, tvb, offset, 1,
589 "Version: %u ", hash_info->version);
593 command = tvb_get_guint8(tvb, offset);
595 if (compare_packet( hash_info->command_row))
596 proto_tree_add_text( tree, tvb, offset, 1, "Command: %u (%s)",
597 command, get_command_name( command));
599 proto_tree_add_text( tree, tvb, offset, 1, "Status: %d (%s)",
600 tvb_get_guint8(tvb, offset), reply_table_v5[ MAX( 0,
601 MIN(tvb_get_guint8(tvb, offset) - 90, 9))]);
604 proto_tree_add_text( tree, tvb, offset, 1,
605 "Reserved: 0x%0x (should = 0x00)", tvb_get_guint8(tvb, offset));
608 offset = display_address(tvb, offset, pinfo, tree);
611 proto_tree_add_text( tree, tvb, offset, 2,
613 (compare_packet( hash_info->bind_reply_row) ?
614 "Remote Host " : ""),
615 tvb_get_ntohs(tvb, offset));
621 /**************** Decoder State Machines ******************/
625 state_machine_v4( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
626 int offset, packet_info *pinfo) {
628 /* Decode V4 protocol. This is done on the first pass through the */
629 /* list. Based upon the current state, decode the packet and determine */
630 /* what the next state should be. If we had per packet information, */
631 /* this would be the place to load them up. */
633 if ( hash_info->state == None) { /* new connection */
635 if (check_col(pinfo->fd, COL_INFO))
636 col_append_str(pinfo->fd, COL_INFO, " Connect to server request");
638 hash_info->state = Connecting; /* change state */
640 hash_info->command = tvb_get_guint8(tvb, offset + 1);
641 /* get remote port */
642 if ( hash_info->command == CONNECT_COMMAND)
643 hash_info->port = tvb_get_ntohs(tvb, offset + 2);
644 /* get remote address */
646 tvb_memcpy(tvb, (guint8 *)&hash_info->dst_addr, offset + 4, 4);
648 /* save the packet pointer */
649 hash_info->connect_row = get_packet_ptr;
651 /* skip past this stuff */
652 hash_info->connect_offset = offset + 8;
656 if ( !tvb_offset_exists(tvb, offset)) /* if no user name */
658 hash_info->state = V4UserNameWait;
661 hash_info->connect_offset += strlen( tvb_get_ptr(tvb, offset, -1)) + 1;
663 if ( !hash_info->dst_addr){ /* if no dest address */
665 if ( tvb_offset_exists(tvb, hash_info->connect_offset)) {
666 /*XXX copy remote name here ??? */
667 hash_info->state = Connecting;
670 hash_info->state = V4NameWait;
672 /* waiting for V4 user name */
673 }else if ( hash_info->state == V4UserNameWait){
675 if (check_col(pinfo->fd, COL_INFO))
676 col_append_str(pinfo->fd, COL_INFO, " Connect Request (User name)");
678 hash_info->v4_user_name_row = get_packet_ptr;
679 /*XXX may need to check for domain name here */
680 hash_info->state = Connecting;
682 /* waiting for V4 domain name */
683 else if ( hash_info->state == V4NameWait){
685 hash_info->v4_name_row = get_packet_ptr;
686 hash_info->state = Connecting;
689 else if ( hash_info->state == Connecting){
691 if (check_col(pinfo->fd, COL_INFO))
692 col_append_str(pinfo->fd, COL_INFO, " Connect Response");
694 /* save packet pointer */
695 hash_info->cmd_reply_row = get_packet_ptr;
696 hash_info->state = Done; /* change state */
706 state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
707 int offset, packet_info *pinfo) {
709 /* Decode V5 protocol. This is done on the first pass through the */
710 /* list. Based upon the current state, decode the packet and determine */
711 /* what the next state should be. If we had per packet information, */
712 /* this would be the place to load them up. */
717 if ( hash_info->state == None) {
719 if (check_col(pinfo->fd, COL_INFO))
720 col_append_str(pinfo->fd, COL_INFO, " Connect to server request");
722 hash_info->state = Connecting; /* change state */
723 hash_info->connect_row = get_packet_ptr;
725 temp = tvb_get_guint8(tvb, offset + 1);
726 /* skip past auth methods */
727 offset = hash_info->connect_offset = offset + 1 + temp;
729 else if ( hash_info->state == Connecting){
731 guint AuthMethod = tvb_get_guint8(tvb, offset + 1);
733 if (check_col(pinfo->fd, COL_INFO))
734 col_append_str(pinfo->fd, COL_INFO, " Connect to server response");
736 hash_info->auth_method_row = get_packet_ptr;
738 if ( AuthMethod == NO_AUTHENTICATION)
739 hash_info->state = V5Command;
741 else if ( AuthMethod == USER_NAME_AUTHENTICATION)
742 hash_info->state = UserNameAuth;
744 else if ( AuthMethod == GSS_API_AUTHENTICATION)
745 /*XXX should be this hash_info->state = GssApiAuth; */
746 hash_info->state = Done;
748 else hash_info->state = Done; /*Auth failed or error*/
752 else if ( hash_info->state == V5Command) { /* Handle V5 Command */
756 hash_info->command = tvb_get_guint8(tvb, offset + 1); /* get command */
758 if (check_col(pinfo->fd, COL_INFO))
759 col_append_fstr(pinfo->fd, COL_INFO, " Command Request - %s",
760 get_command_name(hash_info->command));
762 hash_info->state = V5Reply;
763 hash_info->command_row = get_packet_ptr;
765 offset += 3; /* skip to address type */
767 offset = get_address_v5(tvb, offset, hash_info);
769 temp = tvb_get_guint8(tvb, offset);
771 if (( hash_info->command == CONNECT_COMMAND) ||
772 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
773 /* get remote port */
774 hash_info->port = tvb_get_ntohs(tvb, offset);
777 else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
780 if (check_col(pinfo->fd, COL_INFO))
781 col_append_fstr(pinfo->fd, COL_INFO, " Command Response - %s",
782 get_command_name(hash_info->command));
784 hash_info->cmd_reply_row = get_packet_ptr;
786 if (( hash_info->command == CONNECT_COMMAND) ||
787 (hash_info->command == PING_COMMAND) ||
788 (hash_info->command == TRACERT_COMMAND))
789 hash_info->state = Done;
791 else if ( hash_info->command == BIND_COMMAND)
792 hash_info->state = V5BindReply;
794 else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
795 offset += 3; /* skip to address type */
796 offset = get_address_v5(tvb, offset, hash_info);
798 /* save server udp port and create udp conversation */
799 hash_info->udp_port = tvb_get_ntohs(tvb, offset);
801 if (!pinfo->fd->flags.visited)
802 new_udp_conversation( hash_info, pinfo);
804 /*XXX may need else statement to handle unknows and generate error message */
808 else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
810 if (check_col(pinfo->fd, COL_INFO))
811 col_append_str(pinfo->fd, COL_INFO, " Command Response: Bind remote host info");
813 hash_info->bind_reply_row = get_packet_ptr;
814 hash_info->state = Done;
816 else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
817 if (check_col(pinfo->fd, COL_INFO))
818 col_append_str(pinfo->fd, COL_INFO,
819 " User authentication response");
821 hash_info->user_name_auth_row = get_packet_ptr;
822 hash_info->state = AuthReply;
825 else if ( hash_info->state == AuthReply){ /* V5 User Auth reply */
826 hash_info->cmd_reply_row = get_packet_ptr;
827 if (check_col(pinfo->fd, COL_INFO))
828 col_append_str(pinfo->fd, COL_INFO, " User authentication reply");
829 hash_info->state = V5Command;
836 display_ping_and_tracert(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, socks_hash_entry_t *hash_info) {
838 /* Display the ping/trace_route conversation */
841 const u_char *data, *dataend;
842 const u_char *lineend, *eol;
845 /* handle the end command */
846 if ( pinfo->destport == TCP_PORT_SOCKS){
847 if (check_col(pinfo->fd, COL_INFO))
848 col_append_str(pinfo->fd, COL_INFO, ", Terminate Request");
851 proto_tree_add_text(tree, tvb, offset, 1,
852 (hash_info->command == PING_COMMAND) ?
853 "Ping: End command" :
854 "Traceroute: End command");
856 else{ /* display the PING or Traceroute results */
857 if (check_col(pinfo->fd, COL_INFO))
858 col_append_str(pinfo->fd, COL_INFO, ", Results");
861 proto_tree_add_text(tree, tvb, offset,
862 tvb_length_remaining(tvb, offset),
863 (hash_info->command == PING_COMMAND) ?
865 "Traceroute Results");
867 data = tvb_get_ptr(tvb, offset, -1);
868 dataend = data + tvb_length_remaining(tvb, offset);
870 while (data < dataend) {
872 lineend = find_line_end(data, dataend, &eol);
873 linelen = lineend - data;
875 proto_tree_add_text( tree, tvb, offset, linelen,
876 format_text(data, linelen));
886 static void call_next_dissector(tvbuff_t *tvb, int offset, packet_info *pinfo,
887 proto_tree *tree, socks_hash_entry_t *hash_info) {
889 /* Display the results for PING and TRACERT extensions or */
890 /* Call TCP dissector for the port that was passed during the */
891 /* connect process */
892 /* Load pointer to pinfo->XXXport depending upon the direction, */
893 /* change pinfo port to the remote port, call next dissecotr to decode */
894 /* the payload, and restore the pinfo port after that is done. */
898 if (( hash_info->command == PING_COMMAND) ||
899 ( hash_info->command == TRACERT_COMMAND))
901 display_ping_and_tracert(tvb, offset, pinfo, tree, hash_info);
903 else { /* call the tcp port decoder to handle the payload */
905 /*XXX may want to load dest address here */
907 if ( pinfo->destport == TCP_PORT_SOCKS)
908 ptr = &pinfo->destport;
910 ptr = &pinfo->srcport;
912 *ptr = hash_info->port;
913 decode_tcp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport);
914 *ptr = TCP_PORT_SOCKS;
921 dissect_socks(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
924 proto_tree *socks_tree;
926 socks_hash_entry_t *hash_info;
927 conversation_t *conversation;
929 conversation = find_conversation( &pinfo->src, &pinfo->dst, pinfo->ptype,
930 pinfo->srcport, pinfo->destport, 0);
933 conversation = conversation_new( &pinfo->src, &pinfo->dst, pinfo->ptype,
934 pinfo->srcport, pinfo->destport, 0);
936 hash_info = conversation_get_proto_data(conversation,proto_socks);
938 hash_info = g_mem_chunk_alloc(socks_vals);
939 hash_info->start_done_row = G_MAXINT;
940 hash_info->state = None;
941 //XX hash_info->port = -1;
943 hash_info->version = tvb_get_guint8(tvb, offset); /* get version*/
945 if (( hash_info->version != 4) && /* error test version */
946 ( hash_info->version != 5))
947 hash_info->state = Done;
949 conversation_add_proto_data(conversation, proto_socks,
952 /* set dissector for now */
953 conversation_set_dissector(conversation, dissect_socks);
956 /* display summary window information */
958 if (check_col(pinfo->fd, COL_PROTOCOL))
959 col_set_str(pinfo->fd, COL_PROTOCOL, "Socks");
961 if (check_col(pinfo->fd, COL_INFO)){
962 if (( hash_info->version == 4) || ( hash_info->version == 5)){
963 col_add_fstr(pinfo->fd, COL_INFO, "Version: %d",
966 else /* unknown version display error */
967 col_set_str(pinfo->fd, COL_INFO, "Unknown");
970 if ( hash_info->command == PING_COMMAND)
971 col_append_str(pinfo->fd, COL_INFO, ", Ping Req");
972 if ( hash_info->command == TRACERT_COMMAND)
973 col_append_str(pinfo->fd, COL_INFO, ", Traceroute Req");
975 //XX if ( hash_info->port != -1)
976 if ( hash_info->port != 0)
977 col_append_fstr(pinfo->fd, COL_INFO, ", Remote Port: %d",
982 /* run state machine if needed */
984 if ((hash_info->state != Done) && ( !pinfo->fd->flags.visited)){
986 if ( hash_info->version == 4)
987 state_machine_v4( hash_info, tvb, offset, pinfo);
989 else if ( hash_info->version == 5)
990 state_machine_v5( hash_info, tvb, offset, pinfo);
992 if (hash_info->state == Done) { /* if done now */
993 hash_info->start_done_row = pinfo->fd->num;
997 /* if proto tree, decode and display */
1000 ti = proto_tree_add_item( tree, proto_socks, tvb, offset,
1001 tvb_length_remaining(tvb, offset), FALSE );
1003 socks_tree = proto_item_add_subtree(ti, ett_socks);
1005 if ( hash_info->version == 4)
1006 display_socks_v4(tvb, offset, pinfo, tree, socks_tree,
1009 else if ( hash_info->version == 5)
1010 display_socks_v5(tvb, offset, pinfo, tree, socks_tree,
1013 /* if past startup, add the faked stuff */
1014 if ( pinfo->fd->num > hash_info->start_done_row){
1015 /* add info to tree */
1016 proto_tree_add_text( socks_tree, tvb, offset, 0,
1017 "Command: %d (%s)", hash_info->command,
1018 get_command_name(hash_info->command));
1020 proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, tvb,
1021 offset, 0, hash_info->dst_addr);
1023 /* no fake address for ping & traceroute */
1025 if (( hash_info->command != PING_COMMAND) &&
1026 ( hash_info->command != TRACERT_COMMAND)){
1027 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
1028 offset, 0, hash_info->port);
1035 /* call next dissector if ready */
1037 if ( pinfo->fd->num > hash_info->start_done_row){
1038 call_next_dissector(tvb, offset, pinfo, tree, hash_info);
1044 static void socks_reinit( void){
1046 /* Do the cleanup work when a new pass through the packet list is */
1047 /* performed. Reset the highest row seen counter and re-initialize the */
1048 /* conversation memory chunks. */
1051 g_mem_chunk_destroy(socks_vals);
1053 socks_vals = g_mem_chunk_new("socks_vals", socks_hash_val_length,
1054 socks_hash_init_count * socks_hash_val_length,
1060 proto_register_socks( void){
1062 /*** Prep the socks protocol, register it and a initialization routine */
1063 /* to clear the hash stuff. */
1066 static gint *ett[] = {
1073 static hf_register_info hf[] = {
1077 { "Version", "socks.ver", FT_UINT8, BASE_DEC, NULL,
1082 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1086 { &hf_socks_ip6_dst,
1087 { "Remote Address", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1093 { "User Name", "socks.username", FT_STRING, BASE_NONE,
1094 NULL, 0x0, "", HFILL
1097 { &hf_socks_dstport,
1098 { "Remote Port", "socks.dstport", FT_UINT16,
1099 BASE_DEC, NULL, 0x0, "", HFILL
1102 { &hf_socks_command,
1103 { "Command", "socks.command", FT_UINT16,
1104 BASE_DEC, NULL, 0x0, "", HFILL
1111 proto_socks = proto_register_protocol (
1112 "Socks Protocol", "Socks", "socks");
1114 proto_register_field_array(proto_socks, hf, array_length(hf));
1115 proto_register_subtree_array(ett, array_length(ett));
1117 register_init_routine( &socks_reinit); /* register re-init routine */
1122 proto_reg_handoff_socks(void) {
1124 /* dissector install routine */
1126 dissector_add("tcp.port", TCP_PORT_SOCKS, dissect_socks,
git.samba.org / obnox / wireshark / wip.git / blob