2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.92 2000/12/13 02:24:21 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
43 #ifdef NEED_SNPRINTF_H
44 # include "snprintf.h"
52 #include "packet-tcp.h"
53 #include "packet-ip.h"
54 #include "conversation.h"
57 /* Place TCP summary in proto tree */
58 static gboolean tcp_summary_in_tree = TRUE;
60 extern FILE* data_out_file;
62 guint16 tcp_urgent_pointer;
64 static int proto_tcp = -1;
65 static int hf_tcp_srcport = -1;
66 static int hf_tcp_dstport = -1;
67 static int hf_tcp_port = -1;
68 static int hf_tcp_seq = -1;
69 static int hf_tcp_nxtseq = -1;
70 static int hf_tcp_ack = -1;
71 static int hf_tcp_hdr_len = -1;
72 static int hf_tcp_flags = -1;
73 static int hf_tcp_flags_cwr = -1;
74 static int hf_tcp_flags_ecn = -1;
75 static int hf_tcp_flags_urg = -1;
76 static int hf_tcp_flags_ack = -1;
77 static int hf_tcp_flags_push = -1;
78 static int hf_tcp_flags_reset = -1;
79 static int hf_tcp_flags_syn = -1;
80 static int hf_tcp_flags_fin = -1;
81 static int hf_tcp_window_size = -1;
82 static int hf_tcp_checksum = -1;
83 static int hf_tcp_urgent_pointer = -1;
85 static gint ett_tcp = -1;
86 static gint ett_tcp_flags = -1;
87 static gint ett_tcp_options = -1;
88 static gint ett_tcp_option_sack = -1;
90 static dissector_table_t subdissector_table;
91 static heur_dissector_list_t heur_subdissector_list;
95 #define TCP_PORT_SMTP 25
97 /* TCP structs and definitions */
99 typedef struct _e_tcphdr {
104 guint8 th_off_x2; /* combines th_off and th_x2 */
123 #define TCPOPT_NOP 1 /* Padding */
124 #define TCPOPT_EOL 0 /* End of options */
125 #define TCPOPT_MSS 2 /* Segment size negotiating */
126 #define TCPOPT_WINDOW 3 /* Window scaling */
127 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
128 #define TCPOPT_SACK 5 /* SACK Block */
129 #define TCPOPT_ECHO 6
130 #define TCPOPT_ECHOREPLY 7
131 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
133 #define TCPOPT_CCNEW 12
134 #define TCPOPT_CCECHO 13
140 #define TCPOLEN_MSS 4
141 #define TCPOLEN_WINDOW 3
142 #define TCPOLEN_SACK_PERM 2
143 #define TCPOLEN_SACK_MIN 2
144 #define TCPOLEN_ECHO 6
145 #define TCPOLEN_ECHOREPLY 6
146 #define TCPOLEN_TIMESTAMP 10
148 #define TCPOLEN_CCNEW 6
149 #define TCPOLEN_CCECHO 6
152 tcp_info_append_uint(frame_data *fd, const char *abbrev, guint32 val)
154 if (check_col(fd, COL_INFO))
155 col_append_fstr(fd, COL_INFO, " %s=%u", abbrev, val);
159 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
160 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
164 mss = tvb_get_ntohs(tvb, offset + 2);
165 proto_tree_add_text(opt_tree, tvb, offset, optlen,
166 "%s: %u bytes", optp->name, mss);
167 tcp_info_append_uint(fd, "MSS", mss);
171 dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
172 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
176 ws = tvb_get_guint8(tvb, offset + 2);
177 proto_tree_add_text(opt_tree, tvb, offset, optlen,
178 "%s: %u bytes", optp->name, ws);
179 tcp_info_append_uint(fd, "WS", ws);
183 dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
184 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
186 proto_tree *field_tree = NULL;
188 guint leftedge, rightedge;
190 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
191 offset += 2; /* skip past type and length */
192 optlen -= 2; /* subtract size of type and length */
194 if (field_tree == NULL) {
195 /* Haven't yet made a subtree out of this option. Do so. */
196 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
199 proto_tree_add_text(field_tree, tvb, offset, optlen,
200 "(suboption would go past end of option)");
203 leftedge = tvb_get_ntohl(tvb, offset);
206 proto_tree_add_text(field_tree, tvb, offset, optlen,
207 "(suboption would go past end of option)");
210 /* XXX - check whether it goes past end of packet */
211 rightedge = tvb_get_ntohl(tvb, offset + 4);
213 proto_tree_add_text(field_tree, tvb, offset, 8,
214 "left edge = %u, right edge = %u", leftedge, rightedge);
215 tcp_info_append_uint(fd, "SLE", leftedge);
216 tcp_info_append_uint(fd, "SRE", rightedge);
222 dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
223 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
227 echo = tvb_get_ntohl(tvb, offset + 2);
228 proto_tree_add_text(opt_tree, tvb, offset, optlen,
229 "%s: %u", optp->name, echo);
230 tcp_info_append_uint(fd, "ECHO", echo);
234 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
235 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
239 tsv = tvb_get_ntohl(tvb, offset + 2);
240 tser = tvb_get_ntohl(tvb, offset + 6);
241 proto_tree_add_text(opt_tree, tvb, offset, optlen,
242 "%s: tsval %u, tsecr %u", optp->name, tsv, tser);
243 tcp_info_append_uint(fd, "TSV", tsv);
244 tcp_info_append_uint(fd, "TSER", tser);
248 dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
249 int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
253 cc = tvb_get_ntohl(tvb, offset + 2);
254 proto_tree_add_text(opt_tree, tvb, offset, optlen,
255 "%s: %u", optp->name, cc);
256 tcp_info_append_uint(fd, "CC", cc);
259 static const ip_tcp_opt tcpopts[] = {
278 "Maximum segment size",
282 dissect_tcpopt_maxseg
290 dissect_tcpopt_wscale
303 &ett_tcp_option_sack,
330 dissect_tcpopt_timestamp
358 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
361 static const true_false_string flags_set_truth = {
367 /* Determine if there is a sub-dissector and call it. This has been */
368 /* separated into a stand alone routine to other protocol dissectors */
369 /* can call to it, ie. socks */
372 decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
373 proto_tree *tree, int src_port, int dst_port)
377 const u_char *next_pd;
381 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
383 /* determine if this packet is part of a conversation and call dissector */
384 /* for the conversation if available */
386 if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
387 src_port, dst_port, next_tvb, pinfo, tree))
390 /* try to apply the plugins */
393 plugin *pt_plug = plugin_list;
395 if (enabled_plugins_number > 0) {
396 tvb_compat(next_tvb, &next_pd, &next_offset);
398 if (pt_plug->enabled && strstr(pt_plug->protocol, "tcp") &&
399 tree && dfilter_apply(pt_plug->filter, tree, next_pd, pinfo->fd->cap_len)) {
400 pt_plug->dissector(next_pd, next_offset, pinfo->fd, tree);
403 pt_plug = pt_plug->next;
409 /* do lookup with the subdissector table */
410 if (dissector_try_port(subdissector_table, src_port, next_tvb, pinfo, tree) ||
411 dissector_try_port(subdissector_table, dst_port, next_tvb, pinfo, tree))
414 /* do lookup with the heuristic subdissector table */
415 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
418 /* Oh, well, we don't know this; dissect it as data. */
419 dissect_data(next_tvb, 0, pinfo, tree);
424 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
427 proto_tree *tcp_tree = NULL, *field_tree = NULL;
430 gchar flags[64] = "<None>";
431 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
442 guint16 computed_cksum;
443 guint length_remaining;
445 CHECK_DISPLAY_AS_DATA(proto_tcp, tvb, pinfo, tree);
447 pinfo->current_proto = "TCP";
449 if (check_col(pinfo->fd, COL_PROTOCOL))
450 col_set_str(pinfo->fd, COL_PROTOCOL, "TCP");
452 /* Clear out the Info column. */
453 if (check_col(pinfo->fd, COL_INFO))
454 col_clear(pinfo->fd, COL_INFO);
456 /* Avoids alignment problems on many architectures. */
457 tvb_memcpy(tvb, (guint8 *)&th, offset, sizeof(e_tcphdr));
458 th.th_sport = ntohs(th.th_sport);
459 th.th_dport = ntohs(th.th_dport);
460 th.th_win = ntohs(th.th_win);
461 th.th_sum = ntohs(th.th_sum);
462 th.th_urp = ntohs(th.th_urp);
463 th.th_seq = ntohl(th.th_seq);
464 th.th_ack = ntohl(th.th_ack);
466 /* Export the urgent pointer, for the benefit of protocols such as
468 tcp_urgent_pointer = th.th_urp;
470 if (check_col(pinfo->fd, COL_INFO) || tree) {
471 for (i = 0; i < 8; i++) {
473 if (th.th_flags & bpos) {
475 strcpy(&flags[fpos], ", ");
478 strcpy(&flags[fpos], fstr[i]);
485 hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
487 reported_len = tvb_reported_length(tvb);
488 len = tvb_length(tvb);
490 /* Compute the length of data in this segment. */
491 seglen = reported_len - hlen;
493 /* Compute the sequence number of next octet after this segment. */
494 nxtseq = th.th_seq + seglen;
496 if (check_col(pinfo->fd, COL_INFO)) {
497 if (th.th_flags & TH_URG)
498 col_append_fstr(pinfo->fd, COL_INFO, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u Len=%d",
499 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
500 th.th_seq, th.th_ack, th.th_win, th.th_urp, seglen);
502 col_append_fstr(pinfo->fd, COL_INFO, "%s > %s [%s] Seq=%u Ack=%u Win=%u Len=%d",
503 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
504 th.th_seq, th.th_ack, th.th_win, seglen);
508 if (tcp_summary_in_tree) {
509 ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, offset, hlen, "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u), Seq: %u, Ack: %u", get_tcp_port(th.th_sport), th.th_sport, get_tcp_port(th.th_dport), th.th_dport, th.th_seq, th.th_ack);
512 ti = proto_tree_add_item(tree, proto_tcp, tvb, offset, hlen, FALSE);
514 tcp_tree = proto_item_add_subtree(ti, ett_tcp);
515 proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th.th_sport,
516 "Source port: %s (%u)", get_tcp_port(th.th_sport), th.th_sport);
517 proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th.th_dport,
518 "Destination port: %s (%u)", get_tcp_port(th.th_dport), th.th_dport);
519 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th.th_sport);
520 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th.th_dport);
521 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th.th_seq);
522 if (nxtseq != th.th_seq)
523 proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
524 if (th.th_flags & TH_ACK)
525 proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th.th_ack);
526 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
527 "Header length: %u bytes", hlen);
528 tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
529 th.th_flags, "Flags: 0x%04x (%s)", th.th_flags, flags);
530 field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
531 proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th.th_flags);
532 proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th.th_flags);
533 proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th.th_flags);
534 proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th.th_flags);
535 proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th.th_flags);
536 proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th.th_flags);
537 proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th.th_flags);
538 proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th.th_flags);
539 proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th.th_win);
540 if (!pinfo->fragmented && len >= reported_len) {
541 /* The packet isn't part of a fragmented datagram and isn't
542 truncated, so we can checksum it.
543 XXX - make a bigger scatter-gather list once we do fragment
546 /* Set up the fields of the pseudo-header. */
547 cksum_vec[0].ptr = pinfo->src.data;
548 cksum_vec[0].len = pinfo->src.len;
549 cksum_vec[1].ptr = pinfo->dst.data;
550 cksum_vec[1].len = pinfo->dst.len;
551 cksum_vec[2].ptr = (const guint8 *)&phdr;
552 switch (pinfo->src.type) {
555 phdr[0] = htonl((IP_PROTO_TCP<<16) + reported_len);
556 cksum_vec[2].len = 4;
560 phdr[0] = htonl(reported_len);
561 phdr[1] = htonl(IP_PROTO_TCP);
562 cksum_vec[2].len = 8;
566 /* TCP runs only atop IPv4 and IPv6.... */
567 g_assert_not_reached();
570 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
571 cksum_vec[3].len = reported_len;
572 computed_cksum = in_cksum(&cksum_vec[0], 4);
573 if (computed_cksum == 0) {
574 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
575 offset + 16, 2, th.th_sum, "Checksum: 0x%04x (correct)", th.th_sum);
577 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
578 offset + 16, 2, th.th_sum,
579 "Checksum: 0x%04x (incorrect, should be 0x%04x)", th.th_sum,
580 in_cksum_shouldbe(th.th_sum, computed_cksum));
583 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
584 offset + 16, 2, th.th_sum, "Checksum: 0x%04x", th.th_sum);
586 if (th.th_flags & TH_URG)
587 proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th.th_urp);
590 /* Decode TCP options, if any. */
591 if (tree && hlen > sizeof (e_tcphdr)) {
592 /* There's more than just the fixed-length header. Decode the
594 optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
595 tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
596 "Options: (%d bytes)", optlen);
597 field_tree = proto_item_add_subtree(tf, ett_tcp_options);
598 dissect_ip_tcp_options(tvb, offset + 20, optlen,
599 tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo->fd, field_tree);
602 /* Skip over header + options */
605 pinfo->ptype = PT_TCP;
606 pinfo->srcport = th.th_sport;
607 pinfo->destport = th.th_dport;
609 /* Check the packet length to see if there's more data
610 (it could be an ACK-only packet) */
611 length_remaining = tvb_length_remaining(tvb, offset);
612 if (length_remaining != 0) {
613 if (th.th_flags & TH_RST) {
617 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
619 * A TCP SHOULD allow a received RST segment to include data.
622 * It has been suggested that a RST segment could contain
623 * ASCII text that encoded and explained the cause of the
624 * RST. No standard has yet been established for such
627 * so for segments with RST we just display the data as text.
629 proto_tree_add_text(tcp_tree, tvb, offset, length_remaining,
631 tvb_format_text(tvb, offset, length_remaining));
633 decode_tcp_ports( tvb, offset, pinfo, tree, th.th_sport, th.th_dport);
636 if( data_out_file ) {
637 reassemble_tcp( th.th_seq, /* sequence number */
638 seglen, /* data length */
639 tvb_get_ptr(tvb, offset, length_remaining), /* data */
640 length_remaining, /* captured data length */
641 ( th.th_flags & TH_SYN ), /* is syn set? */
650 proto_register_tcp(void)
652 static hf_register_info hf[] = {
655 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
659 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
663 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
667 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
671 { "Next sequence number", "tcp.nxtseq", FT_UINT32, BASE_DEC, NULL, 0x0,
675 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
679 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
683 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
687 { "Congestion Window Reduced (CWR)", "tcp.flags.cwr", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_CWR,
691 { "ECN-Echo", "tcp.flags.ecn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ECN,
695 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
699 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
702 { &hf_tcp_flags_push,
703 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
706 { &hf_tcp_flags_reset,
707 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
711 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
715 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
718 { &hf_tcp_window_size,
719 { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
723 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
726 { &hf_tcp_urgent_pointer,
727 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
730 static gint *ett[] = {
734 &ett_tcp_option_sack,
736 module_t *tcp_module;
738 proto_tcp = proto_register_protocol ("Transmission Control Protocol", "tcp");
739 proto_register_field_array(proto_tcp, hf, array_length(hf));
740 proto_register_subtree_array(ett, array_length(ett));
742 /* subdissector code */
743 subdissector_table = register_dissector_table("tcp.port");
744 register_heur_dissector_list("tcp", &heur_subdissector_list);
746 /* Register configuration preferences */
747 tcp_module = prefs_register_module("tcp", "TCP", NULL);
748 prefs_register_bool_preference(tcp_module, "tcp_summary_in_tree",
749 "Show TCP summary in protocol tree",
750 "Whether the TCP summary line should be shown in the protocol tree",
751 &tcp_summary_in_tree);
755 proto_reg_handoff_tcp(void)
757 dissector_add("ip.proto", IP_PROTO_TCP, dissect_tcp);
git.samba.org / obnox / wireshark / wip.git / blob