2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.134 2002/02/24 02:59:30 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #ifdef HAVE_SYS_TYPES_H
30 # include <sys/types.h>
33 #ifdef HAVE_NETINET_IN_H
34 # include <netinet/in.h>
42 #ifdef NEED_SNPRINTF_H
43 # include "snprintf.h"
46 #include <epan/resolv.h>
50 #include "packet-tcp.h"
51 #include "packet-ip.h"
52 #include <epan/conversation.h>
53 #include <epan/strutil.h>
54 #include "reassemble.h"
56 /* Place TCP summary in proto tree */
57 static gboolean tcp_summary_in_tree = TRUE;
60 * Don't check the TCP checksum (I've seen packets with bad TCP checksums
61 * in Solaris network traces, but the traffic appears to indicate that
62 * the packet *was* received; I suspect the packets were sent by the host
63 * on which the capture was being done, on a network interface to which
64 * checksumming was offloaded, so that DLPI supplied an un-checksummed
65 * packet to the capture program but a checksummed packet got put onto
68 static gboolean tcp_check_checksum = TRUE;
70 extern FILE* data_out_file;
72 static int proto_tcp = -1;
73 static int hf_tcp_srcport = -1;
74 static int hf_tcp_dstport = -1;
75 static int hf_tcp_port = -1;
76 static int hf_tcp_seq = -1;
77 static int hf_tcp_nxtseq = -1;
78 static int hf_tcp_ack = -1;
79 static int hf_tcp_hdr_len = -1;
80 static int hf_tcp_flags = -1;
81 static int hf_tcp_flags_cwr = -1;
82 static int hf_tcp_flags_ecn = -1;
83 static int hf_tcp_flags_urg = -1;
84 static int hf_tcp_flags_ack = -1;
85 static int hf_tcp_flags_push = -1;
86 static int hf_tcp_flags_reset = -1;
87 static int hf_tcp_flags_syn = -1;
88 static int hf_tcp_flags_fin = -1;
89 static int hf_tcp_window_size = -1;
90 static int hf_tcp_checksum = -1;
91 static int hf_tcp_checksum_bad = -1;
92 static int hf_tcp_urgent_pointer = -1;
94 static gint ett_tcp = -1;
95 static gint ett_tcp_flags = -1;
96 static gint ett_tcp_options = -1;
97 static gint ett_tcp_option_sack = -1;
98 static gint ett_tcp_segments = -1;
100 static dissector_table_t subdissector_table;
101 static heur_dissector_list_t heur_subdissector_list;
102 static dissector_handle_t data_handle;
104 /* TCP structs and definitions */
115 /* Minimum TCP header length. */
116 #define TCPH_MIN_LEN 20
122 #define TCPOPT_NOP 1 /* Padding */
123 #define TCPOPT_EOL 0 /* End of options */
124 #define TCPOPT_MSS 2 /* Segment size negotiating */
125 #define TCPOPT_WINDOW 3 /* Window scaling */
126 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
127 #define TCPOPT_SACK 5 /* SACK Block */
128 #define TCPOPT_ECHO 6
129 #define TCPOPT_ECHOREPLY 7
130 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
132 #define TCPOPT_CCNEW 12
133 #define TCPOPT_CCECHO 13
134 #define TCPOPT_MD5 19 /* RFC2385 */
140 #define TCPOLEN_MSS 4
141 #define TCPOLEN_WINDOW 3
142 #define TCPOLEN_SACK_PERM 2
143 #define TCPOLEN_SACK_MIN 2
144 #define TCPOLEN_ECHO 6
145 #define TCPOLEN_ECHOREPLY 6
146 #define TCPOLEN_TIMESTAMP 10
148 #define TCPOLEN_CCNEW 6
149 #define TCPOLEN_CCECHO 6
150 #define TCPOLEN_MD5 18
154 /* Desegmentation of TCP streams */
155 /* table to hold defragmented TCP streams */
156 static GHashTable *tcp_fragment_table = NULL;
158 tcp_fragment_init(void)
160 fragment_table_init(&tcp_fragment_table);
163 /* functions to trace tcp segments */
164 /* Enable desegmenting of TCP streams */
165 static gboolean tcp_desegment = FALSE;
167 static GHashTable *tcp_segment_table = NULL;
168 static GMemChunk *tcp_segment_key_chunk = NULL;
169 static int tcp_segment_init_count = 200;
170 static GMemChunk *tcp_segment_address_chunk = NULL;
171 static int tcp_segment_address_init_count = 500;
173 typedef struct _tcp_segment_key {
174 /* for ouwn bookkeeping inside packet-tcp.c */
185 free_all_segments(gpointer key_arg, gpointer value, gpointer user_data)
187 tcp_segment_key *key = key_arg;
189 if((key->src)&&(key->src->data)){
190 g_free((gpointer)key->src->data);
194 if((key->dst)&&(key->dst->data)){
195 g_free((gpointer)key->dst->data);
203 tcp_segment_hash(gconstpointer k)
205 tcp_segment_key *key = (tcp_segment_key *)k;
211 tcp_segment_equal(gconstpointer k1, gconstpointer k2)
213 tcp_segment_key *key1 = (tcp_segment_key *)k1;
214 tcp_segment_key *key2 = (tcp_segment_key *)k2;
216 return ( ( (key1->seq==key2->seq)
217 &&(ADDRESSES_EQUAL(key1->src, key2->src))
218 &&(ADDRESSES_EQUAL(key1->dst, key2->dst))
223 tcp_desegment_init(void)
226 * Free this before freeing any memory chunks; those
227 * chunks contain data we'll look at in "free_all_segments()".
229 if(tcp_segment_table){
230 g_hash_table_foreach_remove(tcp_segment_table,
231 free_all_segments, NULL);
232 g_hash_table_destroy(tcp_segment_table);
233 tcp_segment_table = NULL;
236 if(tcp_segment_key_chunk){
237 g_mem_chunk_destroy(tcp_segment_key_chunk);
238 tcp_segment_key_chunk = NULL;
240 if(tcp_segment_address_chunk){
241 g_mem_chunk_destroy(tcp_segment_address_chunk);
242 tcp_segment_address_chunk = NULL;
245 /* dont allocate any hash table or memory chunks unless the user
246 really uses this option
252 tcp_segment_table = g_hash_table_new(tcp_segment_hash,
255 tcp_segment_key_chunk = g_mem_chunk_new("tcp_segment_key_chunk",
256 sizeof(tcp_segment_key),
257 tcp_segment_init_count*sizeof(tcp_segment_key),
260 tcp_segment_address_chunk = g_mem_chunk_new("tcp_segment_address_chunk",
262 tcp_segment_address_init_count*sizeof(address),
267 desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
268 guint32 seq, guint32 nxtseq,
269 guint32 sport, guint32 dport,
270 proto_tree *tree, proto_tree *tcp_tree)
272 struct tcpinfo *tcpinfo = pinfo->private_data;
273 fragment_data *ipfd_head;
274 tcp_segment_key old_tsk, *tsk;
275 gboolean must_desegment = FALSE;
276 gboolean called_dissector = FALSE;
282 * Initialize these to assume no desegmentation.
283 * If that's not the case, these will be set appropriately
284 * by the subdissector.
286 pinfo->desegment_offset = 0;
287 pinfo->desegment_len = 0;
290 * Initialize this to assume that this segment will just be
291 * added to the middle of a desegmented chunk of data, so
292 * that we should show it all as data.
293 * If that's not the case, it will be set appropriately.
295 deseg_offset = offset;
297 /* First we must check if this TCP segment should be desegmented.
298 This is only to check if we should desegment this packet,
299 so we dont spend time doing COPY_ADDRESS/g_free.
300 We just "borrow" some address structures from pinfo instead. Cheaper.
302 old_tsk.src = &pinfo->src;
303 old_tsk.dst = &pinfo->dst;
305 tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
308 /* OK, this segment was found, which means it continues
309 a higher-level PDU. This means we must desegment it.
310 Add it to the defragmentation lists.
312 ipfd_head = fragment_add(tvb, offset, pinfo, tsk->start_seq,
314 seq - tsk->start_seq,
316 (nxtseq < (tsk->start_seq + tsk->tot_len)) );
319 /* fragment_add() returned NULL, This means that
320 desegmentation is not completed yet.
321 (its like defragmentation but we know we will
322 always add the segments in order).
323 XXX - no, we don't; there is no guarantee that
324 TCP segments are in order on the wire.
326 we must add next segment to our table so we will
329 tcp_segment_key *new_tsk;
331 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
332 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
334 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
337 /* This segment was not found in our table, so it doesn't
338 contain a continuation of a higher-level PDU.
339 Call the normal subdissector.
341 decode_tcp_ports(tvb, offset, pinfo, tree,
343 called_dissector = TRUE;
345 /* Did the subdissector ask us to desegment some more data
346 before it could handle the packet?
347 If so we have to create some structures in our table but
348 this is something we only do the first time we see this
351 if(pinfo->desegment_len) {
352 if (!pinfo->fd->flags.visited)
353 must_desegment = TRUE;
356 * Set "deseg_offset" to the offset in "tvb"
357 * of the first byte of data that the
358 * subdissector didn't process.
360 deseg_offset = offset + pinfo->desegment_offset;
363 /* Either no desegmentation is necessary, or this is
364 segment contains the beginning but not the end of
365 a higher-level PDU and thus isn't completely
371 /* is it completely desegmented? */
374 proto_tree *st = NULL;
375 proto_item *si = NULL;
378 * Yes, we think it is.
379 * We only call subdissector for the last segment.
380 * Note that the last segment may include more than what
383 if(nxtseq >= (tsk->start_seq + tsk->tot_len)){
385 * OK, this is the last segment.
386 * Let's call the subdissector with the desegmented
392 /* create a new TVB structure for desegmented data */
393 next_tvb = tvb_new_real_data(ipfd_head->data,
394 ipfd_head->datalen, ipfd_head->datalen);
396 /* add this tvb as a child to the original one */
397 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
399 /* add desegmented data to the data source list */
400 add_new_data_source(pinfo->fd, next_tvb,
404 * Supply the sequence number of the first of the
407 tcpinfo->seq = tsk->start_seq;
409 /* indicate that this is reassembled data */
410 tcpinfo->is_reassembled = TRUE;
412 /* call subdissector */
413 decode_tcp_ports(next_tvb, 0, pinfo, tree,
415 called_dissector = TRUE;
418 * OK, did the subdissector think it was completely
419 * desegmented, or does it think we need even more
422 old_len=(int)(tvb_reported_length(next_tvb)-tvb_reported_length_remaining(tvb, offset));
423 if(pinfo->desegment_len &&
424 pinfo->desegment_offset<=old_len){
425 tcp_segment_key *new_tsk;
428 * "desegment_len" isn't 0, so it needs more
429 * data for something - and "desegment_offset"
430 * is before "old_len", so it needs more data
431 * to dissect the stuff we thought was
432 * completely desegmented (as opposed to the
433 * stuff at the beginning being completely
434 * desegmented, but the stuff at the end
435 * being a new higher-level PDU that also
436 * needs desegmentation).
438 fragment_set_partial_reassembly(pinfo,tsk->start_seq,tcp_fragment_table);
439 tsk->tot_len = tvb_reported_length(next_tvb) + pinfo->desegment_len;
442 * Update tsk structure.
443 * Can ask ->next->next because at least there's a hdr and one
444 * entry in fragment_add()
446 for(ipfd=ipfd_head->next; ipfd->next; ipfd=ipfd->next){
447 old_tsk.seq = tsk->start_seq + ipfd->offset;
448 new_tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
449 new_tsk->tot_len = tsk->tot_len;
452 /* this is the next segment in the sequence we want */
453 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
454 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
455 new_tsk->seq = nxtseq;
456 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
459 * Show the stuff in this TCP segment as
460 * just raw TCP segment data.
463 tvb_reported_length_remaining(tvb, offset);
464 proto_tree_add_text(tcp_tree, tvb, offset, -1,
465 "TCP segment data (%u byte%s)", nbytes,
466 plurality(nbytes, "", "s"));
469 * The subdissector thought it was completely
470 * desegmented (although the stuff at the
471 * end may, in turn, require desegmentation),
472 * so we show a tree with all segments.
474 si = proto_tree_add_text(tcp_tree, tvb, 0, 0,
476 st = proto_item_add_subtree(si, ett_tcp_segments);
477 for(ipfd=ipfd_head->next; ipfd; ipfd=ipfd->next){
478 proto_tree_add_text(st, tvb, 0, 0,
479 "Frame:%u seq#:%u-%u [%u-%u]",
481 tsk->start_seq + ipfd->offset,
482 tsk->start_seq + ipfd->offset + ipfd->len-1,
484 ipfd->offset + ipfd->len - 1);
487 /* Did the subdissector ask us to desegment
488 some more data? This means that the data
489 at the beginning of this segment completed
490 a higher-level PDU, but the data at the
491 end of this segment started a higher-level
492 PDU but didn't complete it.
494 If so, we have to create some structures
495 in our table, but this is something we
496 only do the first time we see this packet.
498 if(pinfo->desegment_len) {
499 if (!pinfo->fd->flags.visited)
500 must_desegment = TRUE;
502 /* The stuff we couldn't dissect
503 must have come from this segment,
504 so it's all in "tvb".
506 "pinfo->desegment_offset" is
507 relative to the beginning of
508 "next_tvb"; we want an offset
509 relative to the beginning of "tvb".
511 First, compute the offset relative
512 to the *end* of "next_tvb" - i.e.,
513 the number of bytes before the end
514 of "next_tvb" at which the
515 subdissector stopped. That's the
516 length of "next_tvb" minus the
517 offset, relative to the beginning
518 of "next_tvb, at which the
519 subdissector stopped.
522 ipfd_head->datalen - pinfo->desegment_offset;
524 /* "tvb" and "next_tvb" end at the
525 same byte of data, so the offset
526 relative to the end of "next_tvb"
527 of the byte at which we stopped
528 is also the offset relative to
529 the end of "tvb" of the byte at
532 Convert that back into an offset
533 relative to the beginninng of
534 "tvb", by taking the length of
535 "tvb" and subtracting the offset
538 deseg_offset=tvb_reported_length(tvb) - deseg_offset;
544 if (must_desegment) {
545 tcp_segment_key *tsk, *new_tsk;
548 * The sequence number at which the stuff to be desegmented
549 * starts is the sequence number of the byte at an offset
550 * of "deseg_offset" into "tvb".
552 * The sequence number of the byte at an offset of "offset"
553 * is "seq", i.e. the starting sequence number of this
554 * segment, so the sequence number of the byte at
555 * "deseg_offset" is "seq + (deseg_offset - offset)".
557 deseg_seq = seq + (deseg_offset - offset);
560 * XXX - how do we detect out-of-order transmissions?
561 * We can't just check for "nxtseq" being greater than
562 * "tsk->start_seq"; for now, we check for the difference
563 * being less than a megabyte, but this is a really
564 * gross hack - we really need to handle out-of-order
565 * transmissions correctly.
567 if ((nxtseq - deseg_seq) <= 1024*1024) {
568 /* OK, subdissector wants us to desegment
569 some data before it can process it. Add
570 what remains of this packet and set
571 up next packet/sequence number as well.
573 We must remember this segment
575 tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
576 tsk->src = g_mem_chunk_alloc(tcp_segment_address_chunk);
577 COPY_ADDRESS(tsk->src, &pinfo->src);
578 tsk->dst = g_mem_chunk_alloc(tcp_segment_address_chunk);
579 COPY_ADDRESS(tsk->dst, &pinfo->dst);
580 tsk->seq = deseg_seq;
581 tsk->start_seq = tsk->seq;
582 tsk->tot_len = nxtseq - tsk->start_seq + pinfo->desegment_len;
583 tsk->first_frame = pinfo->fd->num;
584 g_hash_table_insert(tcp_segment_table, tsk, tsk);
586 /* Add portion of segment unprocessed by the subdissector
587 to defragmentation lists */
588 fragment_add(tvb, deseg_offset, pinfo, tsk->start_seq,
590 tsk->seq - tsk->start_seq,
591 nxtseq - tsk->start_seq,
592 (nxtseq < tsk->start_seq + tsk->tot_len));
594 /* this is the next segment in the sequence we want */
595 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
596 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
597 new_tsk->seq = nxtseq;
598 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
602 if (!called_dissector || pinfo->desegment_len != 0) {
604 * Either we didn't call the subdissector at all (i.e.,
605 * this is a segment that contains the middle of a
606 * higher-level PDU, but contains neither the beginning
607 * nor the end), or the subdissector couldn't dissect it
608 * all, as some data was missing (i.e., it set
609 * "pinfo->desegment_len" to the amount of additional
612 if (pinfo->desegment_offset == 0) {
614 * It couldn't, in fact, dissect any of it (the
615 * first byte it couldn't dissect is at an offset
616 * of "pinfo->desegment_offset" from the beginning
617 * of the payload, and that's 0).
618 * Just mark this as TCP.
620 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
621 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
623 if (check_col(pinfo->cinfo, COL_INFO)){
624 col_set_str(pinfo->cinfo, COL_INFO, "[Desegmented TCP]");
629 * Show what's left in the packet as just raw TCP segment
631 * XXX - remember what protocol the last subdissector
632 * was, and report it as a continuation of that, instead?
634 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
635 proto_tree_add_text(tcp_tree, tvb, deseg_offset, -1,
636 "TCP segment data (%u byte%s)", nbytes,
637 plurality(nbytes, "", "s"));
639 pinfo->can_desegment=0;
640 pinfo->desegment_offset = 0;
641 pinfo->desegment_len = 0;
648 tcp_info_append_uint(packet_info *pinfo, const char *abbrev, guint32 val)
650 if (check_col(pinfo->cinfo, COL_INFO))
651 col_append_fstr(pinfo->cinfo, COL_INFO, " %s=%u", abbrev, val);
655 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
656 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
660 mss = tvb_get_ntohs(tvb, offset + 2);
661 proto_tree_add_text(opt_tree, tvb, offset, optlen,
662 "%s: %u bytes", optp->name, mss);
663 tcp_info_append_uint(pinfo, "MSS", mss);
667 dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
668 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
672 ws = tvb_get_guint8(tvb, offset + 2);
673 proto_tree_add_text(opt_tree, tvb, offset, optlen,
674 "%s: %u bytes", optp->name, ws);
675 tcp_info_append_uint(pinfo, "WS", ws);
679 dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
680 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
682 proto_tree *field_tree = NULL;
684 guint leftedge, rightedge;
686 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
687 offset += 2; /* skip past type and length */
688 optlen -= 2; /* subtract size of type and length */
690 if (field_tree == NULL) {
691 /* Haven't yet made a subtree out of this option. Do so. */
692 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
695 proto_tree_add_text(field_tree, tvb, offset, optlen,
696 "(suboption would go past end of option)");
699 leftedge = tvb_get_ntohl(tvb, offset);
702 proto_tree_add_text(field_tree, tvb, offset, optlen,
703 "(suboption would go past end of option)");
706 /* XXX - check whether it goes past end of packet */
707 rightedge = tvb_get_ntohl(tvb, offset + 4);
709 proto_tree_add_text(field_tree, tvb, offset, 8,
710 "left edge = %u, right edge = %u", leftedge, rightedge);
711 tcp_info_append_uint(pinfo, "SLE", leftedge);
712 tcp_info_append_uint(pinfo, "SRE", rightedge);
718 dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
719 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
723 echo = tvb_get_ntohl(tvb, offset + 2);
724 proto_tree_add_text(opt_tree, tvb, offset, optlen,
725 "%s: %u", optp->name, echo);
726 tcp_info_append_uint(pinfo, "ECHO", echo);
730 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
731 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
735 tsv = tvb_get_ntohl(tvb, offset + 2);
736 tser = tvb_get_ntohl(tvb, offset + 6);
737 proto_tree_add_text(opt_tree, tvb, offset, optlen,
738 "%s: tsval %u, tsecr %u", optp->name, tsv, tser);
739 tcp_info_append_uint(pinfo, "TSV", tsv);
740 tcp_info_append_uint(pinfo, "TSER", tser);
744 dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
745 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
749 cc = tvb_get_ntohl(tvb, offset + 2);
750 proto_tree_add_text(opt_tree, tvb, offset, optlen,
751 "%s: %u", optp->name, cc);
752 tcp_info_append_uint(pinfo, "CC", cc);
755 static const ip_tcp_opt tcpopts[] = {
774 "Maximum segment size",
778 dissect_tcpopt_maxseg
786 dissect_tcpopt_wscale
799 &ett_tcp_option_sack,
826 dissect_tcpopt_timestamp
862 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
865 static const true_false_string flags_set_truth = {
871 /* Determine if there is a sub-dissector and call it. This has been */
872 /* separated into a stand alone routine to other protocol dissectors */
873 /* can call to it, ie. socks */
876 decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
877 proto_tree *tree, int src_port, int dst_port)
881 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
883 /* determine if this packet is part of a conversation and call dissector */
884 /* for the conversation if available */
886 if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
887 src_port, dst_port, next_tvb, pinfo, tree))
890 /* do lookup with the subdissector table */
891 if (dissector_try_port(subdissector_table, src_port, next_tvb, pinfo, tree) ||
892 dissector_try_port(subdissector_table, dst_port, next_tvb, pinfo, tree))
895 /* do lookup with the heuristic subdissector table */
896 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
899 /* Oh, well, we don't know this; dissect it as data. */
900 call_dissector(data_handle,next_tvb, pinfo, tree);
905 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
911 guint8 th_off_x2; /* combines th_off and th_x2 */
916 proto_tree *tcp_tree = NULL, *field_tree = NULL;
917 proto_item *ti = NULL, *tf;
919 gchar flags[64] = "<None>";
920 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
931 guint16 computed_cksum;
932 guint length_remaining;
933 gboolean desegment_ok;
934 struct tcpinfo tcpinfo;
935 gboolean save_fragmented;
937 if (check_col(pinfo->cinfo, COL_PROTOCOL))
938 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
940 /* Clear out the Info column. */
941 if (check_col(pinfo->cinfo, COL_INFO))
942 col_clear(pinfo->cinfo, COL_INFO);
944 th_sport = tvb_get_ntohs(tvb, offset);
945 th_dport = tvb_get_ntohs(tvb, offset + 2);
946 if (check_col(pinfo->cinfo, COL_INFO)) {
947 col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
948 get_tcp_port(th_sport), get_tcp_port(th_dport));
952 if (tcp_summary_in_tree) {
953 ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
954 "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
955 get_tcp_port(th_sport), th_sport,
956 get_tcp_port(th_dport), th_dport);
959 ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
961 tcp_tree = proto_item_add_subtree(ti, ett_tcp);
962 proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th_sport,
963 "Source port: %s (%u)", get_tcp_port(th_sport), th_sport);
964 proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th_dport,
965 "Destination port: %s (%u)", get_tcp_port(th_dport), th_dport);
966 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th_sport);
967 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th_dport);
970 th_seq = tvb_get_ntohl(tvb, offset + 4);
971 th_ack = tvb_get_ntohl(tvb, offset + 8);
972 th_off_x2 = tvb_get_guint8(tvb, offset + 12);
973 th_flags = tvb_get_guint8(tvb, offset + 13);
974 th_win = tvb_get_ntohs(tvb, offset + 14);
976 if (check_col(pinfo->cinfo, COL_INFO) || tree) {
977 for (i = 0; i < 8; i++) {
979 if (th_flags & bpos) {
981 strcpy(&flags[fpos], ", ");
984 strcpy(&flags[fpos], fstr[i]);
991 if (check_col(pinfo->cinfo, COL_INFO)) {
992 col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u Ack=%u Win=%u",
993 flags, th_seq, th_ack, th_win);
997 if (tcp_summary_in_tree)
998 proto_item_append_text(ti, ", Seq: %u", th_seq);
999 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th_seq);
1002 hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
1004 if (hlen < TCPH_MIN_LEN) {
1005 /* Give up at this point; we put the source and destination port in
1006 the tree, before fetching the header length, so that they'll
1007 show up if this is in the failing packet in an ICMP error packet,
1008 but it's now time to give up if the header length is bogus. */
1009 if (check_col(pinfo->cinfo, COL_INFO))
1010 col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
1011 hlen, TCPH_MIN_LEN);
1013 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
1014 "Header length: %u bytes (bogus, must be at least %u)", hlen,
1020 reported_len = tvb_reported_length(tvb);
1021 len = tvb_length(tvb);
1023 /* Compute the length of data in this segment. */
1024 seglen = reported_len - hlen;
1026 /* Compute the sequence number of next octet after this segment. */
1027 nxtseq = th_seq + seglen;
1030 if (tcp_summary_in_tree)
1031 proto_item_append_text(ti, ", Ack: %u", th_ack);
1032 proto_item_set_len(ti, hlen);
1033 if (nxtseq != th_seq)
1034 proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
1035 if (th_flags & TH_ACK)
1036 proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th_ack);
1037 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
1038 "Header length: %u bytes", hlen);
1039 tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
1040 th_flags, "Flags: 0x%04x (%s)", th_flags, flags);
1041 field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
1042 proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th_flags);
1043 proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th_flags);
1044 proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th_flags);
1045 proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th_flags);
1046 proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th_flags);
1047 proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th_flags);
1048 proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th_flags);
1049 proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th_flags);
1050 proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th_win);
1053 /* Supply the sequence number of the first byte. */
1054 tcpinfo.seq = th_seq;
1056 /* Assume we'll pass un-reassembled data to subdissectors. */
1057 tcpinfo.is_reassembled = FALSE;
1059 pinfo->private_data = &tcpinfo;
1062 * Assume, initially, that we can't desegment.
1064 pinfo->can_desegment = 0;
1066 th_sum = tvb_get_ntohs(tvb, offset + 16);
1067 if (!pinfo->fragmented && len >= reported_len) {
1068 /* The packet isn't part of an un-reassembled fragmented datagram
1069 and isn't truncated. This means we have all the data, and thus
1070 can checksum it and, unless it's being returned in an error
1071 packet, are willing to allow subdissectors to request reassembly
1074 if (tcp_check_checksum) {
1075 /* We haven't turned checksum checking off; checksum it. */
1077 /* Set up the fields of the pseudo-header. */
1078 cksum_vec[0].ptr = pinfo->src.data;
1079 cksum_vec[0].len = pinfo->src.len;
1080 cksum_vec[1].ptr = pinfo->dst.data;
1081 cksum_vec[1].len = pinfo->dst.len;
1082 cksum_vec[2].ptr = (const guint8 *)&phdr;
1083 switch (pinfo->src.type) {
1086 phdr[0] = htonl((IP_PROTO_TCP<<16) + reported_len);
1087 cksum_vec[2].len = 4;
1091 phdr[0] = htonl(reported_len);
1092 phdr[1] = htonl(IP_PROTO_TCP);
1093 cksum_vec[2].len = 8;
1097 /* TCP runs only atop IPv4 and IPv6.... */
1098 g_assert_not_reached();
1101 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
1102 cksum_vec[3].len = reported_len;
1103 computed_cksum = in_cksum(&cksum_vec[0], 4);
1104 if (computed_cksum == 0) {
1105 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1106 offset + 16, 2, th_sum, "Checksum: 0x%04x (correct)", th_sum);
1108 /* Checksum is valid, so we're willing to desegment it. */
1109 desegment_ok = TRUE;
1111 proto_tree_add_boolean_hidden(tcp_tree, hf_tcp_checksum_bad, tvb,
1112 offset + 16, 2, TRUE);
1113 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1114 offset + 16, 2, th_sum,
1115 "Checksum: 0x%04x (incorrect, should be 0x%04x)", th_sum,
1116 in_cksum_shouldbe(th_sum, computed_cksum));
1118 /* Checksum is invalid, so we're not willing to desegment it. */
1119 desegment_ok = FALSE;
1122 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1123 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
1125 /* We didn't check the checksum, and don't care if it's valid,
1126 so we're willing to desegment it. */
1127 desegment_ok = TRUE;
1130 /* We don't have all the packet data, so we can't checksum it... */
1131 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1132 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
1134 /* ...and aren't willing to desegment it. */
1135 desegment_ok = FALSE;
1139 /* We're willing to desegment this. Is desegmentation enabled? */
1140 if (tcp_desegment) {
1141 /* Yes - is this segment being returned in an error packet? */
1142 if (!pinfo->in_error_pkt) {
1143 /* No - indicate that we will desegment.
1144 We do NOT want to desegment segments returned in error
1145 packets, as they're not part of a TCP connection. */
1146 pinfo->can_desegment = 2;
1151 if (th_flags & TH_URG) {
1152 th_urp = tvb_get_ntohs(tvb, offset + 18);
1153 /* Export the urgent pointer, for the benefit of protocols such as
1155 tcpinfo.urgent = TRUE;
1156 tcpinfo.urgent_pointer = th_urp;
1157 if (check_col(pinfo->cinfo, COL_INFO))
1158 col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
1159 if (tcp_tree != NULL)
1160 proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
1162 tcpinfo.urgent = FALSE;
1164 if (check_col(pinfo->cinfo, COL_INFO))
1165 col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", seglen);
1167 /* Decode TCP options, if any. */
1168 if (tree && hlen > TCPH_MIN_LEN) {
1169 /* There's more than just the fixed-length header. Decode the
1171 optlen = hlen - TCPH_MIN_LEN; /* length of options, in bytes */
1172 tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
1173 "Options: (%u bytes)", optlen);
1174 field_tree = proto_item_add_subtree(tf, ett_tcp_options);
1175 dissect_ip_tcp_options(tvb, offset + 20, optlen,
1176 tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo, field_tree);
1179 /* Skip over header + options */
1182 pinfo->ptype = PT_TCP;
1183 pinfo->srcport = th_sport;
1184 pinfo->destport = th_dport;
1186 /* Check the packet length to see if there's more data
1187 (it could be an ACK-only packet) */
1188 length_remaining = tvb_length_remaining(tvb, offset);
1189 if (length_remaining != 0) {
1190 if (th_flags & TH_RST) {
1194 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
1196 * A TCP SHOULD allow a received RST segment to include data.
1199 * It has been suggested that a RST segment could contain
1200 * ASCII text that encoded and explained the cause of the
1201 * RST. No standard has yet been established for such
1204 * so for segments with RST we just display the data as text.
1206 proto_tree_add_text(tcp_tree, tvb, offset, length_remaining,
1208 tvb_format_text(tvb, offset, length_remaining));
1210 /* Can we desegment this segment? */
1211 if (pinfo->can_desegment) {
1213 desegment_tcp(tvb, pinfo, offset, th_seq, nxtseq, th_sport, th_dport, tree, tcp_tree);
1215 /* No - just call the subdissector.
1216 Mark this as fragmented, so if somebody throws an exception,
1217 we don't report it as a malformed frame. */
1218 save_fragmented = pinfo->fragmented;
1219 pinfo->fragmented = TRUE;
1220 decode_tcp_ports(tvb, offset, pinfo, tree, th_sport, th_dport);
1221 pinfo->fragmented = save_fragmented;
1226 if( data_out_file ) {
1227 reassemble_tcp( th_seq, /* sequence number */
1228 seglen, /* data length */
1229 tvb_get_ptr(tvb, offset, length_remaining), /* data */
1230 length_remaining, /* captured data length */
1231 ( th_flags & TH_SYN ), /* is syn set? */
1240 proto_register_tcp(void)
1242 static hf_register_info hf[] = {
1245 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
1249 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
1253 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
1257 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
1261 { "Next sequence number", "tcp.nxtseq", FT_UINT32, BASE_DEC, NULL, 0x0,
1265 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
1269 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
1273 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
1276 { &hf_tcp_flags_cwr,
1277 { "Congestion Window Reduced (CWR)", "tcp.flags.cwr", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_CWR,
1280 { &hf_tcp_flags_ecn,
1281 { "ECN-Echo", "tcp.flags.ecn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ECN,
1284 { &hf_tcp_flags_urg,
1285 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
1288 { &hf_tcp_flags_ack,
1289 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
1292 { &hf_tcp_flags_push,
1293 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
1296 { &hf_tcp_flags_reset,
1297 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
1300 { &hf_tcp_flags_syn,
1301 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
1304 { &hf_tcp_flags_fin,
1305 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
1308 { &hf_tcp_window_size,
1309 { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
1313 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
1316 { &hf_tcp_checksum_bad,
1317 { "Bad Checksum", "tcp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1320 { &hf_tcp_urgent_pointer,
1321 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
1324 static gint *ett[] = {
1328 &ett_tcp_option_sack,
1331 module_t *tcp_module;
1333 proto_tcp = proto_register_protocol("Transmission Control Protocol",
1335 proto_register_field_array(proto_tcp, hf, array_length(hf));
1336 proto_register_subtree_array(ett, array_length(ett));
1338 /* subdissector code */
1339 subdissector_table = register_dissector_table("tcp.port",
1340 "TCP port", FT_UINT16, BASE_DEC);
1341 register_heur_dissector_list("tcp", &heur_subdissector_list);
1343 /* Register configuration preferences */
1344 tcp_module = prefs_register_protocol(proto_tcp, NULL);
1345 prefs_register_bool_preference(tcp_module, "tcp_summary_in_tree",
1346 "Show TCP summary in protocol tree",
1347 "Whether the TCP summary line should be shown in the protocol tree",
1348 &tcp_summary_in_tree);
1349 prefs_register_bool_preference(tcp_module, "check_checksum",
1350 "Check the validity of the TCP checksum when possible",
1351 "Whether to check the validity of the TCP checksum",
1352 &tcp_check_checksum);
1353 prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
1354 "Allow subdissector to desegment TCP streams",
1355 "Whether subdissector can request TCP streams to be desegmented",
1358 register_init_routine(tcp_desegment_init);
1359 register_init_routine(tcp_fragment_init);
1363 proto_reg_handoff_tcp(void)
1365 dissector_handle_t tcp_handle;
1367 tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
1368 dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
1369 data_handle = find_dissector("data");