2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.17 1999/03/23 03:58:59 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
45 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifndef __PACKET_IP_H__
55 #include "packet-ip.h"
58 extern FILE* data_out_file;
59 extern packet_info pi;
61 static gchar info_str[COL_MAX_LEN];
66 #define TCP_PORT_HTTP 80
67 #define TCP_PORT_PRINTER 515
68 #define TCP_ALT_PORT_HTTP 8080
70 /* TCP structs and definitions */
72 typedef struct _e_tcphdr {
77 guint8 th_off_x2; /* combines th_off and th_x2 */
94 #define TCPOPT_NOP 1 /* Padding */
95 #define TCPOPT_EOL 0 /* End of options */
96 #define TCPOPT_MSS 2 /* Segment size negotiating */
97 #define TCPOPT_WINDOW 3 /* Window scaling */
98 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
99 #define TCPOPT_SACK 5 /* SACK Block */
100 #define TCPOPT_ECHO 6
101 #define TCPOPT_ECHOREPLY 7
102 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
104 #define TCPOPT_CCNEW 12
105 #define TCPOPT_CCECHO 13
111 #define TCPOLEN_MSS 4
112 #define TCPOLEN_WINDOW 3
113 #define TCPOLEN_SACK_PERM 2
114 #define TCPOLEN_SACK_MIN 2
115 #define TCPOLEN_ECHO 6
116 #define TCPOLEN_ECHOREPLY 6
117 #define TCPOLEN_TIMESTAMP 10
119 #define TCPOLEN_CCNEW 6
120 #define TCPOLEN_CCECHO 6
123 tcp_info_append_uint(const char *abbrev, guint32 val) {
128 add_len = snprintf(&info_str[info_len], COL_MAX_LEN - info_len, " %s=%u",
135 dissect_tcpopt_maxseg(proto_tree *opt_tree, const char *name, const u_char *opd,
136 int offset, guint optlen)
138 proto_tree_add_item(opt_tree, offset, optlen,
139 "%s: %u bytes", name, pntohs(opd));
140 tcp_info_append_uint("MSS", pntohs(opd));
144 dissect_tcpopt_wscale(proto_tree *opt_tree, const char *name, const u_char *opd,
145 int offset, guint optlen)
147 proto_tree_add_item(opt_tree, offset, optlen,
148 "%s: %u bytes", name, *opd);
149 tcp_info_append_uint("WS", *opd);
153 dissect_tcpopt_sack(proto_tree *opt_tree, const char *name, const u_char *opd,
154 int offset, guint optlen)
156 proto_tree *field_tree = NULL;
158 guint leftedge, rightedge;
160 tf = proto_tree_add_item(opt_tree, offset, optlen, "%s:", name);
161 offset += 2; /* skip past type and length */
162 optlen -= 2; /* subtract size of type and length */
164 if (field_tree == NULL) {
165 /* Haven't yet made a subtree out of this option. Do so. */
166 field_tree = proto_tree_new();
167 proto_item_add_subtree(tf, field_tree, ETT_TCP_OPTION_SACK);
170 proto_tree_add_item(field_tree, offset, optlen,
171 "(suboption would go past end of option)");
174 /* XXX - check whether it goes past end of packet */
175 leftedge = pntohl(opd);
179 proto_tree_add_item(field_tree, offset, optlen,
180 "(suboption would go past end of option)");
183 /* XXX - check whether it goes past end of packet */
184 rightedge = pntohl(opd);
187 proto_tree_add_item(field_tree, offset, 8,
188 "left edge = %u, right edge = %u", leftedge, rightedge);
189 tcp_info_append_uint("SLE", leftedge);
190 tcp_info_append_uint("SRE", rightedge);
196 dissect_tcpopt_echo(proto_tree *opt_tree, const char *name, const u_char *opd,
197 int offset, guint optlen)
199 proto_tree_add_item(opt_tree, offset, optlen,
200 "%s: %u", name, pntohl(opd));
201 tcp_info_append_uint("ECHO", pntohl(opd));
205 dissect_tcpopt_timestamp(proto_tree *opt_tree, const char *name,
206 const u_char *opd, int offset, guint optlen)
208 proto_tree_add_item(opt_tree, offset, optlen,
209 "%s: tsval %u, tsecr %u", name, pntohl(opd), pntohl(opd + 4));
210 tcp_info_append_uint("TSV", pntohl(opd));
211 tcp_info_append_uint("TSER", pntohl(opd + 4));
215 dissect_tcpopt_cc(proto_tree *opt_tree, const char *name, const u_char *opd,
216 int offset, guint optlen)
218 proto_tree_add_item(opt_tree, offset, optlen,
219 "%s: %u", name, pntohl(opd));
220 tcp_info_append_uint("CC", pntohl(opd));
223 static ip_tcp_opt tcpopts[] = {
240 "Maximum segment size",
243 dissect_tcpopt_maxseg
250 dissect_tcpopt_wscale
285 dissect_tcpopt_timestamp
310 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
313 dissect_tcp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
315 proto_tree *tcp_tree = NULL, *field_tree = NULL;
317 gchar flags[64] = "<None>";
318 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"};
324 /* To do: Check for {cap len,pkt len} < struct len */
325 /* Avoids alignment problems on many architectures. */
326 memcpy(&th, &pd[offset], sizeof(e_tcphdr));
327 th.th_sport = ntohs(th.th_sport);
328 th.th_dport = ntohs(th.th_dport);
329 th.th_win = ntohs(th.th_win);
330 th.th_sum = ntohs(th.th_sum);
331 th.th_urp = ntohs(th.th_urp);
332 th.th_seq = ntohl(th.th_seq);
333 th.th_ack = ntohl(th.th_ack);
337 if (check_col(fd, COL_PROTOCOL) || tree) {
338 for (i = 0; i < 6; i++) {
340 if (th.th_flags & bpos) {
342 strcpy(&flags[fpos], ", ");
345 strcpy(&flags[fpos], fstr[i]);
352 hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
354 if (check_col(fd, COL_RES_SRC_PORT))
355 col_add_str(fd, COL_RES_SRC_PORT, get_tcp_port(th.th_sport));
356 if (check_col(fd, COL_UNRES_SRC_PORT))
357 col_add_fstr(fd, COL_UNRES_SRC_PORT, "%u", th.th_sport);
358 if (check_col(fd, COL_RES_DST_PORT))
359 col_add_str(fd, COL_RES_DST_PORT, get_tcp_port(th.th_dport));
360 if (check_col(fd, COL_UNRES_DST_PORT))
361 col_add_fstr(fd, COL_UNRES_DST_PORT, "%u", th.th_dport);
362 if (check_col(fd, COL_PROTOCOL))
363 col_add_str(fd, COL_PROTOCOL, "TCP");
364 if (check_col(fd, COL_INFO)) {
365 /* Copy the data into info_str in case one of the option handling
366 routines needs to append to it. */
367 if (th.th_flags & TH_URG)
368 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u",
369 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
370 th.th_seq, th.th_ack, th.th_win, th.th_urp);
372 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u",
373 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
374 th.th_seq, th.th_ack, th.th_win);
375 /* The info column is actually written after the options are decoded */
379 ti = proto_tree_add_item(tree, offset, hlen,
380 "Transmission Control Protocol");
381 tcp_tree = proto_tree_new();
382 proto_item_add_subtree(ti, tcp_tree, ETT_TCP);
383 proto_tree_add_item(tcp_tree, offset, 2, "Source port: %s (%u)",
384 get_tcp_port(th.th_sport), th.th_sport);
385 proto_tree_add_item(tcp_tree, offset + 2, 2, "Destination port: %s (%u)",
386 get_tcp_port(th.th_dport), th.th_dport);
387 proto_tree_add_item(tcp_tree, offset + 4, 4, "Sequence number: %u",
389 if (th.th_flags & TH_ACK)
390 proto_tree_add_item(tcp_tree, offset + 8, 4, "Acknowledgement number: %u",
392 proto_tree_add_item(tcp_tree, offset + 12, 1, "Header length: %u bytes", hlen);
393 tf = proto_tree_add_item(tcp_tree, offset + 13, 1, "Flags: 0x%x", th.th_flags);
394 field_tree = proto_tree_new();
395 proto_item_add_subtree(tf, field_tree, ETT_TCP_FLAGS);
396 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
397 decode_boolean_bitfield(th.th_flags, TH_URG, sizeof (th.th_flags)*8,
398 "Urgent pointer", "No urgent pointer"));
399 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
400 decode_boolean_bitfield(th.th_flags, TH_ACK, sizeof (th.th_flags)*8,
401 "Acknowledgment", "No acknowledgment"));
402 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
403 decode_boolean_bitfield(th.th_flags, TH_PUSH, sizeof (th.th_flags)*8,
405 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
406 decode_boolean_bitfield(th.th_flags, TH_RST, sizeof (th.th_flags)*8,
407 "Reset", "No reset"));
408 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
409 decode_boolean_bitfield(th.th_flags, TH_SYN, sizeof (th.th_flags)*8,
411 proto_tree_add_item(field_tree, offset + 13, 1, "%s",
412 decode_boolean_bitfield(th.th_flags, TH_FIN, sizeof (th.th_flags)*8,
414 proto_tree_add_item(tcp_tree, offset + 14, 2, "Window size: %u", th.th_win);
415 proto_tree_add_item(tcp_tree, offset + 16, 2, "Checksum: 0x%04x", th.th_sum);
416 if (th.th_flags & TH_URG)
417 proto_tree_add_item(tcp_tree, offset + 18, 2, "Urgent pointer: 0x%04x",
421 /* Decode TCP options, if any. */
422 if (hlen > sizeof (e_tcphdr)) {
423 /* There's more than just the fixed-length header. Decode the
425 optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
427 tf = proto_tree_add_item(tcp_tree, offset + 20, optlen,
428 "Options: (%d bytes)", optlen);
429 field_tree = proto_tree_new();
430 proto_item_add_subtree(tf, field_tree, ETT_TCP_OPTIONS);
432 dissect_ip_tcp_options(field_tree, &pd[offset + 20], offset + 20, optlen,
433 tcpopts, N_TCP_OPTS, TCPOPT_EOL);
436 if (check_col(fd, COL_INFO))
437 col_add_str(fd, COL_INFO, info_str);
439 /* Skip over header + options */
442 /* Check the packet length to see if there's more data
443 (it could be an ACK-only packet) */
444 if (fd->cap_len > offset) {
445 switch(MIN(th.th_sport, th.th_dport)) {
446 case TCP_PORT_PRINTER:
447 dissect_lpd(pd, offset, fd, tree);
450 case TCP_ALT_PORT_HTTP:
451 dissect_http(pd, offset, fd, tree);
454 /* check existence of high level protocols */
456 if (memcmp(&pd[offset], "GIOP", 4) == 0) {
457 dissect_giop(pd, offset, fd, tree);
460 dissect_data(pd, offset, fd, tree);
465 pi.srcport = th.th_sport;
466 pi.destport = th.th_dport;
468 if( data_out_file ) {
469 reassemble_tcp( th.th_seq, /* sequence number */
470 ( pi.iplen -( pi.iphdrlen * 4 )-( hi_nibble(th.th_off_x2) * 4 ) ), /* length */
471 ( pd+offset ), /* data */
472 ( th.th_flags & 0x02 ), /* is syn set? */
473 pi.ip_src ); /* src ip */