2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.158 2002/09/11 09:08:07 sahlberg Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #include <epan/resolv.h>
38 #include "packet-tcp.h"
39 #include "packet-ip.h"
40 #include "packet-frame.h"
41 #include <epan/conversation.h>
42 #include <epan/strutil.h>
43 #include "reassemble.h"
45 /* Place TCP summary in proto tree */
46 static gboolean tcp_summary_in_tree = TRUE;
49 * Flag to control whether to check the TCP checksum.
51 * In at least some Solaris network traces, there are packets with bad
52 * TCP checksums, but the traffic appears to indicate that the packets
53 * *were* received; the packets were probably sent by the host on which
54 * the capture was being done, on a network interface to which
55 * checksumming was offloaded, so that DLPI supplied an un-checksummed
56 * packet to the capture program but a checksummed packet got put onto
59 static gboolean tcp_check_checksum = TRUE;
61 extern FILE* data_out_file;
63 static int proto_tcp = -1;
64 static int hf_tcp_srcport = -1;
65 static int hf_tcp_dstport = -1;
66 static int hf_tcp_port = -1;
67 static int hf_tcp_seq = -1;
68 static int hf_tcp_nxtseq = -1;
69 static int hf_tcp_ack = -1;
70 static int hf_tcp_hdr_len = -1;
71 static int hf_tcp_flags = -1;
72 static int hf_tcp_flags_cwr = -1;
73 static int hf_tcp_flags_ecn = -1;
74 static int hf_tcp_flags_urg = -1;
75 static int hf_tcp_flags_ack = -1;
76 static int hf_tcp_flags_push = -1;
77 static int hf_tcp_flags_reset = -1;
78 static int hf_tcp_flags_syn = -1;
79 static int hf_tcp_flags_fin = -1;
80 static int hf_tcp_window_size = -1;
81 static int hf_tcp_checksum = -1;
82 static int hf_tcp_checksum_bad = -1;
83 static int hf_tcp_len = -1;
84 static int hf_tcp_urgent_pointer = -1;
85 static int hf_tcp_analysis_flags = -1;
86 static int hf_tcp_analysis_acks_frame = -1;
87 static int hf_tcp_analysis_ack_rtt = -1;
88 static int hf_tcp_analysis_retransmission = -1;
89 static int hf_tcp_analysis_lost_packet = -1;
90 static int hf_tcp_analysis_ack_lost_packet = -1;
91 static int hf_tcp_analysis_keep_alive = -1;
93 static gint ett_tcp = -1;
94 static gint ett_tcp_flags = -1;
95 static gint ett_tcp_options = -1;
96 static gint ett_tcp_option_sack = -1;
97 static gint ett_tcp_segments = -1;
98 static gint ett_tcp_analysis = -1;
99 static gint ett_tcp_analysis_faults = -1;
101 static dissector_table_t subdissector_table;
102 static heur_dissector_list_t heur_subdissector_list;
103 static dissector_handle_t data_handle;
105 /* TCP structs and definitions */
119 /* **************************************************************************
120 * stuff to analyze TCP sequencenumbers for retransmissions, missing segments,
121 * RTT and reltive sequence numbers.
122 * **************************************************************************/
123 static gboolean tcp_analyze_seq = FALSE;
124 static gboolean tcp_relative_seq = FALSE;
126 static GMemChunk *tcp_unacked_chunk = NULL;
127 static int tcp_unacked_count = 500; /* one for each packet until it is acked*/
129 struct tcp_unacked *next;
136 /* Idea for gt: either x > y, or y is much bigger (assume wrap) */
137 #define GT_SEQ(x, y) ((x > y) || ((y - x) > 0x80000000))
138 #define LT_SEQ(x, y) ((x < y) || ((x - y) > 0x80000000))
139 #define GE_SEQ(x, y) ((x >= y) || ((y - x) > 0x80000000))
140 #define LE_SEQ(x, y) ((x <= y) || ((x - y) > 0x80000000))
141 #define EQ_SEQ(x, y) (x == y)
143 static GMemChunk *tcp_acked_chunk = NULL;
144 static int tcp_acked_count = 5000; /* one for almost every other segment in the capture */
145 #define TCP_A_RETRANSMISSION 0x01
146 #define TCP_A_LOST_PACKET 0x02
147 #define TCP_A_ACK_LOST_PACKET 0x04
148 #define TCP_A_KEEP_ALIVE 0x08
154 static GHashTable *tcp_analyze_acked_table = NULL;
156 static GMemChunk *tcp_rel_seq_chunk = NULL;
157 static int tcp_rel_seq_count = 10000; /* one for each segment in the capture */
162 static GHashTable *tcp_rel_seq_table = NULL;
164 static GMemChunk *tcp_analysis_chunk = NULL;
165 static int tcp_analysis_count = 20; /* one for each conversation */
166 struct tcp_analysis {
167 /* These two structs are managed based on comparing the source
168 * and destination addresses and, if they're equal, comparing
169 * the source and destination ports.
171 * If the source is greater than the destination, then stuff
172 * sent from src is in ual1.
174 * If the source is less than the destination, then stuff
175 * sent from src is in ual2.
177 * XXX - if the addresses and ports are equal, we don't guarantee
180 struct tcp_unacked *ual1; /* UnAcked List 1*/
182 struct tcp_unacked *ual2; /* UnAcked List 2*/
187 tcp_get_relative_seq_ack(guint32 frame, guint32 *seq, guint32 *ack)
189 struct tcp_rel_seq *trs;
191 trs=g_hash_table_lookup(tcp_rel_seq_table, (void *)frame);
196 (*seq) -= trs->seq_base;
197 (*ack) -= trs->ack_base;
200 static struct tcp_acked *
201 tcp_analyze_get_acked_struct(guint32 frame, gboolean createflag)
203 struct tcp_acked *ta;
205 ta=g_hash_table_lookup(tcp_analyze_acked_table, (void *)frame);
206 if((!ta) && createflag){
207 ta=g_mem_chunk_alloc(tcp_acked_chunk);
212 g_hash_table_insert(tcp_analyze_acked_table, (void *)frame, ta);
218 tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags)
220 conversation_t *conv=NULL;
221 struct tcp_analysis *tcpd=NULL;
223 struct tcp_unacked *ual1=NULL;
224 struct tcp_unacked *ual2=NULL;
225 struct tcp_unacked *ual=NULL;
229 /* Have we seen this conversation before? */
230 if( (conv=find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
231 /* No this is a new conversation. */
232 conv=conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
235 /* check if we have any data for this conversation */
236 tcpd=conversation_get_proto_data(conv, proto_tcp);
238 /* No no such data yet. Allocate and init it */
239 tcpd=g_mem_chunk_alloc(tcp_analysis_chunk);
244 conversation_add_proto_data(conv, proto_tcp, tcpd);
247 /* check direction and get ua lists */
248 direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
249 /* if the addresses are equal, match the ports instead */
251 direction= (pinfo->srcport > pinfo->destport);
256 base_seq=tcpd->base_seq1;
257 base_ack=tcpd->base_seq2;
261 base_seq=tcpd->base_seq2;
262 base_ack=tcpd->base_seq1;
272 /* handle the sequence numbers */
273 /* if this was a SYN packet, then remove existing list and
274 * put SEQ+1 first the list */
276 for(ual=ual1;ual1;ual1=ual){
278 g_mem_chunk_free(tcp_unacked_chunk, ual1);
280 ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
282 ual1->frame=pinfo->fd->num;
285 ual1->ts.secs=pinfo->fd->abs_secs;
286 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
292 /* if this is the first segment we see then just add it */
294 ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
296 ual1->frame=pinfo->fd->num;
298 ual1->nextseq=seq+seglen;
299 ual1->ts.secs=pinfo->fd->abs_secs;
300 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
305 /* if we get past here we know that ual1 points to a segment */
307 /* To handle FIN, just pretend they have a length of 1.
308 else the ACK following the FIN-ACK will look like it was
309 outside the window. */
310 if( (!seglen) && (flags&TH_FIN) ){
314 /* if seq is beyond ual1->nextseq we have lost a segment */
315 if (GT_SEQ(seq, ual1->nextseq)) {
316 struct tcp_acked *ta;
318 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
319 ta->flags|=TCP_A_LOST_PACKET;
321 /* just add the segment to the beginning of the list */
322 ual=g_mem_chunk_alloc(tcp_unacked_chunk);
324 ual->frame=pinfo->fd->num;
326 ual->nextseq=seq+seglen;
327 ual->ts.secs=pinfo->fd->abs_secs;
328 ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
333 /* keep-alives are empty semgents with a sequence number -1 of what
336 if( (!seglen) && EQ_SEQ(seq, (ual1->nextseq-1)) ){
337 struct tcp_acked *ta;
339 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
340 ta->flags|=TCP_A_KEEP_ALIVE;
345 /* if this is an empty segment, just skip it all */
350 /* check if the sequence number is lower than expected, i.e. retransmission */
351 if( LT_SEQ(seq, ual1->nextseq )){
352 struct tcp_acked *ta;
354 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
355 ta->flags|=TCP_A_RETRANSMISSION;
357 /* did this segment contain any more data we havent seen yet?
358 * if so we can just increase nextseq
360 if(GT_SEQ((seq+seglen), ual1->nextseq)){
361 ual1->nextseq=seq+seglen;
362 ual1->frame=pinfo->fd->num;
363 ual1->ts.secs=pinfo->fd->abs_secs;
364 ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
369 /* just add the segment to the beginning of the list */
370 ual=g_mem_chunk_alloc(tcp_unacked_chunk);
372 ual->frame=pinfo->fd->num;
374 ual->nextseq=seq+seglen;
375 ual->ts.secs=pinfo->fd->abs_secs;
376 ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
382 /* handle the ack numbers */
384 /* if we dont have the ack flag its not much we can do */
385 if( !(flags&TH_ACK)){
389 /* if we havent seen anything yet in the other direction we dont
390 * know what this one acks */
395 /* if we dont have any real segments in the other direction not
396 * acked yet (as we see from the magic frame==0 entry)
397 * then there is no point in continuing
403 /* if we get here we know ual2 is valid */
405 /* if we are acking beyong what we have seen in the other direction
406 * we must have lost packets. Not much point in keeping the segments
407 * in the other direction either.
409 if( GT_SEQ(ack, ual2->nextseq )){
410 struct tcp_acked *ta;
412 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
413 ta->flags|=TCP_A_ACK_LOST_PACKET;
414 for(ual=ual2;ual2;ual2=ual){
416 g_mem_chunk_free(tcp_unacked_chunk, ual2);
422 /* does this ACK ack all semgents we have seen in the other direction?*/
423 if( EQ_SEQ(ack, ual2->nextseq )){
424 struct tcp_acked *ta;
426 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
427 ta->frame_acked=ual2->frame;
428 ta->ts.secs=pinfo->fd->abs_secs-ual2->ts.secs;
429 ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ual2->ts.nsecs;
431 ta->ts.nsecs+=1000000000;
435 /* its all been ACKed so we dont need to keep them anymore */
436 for(ual=ual2;ual2;ual2=ual){
438 g_mem_chunk_free(tcp_unacked_chunk, ual2);
443 /* ok it only ACKs part of what we have seen. Find out how much
444 * update and remove the ACKed segments
446 for(ual=ual2;ual->next;ual=ual->next){
447 if( GE_SEQ(ack, ual->next->nextseq)){
452 struct tcp_unacked *tmpual=NULL;
453 struct tcp_unacked *ackedual=NULL;
454 struct tcp_acked *ta;
459 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
460 ta->frame_acked=ackedual->frame;
461 ta->ts.secs=pinfo->fd->abs_secs-ackedual->ts.secs;
462 ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ackedual->ts.nsecs;
464 ta->ts.nsecs+=1000000000;
468 /* just delete all ACKed segments */
471 for(ual=tmpual;ual;ual=tmpual){
473 g_mem_chunk_free(tcp_unacked_chunk, ual);
480 /* we might have deleted the entire ual2 list, if this is an ACK,
481 make sure ual2 at least has a dummy entry for the current ACK */
482 if( (!ual2) && (flags&TH_ACK) ){
483 ual2=g_mem_chunk_alloc(tcp_unacked_chunk);
493 /* store the lists back in our struct */
496 * XXX - if direction == 0, that'll be true for packets
497 * from both sides of the connection, so this won't
500 * That'd be a connection from a given port on a machine
501 * to that same port on the same machine; does that ever
506 tcpd->base_seq1=base_seq;
510 tcpd->base_seq2=base_seq;
513 if(tcp_relative_seq){
514 struct tcp_rel_seq *trs;
515 /* remember relative seq/ack number base for this packet */
516 trs=g_mem_chunk_alloc(tcp_rel_seq_chunk);
517 trs->seq_base=base_seq;
518 trs->ack_base=base_ack;
519 g_hash_table_insert(tcp_rel_seq_table, (void *)pinfo->fd->num, trs);
524 tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree)
526 struct tcp_acked *ta;
530 ta=tcp_analyze_get_acked_struct(pinfo->fd->num, FALSE);
535 item=proto_tree_add_text(parent_tree, tvb, 0, 0, "SEQ/ACK analysis");
536 tree=proto_item_add_subtree(item, ett_tcp_analysis);
538 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
539 data we actually have */
541 proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
542 tvb, 0, 0, ta->frame_acked);
544 if( ta->ts.secs || ta->ts.nsecs ){
545 proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
550 proto_item *flags_item=NULL;
551 proto_tree *flags_tree=NULL;
553 flags_item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, -1, FALSE);
554 flags_tree=proto_item_add_subtree(flags_item, ett_tcp_analysis);
555 if( ta->flags&TCP_A_RETRANSMISSION ){
556 proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_retransmission, tvb, 0, 0, TRUE, "This frame is a (suspected) retransmission");
557 if(check_col(pinfo->cinfo, COL_INFO)){
558 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
561 if( ta->flags&TCP_A_LOST_PACKET ){
562 proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_lost_packet, tvb, 0, 0, TRUE, "A segment before this frame was lost");
563 if(check_col(pinfo->cinfo, COL_INFO)){
564 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Previous segment lost] ");
567 if( ta->flags&TCP_A_ACK_LOST_PACKET ){
568 proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_ack_lost_packet, tvb, 0, 0, TRUE, "This frame ACKs a segment we have not seen (lost?)");
569 if(check_col(pinfo->cinfo, COL_INFO)){
570 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ACKed lost segment] ");
573 if( ta->flags&TCP_A_KEEP_ALIVE ){
574 proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_keep_alive, tvb, 0, 0, TRUE, "This is a TCP keep-alive segment");
575 if(check_col(pinfo->cinfo, COL_INFO)){
576 col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
584 /* Do we still need to do this ...remove_all() even though we dont need
585 * to do anything special? The glib docs are not clear on this and
586 * its better safe than sorry
589 free_all_acked(gpointer key_arg _U_, gpointer value _U_, gpointer user_data _U_)
595 tcp_acked_hash(gconstpointer k)
597 guint32 frame = (guint32)k;
602 tcp_acked_equal(gconstpointer k1, gconstpointer k2)
604 guint32 frame1 = (guint32)k1;
605 guint32 frame2 = (guint32)k2;
607 return frame1==frame2;
611 tcp_analyze_seq_init(void)
613 /* first destroy the tables */
614 if( tcp_analyze_acked_table ){
615 g_hash_table_foreach_remove(tcp_analyze_acked_table,
616 free_all_acked, NULL);
617 g_hash_table_destroy(tcp_analyze_acked_table);
618 tcp_analyze_acked_table = NULL;
620 if( tcp_rel_seq_table ){
621 g_hash_table_foreach_remove(tcp_rel_seq_table,
622 free_all_acked, NULL);
623 g_hash_table_destroy(tcp_rel_seq_table);
624 tcp_rel_seq_table = NULL;
628 * Now destroy the chunk from which the conversation table
629 * structures were allocated.
631 if (tcp_analysis_chunk) {
632 g_mem_chunk_destroy(tcp_analysis_chunk);
633 tcp_analysis_chunk = NULL;
635 if (tcp_unacked_chunk) {
636 g_mem_chunk_destroy(tcp_unacked_chunk);
637 tcp_unacked_chunk = NULL;
639 if (tcp_acked_chunk) {
640 g_mem_chunk_destroy(tcp_acked_chunk);
641 tcp_acked_chunk = NULL;
643 if (tcp_rel_seq_chunk) {
644 g_mem_chunk_destroy(tcp_rel_seq_chunk);
645 tcp_rel_seq_chunk = NULL;
649 tcp_analyze_acked_table = g_hash_table_new(tcp_acked_hash,
651 tcp_rel_seq_table = g_hash_table_new(tcp_acked_hash,
653 tcp_analysis_chunk = g_mem_chunk_new("tcp_analysis_chunk",
654 sizeof(struct tcp_analysis),
655 tcp_analysis_count * sizeof(struct tcp_analysis),
657 tcp_unacked_chunk = g_mem_chunk_new("tcp_unacked_chunk",
658 sizeof(struct tcp_unacked),
659 tcp_unacked_count * sizeof(struct tcp_unacked),
661 tcp_acked_chunk = g_mem_chunk_new("tcp_acked_chunk",
662 sizeof(struct tcp_acked),
663 tcp_acked_count * sizeof(struct tcp_acked),
665 if(tcp_relative_seq){
666 tcp_rel_seq_chunk = g_mem_chunk_new("tcp_rel_seq_chunk",
667 sizeof(struct tcp_rel_seq),
668 tcp_rel_seq_count * sizeof(struct tcp_rel_seq),
675 /* **************************************************************************
676 * End of tcp sequence number analysis
677 * **************************************************************************/
682 /* Minimum TCP header length. */
683 #define TCPH_MIN_LEN 20
689 #define TCPOPT_NOP 1 /* Padding */
690 #define TCPOPT_EOL 0 /* End of options */
691 #define TCPOPT_MSS 2 /* Segment size negotiating */
692 #define TCPOPT_WINDOW 3 /* Window scaling */
693 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
694 #define TCPOPT_SACK 5 /* SACK Block */
695 #define TCPOPT_ECHO 6
696 #define TCPOPT_ECHOREPLY 7
697 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
699 #define TCPOPT_CCNEW 12
700 #define TCPOPT_CCECHO 13
701 #define TCPOPT_MD5 19 /* RFC2385 */
707 #define TCPOLEN_MSS 4
708 #define TCPOLEN_WINDOW 3
709 #define TCPOLEN_SACK_PERM 2
710 #define TCPOLEN_SACK_MIN 2
711 #define TCPOLEN_ECHO 6
712 #define TCPOLEN_ECHOREPLY 6
713 #define TCPOLEN_TIMESTAMP 10
715 #define TCPOLEN_CCNEW 6
716 #define TCPOLEN_CCECHO 6
717 #define TCPOLEN_MD5 18
721 /* Desegmentation of TCP streams */
722 /* table to hold defragmented TCP streams */
723 static GHashTable *tcp_fragment_table = NULL;
725 tcp_fragment_init(void)
727 fragment_table_init(&tcp_fragment_table);
730 /* functions to trace tcp segments */
731 /* Enable desegmenting of TCP streams */
732 static gboolean tcp_desegment = FALSE;
734 static GHashTable *tcp_segment_table = NULL;
735 static GMemChunk *tcp_segment_key_chunk = NULL;
736 static int tcp_segment_init_count = 200;
737 static GMemChunk *tcp_segment_address_chunk = NULL;
738 static int tcp_segment_address_init_count = 500;
740 typedef struct _tcp_segment_key {
741 /* for own bookkeeping inside packet-tcp.c */
752 free_all_segments(gpointer key_arg, gpointer value _U_, gpointer user_data _U_)
754 tcp_segment_key *key = key_arg;
756 if((key->src)&&(key->src->data)){
757 g_free((gpointer)key->src->data);
761 if((key->dst)&&(key->dst->data)){
762 g_free((gpointer)key->dst->data);
770 tcp_segment_hash(gconstpointer k)
772 tcp_segment_key *key = (tcp_segment_key *)k;
778 tcp_segment_equal(gconstpointer k1, gconstpointer k2)
780 tcp_segment_key *key1 = (tcp_segment_key *)k1;
781 tcp_segment_key *key2 = (tcp_segment_key *)k2;
783 return ( ( (key1->seq==key2->seq)
784 &&(ADDRESSES_EQUAL(key1->src, key2->src))
785 &&(ADDRESSES_EQUAL(key1->dst, key2->dst))
790 tcp_desegment_init(void)
793 * Free this before freeing any memory chunks; those
794 * chunks contain data we'll look at in "free_all_segments()".
796 if(tcp_segment_table){
797 g_hash_table_foreach_remove(tcp_segment_table,
798 free_all_segments, NULL);
799 g_hash_table_destroy(tcp_segment_table);
800 tcp_segment_table = NULL;
803 if(tcp_segment_key_chunk){
804 g_mem_chunk_destroy(tcp_segment_key_chunk);
805 tcp_segment_key_chunk = NULL;
807 if(tcp_segment_address_chunk){
808 g_mem_chunk_destroy(tcp_segment_address_chunk);
809 tcp_segment_address_chunk = NULL;
812 /* dont allocate any hash table or memory chunks unless the user
813 really uses this option
819 tcp_segment_table = g_hash_table_new(tcp_segment_hash,
822 tcp_segment_key_chunk = g_mem_chunk_new("tcp_segment_key_chunk",
823 sizeof(tcp_segment_key),
824 tcp_segment_init_count*sizeof(tcp_segment_key),
827 tcp_segment_address_chunk = g_mem_chunk_new("tcp_segment_address_chunk",
829 tcp_segment_address_init_count*sizeof(address),
834 desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
835 guint32 seq, guint32 nxtseq,
836 guint32 sport, guint32 dport,
837 proto_tree *tree, proto_tree *tcp_tree)
839 struct tcpinfo *tcpinfo = pinfo->private_data;
840 fragment_data *ipfd_head;
841 tcp_segment_key old_tsk, *tsk;
842 gboolean must_desegment = FALSE;
843 gboolean called_dissector = FALSE;
849 * Initialize these to assume no desegmentation.
850 * If that's not the case, these will be set appropriately
851 * by the subdissector.
853 pinfo->desegment_offset = 0;
854 pinfo->desegment_len = 0;
857 * Initialize this to assume that this segment will just be
858 * added to the middle of a desegmented chunk of data, so
859 * that we should show it all as data.
860 * If that's not the case, it will be set appropriately.
862 deseg_offset = offset;
864 /* First we must check if this TCP segment should be desegmented.
865 This is only to check if we should desegment this packet,
866 so we dont spend time doing COPY_ADDRESS/g_free.
867 We just "borrow" some address structures from pinfo instead. Cheaper.
869 old_tsk.src = &pinfo->src;
870 old_tsk.dst = &pinfo->dst;
872 tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
875 /* OK, this segment was found, which means it continues
876 a higher-level PDU. This means we must desegment it.
877 Add it to the defragmentation lists.
879 ipfd_head = fragment_add(tvb, offset, pinfo, tsk->start_seq,
881 seq - tsk->start_seq,
883 (nxtseq < (tsk->start_seq + tsk->tot_len)) );
886 /* fragment_add() returned NULL, This means that
887 desegmentation is not completed yet.
888 (its like defragmentation but we know we will
889 always add the segments in order).
890 XXX - no, we don't; there is no guarantee that
891 TCP segments are in order on the wire.
893 we must add next segment to our table so we will
896 tcp_segment_key *new_tsk;
898 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
899 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
901 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
904 /* This segment was not found in our table, so it doesn't
905 contain a continuation of a higher-level PDU.
906 Call the normal subdissector.
908 decode_tcp_ports(tvb, offset, pinfo, tree,
910 called_dissector = TRUE;
912 /* Did the subdissector ask us to desegment some more data
913 before it could handle the packet?
914 If so we have to create some structures in our table but
915 this is something we only do the first time we see this
918 if(pinfo->desegment_len) {
919 if (!pinfo->fd->flags.visited)
920 must_desegment = TRUE;
923 * Set "deseg_offset" to the offset in "tvb"
924 * of the first byte of data that the
925 * subdissector didn't process.
927 deseg_offset = offset + pinfo->desegment_offset;
930 /* Either no desegmentation is necessary, or this is
931 segment contains the beginning but not the end of
932 a higher-level PDU and thus isn't completely
938 /* is it completely desegmented? */
941 proto_tree *st = NULL;
942 proto_item *si = NULL;
945 * Yes, we think it is.
946 * We only call subdissector for the last segment.
947 * Note that the last segment may include more than what
950 if(nxtseq >= (tsk->start_seq + tsk->tot_len)){
952 * OK, this is the last segment.
953 * Let's call the subdissector with the desegmented
959 /* create a new TVB structure for desegmented data */
960 next_tvb = tvb_new_real_data(ipfd_head->data,
961 ipfd_head->datalen, ipfd_head->datalen);
963 /* add this tvb as a child to the original one */
964 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
966 /* add desegmented data to the data source list */
967 add_new_data_source(pinfo, next_tvb, "Desegmented");
970 * Supply the sequence number of the first of the
973 tcpinfo->seq = tsk->start_seq;
975 /* indicate that this is reassembled data */
976 tcpinfo->is_reassembled = TRUE;
978 /* call subdissector */
979 decode_tcp_ports(next_tvb, 0, pinfo, tree,
981 called_dissector = TRUE;
984 * OK, did the subdissector think it was completely
985 * desegmented, or does it think we need even more
988 old_len=(int)(tvb_reported_length(next_tvb)-tvb_reported_length_remaining(tvb, offset));
989 if(pinfo->desegment_len &&
990 pinfo->desegment_offset<=old_len){
991 tcp_segment_key *new_tsk;
994 * "desegment_len" isn't 0, so it needs more
995 * data for something - and "desegment_offset"
996 * is before "old_len", so it needs more data
997 * to dissect the stuff we thought was
998 * completely desegmented (as opposed to the
999 * stuff at the beginning being completely
1000 * desegmented, but the stuff at the end
1001 * being a new higher-level PDU that also
1002 * needs desegmentation).
1004 fragment_set_partial_reassembly(pinfo,tsk->start_seq,tcp_fragment_table);
1005 tsk->tot_len = tvb_reported_length(next_tvb) + pinfo->desegment_len;
1008 * Update tsk structure.
1009 * Can ask ->next->next because at least there's a hdr and one
1010 * entry in fragment_add()
1012 for(ipfd=ipfd_head->next; ipfd->next; ipfd=ipfd->next){
1013 old_tsk.seq = tsk->start_seq + ipfd->offset;
1014 new_tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
1015 new_tsk->tot_len = tsk->tot_len;
1018 /* this is the next segment in the sequence we want */
1019 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1020 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
1021 new_tsk->seq = nxtseq;
1022 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
1025 * Show the stuff in this TCP segment as
1026 * just raw TCP segment data.
1029 tvb_reported_length_remaining(tvb, offset);
1030 proto_tree_add_text(tcp_tree, tvb, offset, -1,
1031 "TCP segment data (%u byte%s)", nbytes,
1032 plurality(nbytes, "", "s"));
1035 * The subdissector thought it was completely
1036 * desegmented (although the stuff at the
1037 * end may, in turn, require desegmentation),
1038 * so we show a tree with all segments.
1040 si = proto_tree_add_text(tcp_tree, next_tvb,
1042 st = proto_item_add_subtree(si, ett_tcp_segments);
1043 for(ipfd=ipfd_head->next; ipfd; ipfd=ipfd->next){
1044 proto_tree_add_text(st, next_tvb,
1045 ipfd->offset, ipfd->len,
1046 "Frame:%u seq#:%u-%u [%u-%u]",
1048 tsk->start_seq + ipfd->offset,
1049 tsk->start_seq + ipfd->offset + ipfd->len-1,
1051 ipfd->offset + ipfd->len - 1);
1054 /* Did the subdissector ask us to desegment
1055 some more data? This means that the data
1056 at the beginning of this segment completed
1057 a higher-level PDU, but the data at the
1058 end of this segment started a higher-level
1059 PDU but didn't complete it.
1061 If so, we have to create some structures
1062 in our table, but this is something we
1063 only do the first time we see this packet.
1065 if(pinfo->desegment_len) {
1066 if (!pinfo->fd->flags.visited)
1067 must_desegment = TRUE;
1069 /* The stuff we couldn't dissect
1070 must have come from this segment,
1071 so it's all in "tvb".
1073 "pinfo->desegment_offset" is
1074 relative to the beginning of
1075 "next_tvb"; we want an offset
1076 relative to the beginning of "tvb".
1078 First, compute the offset relative
1079 to the *end* of "next_tvb" - i.e.,
1080 the number of bytes before the end
1081 of "next_tvb" at which the
1082 subdissector stopped. That's the
1083 length of "next_tvb" minus the
1084 offset, relative to the beginning
1085 of "next_tvb, at which the
1086 subdissector stopped.
1089 ipfd_head->datalen - pinfo->desegment_offset;
1091 /* "tvb" and "next_tvb" end at the
1092 same byte of data, so the offset
1093 relative to the end of "next_tvb"
1094 of the byte at which we stopped
1095 is also the offset relative to
1096 the end of "tvb" of the byte at
1099 Convert that back into an offset
1100 relative to the beginninng of
1101 "tvb", by taking the length of
1102 "tvb" and subtracting the offset
1103 relative to the end.
1105 deseg_offset=tvb_reported_length(tvb) - deseg_offset;
1111 if (must_desegment) {
1112 tcp_segment_key *tsk, *new_tsk;
1115 * The sequence number at which the stuff to be desegmented
1116 * starts is the sequence number of the byte at an offset
1117 * of "deseg_offset" into "tvb".
1119 * The sequence number of the byte at an offset of "offset"
1120 * is "seq", i.e. the starting sequence number of this
1121 * segment, so the sequence number of the byte at
1122 * "deseg_offset" is "seq + (deseg_offset - offset)".
1124 deseg_seq = seq + (deseg_offset - offset);
1127 * XXX - how do we detect out-of-order transmissions?
1128 * We can't just check for "nxtseq" being greater than
1129 * "tsk->start_seq"; for now, we check for the difference
1130 * being less than a megabyte, but this is a really
1131 * gross hack - we really need to handle out-of-order
1132 * transmissions correctly.
1134 if ((nxtseq - deseg_seq) <= 1024*1024) {
1135 /* OK, subdissector wants us to desegment
1136 some data before it can process it. Add
1137 what remains of this packet and set
1138 up next packet/sequence number as well.
1140 We must remember this segment
1142 tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1143 tsk->src = g_mem_chunk_alloc(tcp_segment_address_chunk);
1144 COPY_ADDRESS(tsk->src, &pinfo->src);
1145 tsk->dst = g_mem_chunk_alloc(tcp_segment_address_chunk);
1146 COPY_ADDRESS(tsk->dst, &pinfo->dst);
1147 tsk->seq = deseg_seq;
1148 tsk->start_seq = tsk->seq;
1149 tsk->tot_len = nxtseq - tsk->start_seq + pinfo->desegment_len;
1150 tsk->first_frame = pinfo->fd->num;
1151 g_hash_table_insert(tcp_segment_table, tsk, tsk);
1153 /* Add portion of segment unprocessed by the subdissector
1154 to defragmentation lists */
1155 fragment_add(tvb, deseg_offset, pinfo, tsk->start_seq,
1157 tsk->seq - tsk->start_seq,
1158 nxtseq - tsk->start_seq,
1159 (nxtseq < tsk->start_seq + tsk->tot_len));
1161 /* this is the next segment in the sequence we want */
1162 new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
1163 memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
1164 new_tsk->seq = nxtseq;
1165 g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
1169 if (!called_dissector || pinfo->desegment_len != 0) {
1171 * Either we didn't call the subdissector at all (i.e.,
1172 * this is a segment that contains the middle of a
1173 * higher-level PDU, but contains neither the beginning
1174 * nor the end), or the subdissector couldn't dissect it
1175 * all, as some data was missing (i.e., it set
1176 * "pinfo->desegment_len" to the amount of additional
1179 if (pinfo->desegment_offset == 0) {
1181 * It couldn't, in fact, dissect any of it (the
1182 * first byte it couldn't dissect is at an offset
1183 * of "pinfo->desegment_offset" from the beginning
1184 * of the payload, and that's 0).
1185 * Just mark this as TCP.
1187 if (check_col(pinfo->cinfo, COL_PROTOCOL)){
1188 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
1190 if (check_col(pinfo->cinfo, COL_INFO)){
1191 col_set_str(pinfo->cinfo, COL_INFO, "[Desegmented TCP]");
1196 * Show what's left in the packet as just raw TCP segment
1198 * XXX - remember what protocol the last subdissector
1199 * was, and report it as a continuation of that, instead?
1201 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
1202 proto_tree_add_text(tcp_tree, tvb, deseg_offset, -1,
1203 "TCP segment data (%u byte%s)", nbytes,
1204 plurality(nbytes, "", "s"));
1206 pinfo->can_desegment=0;
1207 pinfo->desegment_offset = 0;
1208 pinfo->desegment_len = 0;
1212 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
1213 * consists of a fixed-length chunk of data that contains enough information
1214 * to determine the length of the PDU, followed by rest of the PDU.
1216 * The first three arguments are the arguments passed to the dissector
1217 * that calls this routine.
1219 * "proto_desegment" is the dissector's flag controlling whether it should
1220 * desegment PDUs that cross TCP segment boundaries.
1222 * "fixed_len" is the length of the fixed-length part of the PDU.
1224 * "get_pdu_len()" is a routine called to get the length of the PDU from
1225 * the fixed-length part of the PDU; it's passed "tvb" and "offset".
1227 * "dissect_pdu()" is the routine to dissect a PDU.
1230 tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1231 gboolean proto_desegment, guint fixed_len,
1232 guint (*get_pdu_len)(tvbuff_t *, int),
1233 void (*dissect_pdu)(tvbuff_t *, packet_info *, proto_tree *))
1235 volatile int offset = 0;
1236 guint length_remaining;
1241 while (tvb_reported_length_remaining(tvb, offset) != 0) {
1243 * We use "tvb_ensure_length_remaining()" to make sure there actually
1244 * *is* data remaining. The protocol we're handling could conceivably
1245 * consists of a sequence of fixed-length PDUs, and therefore the
1246 * "get_pdu_len" routine might not actually fetch anything from
1247 * the tvbuff, and thus might not cause an exception to be thrown if
1248 * we've run past the end of the tvbuff.
1250 * This means we're guaranteed that "length_remaining" is positive.
1252 length_remaining = tvb_ensure_length_remaining(tvb, offset);
1255 * Can we do reassembly?
1257 if (proto_desegment && pinfo->can_desegment) {
1259 * Yes - is the fixed-length part of the PDU split across segment
1262 if (length_remaining < fixed_len) {
1264 * Yes. Tell the TCP dissector where the data for this message
1265 * starts in the data it handed us, and how many more bytes we
1268 pinfo->desegment_offset = offset;
1269 pinfo->desegment_len = fixed_len - length_remaining;
1275 * Get the length of the PDU.
1277 plen = (*get_pdu_len)(tvb, offset);
1280 * Can we do reassembly?
1282 if (proto_desegment && pinfo->can_desegment) {
1284 * Yes - is the PDU split across segment boundaries?
1286 if (length_remaining < plen) {
1288 * Yes. Tell the TCP dissector where the data for this message
1289 * starts in the data it handed us, and how many more bytes we
1292 pinfo->desegment_offset = offset;
1293 pinfo->desegment_len = plen - length_remaining;
1299 * Construct a tvbuff containing the amount of the payload we have
1300 * available. Make its reported length the amount of data in the PDU.
1302 * XXX - if reassembly isn't enabled. the subdissector will throw a
1303 * BoundsError exception, rather than a ReportedBoundsError exception.
1304 * We really want a tvbuff where the length is "length", the reported
1305 * length is "plen", and the "if the snapshot length were infinite"
1306 * length is the minimum of the reported length of the tvbuff handed
1307 * to us and "plen", with a new type of exception thrown if the offset
1308 * is within the reported length but beyond that third length, with
1309 * that exception getting the "Unreassembled Packet" error.
1311 if (plen < fixed_len) {
1313 * The PDU length from the fixed-length portion probably didn't
1314 * include the fixed-length portion's length, and was probably so
1315 * large that the total length overflowed.
1317 * Report this as an error.
1319 show_reported_bounds_error(tvb, pinfo, tree);
1322 length = length_remaining;
1325 next_tvb = tvb_new_subset(tvb, offset, length, plen);
1330 * Catch the ReportedBoundsError exception; if this particular message
1331 * happens to get a ReportedBoundsError exception, that doesn't mean
1332 * that we should stop dissecting PDUs within this frame or chunk of
1335 * If it gets a BoundsError, we can stop, as there's nothing more to
1336 * see, so we just re-throw it.
1339 (*dissect_pdu)(next_tvb, pinfo, tree);
1341 CATCH(BoundsError) {
1344 CATCH(ReportedBoundsError) {
1345 show_reported_bounds_error(tvb, pinfo, tree);
1350 * Step to the next PDU.
1357 tcp_info_append_uint(packet_info *pinfo, const char *abbrev, guint32 val)
1359 if (check_col(pinfo->cinfo, COL_INFO))
1360 col_append_fstr(pinfo->cinfo, COL_INFO, " %s=%u", abbrev, val);
1364 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
1365 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1369 mss = tvb_get_ntohs(tvb, offset + 2);
1370 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1371 "%s: %u bytes", optp->name, mss);
1372 tcp_info_append_uint(pinfo, "MSS", mss);
1376 dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
1377 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1381 ws = tvb_get_guint8(tvb, offset + 2);
1382 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1383 "%s: %u (multiply by %u)", optp->name, ws, 1 << ws);
1384 tcp_info_append_uint(pinfo, "WS", ws);
1388 dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
1389 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1391 proto_tree *field_tree = NULL;
1393 guint leftedge, rightedge;
1395 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
1396 offset += 2; /* skip past type and length */
1397 optlen -= 2; /* subtract size of type and length */
1398 while (optlen > 0) {
1399 if (field_tree == NULL) {
1400 /* Haven't yet made a subtree out of this option. Do so. */
1401 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
1404 proto_tree_add_text(field_tree, tvb, offset, optlen,
1405 "(suboption would go past end of option)");
1408 leftedge = tvb_get_ntohl(tvb, offset);
1411 proto_tree_add_text(field_tree, tvb, offset, optlen,
1412 "(suboption would go past end of option)");
1415 /* XXX - check whether it goes past end of packet */
1416 rightedge = tvb_get_ntohl(tvb, offset + 4);
1418 proto_tree_add_text(field_tree, tvb, offset, 8,
1419 "left edge = %u, right edge = %u", leftedge, rightedge);
1420 tcp_info_append_uint(pinfo, "SLE", leftedge);
1421 tcp_info_append_uint(pinfo, "SRE", rightedge);
1427 dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
1428 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1432 echo = tvb_get_ntohl(tvb, offset + 2);
1433 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1434 "%s: %u", optp->name, echo);
1435 tcp_info_append_uint(pinfo, "ECHO", echo);
1439 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
1440 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1444 tsv = tvb_get_ntohl(tvb, offset + 2);
1445 tser = tvb_get_ntohl(tvb, offset + 6);
1446 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1447 "%s: tsval %u, tsecr %u", optp->name, tsv, tser);
1448 tcp_info_append_uint(pinfo, "TSV", tsv);
1449 tcp_info_append_uint(pinfo, "TSER", tser);
1453 dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
1454 int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
1458 cc = tvb_get_ntohl(tvb, offset + 2);
1459 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1460 "%s: %u", optp->name, cc);
1461 tcp_info_append_uint(pinfo, "CC", cc);
1464 static const ip_tcp_opt tcpopts[] = {
1483 "Maximum segment size",
1487 dissect_tcpopt_maxseg
1495 dissect_tcpopt_wscale
1508 &ett_tcp_option_sack,
1535 dissect_tcpopt_timestamp
1563 "TCP MD5 signature",
1571 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
1573 /* Determine if there is a sub-dissector and call it. This has been */
1574 /* separated into a stand alone routine to other protocol dissectors */
1575 /* can call to it, ie. socks */
1578 decode_tcp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
1579 proto_tree *tree, int src_port, int dst_port)
1582 int low_port, high_port;
1584 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
1586 /* determine if this packet is part of a conversation and call dissector */
1587 /* for the conversation if available */
1589 if (try_conversation_dissector(&pinfo->src, &pinfo->dst, PT_TCP,
1590 src_port, dst_port, next_tvb, pinfo, tree))
1593 /* Do lookups with the subdissector table.
1594 We try the port number with the lower value first, followed by the
1595 port number with the higher value. This means that, for packets
1596 where a dissector is registered for *both* port numbers:
1598 1) we pick the same dissector for traffic going in both directions;
1600 2) we prefer the port number that's more likely to be the right
1601 one (as that prefers well-known ports to reserved ports);
1603 although there is, of course, no guarantee that any such strategy
1604 will always pick the right port number.
1606 XXX - we ignore port numbers of 0, as some dissectors use a port
1607 number of 0 to disable the port. */
1608 if (src_port > dst_port) {
1609 low_port = dst_port;
1610 high_port = src_port;
1612 low_port = src_port;
1613 high_port = dst_port;
1615 if (low_port != 0 &&
1616 dissector_try_port(subdissector_table, low_port, next_tvb, pinfo, tree))
1618 if (high_port != 0 &&
1619 dissector_try_port(subdissector_table, high_port, next_tvb, pinfo, tree))
1622 /* do lookup with the heuristic subdissector table */
1623 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
1626 /* Oh, well, we don't know this; dissect it as data. */
1627 call_dissector(data_handle,next_tvb, pinfo, tree);
1632 dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1638 guint8 th_off_x2; /* combines th_off and th_x2 */
1643 proto_tree *tcp_tree = NULL, *field_tree = NULL;
1644 proto_item *ti = NULL, *tf;
1646 gchar flags[64] = "<None>";
1647 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
1658 guint16 computed_cksum;
1659 guint length_remaining;
1660 gboolean desegment_ok;
1661 struct tcpinfo tcpinfo;
1662 gboolean save_fragmented;
1664 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1665 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
1667 /* Clear out the Info column. */
1668 if (check_col(pinfo->cinfo, COL_INFO))
1669 col_clear(pinfo->cinfo, COL_INFO);
1671 th_sport = tvb_get_ntohs(tvb, offset);
1672 th_dport = tvb_get_ntohs(tvb, offset + 2);
1673 if (check_col(pinfo->cinfo, COL_INFO)) {
1674 col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
1675 get_tcp_port(th_sport), get_tcp_port(th_dport));
1678 if (tcp_summary_in_tree) {
1679 ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
1680 "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
1681 get_tcp_port(th_sport), th_sport,
1682 get_tcp_port(th_dport), th_dport);
1685 ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
1687 tcp_tree = proto_item_add_subtree(ti, ett_tcp);
1688 proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th_sport,
1689 "Source port: %s (%u)", get_tcp_port(th_sport), th_sport);
1690 proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th_dport,
1691 "Destination port: %s (%u)", get_tcp_port(th_dport), th_dport);
1692 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th_sport);
1693 proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th_dport);
1696 /* Set the source and destination port numbers as soon as we get them,
1697 so that they're available to the "Follow TCP Stream" code even if
1698 we throw an exception dissecting the rest of the TCP header. */
1699 pinfo->ptype = PT_TCP;
1700 pinfo->srcport = th_sport;
1701 pinfo->destport = th_dport;
1703 th_seq = tvb_get_ntohl(tvb, offset + 4);
1704 th_ack = tvb_get_ntohl(tvb, offset + 8);
1705 th_off_x2 = tvb_get_guint8(tvb, offset + 12);
1706 th_flags = tvb_get_guint8(tvb, offset + 13);
1707 th_win = tvb_get_ntohs(tvb, offset + 14);
1708 hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
1710 reported_len = tvb_reported_length(tvb);
1711 len = tvb_length(tvb);
1713 /* Compute the length of data in this segment. */
1714 seglen = reported_len - hlen;
1716 if (tree) { /* Add the seglen as an invisible field */
1718 proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, seglen);
1722 /* handle TCP seq# analysis parse all new segments we see */
1723 if(tcp_analyze_seq){
1724 if(!(pinfo->fd->flags.visited)){
1725 tcp_analyze_sequence_number(pinfo, th_seq, th_ack, seglen, th_flags);
1727 if(tcp_relative_seq){
1728 tcp_get_relative_seq_ack(pinfo->fd->num, &th_seq, &th_ack);
1733 /* Compute the sequence number of next octet after this segment. */
1734 nxtseq = th_seq + seglen;
1736 if (check_col(pinfo->cinfo, COL_INFO) || tree) {
1737 for (i = 0; i < 8; i++) {
1739 if (th_flags & bpos) {
1741 strcpy(&flags[fpos], ", ");
1744 strcpy(&flags[fpos], fstr[i]);
1751 if (check_col(pinfo->cinfo, COL_INFO)) {
1752 col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u Ack=%u Win=%u",
1753 flags, th_seq, th_ack, th_win);
1757 if (tcp_summary_in_tree)
1758 proto_item_append_text(ti, ", Seq: %u", th_seq);
1759 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th_seq);
1762 if (hlen < TCPH_MIN_LEN) {
1763 /* Give up at this point; we put the source and destination port in
1764 the tree, before fetching the header length, so that they'll
1765 show up if this is in the failing packet in an ICMP error packet,
1766 but it's now time to give up if the header length is bogus. */
1767 if (check_col(pinfo->cinfo, COL_INFO))
1768 col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
1769 hlen, TCPH_MIN_LEN);
1771 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
1772 "Header length: %u bytes (bogus, must be at least %u)", hlen,
1779 if (tcp_summary_in_tree)
1780 proto_item_append_text(ti, ", Ack: %u, Len: %u", th_ack, seglen);
1781 proto_item_set_len(ti, hlen);
1782 if (nxtseq != th_seq)
1783 proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
1784 if (th_flags & TH_ACK)
1785 proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th_ack);
1786 proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
1787 "Header length: %u bytes", hlen);
1788 tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
1789 th_flags, "Flags: 0x%04x (%s)", th_flags, flags);
1790 field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
1791 proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th_flags);
1792 proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th_flags);
1793 proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th_flags);
1794 proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th_flags);
1795 proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th_flags);
1796 proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th_flags);
1797 proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th_flags);
1798 proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th_flags);
1799 proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th_win);
1802 /* Supply the sequence number of the first byte. */
1803 tcpinfo.seq = th_seq;
1805 /* Assume we'll pass un-reassembled data to subdissectors. */
1806 tcpinfo.is_reassembled = FALSE;
1808 pinfo->private_data = &tcpinfo;
1811 * Assume, initially, that we can't desegment.
1813 pinfo->can_desegment = 0;
1815 th_sum = tvb_get_ntohs(tvb, offset + 16);
1816 if (!pinfo->fragmented && len >= reported_len) {
1817 /* The packet isn't part of an un-reassembled fragmented datagram
1818 and isn't truncated. This means we have all the data, and thus
1819 can checksum it and, unless it's being returned in an error
1820 packet, are willing to allow subdissectors to request reassembly
1823 if (tcp_check_checksum) {
1824 /* We haven't turned checksum checking off; checksum it. */
1826 /* Set up the fields of the pseudo-header. */
1827 cksum_vec[0].ptr = pinfo->src.data;
1828 cksum_vec[0].len = pinfo->src.len;
1829 cksum_vec[1].ptr = pinfo->dst.data;
1830 cksum_vec[1].len = pinfo->dst.len;
1831 cksum_vec[2].ptr = (const guint8 *)&phdr;
1832 switch (pinfo->src.type) {
1835 phdr[0] = g_htonl((IP_PROTO_TCP<<16) + reported_len);
1836 cksum_vec[2].len = 4;
1840 phdr[0] = g_htonl(reported_len);
1841 phdr[1] = g_htonl(IP_PROTO_TCP);
1842 cksum_vec[2].len = 8;
1846 /* TCP runs only atop IPv4 and IPv6.... */
1847 g_assert_not_reached();
1850 cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
1851 cksum_vec[3].len = reported_len;
1852 computed_cksum = in_cksum(&cksum_vec[0], 4);
1853 if (computed_cksum == 0) {
1854 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1855 offset + 16, 2, th_sum, "Checksum: 0x%04x (correct)", th_sum);
1857 /* Checksum is valid, so we're willing to desegment it. */
1858 desegment_ok = TRUE;
1860 proto_tree_add_boolean_hidden(tcp_tree, hf_tcp_checksum_bad, tvb,
1861 offset + 16, 2, TRUE);
1862 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1863 offset + 16, 2, th_sum,
1864 "Checksum: 0x%04x (incorrect, should be 0x%04x)", th_sum,
1865 in_cksum_shouldbe(th_sum, computed_cksum));
1867 /* Checksum is invalid, so we're not willing to desegment it. */
1868 desegment_ok = FALSE;
1871 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1872 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
1874 /* We didn't check the checksum, and don't care if it's valid,
1875 so we're willing to desegment it. */
1876 desegment_ok = TRUE;
1879 /* We don't have all the packet data, so we can't checksum it... */
1880 proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
1881 offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
1883 /* ...and aren't willing to desegment it. */
1884 desegment_ok = FALSE;
1888 /* We're willing to desegment this. Is desegmentation enabled? */
1889 if (tcp_desegment) {
1890 /* Yes - is this segment being returned in an error packet? */
1891 if (!pinfo->in_error_pkt) {
1892 /* No - indicate that we will desegment.
1893 We do NOT want to desegment segments returned in error
1894 packets, as they're not part of a TCP connection. */
1895 pinfo->can_desegment = 2;
1900 if (th_flags & TH_URG) {
1901 th_urp = tvb_get_ntohs(tvb, offset + 18);
1902 /* Export the urgent pointer, for the benefit of protocols such as
1904 tcpinfo.urgent = TRUE;
1905 tcpinfo.urgent_pointer = th_urp;
1906 if (check_col(pinfo->cinfo, COL_INFO))
1907 col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
1908 if (tcp_tree != NULL)
1909 proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
1911 tcpinfo.urgent = FALSE;
1913 if (check_col(pinfo->cinfo, COL_INFO))
1914 col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", seglen);
1916 /* Decode TCP options, if any. */
1917 if (tree && hlen > TCPH_MIN_LEN) {
1918 /* There's more than just the fixed-length header. Decode the
1920 optlen = hlen - TCPH_MIN_LEN; /* length of options, in bytes */
1921 tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
1922 "Options: (%u bytes)", optlen);
1923 field_tree = proto_item_add_subtree(tf, ett_tcp_options);
1924 dissect_ip_tcp_options(tvb, offset + 20, optlen,
1925 tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo, field_tree);
1928 /* Skip over header + options */
1931 /* Check the packet length to see if there's more data
1932 (it could be an ACK-only packet) */
1933 length_remaining = tvb_length_remaining(tvb, offset);
1935 if( data_out_file ) {
1936 reassemble_tcp( th_seq, /* sequence number */
1937 seglen, /* data length */
1938 tvb_get_ptr(tvb, offset, length_remaining), /* data */
1939 length_remaining, /* captured data length */
1940 ( th_flags & TH_SYN ), /* is syn set? */
1947 if (length_remaining != 0) {
1948 if (th_flags & TH_RST) {
1952 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
1954 * A TCP SHOULD allow a received RST segment to include data.
1957 * It has been suggested that a RST segment could contain
1958 * ASCII text that encoded and explained the cause of the
1959 * RST. No standard has yet been established for such
1962 * so for segments with RST we just display the data as text.
1964 proto_tree_add_text(tcp_tree, tvb, offset, length_remaining,
1966 tvb_format_text(tvb, offset, length_remaining));
1968 /* Can we desegment this segment? */
1969 if (pinfo->can_desegment) {
1971 desegment_tcp(tvb, pinfo, offset, th_seq, nxtseq, th_sport, th_dport, tree, tcp_tree);
1973 /* No - just call the subdissector.
1974 Mark this as fragmented, so if somebody throws an exception,
1975 we don't report it as a malformed frame. */
1976 save_fragmented = pinfo->fragmented;
1977 pinfo->fragmented = TRUE;
1978 decode_tcp_ports(tvb, offset, pinfo, tree, th_sport, th_dport);
1979 pinfo->fragmented = save_fragmented;
1984 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
1985 if(tcp_analyze_seq){
1986 tcp_print_sequence_number_analysis(pinfo, tvb, tcp_tree);
1991 proto_register_tcp(void)
1993 static hf_register_info hf[] = {
1996 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
2000 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
2004 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
2008 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
2012 { "Next sequence number", "tcp.nxtseq", FT_UINT32, BASE_DEC, NULL, 0x0,
2016 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
2020 { "Header Length", "tcp.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
2024 { "Flags", "tcp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
2027 { &hf_tcp_flags_cwr,
2028 { "Congestion Window Reduced (CWR)", "tcp.flags.cwr", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_CWR,
2031 { &hf_tcp_flags_ecn,
2032 { "ECN-Echo", "tcp.flags.ecn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ECN,
2035 { &hf_tcp_flags_urg,
2036 { "Urgent", "tcp.flags.urg", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_URG,
2039 { &hf_tcp_flags_ack,
2040 { "Acknowledgment", "tcp.flags.ack", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_ACK,
2043 { &hf_tcp_flags_push,
2044 { "Push", "tcp.flags.push", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_PUSH,
2047 { &hf_tcp_flags_reset,
2048 { "Reset", "tcp.flags.reset", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_RST,
2051 { &hf_tcp_flags_syn,
2052 { "Syn", "tcp.flags.syn", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_SYN,
2055 { &hf_tcp_flags_fin,
2056 { "Fin", "tcp.flags.fin", FT_BOOLEAN, 8, TFS(&flags_set_truth), TH_FIN,
2059 { &hf_tcp_window_size,
2060 { "Window size", "tcp.window_size", FT_UINT16, BASE_DEC, NULL, 0x0,
2064 { "Checksum", "tcp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
2067 { &hf_tcp_checksum_bad,
2068 { "Bad Checksum", "tcp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2071 { &hf_tcp_analysis_flags,
2072 { "TCP Analysis Flags", "tcp.analysis.flags", FT_NONE, BASE_NONE, NULL, 0x0,
2073 "This frame has some of the TCP analysis flags set", HFILL }},
2075 { &hf_tcp_analysis_retransmission,
2076 { "", "tcp.analysis.retransmission", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2077 "This frame is a suspected TCP retransmission", HFILL }},
2079 { &hf_tcp_analysis_lost_packet,
2080 { "", "tcp.analysis.lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2081 "A segment before this one was lost from the capture", HFILL }},
2083 { &hf_tcp_analysis_ack_lost_packet,
2084 { "", "tcp.analysis.ack_lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2085 "This frame ACKs a lost segment", HFILL }},
2087 { &hf_tcp_analysis_keep_alive,
2088 { "", "tcp.analysis.keep_alive", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2089 "This is a keep-alive segment", HFILL }},
2092 { "TCP Segment Len", "tcp.len", FT_UINT32, BASE_DEC, NULL, 0x0,
2095 { &hf_tcp_analysis_acks_frame,
2096 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_UINT32, BASE_DEC, NULL, 0x0,
2097 "Which previous segment is this an ACK for", HFILL}},
2099 { &hf_tcp_analysis_ack_rtt,
2100 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
2101 "How long time it took to ACK the segment (RTT)", HFILL}},
2103 { &hf_tcp_urgent_pointer,
2104 { "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
2107 static gint *ett[] = {
2111 &ett_tcp_option_sack,
2113 &ett_tcp_analysis_faults,
2116 module_t *tcp_module;
2118 proto_tcp = proto_register_protocol("Transmission Control Protocol",
2120 proto_register_field_array(proto_tcp, hf, array_length(hf));
2121 proto_register_subtree_array(ett, array_length(ett));
2123 /* subdissector code */
2124 subdissector_table = register_dissector_table("tcp.port",
2125 "TCP port", FT_UINT16, BASE_DEC);
2126 register_heur_dissector_list("tcp", &heur_subdissector_list);
2128 /* Register configuration preferences */
2129 tcp_module = prefs_register_protocol(proto_tcp, NULL);
2130 prefs_register_bool_preference(tcp_module, "tcp_summary_in_tree",
2131 "Show TCP summary in protocol tree",
2132 "Whether the TCP summary line should be shown in the protocol tree",
2133 &tcp_summary_in_tree);
2134 prefs_register_bool_preference(tcp_module, "check_checksum",
2135 "Check the validity of the TCP checksum when possible",
2136 "Whether to check the validity of the TCP checksum",
2137 &tcp_check_checksum);
2138 prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
2139 "Allow subdissector to desegment TCP streams",
2140 "Whether subdissector can request TCP streams to be desegmented",
2142 prefs_register_bool_preference(tcp_module, "tcp_analyze_sequence_numbers",
2143 "Analyze TCP sequence numbers",
2144 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
2146 prefs_register_bool_preference(tcp_module, "tcp_relative_sequence_numbers",
2147 "Use relative sequence numbers",
2148 "Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable \"Analyze TCP sequence numbers\".",
2151 register_init_routine(tcp_analyze_seq_init);
2152 register_init_routine(tcp_desegment_init);
2153 register_init_routine(tcp_fragment_init);
2157 proto_reg_handoff_tcp(void)
2159 dissector_handle_t tcp_handle;
2161 tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
2162 dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
2163 data_handle = find_dissector("data");