2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.29 1999/07/31 13:55:16 deniel Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
45 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifndef __PACKET_IP_H__
55 #include "packet-ip.h"
58 extern FILE* data_out_file;
59 extern packet_info pi;
61 static gchar info_str[COL_MAX_LEN];
65 int hf_tcp_srcport = -1;
66 int hf_tcp_dstport = -1;
73 #define TCP_PORT_FTPDATA 20
74 #define TCP_PORT_FTP 21
75 #define TCP_PORT_TELNET 23
76 #define TCP_PORT_SMTP 25
77 #define TCP_PORT_HTTP 80
78 #define TCP_PORT_POP 110
79 #define TCP_PORT_NNTP 119
80 #define TCP_PORT_NBSS 139
81 #define TCP_PORT_PRINTER 515
82 #define TCP_ALT_PORT_HTTP 8080
83 #define TCP_PORT_PPTP 1723
84 #define TCP_PORT_RTSP 554
86 /* TCP structs and definitions */
88 typedef struct _e_tcphdr {
93 guint8 th_off_x2; /* combines th_off and th_x2 */
110 #define TCPOPT_NOP 1 /* Padding */
111 #define TCPOPT_EOL 0 /* End of options */
112 #define TCPOPT_MSS 2 /* Segment size negotiating */
113 #define TCPOPT_WINDOW 3 /* Window scaling */
114 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
115 #define TCPOPT_SACK 5 /* SACK Block */
116 #define TCPOPT_ECHO 6
117 #define TCPOPT_ECHOREPLY 7
118 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
120 #define TCPOPT_CCNEW 12
121 #define TCPOPT_CCECHO 13
127 #define TCPOLEN_MSS 4
128 #define TCPOLEN_WINDOW 3
129 #define TCPOLEN_SACK_PERM 2
130 #define TCPOLEN_SACK_MIN 2
131 #define TCPOLEN_ECHO 6
132 #define TCPOLEN_ECHOREPLY 6
133 #define TCPOLEN_TIMESTAMP 10
135 #define TCPOLEN_CCNEW 6
136 #define TCPOLEN_CCECHO 6
139 tcp_info_append_uint(const char *abbrev, guint32 val) {
144 add_len = snprintf(&info_str[info_len], COL_MAX_LEN - info_len, " %s=%u",
151 dissect_tcpopt_maxseg(proto_tree *opt_tree, const char *name, const u_char *opd,
152 int offset, guint optlen)
154 proto_tree_add_text(opt_tree, offset, optlen,
155 "%s: %u bytes", name, pntohs(opd));
156 tcp_info_append_uint("MSS", pntohs(opd));
160 dissect_tcpopt_wscale(proto_tree *opt_tree, const char *name, const u_char *opd,
161 int offset, guint optlen)
163 proto_tree_add_text(opt_tree, offset, optlen,
164 "%s: %u bytes", name, *opd);
165 tcp_info_append_uint("WS", *opd);
169 dissect_tcpopt_sack(proto_tree *opt_tree, const char *name, const u_char *opd,
170 int offset, guint optlen)
172 proto_tree *field_tree = NULL;
174 guint leftedge, rightedge;
176 tf = proto_tree_add_text(opt_tree, offset, optlen, "%s:", name);
177 offset += 2; /* skip past type and length */
178 optlen -= 2; /* subtract size of type and length */
180 if (field_tree == NULL) {
181 /* Haven't yet made a subtree out of this option. Do so. */
182 field_tree = proto_item_add_subtree(tf, ETT_TCP_OPTION_SACK);
185 proto_tree_add_text(field_tree, offset, optlen,
186 "(suboption would go past end of option)");
189 /* XXX - check whether it goes past end of packet */
190 leftedge = pntohl(opd);
194 proto_tree_add_text(field_tree, offset, optlen,
195 "(suboption would go past end of option)");
198 /* XXX - check whether it goes past end of packet */
199 rightedge = pntohl(opd);
202 proto_tree_add_text(field_tree, offset, 8,
203 "left edge = %u, right edge = %u", leftedge, rightedge);
204 tcp_info_append_uint("SLE", leftedge);
205 tcp_info_append_uint("SRE", rightedge);
211 dissect_tcpopt_echo(proto_tree *opt_tree, const char *name, const u_char *opd,
212 int offset, guint optlen)
214 proto_tree_add_text(opt_tree, offset, optlen,
215 "%s: %u", name, pntohl(opd));
216 tcp_info_append_uint("ECHO", pntohl(opd));
220 dissect_tcpopt_timestamp(proto_tree *opt_tree, const char *name,
221 const u_char *opd, int offset, guint optlen)
223 proto_tree_add_text(opt_tree, offset, optlen,
224 "%s: tsval %u, tsecr %u", name, pntohl(opd), pntohl(opd + 4));
225 tcp_info_append_uint("TSV", pntohl(opd));
226 tcp_info_append_uint("TSER", pntohl(opd + 4));
230 dissect_tcpopt_cc(proto_tree *opt_tree, const char *name, const u_char *opd,
231 int offset, guint optlen)
233 proto_tree_add_text(opt_tree, offset, optlen,
234 "%s: %u", name, pntohl(opd));
235 tcp_info_append_uint("CC", pntohl(opd));
238 static ip_tcp_opt tcpopts[] = {
255 "Maximum segment size",
258 dissect_tcpopt_maxseg
265 dissect_tcpopt_wscale
300 dissect_tcpopt_timestamp
325 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
328 dissect_tcp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
330 proto_tree *tcp_tree = NULL, *field_tree = NULL;
332 gchar flags[64] = "<None>";
333 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"};
338 guint packet_max = pi.payload + offset;
341 /* To do: Check for {cap len,pkt len} < struct len */
342 /* Avoids alignment problems on many architectures. */
343 memcpy(&th, &pd[offset], sizeof(e_tcphdr));
344 th.th_sport = ntohs(th.th_sport);
345 th.th_dport = ntohs(th.th_dport);
346 th.th_win = ntohs(th.th_win);
347 th.th_sum = ntohs(th.th_sum);
348 th.th_urp = ntohs(th.th_urp);
349 th.th_seq = ntohl(th.th_seq);
350 th.th_ack = ntohl(th.th_ack);
354 if (check_col(fd, COL_PROTOCOL) || tree) {
355 for (i = 0; i < 6; i++) {
357 if (th.th_flags & bpos) {
359 strcpy(&flags[fpos], ", ");
362 strcpy(&flags[fpos], fstr[i]);
369 hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
371 payload = pi.payload - hlen;
373 if (check_col(fd, COL_RES_SRC_PORT))
374 col_add_str(fd, COL_RES_SRC_PORT, get_tcp_port(th.th_sport));
375 if (check_col(fd, COL_UNRES_SRC_PORT))
376 col_add_fstr(fd, COL_UNRES_SRC_PORT, "%u", th.th_sport);
377 if (check_col(fd, COL_RES_DST_PORT))
378 col_add_str(fd, COL_RES_DST_PORT, get_tcp_port(th.th_dport));
379 if (check_col(fd, COL_UNRES_DST_PORT))
380 col_add_fstr(fd, COL_UNRES_DST_PORT, "%u", th.th_dport);
381 if (check_col(fd, COL_PROTOCOL))
382 col_add_str(fd, COL_PROTOCOL, "TCP");
383 if (check_col(fd, COL_INFO)) {
384 /* Copy the data into info_str in case one of the option handling
385 routines needs to append to it. */
386 if (th.th_flags & TH_URG)
387 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u",
388 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
389 th.th_seq, th.th_ack, th.th_win, th.th_urp);
391 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u",
392 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
393 th.th_seq, th.th_ack, th.th_win);
394 /* The info column is actually written after the options are decoded */
398 ti = proto_tree_add_item(tree, proto_tcp, offset, hlen, NULL);
399 tcp_tree = proto_item_add_subtree(ti, ETT_TCP);
400 proto_tree_add_item_format(tcp_tree, hf_tcp_srcport, offset, 2, th.th_sport,
401 "Source port: %s (%u)", get_tcp_port(th.th_sport), th.th_sport);
402 proto_tree_add_item_format(tcp_tree, hf_tcp_dstport, offset + 2, 2, th.th_dport,
403 "Destination port: %s (%u)", get_tcp_port(th.th_dport), th.th_dport);
404 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset, 2, th.th_sport);
405 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset + 2, 2, th.th_dport);
406 proto_tree_add_item(tcp_tree, hf_tcp_seq, offset + 4, 4, th.th_seq);
407 if (th.th_flags & TH_ACK)
408 proto_tree_add_item(tcp_tree, hf_tcp_ack, offset + 8, 4, th.th_ack);
409 proto_tree_add_text(tcp_tree, offset + 12, 1, "Header length: %u bytes", hlen);
410 tf = proto_tree_add_text(tcp_tree, offset + 13, 1, "Flags: 0x%x", th.th_flags);
411 field_tree = proto_item_add_subtree(tf, ETT_TCP_FLAGS);
412 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
413 decode_boolean_bitfield(th.th_flags, TH_URG, sizeof (th.th_flags)*8,
414 "Urgent pointer", "No urgent pointer"));
415 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
416 decode_boolean_bitfield(th.th_flags, TH_ACK, sizeof (th.th_flags)*8,
417 "Acknowledgment", "No acknowledgment"));
418 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
419 decode_boolean_bitfield(th.th_flags, TH_PUSH, sizeof (th.th_flags)*8,
421 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
422 decode_boolean_bitfield(th.th_flags, TH_RST, sizeof (th.th_flags)*8,
423 "Reset", "No reset"));
424 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
425 decode_boolean_bitfield(th.th_flags, TH_SYN, sizeof (th.th_flags)*8,
427 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
428 decode_boolean_bitfield(th.th_flags, TH_FIN, sizeof (th.th_flags)*8,
430 proto_tree_add_text(tcp_tree, offset + 14, 2, "Window size: %u", th.th_win);
431 proto_tree_add_text(tcp_tree, offset + 16, 2, "Checksum: 0x%04x", th.th_sum);
432 if (th.th_flags & TH_URG)
433 proto_tree_add_text(tcp_tree, offset + 18, 2, "Urgent pointer: 0x%04x",
437 /* Decode TCP options, if any. */
438 if (tree && hlen > sizeof (e_tcphdr)) {
439 /* There's more than just the fixed-length header. Decode the
441 optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
442 tf = proto_tree_add_text(tcp_tree, offset + 20, optlen,
443 "Options: (%d bytes)", optlen);
444 field_tree = proto_item_add_subtree(tf, ETT_TCP_OPTIONS);
445 dissect_ip_tcp_options(field_tree, &pd[offset + 20], offset + 20, optlen,
446 tcpopts, N_TCP_OPTS, TCPOPT_EOL);
449 if (check_col(fd, COL_INFO))
450 col_add_str(fd, COL_INFO, info_str);
452 /* Skip over header + options */
455 pi.srcport = th.th_sport;
456 pi.destport = th.th_dport;
458 /* Check the packet length to see if there's more data
459 (it could be an ACK-only packet) */
460 if (packet_max > offset) {
461 /* XXX - this should be handled the way UDP handles this, with a table
462 of port numbers to which stuff can be added */
463 #define PORT_IS(port) (th.th_sport == port || th.th_dport == port)
464 if (PORT_IS(TCP_PORT_PRINTER))
465 dissect_lpd(pd, offset, fd, tree);
466 else if (PORT_IS(TCP_PORT_TELNET)) {
467 pi.match_port = TCP_PORT_TELNET;
468 dissect_telnet(pd, offset, fd, tree, payload);
469 } else if (PORT_IS(TCP_PORT_FTPDATA)) {
470 pi.match_port = TCP_PORT_FTPDATA;
471 dissect_ftpdata(pd, offset, fd, tree, payload);
472 } else if (PORT_IS(TCP_PORT_FTP)) {
473 pi.match_port = TCP_PORT_FTP;
474 dissect_ftp(pd, offset, fd, tree, payload);
475 } else if (PORT_IS(TCP_PORT_POP)) {
476 pi.match_port = TCP_PORT_POP;
477 dissect_pop(pd, offset, fd, tree, payload);
478 } else if (PORT_IS(TCP_PORT_NNTP)) {
479 pi.match_port = TCP_PORT_NNTP;
480 dissect_nntp(pd, offset, fd, tree, payload);
481 } else if (PORT_IS(TCP_PORT_PPTP)) {
482 pi.match_port = TCP_PORT_PPTP;
483 dissect_pptp(pd, offset, fd, tree);
484 } else if (PORT_IS(TCP_PORT_HTTP) || PORT_IS(TCP_ALT_PORT_HTTP))
485 dissect_http(pd, offset, fd, tree);
486 else if (PORT_IS(TCP_PORT_NBSS)) {
487 pi.match_port = TCP_PORT_NBSS;
488 dissect_nbss(pd, offset, fd, tree, payload);
489 } else if (PORT_IS(TCP_PORT_RTSP))
490 dissect_rtsp(pd, offset, fd, tree);
492 /* check existence of high level protocols */
494 if (memcmp(&pd[offset], "GIOP", 4) == 0) {
495 dissect_giop(pd, offset, fd, tree);
498 dissect_data(pd, offset, fd, tree);
503 if( data_out_file ) {
504 reassemble_tcp( th.th_seq, /* sequence number */
505 ( pi.iplen -( pi.iphdrlen * 4 )-( hi_nibble(th.th_off_x2) * 4 ) ), /* length */
506 ( pd+offset ), /* data */
507 ( fd->cap_len - offset ), /* captured data length */
508 ( th.th_flags & 0x02 ), /* is syn set? */
517 proto_register_tcp(void)
519 static hf_register_info hf[] = {
522 { "Source Port", "tcp.srcport", FT_UINT16, NULL }},
525 { "Destination Port", "tcp.dstport", FT_UINT16, NULL }},
528 { "Source or Destination Port", "tcp.port", FT_UINT16, NULL }},
531 { "Sequence number", "tcp.seq", FT_UINT32, NULL }},
534 { "Acknowledgement number", "tcp.ack", FT_UINT32, NULL }},
537 proto_tcp = proto_register_protocol ("Transmission Control Protocol", "tcp");
538 proto_register_field_array(proto_tcp, hf, array_length(hf));