2 * Routines for TCP packet disassembly
4 * $Id: packet-tcp.c,v 1.36 1999/10/14 05:10:30 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
45 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifndef __PACKET_IP_H__
55 #include "packet-ip.h"
58 extern FILE* data_out_file;
60 static gchar info_str[COL_MAX_LEN];
64 int hf_tcp_srcport = -1;
65 int hf_tcp_dstport = -1;
72 #define TCP_PORT_FTPDATA 20
73 #define TCP_PORT_FTP 21
74 #define TCP_PORT_TELNET 23
75 #define TCP_PORT_SMTP 25
76 #define TCP_PORT_HTTP 80
77 #define TCP_PORT_POP 110
78 #define TCP_PORT_NNTP 119
79 #define TCP_PORT_NTP 123
80 #define TCP_PORT_NBSS 139
81 #define TCP_PORT_PRINTER 515
82 #define TCP_ALT_PORT_HTTP 8080
83 #define TCP_PORT_PPTP 1723
84 #define TCP_PORT_RTSP 554
85 #define TCP_PORT_YHOO 5050
87 /* TCP structs and definitions */
89 typedef struct _e_tcphdr {
94 guint8 th_off_x2; /* combines th_off and th_x2 */
111 #define TCPOPT_NOP 1 /* Padding */
112 #define TCPOPT_EOL 0 /* End of options */
113 #define TCPOPT_MSS 2 /* Segment size negotiating */
114 #define TCPOPT_WINDOW 3 /* Window scaling */
115 #define TCPOPT_SACK_PERM 4 /* SACK Permitted */
116 #define TCPOPT_SACK 5 /* SACK Block */
117 #define TCPOPT_ECHO 6
118 #define TCPOPT_ECHOREPLY 7
119 #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
121 #define TCPOPT_CCNEW 12
122 #define TCPOPT_CCECHO 13
128 #define TCPOLEN_MSS 4
129 #define TCPOLEN_WINDOW 3
130 #define TCPOLEN_SACK_PERM 2
131 #define TCPOLEN_SACK_MIN 2
132 #define TCPOLEN_ECHO 6
133 #define TCPOLEN_ECHOREPLY 6
134 #define TCPOLEN_TIMESTAMP 10
136 #define TCPOLEN_CCNEW 6
137 #define TCPOLEN_CCECHO 6
140 tcp_info_append_uint(const char *abbrev, guint32 val) {
145 add_len = snprintf(&info_str[info_len], COL_MAX_LEN - info_len, " %s=%u",
152 dissect_tcpopt_maxseg(const ip_tcp_opt *optp, const u_char *opd,
153 int offset, guint optlen, proto_tree *opt_tree)
155 proto_tree_add_text(opt_tree, offset, optlen,
156 "%s: %u bytes", optp->name, pntohs(opd));
157 tcp_info_append_uint("MSS", pntohs(opd));
161 dissect_tcpopt_wscale(const ip_tcp_opt *optp, const u_char *opd,
162 int offset, guint optlen, proto_tree *opt_tree)
164 proto_tree_add_text(opt_tree, offset, optlen,
165 "%s: %u bytes", optp->name, *opd);
166 tcp_info_append_uint("WS", *opd);
170 dissect_tcpopt_sack(const ip_tcp_opt *optp, const u_char *opd,
171 int offset, guint optlen, proto_tree *opt_tree)
173 proto_tree *field_tree = NULL;
175 guint leftedge, rightedge;
177 tf = proto_tree_add_text(opt_tree, offset, optlen, "%s:", optp->name);
178 offset += 2; /* skip past type and length */
179 optlen -= 2; /* subtract size of type and length */
181 if (field_tree == NULL) {
182 /* Haven't yet made a subtree out of this option. Do so. */
183 field_tree = proto_item_add_subtree(tf, optp->subtree_index);
186 proto_tree_add_text(field_tree, offset, optlen,
187 "(suboption would go past end of option)");
190 /* XXX - check whether it goes past end of packet */
191 leftedge = pntohl(opd);
195 proto_tree_add_text(field_tree, offset, optlen,
196 "(suboption would go past end of option)");
199 /* XXX - check whether it goes past end of packet */
200 rightedge = pntohl(opd);
203 proto_tree_add_text(field_tree, offset, 8,
204 "left edge = %u, right edge = %u", leftedge, rightedge);
205 tcp_info_append_uint("SLE", leftedge);
206 tcp_info_append_uint("SRE", rightedge);
212 dissect_tcpopt_echo(const ip_tcp_opt *optp, const u_char *opd,
213 int offset, guint optlen, proto_tree *opt_tree)
215 proto_tree_add_text(opt_tree, offset, optlen,
216 "%s: %u", optp->name, pntohl(opd));
217 tcp_info_append_uint("ECHO", pntohl(opd));
221 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, const u_char *opd,
222 int offset, guint optlen, proto_tree *opt_tree)
224 proto_tree_add_text(opt_tree, offset, optlen,
225 "%s: tsval %u, tsecr %u", optp->name, pntohl(opd), pntohl(opd + 4));
226 tcp_info_append_uint("TSV", pntohl(opd));
227 tcp_info_append_uint("TSER", pntohl(opd + 4));
231 dissect_tcpopt_cc(const ip_tcp_opt *optp, const u_char *opd,
232 int offset, guint optlen, proto_tree *opt_tree)
234 proto_tree_add_text(opt_tree, offset, optlen,
235 "%s: %u", optp->name, pntohl(opd));
236 tcp_info_append_uint("CC", pntohl(opd));
239 static const ip_tcp_opt tcpopts[] = {
258 "Maximum segment size",
262 dissect_tcpopt_maxseg
270 dissect_tcpopt_wscale
310 dissect_tcpopt_timestamp
338 #define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
341 dissect_tcp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
343 proto_tree *tcp_tree = NULL, *field_tree = NULL;
345 gchar flags[64] = "<None>";
346 gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"};
351 guint packet_max = pi.len;
353 /* To do: Check for {cap len,pkt len} < struct len */
354 /* Avoids alignment problems on many architectures. */
355 memcpy(&th, &pd[offset], sizeof(e_tcphdr));
356 th.th_sport = ntohs(th.th_sport);
357 th.th_dport = ntohs(th.th_dport);
358 th.th_win = ntohs(th.th_win);
359 th.th_sum = ntohs(th.th_sum);
360 th.th_urp = ntohs(th.th_urp);
361 th.th_seq = ntohl(th.th_seq);
362 th.th_ack = ntohl(th.th_ack);
366 if (check_col(fd, COL_PROTOCOL) || tree) {
367 for (i = 0; i < 6; i++) {
369 if (th.th_flags & bpos) {
371 strcpy(&flags[fpos], ", ");
374 strcpy(&flags[fpos], fstr[i]);
381 hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
383 if (check_col(fd, COL_RES_SRC_PORT))
384 col_add_str(fd, COL_RES_SRC_PORT, get_tcp_port(th.th_sport));
385 if (check_col(fd, COL_UNRES_SRC_PORT))
386 col_add_fstr(fd, COL_UNRES_SRC_PORT, "%u", th.th_sport);
387 if (check_col(fd, COL_RES_DST_PORT))
388 col_add_str(fd, COL_RES_DST_PORT, get_tcp_port(th.th_dport));
389 if (check_col(fd, COL_UNRES_DST_PORT))
390 col_add_fstr(fd, COL_UNRES_DST_PORT, "%u", th.th_dport);
391 if (check_col(fd, COL_PROTOCOL))
392 col_add_str(fd, COL_PROTOCOL, "TCP");
393 if (check_col(fd, COL_INFO)) {
394 /* Copy the data into info_str in case one of the option handling
395 routines needs to append to it. */
396 if (th.th_flags & TH_URG)
397 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u",
398 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
399 th.th_seq, th.th_ack, th.th_win, th.th_urp);
401 info_len = snprintf(info_str, COL_MAX_LEN, "%s > %s [%s] Seq=%u Ack=%u Win=%u",
402 get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
403 th.th_seq, th.th_ack, th.th_win);
404 /* The info column is actually written after the options are decoded */
408 ti = proto_tree_add_item(tree, proto_tcp, offset, hlen, NULL);
409 tcp_tree = proto_item_add_subtree(ti, ETT_TCP);
410 proto_tree_add_item_format(tcp_tree, hf_tcp_srcport, offset, 2, th.th_sport,
411 "Source port: %s (%u)", get_tcp_port(th.th_sport), th.th_sport);
412 proto_tree_add_item_format(tcp_tree, hf_tcp_dstport, offset + 2, 2, th.th_dport,
413 "Destination port: %s (%u)", get_tcp_port(th.th_dport), th.th_dport);
414 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset, 2, th.th_sport);
415 proto_tree_add_item_hidden(tcp_tree, hf_tcp_port, offset + 2, 2, th.th_dport);
416 proto_tree_add_item(tcp_tree, hf_tcp_seq, offset + 4, 4, th.th_seq);
417 if (th.th_flags & TH_ACK)
418 proto_tree_add_item(tcp_tree, hf_tcp_ack, offset + 8, 4, th.th_ack);
419 proto_tree_add_text(tcp_tree, offset + 12, 1, "Header length: %u bytes", hlen);
420 tf = proto_tree_add_text(tcp_tree, offset + 13, 1, "Flags: 0x%x", th.th_flags);
421 field_tree = proto_item_add_subtree(tf, ETT_TCP_FLAGS);
422 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
423 decode_boolean_bitfield(th.th_flags, TH_URG, sizeof (th.th_flags)*8,
424 "Urgent pointer", "No urgent pointer"));
425 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
426 decode_boolean_bitfield(th.th_flags, TH_ACK, sizeof (th.th_flags)*8,
427 "Acknowledgment", "No acknowledgment"));
428 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
429 decode_boolean_bitfield(th.th_flags, TH_PUSH, sizeof (th.th_flags)*8,
431 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
432 decode_boolean_bitfield(th.th_flags, TH_RST, sizeof (th.th_flags)*8,
433 "Reset", "No reset"));
434 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
435 decode_boolean_bitfield(th.th_flags, TH_SYN, sizeof (th.th_flags)*8,
437 proto_tree_add_text(field_tree, offset + 13, 1, "%s",
438 decode_boolean_bitfield(th.th_flags, TH_FIN, sizeof (th.th_flags)*8,
440 proto_tree_add_text(tcp_tree, offset + 14, 2, "Window size: %u", th.th_win);
441 proto_tree_add_text(tcp_tree, offset + 16, 2, "Checksum: 0x%04x", th.th_sum);
442 if (th.th_flags & TH_URG)
443 proto_tree_add_text(tcp_tree, offset + 18, 2, "Urgent pointer: 0x%04x",
447 /* Decode TCP options, if any. */
448 if (tree && hlen > sizeof (e_tcphdr)) {
449 /* There's more than just the fixed-length header. Decode the
451 optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
452 tf = proto_tree_add_text(tcp_tree, offset + 20, optlen,
453 "Options: (%d bytes)", optlen);
454 field_tree = proto_item_add_subtree(tf, ETT_TCP_OPTIONS);
455 dissect_ip_tcp_options(&pd[offset + 20], offset + 20, optlen,
456 tcpopts, N_TCP_OPTS, TCPOPT_EOL, field_tree);
459 if (check_col(fd, COL_INFO))
460 col_add_str(fd, COL_INFO, info_str);
462 /* Skip over header + options */
465 pi.srcport = th.th_sport;
466 pi.destport = th.th_dport;
468 /* Check the packet length to see if there's more data
469 (it could be an ACK-only packet) */
470 if (packet_max > offset) {
471 /* XXX - this should be handled the way UDP handles this, with a table
472 of port numbers to which stuff can be added */
473 #define PORT_IS(port) (th.th_sport == port || th.th_dport == port)
474 if (PORT_IS(TCP_PORT_PRINTER))
475 dissect_lpd(pd, offset, fd, tree);
476 else if (PORT_IS(TCP_PORT_TELNET)) {
477 pi.match_port = TCP_PORT_TELNET;
478 dissect_telnet(pd, offset, fd, tree);
479 } else if (PORT_IS(TCP_PORT_FTPDATA)) {
480 pi.match_port = TCP_PORT_FTPDATA;
481 dissect_ftpdata(pd, offset, fd, tree);
482 } else if (PORT_IS(TCP_PORT_FTP)) {
483 pi.match_port = TCP_PORT_FTP;
484 dissect_ftp(pd, offset, fd, tree);
485 } else if (PORT_IS(TCP_PORT_POP)) {
486 pi.match_port = TCP_PORT_POP;
487 dissect_pop(pd, offset, fd, tree);
488 } else if (PORT_IS(TCP_PORT_NNTP)) {
489 pi.match_port = TCP_PORT_NNTP;
490 dissect_nntp(pd, offset, fd, tree);
491 } else if (PORT_IS(TCP_PORT_NTP)) {
492 pi.match_port = TCP_PORT_NTP;
493 dissect_ntp(pd, offset, fd, tree);
494 } else if (PORT_IS(TCP_PORT_PPTP)) {
495 pi.match_port = TCP_PORT_PPTP;
496 dissect_pptp(pd, offset, fd, tree);
497 } else if (PORT_IS(TCP_PORT_HTTP) || PORT_IS(TCP_ALT_PORT_HTTP)
499 dissect_http(pd, offset, fd, tree);
500 else if (PORT_IS(TCP_PORT_NBSS)) {
501 pi.match_port = TCP_PORT_NBSS;
502 dissect_nbss(pd, offset, fd, tree);
503 } else if (PORT_IS(TCP_PORT_RTSP))
504 dissect_rtsp(pd, offset, fd, tree);
506 /* check existence of high level protocols */
508 if (memcmp(&pd[offset], "GIOP", 4) == 0) {
509 dissect_giop(pd, offset, fd, tree);
511 else if ( PORT_IS(TCP_PORT_YHOO) &&
512 (memcmp(&pd[offset], "YPNS", 4) == 0 ||
513 memcmp(&pd[offset], "YHOO", 4) == 0 )) {
514 dissect_yhoo(pd, offset, fd, tree);
517 dissect_data(pd, offset, fd, tree);
522 if( data_out_file ) {
523 reassemble_tcp( th.th_seq, /* sequence number */
524 ( pi.len - offset ), /* data length */
525 ( pd+offset ), /* data */
526 ( pi.captured_len - offset ), /* captured data length */
527 ( th.th_flags & TH_SYN ), /* is syn set? */
536 proto_register_tcp(void)
538 static hf_register_info hf[] = {
541 { "Source Port", "tcp.srcport", FT_UINT16, BASE_DEC, NULL, 0x0,
545 { "Destination Port", "tcp.dstport", FT_UINT16, BASE_DEC, NULL, 0x0,
549 { "Source or Destination Port", "tcp.port", FT_UINT16, BASE_DEC, NULL, 0x0,
553 { "Sequence number", "tcp.seq", FT_UINT32, BASE_DEC, NULL, 0x0,
557 { "Acknowledgement number", "tcp.ack", FT_UINT32, BASE_DEC, NULL, 0x0,
561 proto_tcp = proto_register_protocol ("Transmission Control Protocol", "tcp");
562 proto_register_field_array(proto_tcp, hf, array_length(hf));