2 * Routines for TDS NetLib dissection
3 * Copyright 2000-2002, Brian Bruns <camber@ais.org>
4 * Copyright 2002, Steve Langasek <vorlon@netexpress.net>
6 * $Id: packet-tds.c,v 1.5 2002/11/17 21:47:41 gerald Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 * The NETLIB protocol is a small blocking protocol designed to allow TDS
29 * to be placed within different transports (TCP, DECNet, IPX/SPX). It
30 * consist of an eight byte header containing a two byte size field, a last
31 * packet indicator, a one byte packet type field, and a 4 byte field used in
32 * RPC communications whose purpose is unknown (it is most likely a conversation
33 * number to multiplex multiple conversations over a single socket).
35 * The TDS protocol consists of a number of protocol data units (PDUs) marked
36 * by a one byte field at the start of the PDU. Some PDUs are fixed length
37 * some are variable length with a two byte size field following the type, and
38 * then there is TDS_ROW_TOKEN in which size is determined by analyzing the
39 * result set returned from the server. This in effect means that we are
40 * hopelessly lost if we haven't seen the result set. Also, TDS 4/5 is byte
41 * order negotiable, which is specified in the login packet. We can attempt to
42 * determine it later on, but not with 100% accuracy.
44 * Some preliminary documentation on the packet format can be found at
45 * http://www.freetds.org/tds.html
47 * Much of this code was originally developed for the FreeTDS project.
48 * http://www.freetds.org
52 * Excerpts from Brian's posting to ethereal-dev:
54 * The TDS Protocol is actually a protocol within a protocol. On the outside
55 * there is netlib which is not so much a encapsulation as a blocking of the
56 * data, typically to 512 or 4096 bytes. Between this are the protocol data
57 * units for TDS. Netlib packets may be split over real packets, multiple
58 * netlib packets may appear in single real packets. TDS PDUs may be split
59 * over netlib packets (and real packets) and most certainly can appear
60 * multiple times within a netlib packet.
62 * Because of this, I abandoned my earlier attempt at making two dissectors,
63 * one for netlib and one for TDS. Counterintuitively, a single dissector
64 * turned out to be simpler than splitting it up.
66 * Here are some of the (hefty) limitations of the current code
68 * . We currently do not handle netlib headers that cross packet boundaries.
69 * This should be an easy fix.
70 * . I probably could have used the packet reassembly stuff, but I started
71 * this at version 0.8.20, so c'est la vie. It wouldn't have covered the
72 * netlib stuff anyway, so no big loss.
73 * . The older two layer version of the code dissected the PDU's, but the new
74 * version does not yet, it only labels the names. I need an elegant way to
75 * deal with dissecting data crossing (netlib and tcp) packet boundries. I
76 * think I have one, but ran out of time to do it.
77 * . It will only work on little endian platforms. Or rather I should say,
78 * the client that was captured must be little endian. TDS 7.0/8.0 is
79 * always LE; for TDS 4.2/5.0 look in the code for tvb_get_le*() functions,
80 * there are fields in the login packet which determine byte order.
81 * . result sets that span netlib packets are not working
82 * . TDS 7 and 4.2 result sets are not working yet
84 * All that said, the code does deal gracefully with different boudary
85 * conditions and what remains are the easier bits, IMHO.
100 #include "epan/packet.h"
101 #include "epan/conversation.h"
103 #include "packet-smb-common.h"
105 #define TDS_QUERY_PKT 0x01
106 #define TDS_LOGIN_PKT 0x02
107 #define TDS_RESP_PKT 0x04
108 #define TDS_CANCEL_PKT 0x06
109 #define TDS_QUERY5_PKT 0x0f
110 #define TDS_LOGIN7_PKT 0x10
112 #define is_valid_tds_type(x) \
113 (x==TDS_QUERY_PKT || \
114 x==TDS_LOGIN_PKT || \
116 x==TDS_QUERY5_PKT || \
117 x==TDS_QUERY5_PKT || \
120 /* The following constants are imported more or less directly from FreeTDS */
122 #define TDS5_DYN_TOKEN 231 /* 0xE7 TDS 5.0 only */
123 #define TDS5_DYNRES_TOKEN 236 /* 0xEC TDS 5.0 only */
124 #define TDS5_DYN3_TOKEN 215 /* 0xD7 TDS 5.0 only */
125 #define TDS_LANG_TOKEN 33 /* 0x21 TDS 5.0 only */
126 #define TDS_CLOSE_TOKEN 113 /* 0x71 TDS 5.0 only? ct_close() */
127 #define TDS_RET_STAT_TOKEN 121 /* 0x79 */
128 #define TDS_124_TOKEN 124 /* 0x7C TDS 4.2 only - TDS_PROCID */
129 #define TDS7_RESULT_TOKEN 129 /* 0x81 TDS 7.0 only */
130 #define TDS_COL_NAME_TOKEN 160 /* 0xA0 TDS 4.2 only */
131 #define TDS_COL_INFO_TOKEN 161 /* 0xA1 TDS 4.2 only - TDS_COLFMT */
132 /*#define TDS_TABNAME 164 */
133 /*#define TDS_COL_INFO 165 */
134 #define TDS_167_TOKEN 167 /* 0xA7 */
135 #define TDS_168_TOKEN 168 /* 0xA8 */
136 #define TDS_ORDER_BY_TOKEN 169 /* 0xA9 TDS_ORDER */
137 #define TDS_ERR_TOKEN 170 /* 0xAA */
138 #define TDS_MSG_TOKEN 171 /* 0xAB */
139 #define TDS_PARAM_TOKEN 172 /* 0xAC RETURNVALUE? */
140 #define TDS_LOGIN_ACK_TOKEN 173 /* 0xAD */
141 #define TDS_174_TOKEN 174 /* 0xAE TDS_CONTROL */
142 #define TDS_ROW_TOKEN 209 /* 0xD1 */
143 #define TDS_CMP_ROW_TOKEN 211 /* 0xD3 */
144 #define TDS_CAP_TOKEN 226 /* 0xE2 */
145 #define TDS_ENV_CHG_TOKEN 227 /* 0xE3 */
146 #define TDS_EED_TOKEN 229 /* 0xE5 */
147 #define TDS_AUTH_TOKEN 237 /* 0xED */
148 #define TDS_RESULT_TOKEN 238 /* 0xEE */
149 #define TDS_DONE_TOKEN 253 /* 0xFD TDS_DONE */
150 #define TDS_DONEPROC_TOKEN 254 /* 0xFE TDS_DONEPROC */
151 #define TDS_DONEINPROC_TOKEN 255 /* 0xFF TDS_DONEINPROC */
153 #define SYBCHAR 47 /* 0x2F */
154 #define SYBVARCHAR 39 /* 0x27 */
155 #define SYBINTN 38 /* 0x26 */
156 #define SYBINT1 48 /* 0x30 */
157 #define SYBINT2 52 /* 0x34 */
158 #define SYBINT4 56 /* 0x38 */
159 #define SYBINT8 127 /* 0x7F */
160 #define SYBFLT8 62 /* 0x3E */
161 #define SYBDATETIME 61 /* 0x3D */
162 #define SYBBIT 50 /* 0x32 */
163 #define SYBTEXT 35 /* 0x23 */
164 #define SYBNTEXT 99 /* 0x63 */
165 #define SYBIMAGE 34 /* 0x22 */
166 #define SYBMONEY4 122 /* 0x7A */
167 #define SYBMONEY 60 /* 0x3C */
168 #define SYBDATETIME4 58 /* 0x3A */
169 #define SYBREAL 59 /* 0x3B */
170 #define SYBBINARY 45 /* 0x2D */
171 #define SYBVOID 31 /* 0x1F */
172 #define SYBVARBINARY 37 /* 0x25 */
173 #define SYBNVARCHAR 103 /* 0x67 */
174 #define SYBBITN 104 /* 0x68 */
175 #define SYBNUMERIC 108 /* 0x6C */
176 #define SYBDECIMAL 106 /* 0x6A */
177 #define SYBFLTN 109 /* 0x6D */
178 #define SYBMONEYN 110 /* 0x6E */
179 #define SYBDATETIMN 111 /* 0x6F */
180 #define XSYBCHAR 167 /* 0xA7 */
181 #define XSYBVARCHAR 175 /* 0xAF */
182 #define XSYBNVARCHAR 231 /* 0xE7 */
183 #define XSYBNCHAR 239 /* 0xEF */
184 #define SYBUNIQUE 0x24
185 #define SYBVARIANT 0x62
187 #define is_fixed_coltype(x) (x==SYBINT1 || \
200 /* Initialize the protocol and registered fields */
201 static int proto_tds = -1;
202 static int hf_netlib_size = -1;
203 static int hf_netlib_type = -1;
204 static int hf_netlib_last = -1;
206 /* Initialize the subtree pointers */
207 static gint ett_netlib = -1;
208 static gint ett_tds = -1;
209 static gint ett_tds_pdu = -1;
210 static gint ett_tds7_login = -1;
211 static gint ett_tds7_hdr = -1;
213 static heur_dissector_list_t netlib_heur_subdissector_list;
215 static dissector_handle_t ntlmssp_handle = NULL;
217 /* These correspond to the netlib packet type field */
218 static const value_string packet_type_names[] = {
219 {TDS_QUERY_PKT, "Query Packet"},
220 {TDS_LOGIN_PKT, "Login Packet"},
221 {TDS_RESP_PKT, "Response Packet"},
222 {TDS_CANCEL_PKT, "Cancel Packet"},
223 {TDS_QUERY5_PKT, "TDS5 Query Packet"},
224 {TDS_LOGIN7_PKT, "TDS7/8 Login Packet"},
228 /* The one byte token at the start of each TDS PDU */
229 static const value_string token_names[] = {
230 {TDS5_DYN_TOKEN, "Dynamic SQL"},
231 {TDS5_DYNRES_TOKEN, "Dynamic Results"},
232 {TDS5_DYN3_TOKEN, "Dynamic (Unknown)"},
233 {TDS_LANG_TOKEN, "Language"},
234 {TDS_CLOSE_TOKEN, "Close Connection"},
235 {TDS_RET_STAT_TOKEN, "Return Status"},
236 {TDS_124_TOKEN, "Proc ID"},
237 {TDS7_RESULT_TOKEN, "Results"},
238 {TDS_COL_NAME_TOKEN, "Column Names"},
239 {TDS_COL_INFO_TOKEN, "Column Info"},
240 {TDS_167_TOKEN, "Unknown (167)"},
241 {TDS_168_TOKEN, "Unknown (168)"},
242 {TDS_ORDER_BY_TOKEN, "Order By"},
243 {TDS_ERR_TOKEN, "Error Message"},
244 {TDS_MSG_TOKEN, "Info Message"},
245 {TDS_PARAM_TOKEN, "Paramater"},
246 {TDS_LOGIN_ACK_TOKEN, "Login Acknowledgement"},
247 {TDS_174_TOKEN, "Unknown (174)"},
248 {TDS_ROW_TOKEN, "Row"},
249 {TDS_CMP_ROW_TOKEN, "Compute Row"},
250 {TDS_CAP_TOKEN, "Capabilities"},
251 {TDS_ENV_CHG_TOKEN, "Environment Change"},
252 {TDS_EED_TOKEN, "Extended Error"},
253 {TDS_AUTH_TOKEN, "Authentication"},
254 {TDS_RESULT_TOKEN, "Results"},
255 {TDS_DONE_TOKEN, "Done"},
256 {TDS_DONEPROC_TOKEN, "Done Proc"},
257 {TDS_DONEINPROC_TOKEN, "Done In Proc"},
261 static const value_string env_chg_names[] = {
266 {5, "Unicode Locale ID"},
267 {6, "Unicode Comparison Style"},
271 static const value_string login_field_names[] = {
285 #define MAX_COLUMNS 256
286 #define REM_BUF_SIZE 4096
289 * this is where we store the column information to be used in decoding the
290 * TDS_ROW_TOKEN PDU's
300 * The first time ethereal decodes a stream it calls each packet in order.
301 * We use this structure to pass data from the dissection of one packet to
302 * the next. After the initial dissection, this structure is largely unused.
305 guint netlib_unread_bytes;
307 struct _tds_col *columns[MAX_COLUMNS];
308 guint tds_bytes_left;
309 guint8 tds_remainder[REM_BUF_SIZE];
313 * Now on the first dissection of a packet copy the global (_conv_data)
314 * to the packet data so that we may retrieve out of order later.
316 struct _packet_data {
317 guint netlib_unread_bytes;
319 struct _tds_col *columns[MAX_COLUMNS];
320 guint tds_bytes_left;
321 guint8 tds_remainder[REM_BUF_SIZE];
325 * and finally a place for netlib packets within tcp packets
327 struct _netlib_data {
331 guint netlib_unread_bytes;
333 struct _tds_col *columns[MAX_COLUMNS];
334 guint tds_bytes_left;
335 guint8 tds_remainder[REM_BUF_SIZE];
338 /* all the standard memory management stuff */
339 #define netlib_win_length (sizeof(struct _conv_data))
340 #define netlib_packet_length (sizeof(struct _packet_data))
341 #define tds_column_length (sizeof(struct _tds_col))
343 #define netlib_win_init_count 4
344 #define netlib_packet_init_count 10
345 #define tds_column_init_count 10
347 static GMemChunk *netlib_window = NULL;
348 static GMemChunk *netlib_pdata = NULL;
349 static GMemChunk *tds_column = NULL;
351 static void netlib_reinit(void);
353 /* support routines */
354 static void dissect_tds_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint offset, guint length)
356 tvbuff_t *ntlmssp_tvb = NULL;
358 ntlmssp_tvb = tvb_new_subset(tvb, offset, length, length);
360 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
361 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
364 static void dissect_tds7_login(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint length)
366 guint offset, i, offset2, len;
368 gboolean is_unicode = TRUE;
371 proto_item *login_hdr;
372 proto_tree *login_tree;
373 proto_item *header_hdr;
374 proto_tree *header_tree;
380 tds7_tvb = tvb_new_subset(tvb, 8, length, length);
383 /* create display subtree for the protocol */
384 login_hdr = proto_tree_add_text(tree, tds7_tvb, 0, length,
385 "TDS7 Login Packet");
386 login_tree = proto_item_add_subtree(login_hdr, ett_tds7_login);
388 header_hdr = proto_tree_add_text(login_tree, tds7_tvb, offset, 50, "Login Packet Header");
389 header_tree = proto_item_add_subtree(header_hdr, ett_tds7_hdr);
390 for (i = 0; i < 9; i++) {
391 offset2 = tvb_get_letohs(tds7_tvb, offset + i*4);
392 len = tvb_get_letohs(tds7_tvb, offset + i*4 + 2);
393 proto_tree_add_text(header_tree, tds7_tvb, offset + i*4, 2,
394 "%s offset: %d",val_to_str(i,login_field_names,"Unknown"),
396 proto_tree_add_text(header_tree, tds7_tvb, offset + i*4 + 2, 2,
397 "%s length: %d",val_to_str(i,login_field_names,"Unknown"),
400 if (is_unicode == TRUE)
402 val = get_unicode_or_ascii_string(tds7_tvb, &offset2,
403 is_unicode, &len, TRUE, TRUE, &bc);
404 proto_tree_add_text(login_tree, tds7_tvb, offset2, len,
405 "%s: %s", val_to_str(i, login_field_names, "Unknown"), val);
409 if (offset2 + len < length) {
410 dissect_tds_ntlmssp(tds7_tvb, pinfo, login_tree, offset2 + len, length - offset2);
414 static int get_size_by_coltype(int servertype)
418 case SYBINT1: return 1; break;
419 case SYBINT2: return 2; break;
420 case SYBINT4: return 4; break;
421 case SYBINT8: return 8; break;
422 case SYBREAL: return 4; break;
423 case SYBFLT8: return 8; break;
424 case SYBDATETIME: return 8; break;
425 case SYBDATETIME4: return 4; break;
426 case SYBBIT: return 1; break;
427 case SYBBITN: return 1; break;
428 case SYBMONEY: return 8; break;
429 case SYBMONEY4: return 4; break;
430 case SYBUNIQUE: return 16; break;
431 default: return -1; break;
434 static int tds_is_fixed_token(int token)
438 case TDS_DONEPROC_TOKEN:
439 case TDS_DONEINPROC_TOKEN:
440 case TDS_RET_STAT_TOKEN:
446 static int tds_get_token_size(int token)
450 case TDS_DONEPROC_TOKEN:
451 case TDS_DONEINPROC_TOKEN:
453 case TDS_RET_STAT_TOKEN:
463 * data_to_string should take column data and turn it into something we can
464 * display on the tree.
466 static char *data_to_string(void *data, guint col_type, guint col_size)
468 static char result[256];
473 /* strncpy(result, (char *)data, col_size); */
474 for (i=0;i<col_size && i<(256-1);i++)
475 if (!isprint(((char *)data)[i])) result[i]='.';
476 else result[i]=((char *)data)[i];
480 sprintf(result, "%d", *(short *)data);
483 sprintf(result, "%d", *(int *)data);
486 sprintf(result, "Unexpected column_type %d", col_type);
493 * This function computes the number of bytes remaining from a PDU started in
494 * the previous netlib packet.
495 * XXX - needs some more PDU types added.
498 get_skip_count(tvbuff_t *tvb, guint offset, struct _netlib_data *nl_data, guint last_byte)
507 /* none leftover? none to skip */
508 if (!nl_data->tds_bytes_left)
511 token = nl_data->tds_remainder[0];
514 buf = nl_data->tds_remainder;
516 for (i = 0; i < nl_data->num_cols; i++) {
517 if (! is_fixed_coltype(nl_data->columns[i]->ctype)) {
518 if (!switched && cur >= nl_data->tds_bytes_left) {
520 cur = cur - nl_data->tds_bytes_left;
521 buf = tvb_get_ptr(tvb, offset, tvb_length(tvb)-offset);
526 csize = get_size_by_coltype(nl_data->columns[i]->ctype);
528 /* printf("2value %d %d %d %s\n", i, cur, csize, data_to_string(&buf[cur], nl_data->columns[i]->ctype, csize)); */
530 if (switched && cur > last_byte - offset)
537 printf("unhandled case for token %d\n",token);
546 * Since rows are special PDUs in that they are not fixed and lack a size field,
547 * the length must be computed using the column information seen in the result
548 * PDU. This function does just that.
551 tds_get_row_size(tvbuff_t *tvb, struct _netlib_data *nl_data, guint offset, guint last_byte)
556 for (i=0;i<nl_data->num_cols;i++) {
557 if (! is_fixed_coltype(nl_data->columns[i]->ctype)) {
558 if (cur>=last_byte) return 0;
559 csize = tvb_get_guint8(tvb,cur);
562 csize = get_size_by_coltype(nl_data->columns[i]->ctype);
566 if (cur>last_byte) return 0;
568 return (cur - offset + 1);
571 * read the results PDU and store the relevent information in the _netlib_data
572 * structure for later use (see tds_get_row_size)
573 * XXX - assumes that result token will be entirely contained within packet
577 read_results_tds5(tvbuff_t *tvb, struct _netlib_data *nl_data, guint offset)
583 len = tvb_get_letohs(tvb, offset+1);
587 * This would be the logical place to check for little/big endianess if we
588 * didn't see the login packet.
590 nl_data->num_cols = tvb_get_letohs(tvb, cur);
591 if (nl_data->num_cols > MAX_COLUMNS) {
592 nl_data->num_cols = 0;
598 for (i = 0; i < nl_data->num_cols; i++) {
599 nl_data->columns[i] = g_mem_chunk_alloc(tds_column);
600 name_len = tvb_get_guint8(tvb,cur);
604 cur ++; /* unknown */
606 nl_data->columns[i]->utype = tvb_get_letohs(tvb, cur);
609 cur += 2; /* unknown */
611 nl_data->columns[i]->ctype = tvb_get_guint8(tvb,cur);
614 if (!is_fixed_coltype(nl_data->columns[i]->ctype)) {
615 nl_data->columns[i]->csize = tvb_get_guint8(tvb,cur);
618 nl_data->columns[i]->csize = get_size_by_coltype(nl_data->columns[i]->ctype);
620 cur ++; /* unknown */
625 * This function copies information about data crossing the netlib packet
626 * boundary from _netlib_data to _conv_data it is called at the end of packet
627 * dissection during the first decoding.
630 store_conv_data(packet_info *pinfo, struct _netlib_data *nl_data)
632 conversation_t *conv;
633 struct _conv_data *conv_data;
635 /* check for an existing conversation */
636 conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
637 pinfo->srcport, pinfo->destport, 0);
639 conv_data = conversation_get_proto_data(conv,proto_tds);
640 /* first packet seen ? */
642 conv_data = g_mem_chunk_alloc(netlib_window);
644 conv_data->netlib_unread_bytes = nl_data->netlib_unread_bytes;
645 conv_data->num_cols = nl_data->num_cols;
646 memcpy(conv_data->columns, nl_data->columns, sizeof(struct _tds_col *) * MAX_COLUMNS);
647 conv_data->tds_bytes_left = nl_data->tds_bytes_left;
648 memcpy(conv_data->tds_remainder, nl_data->tds_remainder, REM_BUF_SIZE);
650 conversation_add_proto_data(conv,proto_tds, conv_data);
653 * This function copies information about data crossing the netlib packet
654 * boundary from _netlib_data to _pkt_data it is called after load_nelib_data
655 * during packet dissection when the packet has not previously been seen.
658 store_pkt_data(packet_info *pinfo, struct _netlib_data *nl_data)
660 struct _packet_data *p_data;
662 p_data = p_get_proto_data(pinfo->fd, proto_tds);
664 /* only store it the first time through */
669 p_data = g_mem_chunk_alloc(netlib_pdata);
672 p_data->netlib_unread_bytes = nl_data->netlib_unread_bytes;
673 p_data->num_cols = nl_data->num_cols;
674 memcpy(p_data->columns, nl_data->columns, sizeof(struct _tds_col *) * MAX_COLUMNS);
675 p_data->tds_bytes_left = nl_data->tds_bytes_left;
676 memcpy(p_data->tds_remainder, nl_data->tds_remainder, REM_BUF_SIZE);
679 p_add_proto_data( pinfo->fd, proto_tds, (void*)p_data);
681 /* load conversation data into packet_data */
683 load_packet_data(packet_info *pinfo, struct _packet_data *pkt_data)
685 conversation_t *conv;
686 struct _conv_data *conv_data;
688 /* check for an existing conversation */
689 conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
690 pinfo->srcport, pinfo->destport, 0);
692 conv_data = conversation_get_proto_data(conv,proto_tds);
693 /* first packet seen ? */
696 memset(pkt_data, 0, sizeof(struct _packet_data));
699 pkt_data->netlib_unread_bytes = conv_data->netlib_unread_bytes;
700 pkt_data->num_cols = conv_data->num_cols;
701 memcpy(pkt_data->columns, conv_data->columns, sizeof(struct _tds_col *) * MAX_COLUMNS);
702 pkt_data->tds_bytes_left = conv_data->tds_bytes_left;
703 memcpy(pkt_data->tds_remainder, conv_data->tds_remainder, REM_BUF_SIZE);
706 /* load packet data into netlib_data */
708 load_netlib_data(packet_info *pinfo, struct _netlib_data *nl_data)
710 struct _packet_data *pkt_data;
712 pkt_data = p_get_proto_data(pinfo->fd, proto_tds);
717 nl_data->netlib_unread_bytes = pkt_data->netlib_unread_bytes;
718 nl_data->num_cols = pkt_data->num_cols;
719 memcpy(nl_data->columns, pkt_data->columns, sizeof(struct _tds_col *) * MAX_COLUMNS);
720 nl_data->tds_bytes_left = pkt_data->tds_bytes_left;
721 memcpy(nl_data->tds_remainder, pkt_data->tds_remainder, REM_BUF_SIZE);
726 * read the eight byte netlib header, write the interesting parts into
727 * netlib_data, and return false if this is illegal (for heuristics)
730 netlib_read_header(tvbuff_t *tvb, guint offset, struct _netlib_data *nl_data)
732 nl_data->packet_type = tvb_get_guint8( tvb, offset);
733 nl_data->packet_last = tvb_get_guint8( tvb, offset+1);
734 nl_data->packet_size = tvb_get_ntohs( tvb, offset+2);
736 /* do validity checks on header fields */
738 if (!is_valid_tds_type(nl_data->packet_type)) {
741 /* Valid values are 0 and 1 */
742 if (nl_data->packet_last > 1) {
745 if (nl_data->packet_size == 0) {
749 if (tvb_length(tvb) != nl_data->packet_size) {
757 * If the packet type from the netlib header is a login packet, then dig into
758 * the packet to see if this is a supported TDS version and verify the otherwise
759 * weak heuristics of the netlib check.
762 netlib_check_login_pkt(tvbuff_t *tvb, guint offset, packet_info *pinfo, struct _netlib_data *nl_data)
764 guint tds_major, bytes_avail;
766 bytes_avail = tvb_length(tvb) - offset;
769 * we have two login packet styles, one for TDS 4.2 and 5.0
771 if (nl_data->packet_type==TDS_LOGIN_PKT) {
772 /* Use major version number to validate TDS 4/5 login
775 /* Login packet is first in stream and should not be fragmented...
776 * if it is we are screwed */
777 if (bytes_avail < 467) return FALSE;
778 tds_major = tvb_get_guint8(tvb, 466);
779 if (tds_major != 4 && tds_major != 5) {
783 * and one added by Microsoft in SQL Server 7
785 } else if (nl_data->packet_type==TDS_LOGIN7_PKT) {
786 if (bytes_avail < 16) return FALSE;
787 tds_major = tvb_get_guint8(tvb, 15);
788 if (tds_major != 0x70 && tds_major != 0x80) {
791 } else if (nl_data->packet_type==TDS_QUERY5_PKT) {
792 if (bytes_avail < 9) return FALSE;
793 /* if this is a TDS 5.0 query check the token */
794 if (tvb_get_guint8(tvb, 8) != TDS_LANG_TOKEN) {
797 /* check if it is MS SQL default port */
798 } else if (pinfo->srcport != 1433 &&
799 pinfo->destport != 1433) {
800 /* otherwise, we can not ensure this is netlib */
801 /* beyond a reasonable doubt. */
809 dissect_tds_env_chg(tvbuff_t *tvb, struct _netlib_data *nl_data _U_, guint offset, guint last_byte _U_, proto_tree *tree)
813 guint old_len, new_len, old_len_offset;
814 const char *new_val = NULL, *old_val = NULL;
815 guint32 string_offset;
817 gboolean is_unicode = FALSE;
819 /* FIXME: if we have to take a negative offset, isn't that
820 defeating the purpose? */
821 packet_len = tvb_get_letohs(tvb, offset - 2);
823 env_type = tvb_get_guint8(tvb, offset);
824 proto_tree_add_text(tree, tvb, offset, 1, "Type: %d (%s)", env_type,
825 val_to_str(env_type, env_chg_names, "Unknown"));
827 new_len = tvb_get_guint8(tvb, offset+1);
828 old_len_offset = offset + new_len + 2;
829 old_len = tvb_get_guint8(tvb, old_len_offset);
831 /* If our lengths don't add up to the packet length, it must be UCS2. */
832 if (old_len + new_len + 3 != packet_len) {
834 old_len_offset = offset + (new_len * 2) + 2;
835 old_len = tvb_get_guint8(tvb, old_len_offset);
838 proto_tree_add_text(tree, tvb, offset + 1, 1, "New Value Length: %d", new_len);
840 if (is_unicode == TRUE) {
843 string_offset = offset + 2;
844 new_val = get_unicode_or_ascii_string(tvb, &string_offset,
845 is_unicode, &new_len,
848 proto_tree_add_text(tree, tvb, string_offset, new_len, "New Value: %s", new_val);
851 proto_tree_add_text(tree, tvb, old_len_offset, 1, "Old Value Length: %d", old_len);
853 if (is_unicode == TRUE) {
856 string_offset = old_len_offset + 1;
857 old_val = get_unicode_or_ascii_string(tvb, &string_offset,
858 is_unicode, &old_len,
861 proto_tree_add_text(tree, tvb, string_offset, old_len, "Old Value: %s", old_val);
867 /* note that dissect_tds is called only for TDS_RESP_PKT netlib packets */
869 dissect_tds(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, struct _netlib_data *nl_data, guint offset)
873 proto_tree *tds_tree;
874 guint last_byte, end_of_pkt;
875 guint pos, token_sz = 0;
878 proto_tree *pdu_tree;
881 * if we have unprocessed bytes from the previous dissection then we deal
884 if (nl_data->netlib_unread_bytes) {
885 end_of_pkt = nl_data->netlib_unread_bytes;
888 * otherwise the end of the packet is where we are now plus the
889 * packet_size minus the 8 header bytes.
891 end_of_pkt = offset + nl_data->packet_size - 8;
895 * the last byte to dissect is the end of the netlib packet or the end of
896 * the tcp packet (tvb buffer) which ever comes first
898 last_byte = tvb_length(tvb) > end_of_pkt ? end_of_pkt : tvb_length(tvb);
900 /* create an item to make a TDS tree out of */
901 tds_hdr = proto_tree_add_text(tree, tvb, offset, last_byte - offset,
903 tds_tree = proto_item_add_subtree(tds_hdr, ett_tds);
905 /* is there the second half of a PDU here ? */
906 if (nl_data->tds_bytes_left > 0) {
907 /* XXX - should be calling dissection here */
908 skip_count = get_skip_count(tvb, offset, nl_data, last_byte);
911 * we started with left overs and the data continues to the end of
912 * this packet. Just add it on, and skip to the next packet
914 if (skip_count == -1) {
915 token = nl_data->tds_remainder[0];
916 token_sz = last_byte - offset;
917 ti = proto_tree_add_text(tds_tree, tvb, offset, token_sz,
918 "Token 0x%02x %s (continued)", token, val_to_str(token, token_names,
919 "Unknown Token Type"));
920 tvb_memcpy( tvb, &nl_data->tds_remainder[nl_data->tds_bytes_left],
922 nl_data->tds_bytes_left += token_sz;
923 nl_data->netlib_unread_bytes = 0;
927 /* show something in the tree for this data */
928 token = nl_data->tds_remainder[0];
929 ti = proto_tree_add_text(tds_tree, tvb, offset, skip_count,
930 "Token 0x%02x %s (continued)", token, val_to_str(token, token_names,
931 "Unknown Token Type"));
932 offset += skip_count;
935 /* Ok, all done with the fragments, start clean */
936 nl_data->tds_bytes_left = 0;
937 nl_data->netlib_unread_bytes = 0;
939 /* until we reach the end of the netlib packet or this buffer, read PDUs */
941 while (pos < last_byte) {
943 token = tvb_get_guint8(tvb, pos);
945 if (tds_is_fixed_token(token)) {
946 token_sz = tds_get_token_size(token) + 1;
947 /* rows are special, they have no size field and aren't fixed length */
948 } else if (token == TDS_ROW_TOKEN) {
950 token_sz = tds_get_row_size(tvb, nl_data, pos + 1, last_byte);
954 * partial row, set size to end of packet and stash
955 * the top half for the next packet dissection
957 token_sz = last_byte - pos;
958 nl_data->tds_bytes_left = token_sz;
959 tvb_memcpy(tvb, nl_data->tds_remainder, pos, token_sz);
963 token_sz = tvb_get_letohs(tvb, pos+1) + 3;
966 ti = proto_tree_add_text(tds_tree, tvb, pos, token_sz,
967 "Token 0x%02x %s", token, val_to_str(token, token_names,
968 "Unknown Token Type"));
969 pdu_tree = proto_item_add_subtree(ti, ett_tds_pdu);
971 /* if it's a variable token do it here instead of replicating this
972 * for each subdissector */
973 if (! tds_is_fixed_token(token) && token != TDS_ROW_TOKEN) {
974 proto_tree_add_text(pdu_tree, tvb, pos+1, 2,
975 "Length: %d", tvb_get_letohs(tvb, pos+1));
979 /* XXX - call subdissector here */
981 /* if it's a result token we need to stash the column info */
982 case TDS_RESULT_TOKEN:
983 read_results_tds5(tvb, nl_data, pos);
985 case TDS_ENV_CHG_TOKEN:
986 dissect_tds_env_chg(tvb, nl_data, pos + 3, last_byte, pdu_tree);
989 dissect_tds_ntlmssp(tvb, pinfo, pdu_tree, pos + 3, last_byte - pos - 3);
993 /* and step to the end of the PDU, rinse, lather, repeat */
1000 dissect_netlib_hdr(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, struct _netlib_data *nl_data, guint offset)
1002 proto_item *netlib_hdr;
1003 proto_tree *netlib_tree;
1004 guint bytes_remaining, bytes_avail;
1006 bytes_remaining = tvb_length(tvb) - offset;
1007 bytes_avail = bytes_remaining > nl_data->packet_size ?
1008 nl_data->packet_size : bytes_remaining;
1011 /* In the interest of speed, if "tree" is NULL, don't do any work not
1012 * necessary to generate protocol tree items. */
1015 /* create display subtree for the protocol */
1016 netlib_hdr = proto_tree_add_text(tree, tvb, offset, bytes_avail,
1019 netlib_tree = proto_item_add_subtree(netlib_hdr, ett_netlib);
1020 proto_tree_add_text(netlib_tree, tvb, offset, 1, "Packet Type: %02x %s",
1021 nl_data->packet_type, val_to_str(nl_data->packet_type,
1022 packet_type_names, "Unknown Packet Type"));
1023 proto_tree_add_uint(netlib_tree, hf_netlib_last, tvb, offset+1, 1,
1024 nl_data->packet_last);
1025 proto_tree_add_uint(netlib_tree, hf_netlib_size, tvb, offset+2, 2,
1026 nl_data->packet_size);
1030 /* Code to actually dissect the packets */
1032 dissect_netlib(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1035 /* Set up structures needed to add the protocol subtree and manage it */
1036 conversation_t *conv;
1037 struct _netlib_data nl_data;
1038 struct _packet_data *p_data;
1040 guint bytes_remaining;
1042 p_data = p_get_proto_data(pinfo->fd, proto_tds);
1044 /* check for an existing conversation */
1045 conv = find_conversation (&pinfo->src, &pinfo->dst, pinfo->ptype,
1046 pinfo->srcport, pinfo->destport, 0);
1049 * we don't know if this is our packet yet, so do nothing if we don't have
1054 /* only copy from conv_data to p_data if we've never seen this before */
1056 p_data = g_mem_chunk_alloc(netlib_pdata);
1057 load_packet_data(pinfo, p_data);
1058 p_add_proto_data( pinfo->fd, proto_tds, (void*)p_data);
1060 offset = p_data->netlib_unread_bytes;
1064 printf("offset = %d\n", offset);
1067 load_netlib_data(pinfo, &nl_data);
1070 * if offset is > 0 then we have undecoded data at the front of the
1071 * packet. Call the TDS dissector on it.
1073 if (nl_data.packet_type == TDS_RESP_PKT && offset > 0) {
1074 dissect_tds(tvb, pinfo, tree, &nl_data, 0);
1077 bytes_remaining = tvb_length(tvb) - offset;
1079 while (bytes_remaining > 0) {
1082 * if packet is less than 8 characters, its not a
1084 * XXX - This is not entirely correct...fix.
1086 if (bytes_remaining < 8) {
1090 /* read header fields and check their validity */
1091 if (!netlib_read_header(tvb, offset, &nl_data))
1094 /* If we don't have a conversation is this a TDS stream? */
1096 if (!netlib_check_login_pkt(tvb, offset, pinfo, &nl_data)) {
1099 /* first packet checks out, create a conversation */
1100 conv = conversation_new (&pinfo->src, &pinfo->dst,
1101 pinfo->ptype, pinfo->srcport, pinfo->destport,
1105 /* dissect the header */
1106 dissect_netlib_hdr(tvb, pinfo, tree, &nl_data, offset);
1108 /* if this is a response packet decode it further */
1109 if (nl_data.packet_type == TDS_RESP_PKT) {
1110 dissect_tds(tvb, pinfo, tree, &nl_data, offset+8);
1111 } else if (nl_data.packet_type == TDS_LOGIN7_PKT) {
1112 dissect_tds7_login(tvb, pinfo, tree, nl_data.packet_size);
1114 /* we don't want to track left overs for non-response packets */
1115 nl_data.tds_bytes_left = 0;
1118 /* now all the checking is done, we are a TDS stream */
1119 offset += nl_data.packet_size;
1121 bytes_remaining = tvb_length(tvb) - offset;
1123 nl_data.netlib_unread_bytes = offset - tvb_length(tvb);
1126 * copy carry over data to the conversation buffer, to retrieve at beginning
1129 store_conv_data(pinfo, &nl_data);
1131 /* Make entries in Protocol column and Info column on summary display */
1132 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1133 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TDS");
1136 /* set the packet description based on its TDS packet type */
1137 if (check_col(pinfo->cinfo, COL_INFO)) {
1138 col_add_fstr(pinfo->cinfo, COL_INFO, "%s",
1139 val_to_str(nl_data.packet_type, packet_type_names,
1140 "Unknown Packet Type: %u"));
1148 /* Register the protocol with Ethereal */
1150 /* this format is required because a script is used to build the C function
1151 that calls all the protocol registration.
1155 proto_register_netlib(void)
1158 /* Setup list of header fields See Section 1.6.1 for details*/
1159 static hf_register_info hf[] = {
1161 { "Size", "netlib.size",
1162 FT_UINT16, BASE_DEC, NULL, 0x0,
1163 "Packet Size", HFILL }
1166 { "Type", "netlib.type",
1167 FT_UINT8, BASE_HEX, NULL, 0x0,
1168 "Packet Type", HFILL }
1171 { "Last Packet", "netlib.last",
1172 FT_UINT8, BASE_DEC, NULL, 0x0,
1173 "Last Packet Indicator", HFILL }
1177 /* Setup protocol subtree array */
1178 static gint *ett[] = {
1186 /* Register the protocol name and description */
1187 proto_tds = proto_register_protocol("Tabular Data Stream",
1190 /* Required function calls to register the header fields and subtrees used */
1191 proto_register_field_array(proto_tds, hf, array_length(hf));
1192 proto_register_subtree_array(ett, array_length(ett));
1193 register_init_routine(&netlib_reinit);
1195 register_heur_dissector_list("netlib", &netlib_heur_subdissector_list);
1198 static void netlib_reinit( void){
1200 /* Do the cleanup work when a new pass through the packet list is */
1201 /* performed. re-initialize the memory chunks. */
1203 /* mostly ripped from packet-wcp.c -- bsb */
1206 g_mem_chunk_destroy(netlib_window);
1208 netlib_window = g_mem_chunk_new("netlib_window", netlib_win_length,
1209 netlib_win_init_count * netlib_win_length,
1213 g_mem_chunk_destroy(netlib_pdata);
1215 netlib_pdata = g_mem_chunk_new("netlib_pdata", netlib_packet_length,
1216 netlib_packet_init_count * netlib_packet_length,
1220 g_mem_chunk_destroy(tds_column);
1222 tds_column = g_mem_chunk_new("tds_column", tds_column_length,
1223 tds_column_init_count * tds_column_length,
1228 /* If this dissector uses sub-dissector registration add a registration routine.
1229 This format is required because a script is used to find these routines and
1230 create the code that calls these routines.
1233 proto_reg_handoff_netlib(void)
1235 /* dissector_add("tcp.port", 1433, dissect_netlib,
1237 heur_dissector_add ("tcp", dissect_netlib, proto_tds);
1239 ntlmssp_handle = find_dissector("ntlmssp");