*
* Guy Harris <guy@alum.mit.edu>
*
- * $Id: packet-http.c,v 1.37 2001/01/22 08:54:06 guy Exp $
+ * Copyright 2002, Tim Potter <tpot@samba.org>
+ * Copyright 1999, Andrew Tridgell <tridge@samba.org>
+ *
+ * $Id: packet-http.c,v 1.55 2002/08/14 23:34:20 tpot Exp $
*
* Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@zing.org>
+ * By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
- *
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- *
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-
#include <string.h>
#include <ctype.h>
#include <glib.h>
-#include "packet.h"
-#include "strutil.h"
+#include <epan/packet.h>
+#include <epan/strutil.h>
#include "packet-http.h"
static int hf_http_request = -1;
static gint ett_http = -1;
+static gint ett_http_ntlmssp = -1;
+
+static dissector_handle_t data_handle;
+static dissector_handle_t http_handle;
#define TCP_PORT_HTTP 80
#define TCP_PORT_PROXY_HTTP 3128
#define TCP_PORT_SSDP 1900
#define UDP_PORT_SSDP 1900
+/*
+ * Some headers that we dissect more deeply - Microsoft's abomination
+ * called NTLMSSP over HTTP.
+ */
+#define NTLMSSP_AUTH "Authorization: NTLM "
+#define NTLMSSP_WWWAUTH "WWW-Authenticate: NTLM "
+
/*
* Protocols implemented atop HTTP.
*/
PROTO_SSDP /* Simple Service Discovery Protocol */
} http_proto_t;
-static int is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type);
+static int is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type);
static dissector_table_t subdissector_table;
+static heur_dissector_list_t heur_subdissector_list;
+
+static dissector_handle_t ntlmssp_handle=NULL;
+
+/* Decode a base64 string in-place - simple and slow algorithm.
+ Return length of result. Taken from rproxy/librsync/base64.c by
+ Andrew Tridgell. */
+
+static size_t base64_decode(char *s)
+{
+ const char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+ int bit_offset, byte_offset, idx, i, n;
+ unsigned char *d = (unsigned char *)s;
+ char *p;
+
+ n=i=0;
+
+ while (*s && (p=strchr(b64, *s))) {
+ idx = (int)(p - b64);
+ byte_offset = (i*6)/8;
+ bit_offset = (i*6)%8;
+ d[byte_offset] &= ~((1<<(8-bit_offset))-1);
+ if (bit_offset < 3) {
+ d[byte_offset] |= (idx << (2-bit_offset));
+ n = byte_offset+1;
+ } else {
+ d[byte_offset] |= (idx >> (bit_offset-2));
+ d[byte_offset+1] = 0;
+ d[byte_offset+1] |= (idx << (8-(bit_offset-2))) & 0xFF;
+ n = byte_offset+2;
+ }
+ s++; i++;
+ }
+
+ return n;
+}
+
+/* Return a tvb that contains the binary representation of a base64
+ string */
+
+static tvbuff_t *
+base64_to_tvb(char *base64)
+{
+ tvbuff_t *tvb;
+ char *data = g_strdup(base64);
+ size_t len;
+
+ len = base64_decode(data);
+ tvb = tvb_new_real_data(data, len, len);
+
+ tvb_set_free_cb(tvb, g_free);
+
+ return tvb;
+}
+
+static void
+dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, char *line)
+{
+ tvbuff_t *ntlmssp_tvb;
+
+ ntlmssp_tvb = base64_to_tvb(line);
+ tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
+ add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
+
+ call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
+}
static void
dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
proto_tree *http_tree = NULL;
proto_item *ti = NULL;
gint offset = 0;
- const u_char *line;
+ const guchar *line;
gint next_offset;
- const u_char *linep, *lineend;
+ const guchar *linep, *lineend;
int linelen;
- u_char c;
+ guchar c;
http_type_t http_type;
int datalen;
break;
}
- if (check_col(pinfo->fd, COL_PROTOCOL))
- col_set_str(pinfo->fd, COL_PROTOCOL, proto_tag);
- if (check_col(pinfo->fd, COL_INFO)) {
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
+ if (check_col(pinfo->cinfo, COL_INFO)) {
/*
* Put the first line from the buffer into the summary
* if it's an HTTP request or reply (but leave out the
* is not longer than what's in the buffer, so the
* "tvb_get_ptr()" call won't throw an exception.
*/
- linelen = tvb_find_line_end(tvb, offset, -1, &next_offset);
+ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
+ FALSE);
line = tvb_get_ptr(tvb, offset, linelen);
http_type = HTTP_OTHERS; /* type not known yet */
if (is_http_request_or_reply(line, linelen, &http_type))
- col_add_str(pinfo->fd, COL_INFO,
+ col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, linelen));
else
- col_set_str(pinfo->fd, COL_INFO, "Continuation");
+ col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
}
if (tree) {
- ti = proto_tree_add_item(tree, proto_http, tvb, offset,
- tvb_length_remaining(tvb, offset), FALSE);
+ ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
+ FALSE);
http_tree = proto_item_add_subtree(ti, ett_http);
}
/*
* Find the end of the line.
*/
- linelen = tvb_find_line_end(tvb, offset, -1, &next_offset);
+ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
+ FALSE);
/*
* Get a buffer that refers to the line.
* Put this line.
*/
if (tree) {
- proto_tree_add_text(http_tree, tvb, offset,
- next_offset - offset, "%s",
- tvb_format_text(tvb, offset, next_offset - offset));
+ proto_tree *hdr_tree;
+ proto_item *hdr_item;
+ char *text;
+
+ text = tvb_format_text(tvb, offset, next_offset - offset);
+
+ hdr_item = proto_tree_add_text(http_tree, tvb, offset,
+ next_offset - offset, "%s", text);
+
+ if (strncmp(text, NTLMSSP_AUTH, strlen(NTLMSSP_AUTH)) == 0) {
+ hdr_tree = proto_item_add_subtree(
+ hdr_item, ett_http_ntlmssp);
+ text += strlen(NTLMSSP_AUTH);
+ dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text);
+ }
+
+ if (strncmp(text, NTLMSSP_WWWAUTH, strlen(NTLMSSP_WWWAUTH)) == 0) {
+ hdr_tree = proto_item_add_subtree(
+ hdr_item, ett_http_ntlmssp);
+ text += strlen(NTLMSSP_WWWAUTH);
+ dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text);
+ }
}
offset = next_offset;
}
*/
if (ti != NULL)
proto_item_set_len(ti, offset);
- } else
- dissect_data(tvb, offset, pinfo, http_tree);
+ } else if(dissector_try_heuristic(heur_subdissector_list,
+ next_tvb,pinfo,tree)){
+ /*
+ * Yes. Fix up the top-level item so that it
+ * doesn't include the stuff for that protocol.
+ */
+ if (ti != NULL)
+ proto_item_set_len(ti, offset);
+ } else {
+ call_dissector(data_handle,
+ tvb_new_subset(tvb, offset, -1, -1), pinfo,
+ http_tree);
+ }
}
}
* anyway.
*/
static int
-is_http_request_or_reply(const u_char *data, int linelen, http_type_t *type)
+is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type)
{
+ int isHttpRequestOrReply = FALSE;
+
/*
* From RFC 2774 - An HTTP Extension Framework
*
* Support the command prefix that identifies the presence of
* a "mandatory" header.
*/
- if (strncmp(data, "M-", 2) == 0) {
+ if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
data += 2;
linelen -= 2;
}
* From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
* SEARCH
*/
- if (linelen >= 4) {
- if (strncmp(data, "GET ", 4) == 0 ||
- strncmp(data, "PUT ", 4) == 0) {
- if (*type == HTTP_OTHERS)
- *type = HTTP_REQUEST;
- return TRUE;
+ if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
+ *type = HTTP_RESPONSE;
+ isHttpRequestOrReply = TRUE; /* response */
+ } else {
+ guchar * ptr = (guchar *)data;
+ int index = 0;
+
+ /* Look for the space following the Method */
+ while (index < linelen) {
+ if (*ptr == ' ')
+ break;
+ else {
+ ptr++;
+ index++;
+ }
}
- }
- if (linelen >= 5) {
- if (strncmp(data, "HEAD ", 5) == 0 ||
- strncmp(data, "POST ", 5) == 0) {
- if (*type == HTTP_OTHERS)
+
+ /* Check the methods that have same length */
+ switch (index) {
+
+ case 3:
+ if (strncmp(data, "GET", index) == 0 ||
+ strncmp(data, "PUT", index) == 0) {
*type = HTTP_REQUEST;
- return TRUE;
- }
- if (strncmp(data, "HTTP/", 5) == 0) {
- if (*type == HTTP_OTHERS)
- *type = HTTP_RESPONSE;
- return TRUE; /* response */
- }
- }
- if (linelen >= 6) {
- if (strncmp(data, "TRACE ", 6) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 4:
+ if (strncmp(data, "COPY", index) == 0 ||
+ strncmp(data, "HEAD", index) == 0 ||
+ strncmp(data, "LOCK", index) == 0 ||
+ strncmp(data, "MOVE", index) == 0 ||
+ strncmp(data, "POLL", index) == 0 ||
+ strncmp(data, "POST", index) == 0) {
*type = HTTP_REQUEST;
- return TRUE;
- }
- }
- if (linelen >= 7) {
- if (strncmp(data, "DELETE ", 7) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 5:
+ if (strncmp(data, "BCOPY", index) == 0 ||
+ strncmp(data, "BMOVE", index) == 0 ||
+ strncmp(data, "MKCOL", index) == 0 ||
+ strncmp(data, "TRACE", index) == 0) {
*type = HTTP_REQUEST;
- return TRUE;
- }
- if (strncmp(data, "NOTIFY ", 7) == 0 ||
- strncmp(data, "SEARCH ", 7) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 6:
+ if (strncmp(data, "DELETE", index) == 0 ||
+ strncmp(data, "SEARCH", index) == 0 ||
+ strncmp(data, "UNLOCK", index) == 0) {
+ *type = HTTP_REQUEST;
+ isHttpRequestOrReply = TRUE;
+ }
+ else if (strncmp(data, "NOTIFY", index) == 0) {
*type = HTTP_NOTIFICATION;
- return TRUE;
- }
- }
- if (linelen >= 8) {
- if (strncmp(data, "OPTIONS ", 8) == 0 ||
- strncmp(data, "CONNECT ", 8) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 7:
+ if (strncmp(data, "BDELETE", index) == 0 ||
+ strncmp(data, "CONNECT", index) == 0 ||
+ strncmp(data, "OPTIONS", index) == 0) {
*type = HTTP_REQUEST;
- return TRUE;
- }
- }
- if (linelen >= 10) {
- if (strncmp(data, "SUBSCRIBE ", 10) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 8:
+ if (strncmp(data, "PROPFIND", index) == 0) {
+ *type = HTTP_REQUEST;
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 9:
+ if (strncmp(data, "SUBSCRIBE", index) == 0) {
*type = HTTP_NOTIFICATION;
- return TRUE;
- }
- }
- if (linelen >= 12) {
- if (strncmp(data, "UNSUBSCRIBE ", 10) == 0) {
- if (*type == HTTP_OTHERS)
+ isHttpRequestOrReply = TRUE;
+ } else if (strncmp(data, "PROPPATCH", index) == 0 ||
+ strncmp(data, "BPROPFIND", index) == 0) {
+ *type = HTTP_REQUEST;
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 10:
+ if (strncmp(data, "BPROPPATCH", index) == 0) {
+ *type = HTTP_REQUEST;
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ case 11:
+ if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
*type = HTTP_NOTIFICATION;
- return TRUE;
+ isHttpRequestOrReply = TRUE;
+ }
+ break;
+
+ default:
+ break;
}
}
- return FALSE;
+
+ return isHttpRequestOrReply;
}
+
void
proto_register_http(void)
{
{ &hf_http_notification,
{ "Notification", "http.notification",
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
- "TRUE if HTTP notification" }},
+ "TRUE if HTTP notification", HFILL }},
{ &hf_http_response,
{ "Response", "http.response",
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
- "TRUE if HTTP response" }},
+ "TRUE if HTTP response", HFILL }},
{ &hf_http_request,
{ "Request", "http.request",
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
- "TRUE if HTTP request" }},
+ "TRUE if HTTP request", HFILL }},
};
static gint *ett[] = {
&ett_http,
+ &ett_http_ntlmssp,
};
proto_http = proto_register_protocol("Hypertext Transfer Protocol",
proto_register_field_array(proto_http, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
+ register_dissector("http", dissect_http, proto_http);
+ http_handle = find_dissector("http");
+
/*
* Dissectors shouldn't register themselves in this table;
* instead, they should call "http_dissector_add()", and
* This only works for protocols such as IPP that run over
* HTTP on a specific non-HTTP port.
*/
- subdissector_table = register_dissector_table("http.port");
+ subdissector_table = register_dissector_table("http.port",
+ "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
+
+ /*
+ * Heuristic dissectors SHOULD register themselves in
+ * this table using the standard heur_dissector_add()
+ * function.
+ */
+
+ register_heur_dissector_list("http",&heur_subdissector_list);
+
}
/*
* Called by dissectors for protocols that run atop HTTP/TCP.
*/
void
-http_dissector_add(guint32 port, dissector_t dissector, int proto)
+http_dissector_add(guint32 port, dissector_handle_t handle)
{
/*
* Register ourselves as the handler for that port number
* over TCP.
*/
- dissector_add("tcp.port", port, dissect_http, proto_http);
+ dissector_add("tcp.port", port, http_handle);
/*
* And register them in *our* table for that port.
*/
- dissector_add("http.port", port, dissector, proto);
+ dissector_add("http.port", port, handle);
}
void
proto_reg_handoff_http(void)
{
- dissector_add("tcp.port", TCP_PORT_HTTP, dissect_http, proto_http);
- dissector_add("tcp.port", TCP_ALT_PORT_HTTP, dissect_http, proto_http);
- dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, dissect_http,
- proto_http);
- dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, dissect_http,
- proto_http);
+ data_handle = find_dissector("data");
+ dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
+ dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
+ dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
+ dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
/*
* XXX - is there anything to dissect in the body of an SSDP
* request or reply? I.e., should there be an SSDP dissector?
*/
- dissector_add("tcp.port", TCP_PORT_SSDP, dissect_http, proto_http);
- dissector_add("udp.port", UDP_PORT_SSDP, dissect_http, proto_http);
+ dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
+ dissector_add("udp.port", UDP_PORT_SSDP, http_handle);
+
+ ntlmssp_handle = find_dissector("ntlmssp");
}