/* packet-tcp.c
* Routines for TCP packet disassembly
*
- * $Id: packet-tcp.c,v 1.109 2001/09/28 23:34:03 guy Exp $
+ * $Id: packet-tcp.c,v 1.156 2002/08/22 19:47:15 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
# include "config.h"
#endif
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-
-#ifdef HAVE_NETINET_IN_H
-# include <netinet/in.h>
-#endif
-
#include <stdio.h>
#include <string.h>
#include <glib.h>
#include "in_cksum.h"
-#ifdef NEED_SNPRINTF_H
-# include "snprintf.h"
-#endif
-
-#include "resolv.h"
+#include <epan/resolv.h>
#include "ipproto.h"
#include "follow.h"
#include "prefs.h"
#include "packet-tcp.h"
#include "packet-ip.h"
-#include "conversation.h"
-#include "strutil.h"
+#include "packet-frame.h"
+#include <epan/conversation.h>
+#include <epan/strutil.h>
#include "reassemble.h"
/* Place TCP summary in proto tree */
static gboolean tcp_summary_in_tree = TRUE;
-extern FILE* data_out_file;
+/*
+ * Flag to control whether to check the TCP checksum.
+ *
+ * In at least some Solaris network traces, there are packets with bad
+ * TCP checksums, but the traffic appears to indicate that the packets
+ * *were* received; the packets were probably sent by the host on which
+ * the capture was being done, on a network interface to which
+ * checksumming was offloaded, so that DLPI supplied an un-checksummed
+ * packet to the capture program but a checksummed packet got put onto
+ * the wire.
+ */
+static gboolean tcp_check_checksum = TRUE;
-guint16 tcp_urgent_pointer;
+extern FILE* data_out_file;
static int proto_tcp = -1;
static int hf_tcp_srcport = -1;
static int hf_tcp_window_size = -1;
static int hf_tcp_checksum = -1;
static int hf_tcp_checksum_bad = -1;
+static int hf_tcp_len = -1;
static int hf_tcp_urgent_pointer = -1;
+static int hf_tcp_analysis_flags = -1;
+static int hf_tcp_analysis_acks_frame = -1;
+static int hf_tcp_analysis_ack_rtt = -1;
+static int hf_tcp_analysis_retransmission = -1;
+static int hf_tcp_analysis_lost_packet = -1;
+static int hf_tcp_analysis_ack_lost_packet = -1;
+static int hf_tcp_analysis_keep_alive = -1;
static gint ett_tcp = -1;
static gint ett_tcp_flags = -1;
static gint ett_tcp_options = -1;
static gint ett_tcp_option_sack = -1;
static gint ett_tcp_segments = -1;
+static gint ett_tcp_analysis = -1;
+static gint ett_tcp_analysis_faults = -1;
static dissector_table_t subdissector_table;
static heur_dissector_list_t heur_subdissector_list;
-static conv_dissector_list_t conv_subdissector_list;
+static dissector_handle_t data_handle;
/* TCP structs and definitions */
-typedef struct _e_tcphdr {
- guint16 th_sport;
- guint16 th_dport;
- guint32 th_seq;
- guint32 th_ack;
- guint8 th_off_x2; /* combines th_off and th_x2 */
- guint8 th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_URG 0x20
#define TH_ECN 0x40
#define TH_CWR 0x80
- guint16 th_win;
- guint16 th_sum;
- guint16 th_urp;
-} e_tcphdr;
+
+
+
+
+/* **************************************************************************
+ * stuff to analyze TCP sequencenumbers for retransmissions, missing segments,
+ * RTT and reltive sequence numbers.
+ * **************************************************************************/
+static gboolean tcp_analyze_seq = FALSE;
+static gboolean tcp_relative_seq = FALSE;
+
+static GMemChunk *tcp_unacked_chunk = NULL;
+static int tcp_unacked_count = 500; /* one for each packet until it is acked*/
+struct tcp_unacked {
+ struct tcp_unacked *next;
+ guint32 frame;
+ guint32 seq;
+ guint32 nextseq;
+ nstime_t ts;
+};
+
+/* Idea for gt: either x > y, or y is much bigger (assume wrap) */
+#define GT_SEQ(x, y) ((x > y) || ((y - x) > 0x80000000))
+#define LT_SEQ(x, y) ((x < y) || ((x - y) > 0x80000000))
+#define GE_SEQ(x, y) ((x >= y) || ((y - x) > 0x80000000))
+#define LE_SEQ(x, y) ((x <= y) || ((x - y) > 0x80000000))
+#define EQ_SEQ(x, y) (x == y)
+
+static GMemChunk *tcp_acked_chunk = NULL;
+static int tcp_acked_count = 5000; /* one for almost every other segment in the capture */
+#define TCP_A_RETRANSMISSION 0x01
+#define TCP_A_LOST_PACKET 0x02
+#define TCP_A_ACK_LOST_PACKET 0x04
+#define TCP_A_KEEP_ALIVE 0x08
+struct tcp_acked {
+ guint32 frame_acked;
+ nstime_t ts;
+ guint8 flags;
+};
+static GHashTable *tcp_analyze_acked_table = NULL;
+
+static GMemChunk *tcp_rel_seq_chunk = NULL;
+static int tcp_rel_seq_count = 10000; /* one for each segment in the capture */
+struct tcp_rel_seq {
+ guint32 seq_base;
+ guint32 ack_base;
+};
+static GHashTable *tcp_rel_seq_table = NULL;
+
+static GMemChunk *tcp_analysis_chunk = NULL;
+static int tcp_analysis_count = 20; /* one for each conversation */
+struct tcp_analysis {
+ /* These two structs are managed based on comparing the source
+ * and destination addresses and, if they're equal, comparing
+ * the source and destination ports.
+ *
+ * If the source is greater than the destination, then stuff
+ * sent from src is in ual1.
+ *
+ * If the source is less than the destination, then stuff
+ * sent from src is in ual2.
+ *
+ * XXX - if the addresses and ports are equal, we don't guarantee
+ * the behavior.
+ */
+ struct tcp_unacked *ual1; /* UnAcked List 1*/
+ guint32 base_seq1;
+ struct tcp_unacked *ual2; /* UnAcked List 2*/
+ guint32 base_seq2;
+};
+
+static void
+tcp_get_relative_seq_ack(guint32 frame, guint32 *seq, guint32 *ack)
+{
+ struct tcp_rel_seq *trs;
+
+ trs=g_hash_table_lookup(tcp_rel_seq_table, (void *)frame);
+ if(!trs){
+ return;
+ }
+
+ (*seq) -= trs->seq_base;
+ (*ack) -= trs->ack_base;
+}
+
+static struct tcp_acked *
+tcp_analyze_get_acked_struct(guint32 frame, gboolean createflag)
+{
+ struct tcp_acked *ta;
+
+ ta=g_hash_table_lookup(tcp_analyze_acked_table, (void *)frame);
+ if((!ta) && createflag){
+ ta=g_mem_chunk_alloc(tcp_acked_chunk);
+ ta->frame_acked=0;
+ ta->ts.secs=0;
+ ta->ts.nsecs=0;
+ ta->flags=0;
+ g_hash_table_insert(tcp_analyze_acked_table, (void *)frame, ta);
+ }
+ return ta;
+}
+
+static void
+tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags)
+{
+ conversation_t *conv=NULL;
+ struct tcp_analysis *tcpd=NULL;
+ int direction;
+ struct tcp_unacked *ual1=NULL;
+ struct tcp_unacked *ual2=NULL;
+ struct tcp_unacked *ual=NULL;
+ guint32 base_seq;
+ guint32 base_ack;
+
+ /* Have we seen this conversation before? */
+ if( (conv=find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0)) == NULL){
+ /* No this is a new conversation. */
+ conv=conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
+ }
+
+ /* check if we have any data for this conversation */
+ tcpd=conversation_get_proto_data(conv, proto_tcp);
+ if(!tcpd){
+ /* No no such data yet. Allocate and init it */
+ tcpd=g_mem_chunk_alloc(tcp_analysis_chunk);
+ tcpd->ual1=NULL;
+ tcpd->base_seq1=0;
+ tcpd->ual2=NULL;
+ tcpd->base_seq2=0;
+ conversation_add_proto_data(conv, proto_tcp, tcpd);
+ }
+
+ /* check direction and get ua lists */
+ direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
+ if(direction==0)
+ direction=pinfo->srcport - pinfo->destport;
+ if(direction>=0){
+ /*
+ * XXX - if direction == 0, that'll be true for packets
+ * from both sides of the connection, so this won't
+ * work.
+ *
+ * That'd be a connection from a given port on a machine
+ * to that same port on the same machine; does that ever
+ * happen?
+ */
+ ual1=tcpd->ual1;
+ ual2=tcpd->ual2;
+ base_seq=tcpd->base_seq1;
+ base_ack=tcpd->base_seq2;
+ } else {
+ ual1=tcpd->ual2;
+ ual2=tcpd->ual1;
+ base_seq=tcpd->base_seq2;
+ base_ack=tcpd->base_seq1;
+ }
+
+ if(base_seq==0){
+ base_seq=seq;
+ }
+ if(base_ack==0){
+ base_ack=ack;
+ }
+
+ /* handle the sequence numbers */
+ /* if this was a SYN packet, then remove existing list and
+ * put SEQ+1 first the list */
+ if(flags&TH_SYN){
+ for(ual=ual1;ual1;ual1=ual){
+ ual=ual1->next;
+ g_mem_chunk_free(tcp_unacked_chunk, ual1);
+ }
+ ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
+ ual1->next=NULL;
+ ual1->frame=pinfo->fd->num;
+ ual1->seq=seq+1;
+ ual1->nextseq=seq+1;
+ ual1->ts.secs=pinfo->fd->abs_secs;
+ ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
+ base_seq=seq;
+ base_ack=ack;
+ goto seq_finished;
+ }
+
+ /* if this is the first segment we see then just add it */
+ if( !ual1 ){
+ ual1=g_mem_chunk_alloc(tcp_unacked_chunk);
+ ual1->next=NULL;
+ ual1->frame=pinfo->fd->num;
+ ual1->seq=seq;
+ ual1->nextseq=seq+seglen;
+ ual1->ts.secs=pinfo->fd->abs_secs;
+ ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
+ base_seq=seq;
+ goto seq_finished;
+ }
+
+ /* if we get past here we know that ual1 points to a segment */
+
+ /* To handle FIN, just pretend they have a length of 1.
+ else the ACK following the FIN-ACK will look like it was
+ outside the window. */
+ if( (!seglen) && (flags&TH_FIN) ){
+ seglen=1;
+ }
+
+ /* if seq is beyond ual1->nextseq we have lost a segment */
+ if (GT_SEQ(seq, ual1->nextseq)) {
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_LOST_PACKET;
+
+ /* just add the segment to the beginning of the list */
+ ual=g_mem_chunk_alloc(tcp_unacked_chunk);
+ ual->next=ual1;
+ ual->frame=pinfo->fd->num;
+ ual->seq=seq;
+ ual->nextseq=seq+seglen;
+ ual->ts.secs=pinfo->fd->abs_secs;
+ ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
+ ual1=ual;
+ goto seq_finished;
+ }
+
+ /* keep-alives are empty semgents with a sequence number -1 of what
+ * we would expect.
+ */
+ if( (!seglen) && EQ_SEQ(seq, (ual1->nextseq-1)) ){
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_KEEP_ALIVE;
+ goto seq_finished;
+ }
+
+
+ /* if this is an empty segment, just skip it all */
+ if( !seglen ){
+ goto seq_finished;
+ }
+
+ /* check if the sequence number is lower than expected, i.e. retransmission */
+ if( LT_SEQ(seq, ual1->nextseq )){
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_RETRANSMISSION;
+
+ /* did this segment contain any more data we havent seen yet?
+ * if so we can just increase nextseq
+ */
+ if(GT_SEQ((seq+seglen), ual1->nextseq)){
+ ual1->nextseq=seq+seglen;
+ ual1->frame=pinfo->fd->num;
+ ual1->ts.secs=pinfo->fd->abs_secs;
+ ual1->ts.nsecs=pinfo->fd->abs_usecs*1000;
+ }
+ goto seq_finished;
+ }
+
+ /* just add the segment to the beginning of the list */
+ ual=g_mem_chunk_alloc(tcp_unacked_chunk);
+ ual->next=ual1;
+ ual->frame=pinfo->fd->num;
+ ual->seq=seq;
+ ual->nextseq=seq+seglen;
+ ual->ts.secs=pinfo->fd->abs_secs;
+ ual->ts.nsecs=pinfo->fd->abs_usecs*1000;
+ ual1=ual;
+
+seq_finished:
+
+
+ /* handle the ack numbers */
+
+ /* if we dont have the ack flag its not much we can do */
+ if( !(flags&TH_ACK)){
+ goto ack_finished;
+ }
+
+ /* if we havent seen anything yet in the other direction we dont
+ * know what this one acks */
+ if( !ual2 ){
+ goto ack_finished;
+ }
+
+ /* if we dont have any real segments in the other direction not
+ * acked yet (as we see from the magic frame==0 entry)
+ * then there is no point in continuing
+ */
+ if( !ual2->frame ){
+ goto ack_finished;
+ }
+
+ /* if we get here we know ual2 is valid */
+
+ /* if we are acking beyong what we have seen in the other direction
+ * we must have lost packets. Not much point in keeping the segments
+ * in the other direction either.
+ */
+ if( GT_SEQ(ack, ual2->nextseq )){
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->flags|=TCP_A_ACK_LOST_PACKET;
+ for(ual=ual2;ual2;ual2=ual){
+ ual=ual2->next;
+ g_mem_chunk_free(tcp_unacked_chunk, ual2);
+ }
+ goto ack_finished;
+ }
+
+
+ /* does this ACK ack all semgents we have seen in the other direction?*/
+ if( EQ_SEQ(ack, ual2->nextseq )){
+ struct tcp_acked *ta;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->frame_acked=ual2->frame;
+ ta->ts.secs=pinfo->fd->abs_secs-ual2->ts.secs;
+ ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ual2->ts.nsecs;
+ if(ta->ts.nsecs<0){
+ ta->ts.nsecs+=1000000000;
+ ta->ts.secs--;
+ }
+
+ /* its all been ACKed so we dont need to keep them anymore */
+ for(ual=ual2;ual2;ual2=ual){
+ ual=ual2->next;
+ g_mem_chunk_free(tcp_unacked_chunk, ual2);
+ }
+ goto ack_finished;
+ }
+
+ /* ok it only ACKs part of what we have seen. Find out how much
+ * update and remove the ACKed segments
+ */
+ for(ual=ual2;ual->next;ual=ual->next){
+ if( GE_SEQ(ack, ual->next->nextseq)){
+ break;
+ }
+ }
+ if(ual->next){
+ struct tcp_unacked *tmpual=NULL;
+ struct tcp_unacked *ackedual=NULL;
+ struct tcp_acked *ta;
+
+ /* XXX normal ACK*/
+ ackedual=ual->next;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE);
+ ta->frame_acked=ackedual->frame;
+ ta->ts.secs=pinfo->fd->abs_secs-ackedual->ts.secs;
+ ta->ts.nsecs=pinfo->fd->abs_usecs*1000-ackedual->ts.nsecs;
+ if(ta->ts.nsecs<0){
+ ta->ts.nsecs+=1000000000;
+ ta->ts.secs--;
+ }
+
+ /* just delete all ACKed segments */
+ tmpual=ual->next;
+ ual->next=NULL;
+ for(ual=tmpual;ual;ual=tmpual){
+ tmpual=ual->next;
+ g_mem_chunk_free(tcp_unacked_chunk, ual);
+ }
+
+ }
+
+
+ack_finished:
+ /* we might have deleted the entire ual2 list, if this is an ACK,
+ make sure ual2 at least has a dummy entry for the current ACK */
+ if( (!ual2) && (flags&TH_ACK) ){
+ ual2=g_mem_chunk_alloc(tcp_unacked_chunk);
+ ual2->next=NULL;
+ ual2->frame=0;
+ ual2->seq=ack;
+ ual2->nextseq=ack;
+ ual2->ts.secs=0;
+ ual2->ts.nsecs=0;
+ }
+
+
+ /* store the lists back in our struct */
+ if(direction>=0){
+ /*
+ * XXX - if direction == 0, that'll be true for packets
+ * from both sides of the connection, so this won't
+ * work.
+ *
+ * That'd be a connection from a given port on a machine
+ * to that same port on the same machine; does that ever
+ * happen?
+ */
+ tcpd->ual1=ual1;
+ tcpd->ual2=ual2;
+ tcpd->base_seq1=base_seq;
+ } else {
+ tcpd->ual1=ual2;
+ tcpd->ual2=ual1;
+ tcpd->base_seq2=base_seq;
+ }
+
+ if(tcp_relative_seq){
+ struct tcp_rel_seq *trs;
+ /* remember relative seq/ack number base for this packet */
+ trs=g_mem_chunk_alloc(tcp_rel_seq_chunk);
+ trs->seq_base=base_seq;
+ trs->ack_base=base_ack;
+ g_hash_table_insert(tcp_rel_seq_table, (void *)pinfo->fd->num, trs);
+ }
+}
+
+static void
+tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree)
+{
+ struct tcp_acked *ta;
+ proto_item *item;
+ proto_tree *tree;
+
+ ta=tcp_analyze_get_acked_struct(pinfo->fd->num, FALSE);
+ if(!ta){
+ return;
+ }
+
+ item=proto_tree_add_text(parent_tree, tvb, 0, 0, "SEQ/ACK analysis");
+ tree=proto_item_add_subtree(item, ett_tcp_analysis);
+
+ /* encapsulate all proto_tree_add_xxx in ifs so we only print what
+ data we actually have */
+ if(ta->frame_acked){
+ proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
+ tvb, 0, 0, ta->frame_acked);
+ }
+ if( ta->ts.secs || ta->ts.nsecs ){
+ proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
+ tvb, 0, 0, &ta->ts);
+ }
+
+ if(ta->flags){
+ proto_item *flags_item=NULL;
+ proto_tree *flags_tree=NULL;
+
+ flags_item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, -1, FALSE);
+ flags_tree=proto_item_add_subtree(flags_item, ett_tcp_analysis);
+ if( ta->flags&TCP_A_RETRANSMISSION ){
+ proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_retransmission, tvb, 0, 0, TRUE, "This frame is a (suspected) retransmission");
+ if(check_col(pinfo->cinfo, COL_INFO)){
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
+ }
+ }
+ if( ta->flags&TCP_A_LOST_PACKET ){
+ proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_lost_packet, tvb, 0, 0, TRUE, "A segment before this frame was lost");
+ if(check_col(pinfo->cinfo, COL_INFO)){
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Previous segment lost] ");
+ }
+ }
+ if( ta->flags&TCP_A_ACK_LOST_PACKET ){
+ proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_ack_lost_packet, tvb, 0, 0, TRUE, "This frame ACKs a segment we have not seen (lost?)");
+ if(check_col(pinfo->cinfo, COL_INFO)){
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP ACKed lost segment] ");
+ }
+ }
+ if( ta->flags&TCP_A_KEEP_ALIVE ){
+ proto_tree_add_boolean_format(flags_tree, hf_tcp_analysis_keep_alive, tvb, 0, 0, TRUE, "This is a TCP keep-alive segment");
+ if(check_col(pinfo->cinfo, COL_INFO)){
+ col_prepend_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
+ }
+ }
+ }
+
+}
+
+
+/* Do we still need to do this ...remove_all() even though we dont need
+ * to do anything special? The glib docs are not clear on this and
+ * its better safe than sorry
+ */
+static gboolean
+free_all_acked(gpointer key_arg _U_, gpointer value _U_, gpointer user_data _U_)
+{
+ return TRUE;
+}
+
+static guint
+tcp_acked_hash(gconstpointer k)
+{
+ guint32 frame = (guint32)k;
+
+ return frame;
+}
+static gint
+tcp_acked_equal(gconstpointer k1, gconstpointer k2)
+{
+ guint32 frame1 = (guint32)k1;
+ guint32 frame2 = (guint32)k2;
+
+ return frame1==frame2;
+}
+
+static void
+tcp_analyze_seq_init(void)
+{
+ /* first destroy the tables */
+ if( tcp_analyze_acked_table ){
+ g_hash_table_foreach_remove(tcp_analyze_acked_table,
+ free_all_acked, NULL);
+ g_hash_table_destroy(tcp_analyze_acked_table);
+ tcp_analyze_acked_table = NULL;
+ }
+ if( tcp_rel_seq_table ){
+ g_hash_table_foreach_remove(tcp_rel_seq_table,
+ free_all_acked, NULL);
+ g_hash_table_destroy(tcp_rel_seq_table);
+ tcp_rel_seq_table = NULL;
+ }
+
+ /*
+ * Now destroy the chunk from which the conversation table
+ * structures were allocated.
+ */
+ if (tcp_analysis_chunk) {
+ g_mem_chunk_destroy(tcp_analysis_chunk);
+ tcp_analysis_chunk = NULL;
+ }
+ if (tcp_unacked_chunk) {
+ g_mem_chunk_destroy(tcp_unacked_chunk);
+ tcp_unacked_chunk = NULL;
+ }
+ if (tcp_acked_chunk) {
+ g_mem_chunk_destroy(tcp_acked_chunk);
+ tcp_acked_chunk = NULL;
+ }
+ if (tcp_rel_seq_chunk) {
+ g_mem_chunk_destroy(tcp_rel_seq_chunk);
+ tcp_rel_seq_chunk = NULL;
+ }
+
+ if(tcp_analyze_seq){
+ tcp_analyze_acked_table = g_hash_table_new(tcp_acked_hash,
+ tcp_acked_equal);
+ tcp_rel_seq_table = g_hash_table_new(tcp_acked_hash,
+ tcp_acked_equal);
+ tcp_analysis_chunk = g_mem_chunk_new("tcp_analysis_chunk",
+ sizeof(struct tcp_analysis),
+ tcp_analysis_count * sizeof(struct tcp_analysis),
+ G_ALLOC_ONLY);
+ tcp_unacked_chunk = g_mem_chunk_new("tcp_unacked_chunk",
+ sizeof(struct tcp_unacked),
+ tcp_unacked_count * sizeof(struct tcp_unacked),
+ G_ALLOC_ONLY);
+ tcp_acked_chunk = g_mem_chunk_new("tcp_acked_chunk",
+ sizeof(struct tcp_acked),
+ tcp_acked_count * sizeof(struct tcp_acked),
+ G_ALLOC_ONLY);
+ if(tcp_relative_seq){
+ tcp_rel_seq_chunk = g_mem_chunk_new("tcp_rel_seq_chunk",
+ sizeof(struct tcp_rel_seq),
+ tcp_rel_seq_count * sizeof(struct tcp_rel_seq),
+ G_ALLOC_ONLY);
+ }
+ }
+
+}
+
+/* **************************************************************************
+ * End of tcp sequence number analysis
+ * **************************************************************************/
+
+
+
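Review bot: `tcp_unacked_chunk` is created with `G_ALLOC_ONLY` in `tcp_analyze_seq_init()`, yet `tcp_analyze_sequence_number()` calls `g_mem_chunk_free(tcp_unacked_chunk, ...)` on individual entries in four places. GLib documents `G_ALLOC_ONLY` chunks as not supporting per-atom frees, so those calls most likely reclaim nothing. Every tracked segment would then stay allocated until the next re-initialisation, letting memory grow with the size of the capture being read. Creating that one chunk with `G_ALLOC_AND_FREE` would make the frees effective. Separately, the frame-number keys are cast directly with `(void *)frame` and `(guint32)k`; `GUINT_TO_POINTER(frame)` and `GPOINTER_TO_UINT(k)` are the portable GLib forms where pointers are wider than 32 bits.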
/* Minimum TCP header length. */
#define TCPH_MIN_LEN 20
static GHashTable *tcp_segment_table = NULL;
static GMemChunk *tcp_segment_key_chunk = NULL;
static int tcp_segment_init_count = 200;
+static GMemChunk *tcp_segment_address_chunk = NULL;
+static int tcp_segment_address_init_count = 500;
typedef struct _tcp_segment_key {
- /* for ouwn bookkeeping inside packet-tcp.c */
+ /* for own bookkeeping inside packet-tcp.c */
address *src;
address *dst;
guint32 seq;
} tcp_segment_key;
static gboolean
-free_all_segments(gpointer key_arg, gpointer value, gpointer user_data)
+free_all_segments(gpointer key_arg, gpointer value _U_, gpointer user_data _U_)
{
tcp_segment_key *key = key_arg;
if((key->src)&&(key->src->data)){
g_free((gpointer)key->src->data);
key->src->data=NULL;
- g_free((gpointer)key->src);
- key->src=NULL;
}
+
if((key->dst)&&(key->dst->data)){
g_free((gpointer)key->dst->data);
key->dst->data=NULL;
- g_free((gpointer)key->dst);
- key->dst=NULL;
}
return TRUE;
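Review bot: `free_all_segments()` no longer frees `key->src` and `key->dst`, and nothing in the function explains why, so the ownership rule should be documented. The address structs now come from `tcp_segment_address_chunk`, which `tcp_desegment_init()` destroys as a whole. Keys created with `memcpy(new_tsk, tsk, sizeof(tcp_segment_key))` share the same `src`/`dst` pointers, so resetting `data` to NULL is what stops a second `g_free()` on the same buffer. I would add above the first `if`: `/* src/dst are atoms of tcp_segment_address_chunk and may be shared by several keys; free only the address data, and NULL it so a shared struct is released once */`. The function's closing brace lies outside this hunk.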
static void
tcp_desegment_init(void)
{
-
- /* dont allocate any memory chunks unless the user really
- uses this option
- */
- if(!tcp_desegment){
- return;
- }
-
+ /*
+ * Free this before freeing any memory chunks; those
+ * chunks contain data we'll look at in "free_all_segments()".
+ */
if(tcp_segment_table){
g_hash_table_foreach_remove(tcp_segment_table,
free_all_segments, NULL);
- } else {
- tcp_segment_table = g_hash_table_new(tcp_segment_hash,
- tcp_segment_equal);
+ g_hash_table_destroy(tcp_segment_table);
+ tcp_segment_table = NULL;
}
if(tcp_segment_key_chunk){
g_mem_chunk_destroy(tcp_segment_key_chunk);
+ tcp_segment_key_chunk = NULL;
+ }
+ if(tcp_segment_address_chunk){
+ g_mem_chunk_destroy(tcp_segment_address_chunk);
+ tcp_segment_address_chunk = NULL;
+ }
+
+ /* dont allocate any hash table or memory chunks unless the user
+ really uses this option
+ */
+ if(!tcp_desegment){
+ return;
}
+
+ tcp_segment_table = g_hash_table_new(tcp_segment_hash,
+ tcp_segment_equal);
+
tcp_segment_key_chunk = g_mem_chunk_new("tcp_segment_key_chunk",
sizeof(tcp_segment_key),
tcp_segment_init_count*sizeof(tcp_segment_key),
G_ALLOC_ONLY);
+
+ tcp_segment_address_chunk = g_mem_chunk_new("tcp_segment_address_chunk",
+ sizeof(address),
+ tcp_segment_address_init_count*sizeof(address),
+ G_ALLOC_ONLY);
}
static void
guint32 sport, guint32 dport,
proto_tree *tree, proto_tree *tcp_tree)
{
+ struct tcpinfo *tcpinfo = pinfo->private_data;
fragment_data *ipfd_head;
tcp_segment_key old_tsk, *tsk;
gboolean must_desegment = FALSE;
gboolean called_dissector = FALSE;
int deseg_offset;
+ guint32 deseg_seq;
+ gint nbytes;
/*
* Initialize these to assume no desegmentation.
sport, dport);
called_dissector = TRUE;
- /*
- * Advance the offset to the first byte that the
- * subdissector didn't process.
- */
- offset += pinfo->desegment_offset;
-
/* Did the subdissector ask us to desegment some more data
before it could handle the packet?
If so we have to create some structures in our table but
* of the first byte of data that the
* subdissector didn't process.
*/
- deseg_offset = offset;
+ deseg_offset = offset + pinfo->desegment_offset;
}
/* Either no desegmentation is necessary, or this is
proto_tree *st = NULL;
proto_item *si = NULL;
- /* first we show a tree with all segments */
- si = proto_tree_add_text(tcp_tree, tvb, 0, 0,
- "Segments");
- st = proto_item_add_subtree(si, ett_tcp_segments);
- for(ipfd=ipfd_head->next; ipfd; ipfd=ipfd->next){
- proto_tree_add_text(st, tvb, 0, 0,
- "Frame:%d seq#:%d-%d [%d-%d]",
- ipfd->frame,
- tsk->start_seq + ipfd->offset,
- tsk->start_seq + ipfd->offset + ipfd->len - 1,
- ipfd->offset,
- ipfd->offset + ipfd->len - 1);
- }
-
/*
+ * Yes, we think it is.
* We only call subdissector for the last segment.
* Note that the last segment may include more than what
* we needed.
*/
if(nxtseq >= (tsk->start_seq + tsk->tot_len)){
- /* ok, lest call subdissector with desegmented data */
- packet_info save_pi;
+ /*
+ * OK, this is the last segment.
+ * Let's call the subdissector with the desegmented
+ * data.
+ */
tvbuff_t *next_tvb;
+ int old_len;
/* create a new TVB structure for desegmented data */
next_tvb = tvb_new_real_data(ipfd_head->data,
- ipfd_head->datalen, ipfd_head->datalen,
- "Desegmented");
+ ipfd_head->datalen, ipfd_head->datalen);
/* add this tvb as a child to the original one */
tvb_set_child_real_data_tvbuff(tvb, next_tvb);
/* add desegmented data to the data source list */
- pinfo->fd->data_src = g_slist_append(pinfo->fd->data_src, next_tvb);
+ add_new_data_source(pinfo, next_tvb, "Desegmented");
+
+ /*
+ * Supply the sequence number of the first of the
+ * reassembled bytes.
+ */
+ tcpinfo->seq = tsk->start_seq;
- /* save current value of *pinfo across call to
- dissector */
- save_pi = *pinfo;
- pinfo->compat_top_tvb = next_tvb;
- pinfo->len = tvb_reported_length(next_tvb);
- pinfo->captured_len = tvb_length(next_tvb);
+ /* indicate that this is reassembled data */
+ tcpinfo->is_reassembled = TRUE;
/* call subdissector */
decode_tcp_ports(next_tvb, 0, pinfo, tree,
called_dissector = TRUE;
/*
- * Don't trash the new values of "desegment_offset"
- * and "desegment_len".
+ * OK, did the subdissector think it was completely
+ * desegmented, or does it think we need even more
+ * data?
*/
- save_pi.desegment_offset = pinfo->desegment_offset;
- save_pi.desegment_len = pinfo->desegment_len;
- *pinfo = save_pi;
-
- /* Did the subdissector ask us to desegment some more
- data? This means that the data at the beginning
- of this segment completed a higher-level PDU,
- but the data at the end of this segment started
- a higher-level PDU but didn't complete it.
-
- If so we have to create some structures in our
- table but this is something we only do the first
- time we see this packet.
- */
- if(pinfo->desegment_len) {
- if (!pinfo->fd->flags.visited)
- must_desegment = TRUE;
+ old_len=(int)(tvb_reported_length(next_tvb)-tvb_reported_length_remaining(tvb, offset));
+ if(pinfo->desegment_len &&
+ pinfo->desegment_offset<=old_len){
+ tcp_segment_key *new_tsk;
+
+ /*
+ * "desegment_len" isn't 0, so it needs more
+ * data for something - and "desegment_offset"
+ * is before "old_len", so it needs more data
+ * to dissect the stuff we thought was
+ * completely desegmented (as opposed to the
+ * stuff at the beginning being completely
+ * desegmented, but the stuff at the end
+ * being a new higher-level PDU that also
+ * needs desegmentation).
+ */
+ fragment_set_partial_reassembly(pinfo,tsk->start_seq,tcp_fragment_table);
+ tsk->tot_len = tvb_reported_length(next_tvb) + pinfo->desegment_len;
/*
- * The stuff we couldn't dissect must have
- * come from this segment, so it's all in
- * "tvb".
- *
- * "pinfo->desegment_offset" is relative
- * to the beginning of "next_tvb";
- * we want an offset relative to the
- * beginning of "tvb".
- *
- * First, compute the offset relative to
- * the *end* of "next_tvb" - i.e., the number
- * of bytes before the end of "next_tvb"
- * at which the subdissector stopped.
- * That's the length of "next_tvb" minus
- * the offset, relative to the beginning
- * of "next_tvb, at which the subdissector
- * stopped.
+ * Update tsk structure.
+ * Can ask ->next->next because at least there's a hdr and one
+ * entry in fragment_add()
+ */
+ for(ipfd=ipfd_head->next; ipfd->next; ipfd=ipfd->next){
+ old_tsk.seq = tsk->start_seq + ipfd->offset;
+ new_tsk = g_hash_table_lookup(tcp_segment_table, &old_tsk);
+ new_tsk->tot_len = tsk->tot_len;
+ }
+
+ /* this is the next segment in the sequence we want */
+ new_tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
+ memcpy(new_tsk, tsk, sizeof(tcp_segment_key));
+ new_tsk->seq = nxtseq;
+ g_hash_table_insert(tcp_segment_table,new_tsk,new_tsk);
+ } else {
+ /*
+ * Show the stuff in this TCP segment as
+ * just raw TCP segment data.
*/
- deseg_offset =
- ipfd_head->datalen - pinfo->desegment_offset;
+ nbytes =
+ tvb_reported_length_remaining(tvb, offset);
+ proto_tree_add_text(tcp_tree, tvb, offset, -1,
+ "TCP segment data (%u byte%s)", nbytes,
+ plurality(nbytes, "", "s"));
/*
- * "tvb" and "next_tvb" end at the same byte
- * of data, so the offset relative to the
- * end of "next_tvb" of the byte at which
- * we stopped is also the offset relative
- * to the end of "tvb" of the byte at which
- * we stopped.
- *
- * Convert that back into an offset relative
- * to the beginninng of "tvb", by taking
- * the length of "tvb" and subtracting the
- * offset relative to the end.
+ * The subdissector thought it was completely
+ * desegmented (although the stuff at the
+ * end may, in turn, require desegmentation),
+ * so we show a tree with all segments.
*/
- deseg_offset = tvb_length(tvb) - deseg_offset;
+ si = proto_tree_add_text(tcp_tree, next_tvb,
+ 0, -1, "Segments");
+ st = proto_item_add_subtree(si, ett_tcp_segments);
+ for(ipfd=ipfd_head->next; ipfd; ipfd=ipfd->next){
+ proto_tree_add_text(st, next_tvb,
+ ipfd->offset, ipfd->len,
+ "Frame:%u seq#:%u-%u [%u-%u]",
+ ipfd->frame,
+ tsk->start_seq + ipfd->offset,
+ tsk->start_seq + ipfd->offset + ipfd->len-1,
+ ipfd->offset,
+ ipfd->offset + ipfd->len - 1);
+ }
+
+ /* Did the subdissector ask us to desegment
+ some more data? This means that the data
+ at the beginning of this segment completed
+ a higher-level PDU, but the data at the
+ end of this segment started a higher-level
+ PDU but didn't complete it.
+
+ If so, we have to create some structures
+ in our table, but this is something we
+ only do the first time we see this packet.
+ */
+ if(pinfo->desegment_len) {
+ if (!pinfo->fd->flags.visited)
+ must_desegment = TRUE;
+
+ /* The stuff we couldn't dissect
+ must have come from this segment,
+ so it's all in "tvb".
+
+ "pinfo->desegment_offset" is
+ relative to the beginning of
+ "next_tvb"; we want an offset
+ relative to the beginning of "tvb".
+
+ First, compute the offset relative
+ to the *end* of "next_tvb" - i.e.,
+ the number of bytes before the end
+ of "next_tvb" at which the
+ subdissector stopped. That's the
+ length of "next_tvb" minus the
+ offset, relative to the beginning
+ of "next_tvb, at which the
+ subdissector stopped.
+ */
+ deseg_offset =
+ ipfd_head->datalen - pinfo->desegment_offset;
+
+ /* "tvb" and "next_tvb" end at the
+ same byte of data, so the offset
+ relative to the end of "next_tvb"
+ of the byte at which we stopped
+ is also the offset relative to
+ the end of "tvb" of the byte at
+ which we stopped.
+
+ Convert that back into an offset
+ relative to the beginninng of
+ "tvb", by taking the length of
+ "tvb" and subtracting the offset
+ relative to the end.
+ */
+ deseg_offset=tvb_reported_length(tvb) - deseg_offset;
+ }
}
}
}
if (must_desegment) {
tcp_segment_key *tsk, *new_tsk;
+ /*
+ * The sequence number at which the stuff to be desegmented
+ * starts is the sequence number of the byte at an offset
+ * of "deseg_offset" into "tvb".
+ *
+ * The sequence number of the byte at an offset of "offset"
+ * is "seq", i.e. the starting sequence number of this
+ * segment, so the sequence number of the byte at
+ * "deseg_offset" is "seq + (deseg_offset - offset)".
+ */
+ deseg_seq = seq + (deseg_offset - offset);
+
/*
* XXX - how do we detect out-of-order transmissions?
* We can't just check for "nxtseq" being greater than
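Review bot: The result of `g_hash_table_lookup(tcp_segment_table, &old_tsk)` is dereferenced without a NULL check in the loop that propagates `tot_len` after `fragment_set_partial_reassembly()`. A fragment whose key is missing from the table would therefore crash the dissector while it processes capture-supplied data. The comment above the loop only argues that `ipfd_head->next` exists, not that every fragment offset has a matching key. A guard such as `if (new_tsk != NULL) new_tsk->tot_len = tsk->tot_len;` keeps the update best-effort. The enclosing function starts and ends outside this hunk.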
* gross hack - we really need to handle out-of-order
* transmissions correctly.
*/
- if ((nxtseq - (seq + pinfo->desegment_offset)) <= 1024*1024) {
+ if ((nxtseq - deseg_seq) <= 1024*1024) {
/* OK, subdissector wants us to desegment
some data before it can process it. Add
what remains of this packet and set
We must remember this segment
*/
tsk = g_mem_chunk_alloc(tcp_segment_key_chunk);
- tsk->src = g_malloc(sizeof(address));
+ tsk->src = g_mem_chunk_alloc(tcp_segment_address_chunk);
COPY_ADDRESS(tsk->src, &pinfo->src);
- tsk->dst = g_malloc(sizeof(address));
+ tsk->dst = g_mem_chunk_alloc(tcp_segment_address_chunk);
COPY_ADDRESS(tsk->dst, &pinfo->dst);
- tsk->seq = seq + pinfo->desegment_offset;
+ tsk->seq = deseg_seq;
tsk->start_seq = tsk->seq;
tsk->tot_len = nxtseq - tsk->start_seq + pinfo->desegment_len;
tsk->first_frame = pinfo->fd->num;
* of the payload, and that's 0).
* Just mark this as TCP.
*/
- if (check_col(pinfo->fd, COL_PROTOCOL)){
- col_set_str(pinfo->fd, COL_PROTOCOL, "TCP");
+ if (check_col(pinfo->cinfo, COL_PROTOCOL)){
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
}
- if (check_col(pinfo->fd, COL_INFO)){
- col_set_str(pinfo->fd, COL_INFO, "[Desegmented TCP]");
+ if (check_col(pinfo->cinfo, COL_INFO)){
+ col_set_str(pinfo->cinfo, COL_INFO, "[Desegmented TCP]");
}
}
/*
- * Show what's left in the packet as data.
+ * Show what's left in the packet as just raw TCP segment
+ * data.
+ * XXX - remember what protocol the last subdissector
+ * was, and report it as a continuation of that, instead?
*/
- dissect_data(tvb, deseg_offset, pinfo, tree);
+ nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
+ proto_tree_add_text(tcp_tree, tvb, deseg_offset, -1,
+ "TCP segment data (%u byte%s)", nbytes,
+ plurality(nbytes, "", "s"));
}
+ pinfo->can_desegment=0;
+ pinfo->desegment_offset = 0;
+ pinfo->desegment_len = 0;
}
+/*
+ * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
+ * consists of a fixed-length chunk of data that contains enough information
+ * to determine the length of the PDU, followed by rest of the PDU.
+ *
+ * The first three arguments are the arguments passed to the dissector
+ * that calls this routine.
+ *
+ * "proto_desegment" is the dissector's flag controlling whether it should
+ * desegment PDUs that cross TCP segment boundaries.
+ *
+ * "fixed_len" is the length of the fixed-length part of the PDU.
+ *
+ * "get_pdu_len()" is a routine called to get the length of the PDU from
+ * the fixed-length part of the PDU; it's passed "tvb" and "offset".
+ *
+ * "dissect_pdu()" is the routine to dissect a PDU.
+ */
+void
+tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ gboolean proto_desegment, guint fixed_len,
+ guint (*get_pdu_len)(tvbuff_t *, int),
+ void (*dissect_pdu)(tvbuff_t *, packet_info *, proto_tree *))
+{
+ volatile int offset = 0;
+ guint length_remaining;
+ guint plen;
+ guint length;
+ tvbuff_t *next_tvb;
+ while (tvb_reported_length_remaining(tvb, offset) != 0) {
+ /*
+ * We use "tvb_ensure_length_remaining()" to make sure there actually
+ * *is* data remaining. The protocol we're handling could conceivably
+ * consists of a sequence of fixed-length PDUs, and therefore the
+ * "get_pdu_len" routine might not actually fetch anything from
+ * the tvbuff, and thus might not cause an exception to be thrown if
+ * we've run past the end of the tvbuff.
+ *
+ * This means we're guaranteed that "length_remaining" is positive.
+ */
+ length_remaining = tvb_ensure_length_remaining(tvb, offset);
+
+ /*
+ * Can we do reassembly?
+ */
+ if (proto_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the fixed-length part of the PDU split across segment
+ * boundaries?
+ */
+ if (length_remaining < fixed_len) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this message
+ * starts in the data it handed us, and how many more bytes we
+ * need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = fixed_len - length_remaining;
+ return;
+ }
+ }
+
+ /*
+ * Get the length of the PDU.
+ */
+ plen = (*get_pdu_len)(tvb, offset);
+
+ /*
+ * Can we do reassembly?
+ */
+ if (proto_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the PDU split across segment boundaries?
+ */
+ if (length_remaining < plen) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this message
+ * starts in the data it handed us, and how many more bytes we
+ * need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = plen - length_remaining;
+ return;
+ }
+ }
+
+ /*
+ * Construct a tvbuff containing the amount of the payload we have
+ * available. Make its reported length the amount of data in the PDU.
+ *
+ * XXX - if reassembly isn't enabled. the subdissector will throw a
+ * BoundsError exception, rather than a ReportedBoundsError exception.
+ * We really want a tvbuff where the length is "length", the reported
+ * length is "plen", and the "if the snapshot length were infinite"
+ * length is the minimum of the reported length of the tvbuff handed
+ * to us and "plen", with a new type of exception thrown if the offset
+ * is within the reported length but beyond that third length, with
+ * that exception getting the "Unreassembled Packet" error.
+ */
+ if (plen < fixed_len) {
+ /*
+ * The PDU length from the fixed-length portion probably didn't
+ * include the fixed-length portion's length, and was probably so
+ * large that the total length overflowed.
+ *
+ * Report this as an error.
+ */
+ show_reported_bounds_error(tvb, pinfo, tree);
+ return;
+ }
+ length = length_remaining;
+ if (length > plen)
+ length = plen;
+ next_tvb = tvb_new_subset(tvb, offset, length, plen);
+
+ /*
+ * Dissect the PDU.
+ *
+ * Catch the ReportedBoundsError exception; if this particular message
+ * happens to get a ReportedBoundsError exception, that doesn't mean
+ * that we should stop dissecting PDUs within this frame or chunk of
+ * reassembled data.
+ *
+ * If it gets a BoundsError, we can stop, as there's nothing more to
+ * see, so we just re-throw it.
+ */
+ TRY {
+ (*dissect_pdu)(next_tvb, pinfo, tree);
+ }
+ CATCH(BoundsError) {
+ RETHROW;
+ }
+ CATCH(ReportedBoundsError) {
+ show_reported_bounds_error(tvb, pinfo, tree);
+ }
+ ENDTRY;
+ /*
+ * Step to the next PDU.
+ */
+ offset += plen;
+ }
+}
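Review bot: The step `offset += plen;` at the end of the loop adds a packet-derived `guint` to a signed `int` offset, and nothing checks that the offset actually moved forward. When desegmentation is off (`proto_desegment` false or `pinfo->can_desegment` zero) the `length_remaining < plen` test is skipped, so a very large `plen` from `get_pdu_len()` can wrap the sum to a smaller or negative offset, and a `plen` of 0 with a `fixed_len` of 0 never advances; either way a crafted capture could keep the loop re-dissecting the same bytes. I would remember the old value and stop when there is no progress: `offset_before = offset; offset += plen; if (offset <= offset_before) break;`, with `offset_before` as a new `int` local. The header comment should also state that `get_pdu_len()` must return the total PDU length including the fixed-length part, since the `plen < fixed_len` check depends on it.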
static void
-tcp_info_append_uint(frame_data *fd, const char *abbrev, guint32 val)
+tcp_info_append_uint(packet_info *pinfo, const char *abbrev, guint32 val)
{
- if (check_col(fd, COL_INFO))
- col_append_fstr(fd, COL_INFO, " %s=%u", abbrev, val);
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, " %s=%u", abbrev, val);
}
static void
dissect_tcpopt_maxseg(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
guint16 mss;
mss = tvb_get_ntohs(tvb, offset + 2);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: %u bytes", optp->name, mss);
- tcp_info_append_uint(fd, "MSS", mss);
+ tcp_info_append_uint(pinfo, "MSS", mss);
}
static void
dissect_tcpopt_wscale(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
guint8 ws;
ws = tvb_get_guint8(tvb, offset + 2);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
- "%s: %u bytes", optp->name, ws);
- tcp_info_append_uint(fd, "WS", ws);
+ "%s: %u (multiply by %u)", optp->name, ws, 1 << ws);
+ tcp_info_append_uint(pinfo, "WS", ws);
}
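Review bot: The new format argument `1 << ws` in dissect_tcpopt_wscale shifts by a `guint8` read straight from the packet, so any value of 31 or more is undefined behaviour on a 32-bit `int`, and nothing before the call bounds it. RFC 1323 limits the shift count to 14, so the display should clamp to that, for example `1U << (ws > 14 ? 14 : ws)`, and say in the text when the on-the-wire value exceeded 14. The Info-column append can keep the raw value.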
static void
dissect_tcpopt_sack(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
proto_tree *field_tree = NULL;
proto_item *tf;
optlen -= 4;
proto_tree_add_text(field_tree, tvb, offset, 8,
"left edge = %u, right edge = %u", leftedge, rightedge);
- tcp_info_append_uint(fd, "SLE", leftedge);
- tcp_info_append_uint(fd, "SRE", rightedge);
+ tcp_info_append_uint(pinfo, "SLE", leftedge);
+ tcp_info_append_uint(pinfo, "SRE", rightedge);
offset += 8;
}
}
static void
dissect_tcpopt_echo(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
guint32 echo;
echo = tvb_get_ntohl(tvb, offset + 2);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: %u", optp->name, echo);
- tcp_info_append_uint(fd, "ECHO", echo);
+ tcp_info_append_uint(pinfo, "ECHO", echo);
}
static void
dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
guint32 tsv, tser;
tser = tvb_get_ntohl(tvb, offset + 6);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: tsval %u, tsecr %u", optp->name, tsv, tser);
- tcp_info_append_uint(fd, "TSV", tsv);
- tcp_info_append_uint(fd, "TSER", tser);
+ tcp_info_append_uint(pinfo, "TSV", tsv);
+ tcp_info_append_uint(pinfo, "TSER", tser);
}
static void
dissect_tcpopt_cc(const ip_tcp_opt *optp, tvbuff_t *tvb,
- int offset, guint optlen, frame_data *fd, proto_tree *opt_tree)
+ int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
{
guint32 cc;
cc = tvb_get_ntohl(tvb, offset + 2);
proto_tree_add_text(opt_tree, tvb, offset, optlen,
"%s: %u", optp->name, cc);
- tcp_info_append_uint(fd, "CC", cc);
+ tcp_info_append_uint(pinfo, "CC", cc);
}
static const ip_tcp_opt tcpopts[] = {
#define N_TCP_OPTS (sizeof tcpopts / sizeof tcpopts[0])
-/* TCP flags flag */
-static const true_false_string flags_set_truth = {
- "Set",
- "Not set"
-};
-
-
/* Determine if there is a sub-dissector and call it. This has been */
/* separated into a stand alone routine to other protocol dissectors */
/* can call to it, ie. socks */
proto_tree *tree, int src_port, int dst_port)
{
tvbuff_t *next_tvb;
+ int low_port, high_port;
next_tvb = tvb_new_subset(tvb, offset, -1, -1);
src_port, dst_port, next_tvb, pinfo, tree))
return;
- /* do lookup with the subdissector table */
- if (dissector_try_port(subdissector_table, src_port, next_tvb, pinfo, tree) ||
- dissector_try_port(subdissector_table, dst_port, next_tvb, pinfo, tree))
+ /* Do lookups with the subdissector table.
+ We try the port number with the lower value first, followed by the
+ port number with the higher value. This means that, for packets
+ where a dissector is registered for *both* port numbers:
+
+ 1) we pick the same dissector for traffic going in both directions;
+
+ 2) we prefer the port number that's more likely to be the right
+ one (as that prefers well-known ports to reserved ports);
+
+ although there is, of course, no guarantee that any such strategy
+ will always pick the right port number.
+
+ XXX - we ignore port numbers of 0, as some dissectors use a port
+ number of 0 to disable the port. */
+ if (src_port > dst_port) {
+ low_port = dst_port;
+ high_port = src_port;
+ } else {
+ low_port = src_port;
+ high_port = dst_port;
+ }
+ if (low_port != 0 &&
+ dissector_try_port(subdissector_table, low_port, next_tvb, pinfo, tree))
+ return;
+ if (high_port != 0 &&
+ dissector_try_port(subdissector_table, high_port, next_tvb, pinfo, tree))
return;
/* do lookup with the heuristic subdissector table */
return;
/* Oh, well, we don't know this; dissect it as data. */
- dissect_data(next_tvb, 0, pinfo, tree);
+ call_dissector(data_handle,next_tvb, pinfo, tree);
}
static void
dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
- e_tcphdr th;
+ guint16 th_sport;
+ guint16 th_dport;
+ guint32 th_seq;
+ guint32 th_ack;
+ guint8 th_off_x2; /* combines th_off and th_x2 */
+ guint8 th_flags;
+ guint16 th_win;
+ guint16 th_sum;
+ guint16 th_urp;
proto_tree *tcp_tree = NULL, *field_tree = NULL;
- proto_item *ti, *tf;
+ proto_item *ti = NULL, *tf;
int offset = 0;
gchar flags[64] = "<None>";
gchar *fstr[] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR" };
guint32 phdr[2];
guint16 computed_cksum;
guint length_remaining;
+ gboolean desegment_ok;
+ struct tcpinfo tcpinfo;
+ gboolean save_fragmented;
- if (check_col(pinfo->fd, COL_PROTOCOL))
- col_set_str(pinfo->fd, COL_PROTOCOL, "TCP");
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCP");
/* Clear out the Info column. */
- if (check_col(pinfo->fd, COL_INFO))
- col_clear(pinfo->fd, COL_INFO);
-
- /* Avoids alignment problems on many architectures. */
- tvb_memcpy(tvb, (guint8 *)&th, offset, sizeof(e_tcphdr));
- th.th_sport = ntohs(th.th_sport);
- th.th_dport = ntohs(th.th_dport);
- th.th_win = ntohs(th.th_win);
- th.th_sum = ntohs(th.th_sum);
- th.th_urp = ntohs(th.th_urp);
- th.th_seq = ntohl(th.th_seq);
- th.th_ack = ntohl(th.th_ack);
-
- /* Export the urgent pointer, for the benefit of protocols such as
- rlogin. */
- tcp_urgent_pointer = th.th_urp;
-
- if (check_col(pinfo->fd, COL_INFO) || tree) {
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ th_sport = tvb_get_ntohs(tvb, offset);
+ th_dport = tvb_get_ntohs(tvb, offset + 2);
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%s > %s",
+ get_tcp_port(th_sport), get_tcp_port(th_dport));
+ }
+ if (tree) {
+ if (tcp_summary_in_tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, 0, -1,
+ "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u)",
+ get_tcp_port(th_sport), th_sport,
+ get_tcp_port(th_dport), th_dport);
+ }
+ else {
+ ti = proto_tree_add_item(tree, proto_tcp, tvb, 0, -1, FALSE);
+ }
+ tcp_tree = proto_item_add_subtree(ti, ett_tcp);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th_sport,
+ "Source port: %s (%u)", get_tcp_port(th_sport), th_sport);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th_dport,
+ "Destination port: %s (%u)", get_tcp_port(th_dport), th_dport);
+ proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th_sport);
+ proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th_dport);
+ }
+
+ /* Set the source and destination port numbers as soon as we get them,
+ so that they're available to the "Follow TCP Stream" code even if
+ we throw an exception dissecting the rest of the TCP header. */
+ pinfo->ptype = PT_TCP;
+ pinfo->srcport = th_sport;
+ pinfo->destport = th_dport;
+
+ th_seq = tvb_get_ntohl(tvb, offset + 4);
+ th_ack = tvb_get_ntohl(tvb, offset + 8);
+ th_off_x2 = tvb_get_guint8(tvb, offset + 12);
+ th_flags = tvb_get_guint8(tvb, offset + 13);
+ th_win = tvb_get_ntohs(tvb, offset + 14);
+ hlen = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
+
+ reported_len = tvb_reported_length(tvb);
+ len = tvb_length(tvb);
+
+ /* Compute the length of data in this segment. */
+ seglen = reported_len - hlen;
+
+ if (tree) { /* Add the seglen as an invisible field */
+
+ proto_tree_add_uint_hidden(ti, hf_tcp_len, tvb, offset, 4, seglen);
+
+ }
+
+ /* handle TCP seq# analysis parse all new segments we see */
+ if(tcp_analyze_seq){
+ if(!(pinfo->fd->flags.visited)){
+ tcp_analyze_sequence_number(pinfo, th_seq, th_ack, seglen, th_flags);
+ }
+ if(tcp_relative_seq){
+ tcp_get_relative_seq_ack(pinfo->fd->num, &th_seq, &th_ack);
+ }
+ }
+
+
+ /* Compute the sequence number of next octet after this segment. */
+ nxtseq = th_seq + seglen;
+
+ if (check_col(pinfo->cinfo, COL_INFO) || tree) {
for (i = 0; i < 8; i++) {
bpos = 1 << i;
- if (th.th_flags & bpos) {
+ if (th_flags & bpos) {
if (fpos) {
strcpy(&flags[fpos], ", ");
fpos += 2;
}
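Review bot: `tcp_analyze_sequence_number()` is called with `seglen = reported_len - hlen` before anything has validated `hlen`; the `hlen < TCPH_MIN_LEN` rejection only comes later in the function, and no visible line compares `hlen` with `reported_len`. A segment with a bogus data offset therefore still updates the sequence-analysis state, and if `seglen` is unsigned (its declaration is outside the visible lines) an `hlen` larger than `reported_len` wraps it to a huge length that also flows into `nxtseq` and the hidden `tcp.len` field. I would gate the analysis on a sane header, `if(tcp_analyze_seq && hlen >= TCPH_MIN_LEN && hlen <= reported_len){`, and add a comment above `seglen = reported_len - hlen;` noting that `hlen` is still unvalidated at that point. dissect_tcp continues past the end of this hunk.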
flags[fpos] = '\0';
}
-
- hlen = hi_nibble(th.th_off_x2) * 4; /* TCP header length, in bytes */
- reported_len = tvb_reported_length(tvb);
- len = tvb_length(tvb);
-
- /* Compute the length of data in this segment. */
- seglen = reported_len - hlen;
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, " [%s] Seq=%u Ack=%u Win=%u",
+ flags, th_seq, th_ack, th_win);
+ }
- /* Compute the sequence number of next octet after this segment. */
- nxtseq = th.th_seq + seglen;
+ if (tree) {
+ if (tcp_summary_in_tree)
+ proto_item_append_text(ti, ", Seq: %u", th_seq);
+ proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th_seq);
+ }
if (hlen < TCPH_MIN_LEN) {
- if (check_col(pinfo->fd, COL_INFO))
- col_add_fstr(pinfo->fd, COL_INFO, "Bogus TCP header length (%u, must be at least %u)",
- hlen, TCPH_MIN_LEN);
- ti = proto_tree_add_item(tree, proto_tcp, tvb, offset, hlen, FALSE);
- tcp_tree = proto_item_add_subtree(ti, ett_tcp);
+ /* Give up at this point; we put the source and destination port in
+ the tree, before fetching the header length, so that they'll
+ show up if this is in the failing packet in an ICMP error packet,
+ but it's now time to give up if the header length is bogus. */
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", bogus TCP header length (%u, must be at least %u)",
+ hlen, TCPH_MIN_LEN);
if (tree) {
- proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset, 1, hlen,
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
"Header length: %u bytes (bogus, must be at least %u)", hlen,
TCPH_MIN_LEN);
}
return;
}
- if (check_col(pinfo->fd, COL_INFO)) {
- if (th.th_flags & TH_URG)
- col_append_fstr(pinfo->fd, COL_INFO, "%s > %s [%s] Seq=%u Ack=%u Win=%u Urg=%u Len=%d",
- get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
- th.th_seq, th.th_ack, th.th_win, th.th_urp, seglen);
- else
- col_append_fstr(pinfo->fd, COL_INFO, "%s > %s [%s] Seq=%u Ack=%u Win=%u Len=%d",
- get_tcp_port(th.th_sport), get_tcp_port(th.th_dport), flags,
- th.th_seq, th.th_ack, th.th_win, seglen);
- }
-
if (tree) {
- if (tcp_summary_in_tree && hlen >= TCPH_MIN_LEN) {
- ti = proto_tree_add_protocol_format(tree, proto_tcp, tvb, offset,
- hlen,
- "Transmission Control Protocol, Src Port: %s (%u), Dst Port: %s (%u), Seq: %u, Ack: %u",
- get_tcp_port(th.th_sport), th.th_sport,
- get_tcp_port(th.th_dport), th.th_dport, th.th_seq, th.th_ack);
- }
- else {
- ti = proto_tree_add_item(tree, proto_tcp, tvb, offset, hlen, FALSE);
- }
- tcp_tree = proto_item_add_subtree(ti, ett_tcp);
- proto_tree_add_uint_format(tcp_tree, hf_tcp_srcport, tvb, offset, 2, th.th_sport,
- "Source port: %s (%u)", get_tcp_port(th.th_sport), th.th_sport);
- proto_tree_add_uint_format(tcp_tree, hf_tcp_dstport, tvb, offset + 2, 2, th.th_dport,
- "Destination port: %s (%u)", get_tcp_port(th.th_dport), th.th_dport);
- proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset, 2, th.th_sport);
- proto_tree_add_uint_hidden(tcp_tree, hf_tcp_port, tvb, offset + 2, 2, th.th_dport);
- proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, th.th_seq);
- if (nxtseq != th.th_seq)
+ if (tcp_summary_in_tree)
+ proto_item_append_text(ti, ", Ack: %u, Len: %u", th_ack, seglen);
+ proto_item_set_len(ti, hlen);
+ if (nxtseq != th_seq)
proto_tree_add_uint(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq);
- if (th.th_flags & TH_ACK)
- proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th.th_ack);
+ if (th_flags & TH_ACK)
+ proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, th_ack);
proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, hlen,
"Header length: %u bytes", hlen);
tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 13, 1,
- th.th_flags, "Flags: 0x%04x (%s)", th.th_flags, flags);
+ th_flags, "Flags: 0x%04x (%s)", th_flags, flags);
field_tree = proto_item_add_subtree(tf, ett_tcp_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th.th_flags);
- proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th.th_win);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_cwr, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_ecn, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_urg, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_ack, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_push, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, th_flags);
+ proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, th_win);
}
+ /* Supply the sequence number of the first byte. */
+ tcpinfo.seq = th_seq;
+
+ /* Assume we'll pass un-reassembled data to subdissectors. */
+ tcpinfo.is_reassembled = FALSE;
+
+ pinfo->private_data = &tcpinfo;
+
/*
* Assume, initially, that we can't desegment.
*/
- pinfo->can_desegment = FALSE;
+ pinfo->can_desegment = 0;
+ th_sum = tvb_get_ntohs(tvb, offset + 16);
if (!pinfo->fragmented && len >= reported_len) {
- /* The packet isn't part of a fragmented datagram and isn't
- truncated, so we can checksum it.
- XXX - make a bigger scatter-gather list once we do fragment
- reassembly? */
-
- /* Set up the fields of the pseudo-header. */
- cksum_vec[0].ptr = pinfo->src.data;
- cksum_vec[0].len = pinfo->src.len;
- cksum_vec[1].ptr = pinfo->dst.data;
- cksum_vec[1].len = pinfo->dst.len;
- cksum_vec[2].ptr = (const guint8 *)&phdr;
- switch (pinfo->src.type) {
-
- case AT_IPv4:
- phdr[0] = htonl((IP_PROTO_TCP<<16) + reported_len);
- cksum_vec[2].len = 4;
- break;
-
- case AT_IPv6:
- phdr[0] = htonl(reported_len);
- phdr[1] = htonl(IP_PROTO_TCP);
+ /* The packet isn't part of an un-reassembled fragmented datagram
+ and isn't truncated. This means we have all the data, and thus
+ can checksum it and, unless it's being returned in an error
+ packet, are willing to allow subdissectors to request reassembly
+ on it. */
+
+ if (tcp_check_checksum) {
+ /* We haven't turned checksum checking off; checksum it. */
+
+ /* Set up the fields of the pseudo-header. */
+ cksum_vec[0].ptr = pinfo->src.data;
+ cksum_vec[0].len = pinfo->src.len;
+ cksum_vec[1].ptr = pinfo->dst.data;
+ cksum_vec[1].len = pinfo->dst.len;
+ cksum_vec[2].ptr = (const guint8 *)&phdr;
+ switch (pinfo->src.type) {
+
+ case AT_IPv4:
+ phdr[0] = g_htonl((IP_PROTO_TCP<<16) + reported_len);
+ cksum_vec[2].len = 4;
+ break;
+
+ case AT_IPv6:
+ phdr[0] = g_htonl(reported_len);
+ phdr[1] = g_htonl(IP_PROTO_TCP);
cksum_vec[2].len = 8;
break;
- default:
+ default:
/* TCP runs only atop IPv4 and IPv6.... */
g_assert_not_reached();
break;
- }
- cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
- cksum_vec[3].len = reported_len;
- computed_cksum = in_cksum(&cksum_vec[0], 4);
- if (computed_cksum == 0) {
- /*
- * We have all the data for this TCP segment, and the checksum of
- * the header and the data is good, so we can desegment it.
- * Is desegmentation enabled?
- */
- if (tcp_desegment) {
- /* Yes - indicate that we will desegment. */
- pinfo->can_desegment = TRUE;
}
- proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
- offset + 16, 2, th.th_sum, "Checksum: 0x%04x (correct)", th.th_sum);
- } else {
- proto_tree_add_boolean_hidden(tcp_tree, hf_tcp_checksum_bad, tvb,
+ cksum_vec[3].ptr = tvb_get_ptr(tvb, offset, len);
+ cksum_vec[3].len = reported_len;
+ computed_cksum = in_cksum(&cksum_vec[0], 4);
+ if (computed_cksum == 0) {
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
+ offset + 16, 2, th_sum, "Checksum: 0x%04x (correct)", th_sum);
+
+ /* Checksum is valid, so we're willing to desegment it. */
+ desegment_ok = TRUE;
+ } else {
+ proto_tree_add_boolean_hidden(tcp_tree, hf_tcp_checksum_bad, tvb,
offset + 16, 2, TRUE);
+ proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
+ offset + 16, 2, th_sum,
+ "Checksum: 0x%04x (incorrect, should be 0x%04x)", th_sum,
+ in_cksum_shouldbe(th_sum, computed_cksum));
+
+ /* Checksum is invalid, so we're not willing to desegment it. */
+ desegment_ok = FALSE;
+ }
+ } else {
proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
- offset + 16, 2, th.th_sum,
- "Checksum: 0x%04x (incorrect, should be 0x%04x)", th.th_sum,
- in_cksum_shouldbe(th.th_sum, computed_cksum));
+ offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
+
+ /* We didn't check the checksum, and don't care if it's valid,
+ so we're willing to desegment it. */
+ desegment_ok = TRUE;
}
} else {
+ /* We don't have all the packet data, so we can't checksum it... */
proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb,
- offset + 16, 2, th.th_sum, "Checksum: 0x%04x", th.th_sum);
+ offset + 16, 2, th_sum, "Checksum: 0x%04x", th_sum);
+
+ /* ...and aren't willing to desegment it. */
+ desegment_ok = FALSE;
+ }
+
+ if (desegment_ok) {
+ /* We're willing to desegment this. Is desegmentation enabled? */
+ if (tcp_desegment) {
+ /* Yes - is this segment being returned in an error packet? */
+ if (!pinfo->in_error_pkt) {
+ /* No - indicate that we will desegment.
+ We do NOT want to desegment segments returned in error
+ packets, as they're not part of a TCP connection. */
+ pinfo->can_desegment = 2;
+ }
+ }
}
- if (th.th_flags & TH_URG)
- proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th.th_urp);
+
+ if (th_flags & TH_URG) {
+ th_urp = tvb_get_ntohs(tvb, offset + 18);
+ /* Export the urgent pointer, for the benefit of protocols such as
+ rlogin. */
+ tcpinfo.urgent = TRUE;
+ tcpinfo.urgent_pointer = th_urp;
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
+ if (tcp_tree != NULL)
+ proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
+ } else
+ tcpinfo.urgent = FALSE;
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", seglen);
/* Decode TCP options, if any. */
- if (tree && hlen > sizeof (e_tcphdr)) {
+ if (tree && hlen > TCPH_MIN_LEN) {
/* There's more than just the fixed-length header. Decode the
options. */
- optlen = hlen - sizeof (e_tcphdr); /* length of options, in bytes */
+ optlen = hlen - TCPH_MIN_LEN; /* length of options, in bytes */
tf = proto_tree_add_text(tcp_tree, tvb, offset + 20, optlen,
- "Options: (%d bytes)", optlen);
+ "Options: (%u bytes)", optlen);
field_tree = proto_item_add_subtree(tf, ett_tcp_options);
dissect_ip_tcp_options(tvb, offset + 20, optlen,
- tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo->fd, field_tree);
+ tcpopts, N_TCP_OPTS, TCPOPT_EOL, pinfo, field_tree);
}
/* Skip over header + options */
offset += hlen;
- pinfo->ptype = PT_TCP;
- pinfo->srcport = th.th_sport;
- pinfo->destport = th.th_dport;
-
/* Check the packet length to see if there's more data
(it could be an ACK-only packet) */
length_remaining = tvb_length_remaining(tvb, offset);
+
+ if( data_out_file ) {
+ reassemble_tcp( th_seq, /* sequence number */
+ seglen, /* data length */
+ tvb_get_ptr(tvb, offset, length_remaining), /* data */
+ length_remaining, /* captured data length */
+ ( th_flags & TH_SYN ), /* is syn set? */
+ &pinfo->net_src,
+ &pinfo->net_dst,
+ pinfo->srcport,
+ pinfo->destport);
+ }
+
if (length_remaining != 0) {
- if (th.th_flags & TH_RST) {
+ if (th_flags & TH_RST) {
/*
* RFC1122 says:
*
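Review bot: `pinfo->private_data = &tcpinfo;` stores the address of a local of dissect_tcp in the packet-wide `pinfo`, and no visible line restores the previous value before the function returns. Once dissect_tcp has returned, any code that still reads `pinfo->private_data` would be reading a dead stack frame; whether anything does is not visible here. Saving the old pointer next to the assignment and putting it back after the subdissector call would close that, in the same way the change handles `pinfo->fragmented` with `save_fragmented`. I would also set `tcpinfo.urgent_pointer = 0;` in the `else` branch of the `TH_URG` test so the struct is never handed to a subdissector partly uninitialised.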
/* Can we desegment this segment? */
if (pinfo->can_desegment) {
/* Yes. */
- desegment_tcp(tvb, pinfo, offset, th.th_seq, nxtseq, th.th_sport, th.th_dport, tree, tcp_tree);
+ desegment_tcp(tvb, pinfo, offset, th_seq, nxtseq, th_sport, th_dport, tree, tcp_tree);
} else {
- /* No - just call the subdissector. */
- decode_tcp_ports(tvb, offset, pinfo, tree, th.th_sport, th.th_dport);
+ /* No - just call the subdissector.
+ Mark this as fragmented, so if somebody throws an exception,
+ we don't report it as a malformed frame. */
+ save_fragmented = pinfo->fragmented;
+ pinfo->fragmented = TRUE;
+ decode_tcp_ports(tvb, offset, pinfo, tree, th_sport, th_dport);
+ pinfo->fragmented = save_fragmented;
}
}
}
-
- if( data_out_file ) {
- reassemble_tcp( th.th_seq, /* sequence number */
- seglen, /* data length */
- tvb_get_ptr(tvb, offset, length_remaining), /* data */
- length_remaining, /* captured data length */
- ( th.th_flags & TH_SYN ), /* is syn set? */
- &pinfo->net_src,
- &pinfo->net_dst,
- pinfo->srcport,
- pinfo->destport);
+
+ /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
+ if(tcp_analyze_seq){
+ tcp_print_sequence_number_analysis(pinfo, tvb, tcp_tree);
}
}
{ "Bad Checksum", "tcp.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
"", HFILL }},
+ { &hf_tcp_analysis_flags,
+ { "TCP Analysis Flags", "tcp.analysis.flags", FT_NONE, BASE_NONE, NULL, 0x0,
+ "This frame has some of the TCP analysis flags set", HFILL }},
+
+ { &hf_tcp_analysis_retransmission,
+ { "", "tcp.analysis.retransmission", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "This frame is a suspected TCP retransmission", HFILL }},
+
+ { &hf_tcp_analysis_lost_packet,
+ { "", "tcp.analysis.lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "A segment before this one was lost from the capture", HFILL }},
+
+ { &hf_tcp_analysis_ack_lost_packet,
+ { "", "tcp.analysis.ack_lost_segment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "This frame ACKs a lost segment", HFILL }},
+
+ { &hf_tcp_analysis_keep_alive,
+ { "", "tcp.analysis.keep_alive", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+ "This is a keep-alive segment", HFILL }},
+
+ { &hf_tcp_len,
+ { "TCP Segment Len", "tcp.len", FT_UINT32, BASE_DEC, NULL, 0x0,
+ "", HFILL}},
+
+ { &hf_tcp_analysis_acks_frame,
+ { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_UINT32, BASE_DEC, NULL, 0x0,
+ "Which previous segment is this an ACK for", HFILL}},
+
+ { &hf_tcp_analysis_ack_rtt,
+ { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
+ "How long time it took to ACK the segment (RTT)", HFILL}},
+
{ &hf_tcp_urgent_pointer,
{ "Urgent pointer", "tcp.urgent_pointer", FT_UINT16, BASE_DEC, NULL, 0x0,
"", HFILL }},
&ett_tcp_options,
&ett_tcp_option_sack,
&ett_tcp_segments,
+ &ett_tcp_analysis_faults,
+ &ett_tcp_analysis
};
module_t *tcp_module;
proto_register_subtree_array(ett, array_length(ett));
/* subdissector code */
- subdissector_table = register_dissector_table("tcp.port");
+ subdissector_table = register_dissector_table("tcp.port",
+ "TCP port", FT_UINT16, BASE_DEC);
register_heur_dissector_list("tcp", &heur_subdissector_list);
- register_conv_dissector_list("tcp", &conv_subdissector_list);
/* Register configuration preferences */
tcp_module = prefs_register_protocol(proto_tcp, NULL);
"Show TCP summary in protocol tree",
"Whether the TCP summary line should be shown in the protocol tree",
&tcp_summary_in_tree);
+ prefs_register_bool_preference(tcp_module, "check_checksum",
+ "Check the validity of the TCP checksum when possible",
+"Whether to check the validity of the TCP checksum",
+ &tcp_check_checksum);
prefs_register_bool_preference(tcp_module, "desegment_tcp_streams",
"Allow subdissector to desegment TCP streams",
"Whether subdissector can request TCP streams to be desegmented",
&tcp_desegment);
-
+ prefs_register_bool_preference(tcp_module, "tcp_analyze_sequence_numbers",
+ "Analyze TCP sequence numbers",
+ "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
+ &tcp_analyze_seq);
+ prefs_register_bool_preference(tcp_module, "tcp_relative_sequence_numbers",
+ "Use relative sequence numbers",
+ "Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable \"Analyze TCP sequence numbers\".",
+ &tcp_relative_seq);
+
+ register_init_routine(tcp_analyze_seq_init);
register_init_routine(tcp_desegment_init);
register_init_routine(tcp_fragment_init);
}
void
proto_reg_handoff_tcp(void)
{
- dissector_add("ip.proto", IP_PROTO_TCP, dissect_tcp, proto_tcp);
+ dissector_handle_t tcp_handle;
+
+ tcp_handle = create_dissector_handle(dissect_tcp, proto_tcp);
+ dissector_add("ip.proto", IP_PROTO_TCP, tcp_handle);
+ data_handle = find_dissector("data");
}