/* packet-tcp.c
* Routines for TCP packet disassembly
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <stdio.h>
#include <epan/packet.h>
#include <epan/capture_dissectors.h>
#include <epan/exceptions.h>
#include <epan/addr_resolv.h>
#include <epan/ipproto.h>
#include <epan/expert.h>
#include <epan/ip_opts.h>
#include <epan/follow.h>
#include <epan/prefs.h>
#include <epan/show_exception.h>
#include <epan/conversation_table.h>
#include <epan/conversation_filter.h>
#include <epan/sequence_analysis.h>
#include <epan/reassemble.h>
#include <epan/decode_as.h>
#include <epan/exported_pdu.h>
#include <epan/in_cksum.h>
#include <epan/proto_data.h>
#include <wsutil/utf8_entities.h>
#include <wsutil/str_util.h>
#include <wsutil/wsgcrypt.h>
#include <wsutil/pint.h>
#include "packet-tcp.h"
#include "packet-ip.h"
#include "packet-icmp.h"
/* Registration entry points; they are not static, so they have external linkage. */
void proto_register_tcp(void);
void proto_reg_handoff_tcp(void);
/* Forward declaration of a file-local helper; its definition is not in this part of the file. */
static void conversation_completeness_fill(gchar*, guint32);
/* Tap identifiers, initialised to -1; the code that assigns them is not in this part of the file. */
static int tcp_tap = -1;
static int tcp_follow_tap = -1;
static int mptcp_tap = -1;
static int exported_pdu_tap = -1;
/* Place TCP summary in proto tree */
static gboolean tcp_summary_in_tree = TRUE;
/* Return nb with its low 32 bits cleared, i.e. only the upper half of the 64-bit value is kept. */
static inline guint64 KEEP_32MSB_OF_GUINT64(guint64 nb) {
    const guint64 low_half_mask = 0xFFFFFFFFu;

    return nb & ~low_half_mask;
}
/*
 * Single-bit masks for the MPTCP DSS (Data Sequence Signal) option flags.
 * Presumably tested against the flags octet read from the option; the code
 * that uses them is not in this part of the file.
 */
#define MPTCP_DSS_FLAG_DATA_ACK_PRESENT 0x01
#define MPTCP_DSS_FLAG_DATA_ACK_8BYTES 0x02
#define MPTCP_DSS_FLAG_MAPPING_PRESENT 0x04
#define MPTCP_DSS_FLAG_DSN_8BYTES 0x08
#define MPTCP_DSS_FLAG_DATA_FIN_PRESENT 0x10
/*
* Flag to control whether to check the TCP checksum.
*
* In at least some Solaris network traces, there are packets with bad
* TCP checksums, but the traffic appears to indicate that the packets
* *were* received; the packets were probably sent by the host on which
* the capture was being done, on a network interface to which
* checksumming was offloaded, so that DLPI supplied an un-checksummed
* packet to the capture program but a checksummed packet got put onto
* the wire.
*
* NOTE(review): the default is FALSE. Presumably a segment is then dissected
* without its checksum being verified, so a displayed checksum should not be
* read as validated unless this flag is on - confirm against the code that
* reads the flag.
*/
static gboolean tcp_check_checksum = FALSE;
/*
* Window scaling values to be used when not known (set as a preference).
*
* WindowScaling_NotKnown is -1; WindowScaling_0 .. WindowScaling_14 take the
* values 0 .. 14 (explicit 0, then the implicit enum increments).
*/
enum scaling_window_value {
WindowScaling_NotKnown=-1,
WindowScaling_0=0,
WindowScaling_1,
WindowScaling_2,
WindowScaling_3,
WindowScaling_4,
WindowScaling_5,
WindowScaling_6,
WindowScaling_7,
WindowScaling_8,
WindowScaling_9,
WindowScaling_10,
WindowScaling_11,
WindowScaling_12,
WindowScaling_13,
WindowScaling_14
};
/*
* Selects how an MPTCP data sequence number is converted between its 32-bit
* and 64-bit forms, or not converted at all.
* An enum is used instead of a boolean to make the API easier to read.
*/
enum mptcp_dsn_conversion {
DSN_CONV_64_TO_32,
DSN_CONV_32_TO_64,
DSN_CONV_NONE
} ;
/*
 * Single-bit masks named after the T, W, V and U flags of the MPTCP TCPRST
 * option. The code that tests them is not in this part of the file.
 */
#define MPTCP_TCPRST_FLAG_T_PRESENT 0x1
#define MPTCP_TCPRST_FLAG_W_PRESENT 0x2
#define MPTCP_TCPRST_FLAG_V_PRESENT 0x4
#define MPTCP_TCPRST_FLAG_U_PRESENT 0x8
/*
 * Display names for the MPTCP TCPRST reason codes 0x0 .. 0x6.
 * The { 0, NULL } entry terminates the table.
 */
static const value_string mp_tcprst_reasons[] = {
{ 0x0, "Unspecified error" },
{ 0x1, "MPTCP-specific error" },
{ 0x2, "Lack of resources" },
{ 0x3, "Administratively prohibited" },
{ 0x4, "Too much outstanding data" },
{ 0x5, "Unacceptable performance" },
{ 0x6, "Middlebox interference" },
{ 0, NULL },
};
/* Default window-scale setting; starts as "not known" (see enum scaling_window_value). */
static gint tcp_default_window_scaling = (gint)WindowScaling_NotKnown;
/*
 * Protocol identifiers for TCP, the protocols it refers to, each TCP option
 * and MPTCP. All start at -1; the code that assigns them is not in this part
 * of the file.
 */
static int proto_tcp = -1;
static int proto_ip = -1;
static int proto_icmp = -1;
static int proto_tcp_option_nop = -1;
static int proto_tcp_option_eol = -1;
static int proto_tcp_option_timestamp = -1;
static int proto_tcp_option_mss = -1;
static int proto_tcp_option_wscale = -1;
static int proto_tcp_option_sack_perm = -1;
static int proto_tcp_option_sack = -1;
static int proto_tcp_option_echo = -1;
static int proto_tcp_option_echoreply = -1;
static int proto_tcp_option_cc = -1;
static int proto_tcp_option_cc_new = -1;
static int proto_tcp_option_cc_echo = -1;
static int proto_tcp_option_md5 = -1;
static int proto_tcp_option_ao = -1;
static int proto_tcp_option_scps = -1;
static int proto_tcp_option_snack = -1;
static int proto_tcp_option_scpsrec = -1;
static int proto_tcp_option_scpscor = -1;
static int proto_tcp_option_qs = -1;
static int proto_tcp_option_user_to = -1;
static int proto_tcp_option_tfo = -1;
static int proto_tcp_option_rvbd_probe = -1;
static int proto_tcp_option_rvbd_trpy = -1;
static int proto_tcp_option_exp = -1;
static int proto_tcp_option_unknown = -1;
static int proto_mptcp = -1;
/*
 * Field identifiers for the fixed TCP header, the stream index and the
 * checksum results. Each starts at -1; the code that assigns them is not in
 * this part of the file.
 */
static int hf_tcp_srcport = -1;
static int hf_tcp_dstport = -1;
static int hf_tcp_port = -1;
static int hf_tcp_stream = -1;
static int hf_tcp_completeness = -1;
static int hf_tcp_seq = -1;
static int hf_tcp_seq_abs = -1;
static int hf_tcp_nxtseq = -1;
static int hf_tcp_ack = -1;
static int hf_tcp_ack_abs = -1;
static int hf_tcp_hdr_len = -1;
static int hf_tcp_flags = -1;
static int hf_tcp_flags_res = -1;
static int hf_tcp_flags_ns = -1;
static int hf_tcp_flags_cwr = -1;
static int hf_tcp_flags_ecn = -1;
static int hf_tcp_flags_urg = -1;
static int hf_tcp_flags_ack = -1;
static int hf_tcp_flags_push = -1;
static int hf_tcp_flags_reset = -1;
static int hf_tcp_flags_syn = -1;
static int hf_tcp_flags_fin = -1;
static int hf_tcp_flags_str = -1;
static int hf_tcp_window_size_value = -1;
static int hf_tcp_window_size = -1;
static int hf_tcp_window_size_scalefactor = -1;
static int hf_tcp_checksum = -1;
static int hf_tcp_checksum_status = -1;
static int hf_tcp_checksum_calculated = -1;
static int hf_tcp_len = -1;
static int hf_tcp_urgent_pointer = -1;
/*
 * Field identifiers for sequence analysis, PDU tracking and segment
 * reassembly. Each starts at -1; the code that assigns them is not in this
 * part of the file.
 */
static int hf_tcp_analysis = -1;
static int hf_tcp_analysis_flags = -1;
static int hf_tcp_analysis_bytes_in_flight = -1;
static int hf_tcp_analysis_push_bytes_sent = -1;
static int hf_tcp_analysis_acks_frame = -1;
static int hf_tcp_analysis_ack_rtt = -1;
static int hf_tcp_analysis_first_rtt = -1;
static int hf_tcp_analysis_rto = -1;
static int hf_tcp_analysis_rto_frame = -1;
static int hf_tcp_analysis_duplicate_ack = -1;
static int hf_tcp_analysis_duplicate_ack_num = -1;
static int hf_tcp_analysis_duplicate_ack_frame = -1;
static int hf_tcp_continuation_to = -1;
static int hf_tcp_pdu_time = -1;
static int hf_tcp_pdu_size = -1;
static int hf_tcp_pdu_last_frame = -1;
static int hf_tcp_reassembled_in = -1;
static int hf_tcp_reassembled_length = -1;
static int hf_tcp_reassembled_data = -1;
static int hf_tcp_segments = -1;
static int hf_tcp_segment = -1;
static int hf_tcp_segment_overlap = -1;
static int hf_tcp_segment_overlap_conflict = -1;
static int hf_tcp_segment_multiple_tails = -1;
static int hf_tcp_segment_too_long_fragment = -1;
static int hf_tcp_segment_error = -1;
static int hf_tcp_segment_count = -1;
/*
 * Field identifiers for the standard TCP options (kind/length, MSS, window
 * scale, SACK, echo, timestamp, CC, MD5, TCP-AO, Quick-Start, experimental
 * and unknown options). Each starts at -1; the code that assigns them is not
 * in this part of the file.
 */
static int hf_tcp_options = -1;
static int hf_tcp_option_kind = -1;
static int hf_tcp_option_len = -1;
static int hf_tcp_option_mss_val = -1;
static int hf_tcp_option_wscale_shift = -1;
static int hf_tcp_option_wscale_multiplier = -1;
static int hf_tcp_option_sack_sle = -1;
static int hf_tcp_option_sack_sre = -1;
static int hf_tcp_option_sack_range_count = -1;
static int hf_tcp_option_sack_dsack_le = -1;
static int hf_tcp_option_sack_dsack_re = -1;
static int hf_tcp_option_echo = -1;
static int hf_tcp_option_timestamp_tsval = -1;
static int hf_tcp_option_timestamp_tsecr = -1;
static int hf_tcp_option_cc = -1;
static int hf_tcp_option_md5_digest = -1;
static int hf_tcp_option_ao_keyid = -1;
static int hf_tcp_option_ao_rnextkeyid = -1;
static int hf_tcp_option_ao_mac = -1;
static int hf_tcp_option_qs_rate = -1;
static int hf_tcp_option_qs_ttl_diff = -1;
static int hf_tcp_option_exp_data = -1;
static int hf_tcp_option_exp_magic_number = -1;
static int hf_tcp_option_unknown_payload = -1;
/*
 * Field identifiers for the two Riverbed options (probe and transparency),
 * which use non-IANA option numbers. Each starts at -1; the code that assigns
 * them is not in this part of the file.
 */
static int hf_tcp_option_rvbd_probe_version1 = -1;
static int hf_tcp_option_rvbd_probe_version2 = -1;
static int hf_tcp_option_rvbd_probe_type1 = -1;
static int hf_tcp_option_rvbd_probe_type2 = -1;
static int hf_tcp_option_rvbd_probe_prober = -1;
static int hf_tcp_option_rvbd_probe_proxy = -1;
static int hf_tcp_option_rvbd_probe_client = -1;
static int hf_tcp_option_rvbd_probe_proxy_port = -1;
static int hf_tcp_option_rvbd_probe_appli_ver = -1;
static int hf_tcp_option_rvbd_probe_storeid = -1;
static int hf_tcp_option_rvbd_probe_flags = -1;
static int hf_tcp_option_rvbd_probe_flag_last_notify = -1;
static int hf_tcp_option_rvbd_probe_flag_server_connected = -1;
static int hf_tcp_option_rvbd_probe_flag_not_cfe = -1;
static int hf_tcp_option_rvbd_probe_flag_sslcert = -1;
static int hf_tcp_option_rvbd_probe_flag_probe_cache = -1;
static int hf_tcp_option_rvbd_trpy_flags = -1;
static int hf_tcp_option_rvbd_trpy_flag_mode = -1;
static int hf_tcp_option_rvbd_trpy_flag_oob = -1;
static int hf_tcp_option_rvbd_trpy_flag_chksum = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst_inner = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst_probe = -1;
static int hf_tcp_option_rvbd_trpy_src = -1;
static int hf_tcp_option_rvbd_trpy_dst = -1;
static int hf_tcp_option_rvbd_trpy_src_port = -1;
static int hf_tcp_option_rvbd_trpy_dst_port = -1;
static int hf_tcp_option_rvbd_trpy_client_port = -1;
/*
 * Field identifiers for the contents of the Multipath TCP option: flag bits,
 * subtype and version, keys, tokens, random numbers and HMACs, data-level
 * sequence/ack numbers, and advertised addresses. Each starts at -1; the code
 * that assigns them is not in this part of the file.
 */
static int hf_tcp_option_mptcp_flags = -1;
static int hf_tcp_option_mptcp_backup_flag = -1;
static int hf_tcp_option_mptcp_checksum_flag = -1;
static int hf_tcp_option_mptcp_B_flag = -1;
static int hf_tcp_option_mptcp_H_v0_flag = -1;
static int hf_tcp_option_mptcp_H_v1_flag = -1;
static int hf_tcp_option_mptcp_F_flag = -1;
static int hf_tcp_option_mptcp_m_flag = -1;
static int hf_tcp_option_mptcp_M_flag = -1;
static int hf_tcp_option_mptcp_a_flag = -1;
static int hf_tcp_option_mptcp_A_flag = -1;
static int hf_tcp_option_mptcp_U_flag = -1;
static int hf_tcp_option_mptcp_V_flag = -1;
static int hf_tcp_option_mptcp_W_flag = -1;
static int hf_tcp_option_mptcp_T_flag = -1;
static int hf_tcp_option_mptcp_tcprst_reason = -1;
static int hf_tcp_option_mptcp_reserved_flag = -1;
static int hf_tcp_option_mptcp_subtype = -1;
static int hf_tcp_option_mptcp_version = -1;
static int hf_tcp_option_mptcp_reserved = -1;
static int hf_tcp_option_mptcp_address_id = -1;
static int hf_tcp_option_mptcp_recv_token = -1;
static int hf_tcp_option_mptcp_sender_key = -1;
static int hf_tcp_option_mptcp_recv_key = -1;
static int hf_tcp_option_mptcp_sender_rand = -1;
static int hf_tcp_option_mptcp_sender_trunc_hmac = -1;
static int hf_tcp_option_mptcp_sender_hmac = -1;
static int hf_tcp_option_mptcp_addaddr_trunc_hmac = -1;
static int hf_tcp_option_mptcp_data_ack_raw = -1;
static int hf_tcp_option_mptcp_data_seq_no_raw = -1;
static int hf_tcp_option_mptcp_subflow_seq_no = -1;
static int hf_tcp_option_mptcp_data_lvl_len = -1;
static int hf_tcp_option_mptcp_checksum = -1;
static int hf_tcp_option_mptcp_ipver = -1;
static int hf_tcp_option_mptcp_echo = -1;
static int hf_tcp_option_mptcp_ipv4 = -1;
static int hf_tcp_option_mptcp_ipv6 = -1;
static int hf_tcp_option_mptcp_port = -1;
/*
 * Field identifiers for MPTCP connection-level values (as opposed to raw
 * option contents). Several names suggest values derived by the dissector
 * (expected IDSN/token, related mapping, reinjection links) - confirm where
 * they are filled in. Each starts at -1.
 */
static int hf_mptcp_expected_idsn = -1;
static int hf_mptcp_dsn = -1;
static int hf_mptcp_rawdsn64 = -1;
static int hf_mptcp_dss_dsn = -1;
static int hf_mptcp_ack = -1;
static int hf_mptcp_stream = -1;
static int hf_mptcp_expected_token = -1;
static int hf_mptcp_analysis = -1;
static int hf_mptcp_analysis_master = -1;
static int hf_mptcp_analysis_subflows = -1;
static int hf_mptcp_number_of_removed_addresses = -1;
static int hf_mptcp_related_mapping = -1;
static int hf_mptcp_reinjection_of = -1;
static int hf_mptcp_reinjected_in = -1;
/*
 * Field identifiers for TCP Fast Open, timestamps, the SCPS and SNACK
 * options, the user-timeout option, per-endpoint process information,
 * payload data and reset/FIN annotations. Each starts at -1; the code that
 * assigns them is not in this part of the file.
 */
static int hf_tcp_option_fast_open_cookie_request = -1;
static int hf_tcp_option_fast_open_cookie = -1;
static int hf_tcp_ts_relative = -1;
static int hf_tcp_ts_delta = -1;
static int hf_tcp_option_scps_vector = -1;
static int hf_tcp_option_scps_binding = -1;
static int hf_tcp_option_scps_binding_len = -1;
static int hf_tcp_scpsoption_flags_bets = -1;
static int hf_tcp_scpsoption_flags_snack1 = -1;
static int hf_tcp_scpsoption_flags_snack2 = -1;
static int hf_tcp_scpsoption_flags_compress = -1;
static int hf_tcp_scpsoption_flags_nlts = -1;
static int hf_tcp_scpsoption_flags_reserved = -1;
static int hf_tcp_scpsoption_connection_id = -1;
static int hf_tcp_option_snack_offset = -1;
static int hf_tcp_option_snack_size = -1;
static int hf_tcp_option_snack_le = -1;
static int hf_tcp_option_snack_re = -1;
static int hf_tcp_option_user_to_granularity = -1;
static int hf_tcp_option_user_to_val = -1;
static int hf_tcp_proc_src_uid = -1;
static int hf_tcp_proc_src_pid = -1;
static int hf_tcp_proc_src_uname = -1;
static int hf_tcp_proc_src_cmd = -1;
static int hf_tcp_proc_dst_uid = -1;
static int hf_tcp_proc_dst_pid = -1;
static int hf_tcp_proc_dst_uname = -1;
static int hf_tcp_proc_dst_cmd = -1;
static int hf_tcp_segment_data = -1;
static int hf_tcp_payload = -1;
static int hf_tcp_reset_cause = -1;
static int hf_tcp_fin_retransmission = -1;
static int hf_tcp_option_rvbd_probe_reserved = -1;
static int hf_tcp_option_scps_binding_data = -1;
/*
 * Subtree identifiers (ett_*) for the TCP tree, its option subtrees and the
 * analysis subtrees. Each starts at -1; the code that assigns them is not in
 * this part of the file.
 */
static gint ett_tcp = -1;
static gint ett_tcp_flags = -1;
static gint ett_tcp_options = -1;
static gint ett_tcp_option_timestamp = -1;
static gint ett_tcp_option_mss = -1;
static gint ett_tcp_option_wscale = -1;
static gint ett_tcp_option_sack = -1;
static gint ett_tcp_option_snack = -1;
static gint ett_tcp_option_scps = -1;
static gint ett_tcp_scpsoption_flags = -1;
static gint ett_tcp_option_scps_extended = -1;
static gint ett_tcp_option_user_to = -1;
static gint ett_tcp_option_exp = -1;
static gint ett_tcp_option_sack_perm = -1;
static gint ett_tcp_analysis = -1;
static gint ett_tcp_analysis_faults = -1;
static gint ett_tcp_timestamps = -1;
static gint ett_tcp_segments = -1;
static gint ett_tcp_segment = -1;
static gint ett_tcp_checksum = -1;
static gint ett_tcp_process_info = -1;
static gint ett_tcp_option_mptcp = -1;
static gint ett_tcp_opt_rvbd_probe = -1;
static gint ett_tcp_opt_rvbd_probe_flags = -1;
static gint ett_tcp_opt_rvbd_trpy = -1;
static gint ett_tcp_opt_rvbd_trpy_flags = -1;
static gint ett_tcp_opt_echo = -1;
static gint ett_tcp_opt_cc = -1;
static gint ett_tcp_opt_md5 = -1;
static gint ett_tcp_opt_ao = -1;
static gint ett_tcp_opt_qs = -1;
static gint ett_tcp_opt_recbound = -1;
static gint ett_tcp_opt_scpscor = -1;
static gint ett_tcp_unknown_opt = -1;
static gint ett_tcp_option_other = -1;
static gint ett_mptcp_analysis = -1;
static gint ett_mptcp_analysis_subflows = -1;
/*
 * Expert-info items, all initialised with EI_INIT.
 *
 * Going by their names, several of these mark input that fails a sanity
 * check (ei_tcp_opt_len_invalid, ei_tcp_short_segment,
 * ei_tcp_suboption_malformed, ei_tcp_bogus_header_length, the checksum
 * items); the conditions that raise them are not in this part of the file.
 */
static expert_field ei_tcp_opt_len_invalid = EI_INIT;
static expert_field ei_tcp_analysis_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_fast_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_spurious_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_out_of_order = EI_INIT;
static expert_field ei_tcp_analysis_reused_ports = EI_INIT;
static expert_field ei_tcp_analysis_lost_packet = EI_INIT;
static expert_field ei_tcp_analysis_ack_lost_packet = EI_INIT;
static expert_field ei_tcp_analysis_window_update = EI_INIT;
static expert_field ei_tcp_analysis_window_full = EI_INIT;
static expert_field ei_tcp_analysis_keep_alive = EI_INIT;
static expert_field ei_tcp_analysis_keep_alive_ack = EI_INIT;
static expert_field ei_tcp_analysis_duplicate_ack = EI_INIT;
static expert_field ei_tcp_analysis_zero_window_probe = EI_INIT;
static expert_field ei_tcp_analysis_zero_window = EI_INIT;
static expert_field ei_tcp_analysis_zero_window_probe_ack = EI_INIT;
static expert_field ei_tcp_analysis_tfo_syn = EI_INIT;
static expert_field ei_tcp_analysis_tfo_ack = EI_INIT;
static expert_field ei_tcp_analysis_tfo_ignored = EI_INIT;
static expert_field ei_tcp_scps_capable = EI_INIT;
static expert_field ei_tcp_option_sack_dsack = EI_INIT;
static expert_field ei_tcp_option_snack_sequence = EI_INIT;
static expert_field ei_tcp_option_wscale_shift_invalid = EI_INIT;
static expert_field ei_tcp_option_mss_absent = EI_INIT;
static expert_field ei_tcp_option_mss_present = EI_INIT;
static expert_field ei_tcp_short_segment = EI_INIT;
static expert_field ei_tcp_ack_nonzero = EI_INIT;
static expert_field ei_tcp_connection_synack = EI_INIT;
static expert_field ei_tcp_connection_syn = EI_INIT;
static expert_field ei_tcp_connection_fin = EI_INIT;
static expert_field ei_tcp_connection_rst = EI_INIT;
static expert_field ei_tcp_connection_fin_active = EI_INIT;
static expert_field ei_tcp_connection_fin_passive = EI_INIT;
static expert_field ei_tcp_checksum_ffff = EI_INIT;
static expert_field ei_tcp_checksum_bad = EI_INIT;
static expert_field ei_tcp_urgent_pointer_non_zero = EI_INIT;
static expert_field ei_tcp_suboption_malformed = EI_INIT;
static expert_field ei_tcp_nop = EI_INIT;
static expert_field ei_tcp_bogus_header_length = EI_INIT;
/* Disabled item, kept for reference: */
/* static expert_field ei_mptcp_analysis_unexpected_idsn = EI_INIT; */
static expert_field ei_mptcp_analysis_echoed_key_mismatch = EI_INIT;
static expert_field ei_mptcp_analysis_missing_algorithm = EI_INIT;
static expert_field ei_mptcp_analysis_unsupported_algorithm = EI_INIT;
static expert_field ei_mptcp_infinite_mapping= EI_INIT;
static expert_field ei_mptcp_mapping_missing = EI_INIT;
/* Disabled items, kept for reference: */
/* static expert_field ei_mptcp_stream_incomplete = EI_INIT; */
/* static expert_field ei_mptcp_analysis_dsn_out_of_order = EI_INIT; */
/* Some protocols such as encrypted DCE/RPCoverHTTP have dependencies
* from one PDU to the next PDU and require that they are called in sequence.
* These protocols would not be able to handle PDUs coming out of order
* or for example when a PDU is seen twice, like for retransmissions.
* This preference can be set for such protocols to make sure that we don't
* invoke the subdissectors for retransmitted or out-of-order segments.
* It is on (TRUE) by default.
*/
static gboolean tcp_no_subdissector_on_error = TRUE;
/*
* FF: (draft-ietf-tcpm-experimental-options-03)
* With this flag set we assume the option structure for experimental
* codepoints (253, 254) has a magic number field (first field after the
* Kind and Length). The magic number is used to differentiate different
* experiments and thus will be used in data dissection.
* It is on (TRUE) by default.
*/
static gboolean tcp_exp_options_with_magic = TRUE;
/*
* This flag indicates which of the Fast Retransmission or Out-of-Order
* interpretations takes precedence when analyzing an ambiguous packet, as
* things are not always clear. The user is allowed to change this
* behavior.
* When set (the default), we keep the historical interpretation
* (Fast RT > OOO).
*/
static gboolean tcp_fastrt_precedence = TRUE;
/* Process info, currently discovered via IPFIX; display is off by default. */
static gboolean tcp_display_process_info = FALSE;
/*
* TCP option kinds (the value of an option's Kind octet).
*/
#define TCPOPT_NOP 1 /* Padding */
#define TCPOPT_EOL 0 /* End of options */
#define TCPOPT_MSS 2 /* Segment size negotiating */
#define TCPOPT_WINDOW 3 /* Window scaling */
#define TCPOPT_SACK_PERM 4 /* SACK Permitted */
#define TCPOPT_SACK 5 /* SACK Block */
#define TCPOPT_ECHO 6
#define TCPOPT_ECHOREPLY 7
#define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
#define TCPOPT_CC 11
#define TCPOPT_CCNEW 12
#define TCPOPT_CCECHO 13
#define TCPOPT_MD5 19 /* RFC2385 */
#define TCPOPT_SCPS 20 /* SCPS Capabilities */
#define TCPOPT_SNACK 21 /* SCPS SNACK */
#define TCPOPT_RECBOUND 22 /* SCPS Record Boundary */
#define TCPOPT_CORREXP 23 /* SCPS Corruption Experienced */
#define TCPOPT_QS 27 /* RFC4782 Quick-Start Response */
#define TCPOPT_USER_TO 28 /* RFC5482 User Timeout Option */
#define TCPOPT_AO 29 /* RFC5925 The TCP Authentication Option */
#define TCPOPT_MPTCP 30 /* RFC6824 Multipath TCP */
#define TCPOPT_TFO 34 /* RFC7413 TCP Fast Open Cookie */
#define TCPOPT_EXP_FD 0xfd /* Experimental, reserved */
#define TCPOPT_EXP_FE 0xfe /* Experimental, reserved */
/* Non IANA registered option numbers */
#define TCPOPT_RVBD_PROBE 76 /* Riverbed probe option */
#define TCPOPT_RVBD_TRPY 78 /* Riverbed transparency option */
/*
* TCP option lengths, in octets. Names ending in _MIN are lower bounds for
* variable-length options; the others are the option's fixed length.
*
* NOTE(review): these are presumably what the option dissectors compare the
* on-wire Length octet against before reading option data - confirm at the
* use sites, which are not in this part of the file.
*/
#define TCPOLEN_MSS 4
#define TCPOLEN_WINDOW 3
#define TCPOLEN_SACK_PERM 2
#define TCPOLEN_SACK_MIN 2
#define TCPOLEN_ECHO 6
#define TCPOLEN_ECHOREPLY 6
#define TCPOLEN_TIMESTAMP 10
#define TCPOLEN_CC 6
#define TCPOLEN_CCNEW 6
#define TCPOLEN_CCECHO 6
#define TCPOLEN_MD5 18
#define TCPOLEN_SCPS 4
#define TCPOLEN_SNACK 6
#define TCPOLEN_RECBOUND 2
#define TCPOLEN_CORREXP 2
#define TCPOLEN_QS 8
#define TCPOLEN_USER_TO 4
#define TCPOLEN_MPTCP_MIN 3
#define TCPOLEN_TFO_MIN 2
#define TCPOLEN_RVBD_PROBE_MIN 3
#define TCPOLEN_RVBD_TRPY_MIN 16
#define TCPOLEN_EXP_MIN 2
/*
* Multipath TCP subtypes (values 0x0 .. 0x8); mptcp_subtype_vs maps the same
* constants to display names.
*/
#define TCPOPT_MPTCP_MP_CAPABLE 0x0 /* Multipath TCP Multipath Capable */
#define TCPOPT_MPTCP_MP_JOIN 0x1 /* Multipath TCP Join Connection */
#define TCPOPT_MPTCP_DSS 0x2 /* Multipath TCP Data Sequence Signal */
#define TCPOPT_MPTCP_ADD_ADDR 0x3 /* Multipath TCP Add Address */
#define TCPOPT_MPTCP_REMOVE_ADDR 0x4 /* Multipath TCP Remove Address */
#define TCPOPT_MPTCP_MP_PRIO 0x5 /* Multipath TCP Change Subflow Priority */
#define TCPOPT_MPTCP_MP_FAIL 0x6 /* Multipath TCP Fallback */
#define TCPOPT_MPTCP_MP_FASTCLOSE 0x7 /* Multipath TCP Fast Close */
#define TCPOPT_MPTCP_MP_TCPRST 0x8 /* Multipath TCP Reset */
/*
* Conversation Completeness values. Each is a distinct single bit, so they
* can be OR-ed together into one bitmask.
*/
#define TCP_COMPLETENESS_SYNSENT 0x01 /* TCP SYN SENT */
#define TCP_COMPLETENESS_SYNACK 0x02 /* TCP SYN ACK */
#define TCP_COMPLETENESS_ACK 0x04 /* TCP ACK */
#define TCP_COMPLETENESS_DATA 0x08 /* TCP data */
#define TCP_COMPLETENESS_FIN 0x10 /* TCP FIN */
#define TCP_COMPLETENESS_RST 0x20 /* TCP RST */
/*
 * Display strings for the granularity bit of the User Timeout option:
 * the first string is used when the bit is set, the second when it is clear.
 */
static const true_false_string tcp_option_user_to_granularity = {
"Minutes", "Seconds"
};
/*
 * Display names for TCP option kinds. Kinds that have no TCPOPT_* constant
 * in this file are listed by their numeric value. The { 0, NULL } entry
 * terminates the table.
 */
static const value_string tcp_option_kind_vs[] = {
{ TCPOPT_EOL, "End of Option List" },
{ TCPOPT_NOP, "No-Operation" },
{ TCPOPT_MSS, "Maximum Segment Size" },
{ TCPOPT_WINDOW, "Window Scale" },
{ TCPOPT_SACK_PERM, "SACK Permitted" },
{ TCPOPT_SACK, "SACK" },
{ TCPOPT_ECHO, "Echo" },
{ TCPOPT_ECHOREPLY, "Echo Reply" },
{ TCPOPT_TIMESTAMP, "Time Stamp Option" },
{ 9, "Partial Order Connection Permitted" },
{ 10, "Partial Order Service Profile" },
{ TCPOPT_CC, "CC" },
{ TCPOPT_CCNEW, "CC.NEW" },
{ TCPOPT_CCECHO, "CC.ECHO" },
{ 14, "TCP Alternate Checksum Request" },
{ 15, "TCP Alternate Checksum Data" },
{ 16, "Skeeter" },
{ 17, "Bubba" },
{ 18, "Trailer Checksum Option" },
{ TCPOPT_MD5, "MD5 Signature Option" },
{ TCPOPT_SCPS, "SCPS Capabilities" },
{ TCPOPT_SNACK, "Selective Negative Acknowledgements" },
{ TCPOPT_RECBOUND, "Record Boundaries" },
{ TCPOPT_CORREXP, "Corruption experienced" },
{ 24, "SNAP" },
{ 25, "Unassigned" },
{ 26, "TCP Compression Filter" },
{ TCPOPT_QS, "Quick-Start Response" },
{ TCPOPT_USER_TO, "User Timeout Option" },
{ TCPOPT_AO, "The TCP Authentication Option" },
{ TCPOPT_MPTCP, "Multipath TCP" },
{ TCPOPT_TFO, "TCP Fast Open Cookie" },
{ TCPOPT_RVBD_PROBE, "Riverbed Probe" },
{ TCPOPT_RVBD_TRPY, "Riverbed Transparency" },
{ TCPOPT_EXP_FD, "RFC3692-style Experiment 1" },
{ TCPOPT_EXP_FE, "RFC3692-style Experiment 2" },
{ 0, NULL }
};
/* Extended value-string wrapper built from the table above. */
static value_string_ext tcp_option_kind_vs_ext = VALUE_STRING_EXT_INIT(tcp_option_kind_vs);
/* Not all of the hf_ fields below make sense for TCP, but we have to provide
them anyway to comply with the API (which was aimed at IP fragment
reassembly).
The initialiser is positional, so the entries must stay in the member order
of the fragment_items type (declared outside this file). */
static const fragment_items tcp_segment_items = {
&ett_tcp_segment,
&ett_tcp_segments,
&hf_tcp_segments,
&hf_tcp_segment,
&hf_tcp_segment_overlap,
&hf_tcp_segment_overlap_conflict,
&hf_tcp_segment_multiple_tails,
&hf_tcp_segment_too_long_fragment,
&hf_tcp_segment_error,
&hf_tcp_segment_count,
&hf_tcp_reassembled_in,
&hf_tcp_reassembled_length,
&hf_tcp_reassembled_data,
"Segments"
};
/*
 * Display names for the Multipath TCP option subtypes (TCPOPT_MPTCP_*).
 * The { 0, NULL } entry terminates the table.
 */
static const value_string mptcp_subtype_vs[] = {
{ TCPOPT_MPTCP_MP_CAPABLE, "Multipath Capable" },
{ TCPOPT_MPTCP_MP_JOIN, "Join Connection" },
{ TCPOPT_MPTCP_DSS, "Data Sequence Signal" },
{ TCPOPT_MPTCP_ADD_ADDR, "Add Address"},
{ TCPOPT_MPTCP_REMOVE_ADDR, "Remove Address" },
{ TCPOPT_MPTCP_MP_PRIO, "Change Subflow Priority" },
{ TCPOPT_MPTCP_MP_FAIL, "TCP Fallback" },
{ TCPOPT_MPTCP_MP_FASTCLOSE, "Fast Close" },
{ TCPOPT_MPTCP_MP_TCPRST, "TCP Reset" },
{ 0, NULL }
};
/*
 * Dissector tables, heuristic list and dissector handles used by this file.
 * They are zero-initialised here; the code that fills them in is not in this
 * part of the file.
 */
static dissector_table_t subdissector_table;
static dissector_table_t tcp_option_table;
static heur_dissector_list_t heur_subdissector_list;
static dissector_handle_t data_handle;
static dissector_handle_t tcp_handle;
static dissector_handle_t sport_handle;
static dissector_handle_t tcp_opt_unknown_handle;
/* Stream counters; presumably the next TCP / MPTCP stream index to assign - confirm at the use sites. */
static guint32 tcp_stream_count;
static guint32 mptcp_stream_count;
/*
* Maps an MPTCP token to a mptcp_analysis structure.
* Collisions are not handled.
*
* NOTE(review): because collisions are not handled, two connections in one
* capture that carry the same token cannot be told apart through this map.
* Associations derived from it should be treated with care when the capture
* comes from an untrusted source - confirm the behaviour at the insert and
* lookup sites, which are not in this part of the file.
*/
static wmem_tree_t *mptcp_tokens = NULL;
/*
 * NULL-terminated lists of pointers to the field identifiers that make up
 * each MPTCP flags field: one list per option subtype (and, for MP_CAPABLE,
 * per protocol version, where only the H flag's field differs).
 */
static int * const tcp_option_mptcp_capable_v0_flags[] = {
&hf_tcp_option_mptcp_checksum_flag,
&hf_tcp_option_mptcp_B_flag,
&hf_tcp_option_mptcp_H_v0_flag,
&hf_tcp_option_mptcp_reserved_flag,
NULL
};
static int * const tcp_option_mptcp_capable_v1_flags[] = {
&hf_tcp_option_mptcp_checksum_flag,
&hf_tcp_option_mptcp_B_flag,
&hf_tcp_option_mptcp_H_v1_flag,
&hf_tcp_option_mptcp_reserved_flag,
NULL
};
static int * const tcp_option_mptcp_join_flags[] = {
&hf_tcp_option_mptcp_backup_flag,
NULL
};
static int * const tcp_option_mptcp_dss_flags[] = {
&hf_tcp_option_mptcp_F_flag,
&hf_tcp_option_mptcp_m_flag,
&hf_tcp_option_mptcp_M_flag,
&hf_tcp_option_mptcp_a_flag,
&hf_tcp_option_mptcp_A_flag,
NULL
};
static int * const tcp_option_mptcp_tcprst_flags[] = {
&hf_tcp_option_mptcp_U_flag,
&hf_tcp_option_mptcp_V_flag,
&hf_tcp_option_mptcp_W_flag,
&hf_tcp_option_mptcp_T_flag,
NULL
};
/* Unit suffix " (64bits version)"; the second member (NULL) means no separate plural form is supplied. */
static const unit_name_string units_64bit_version = { " (64bits version)", NULL };
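/*
 * Build a comma-separated list of the names of the flags set in
 * tcph->th_flags (for example "SYN, ACK"), followed by "Reserved" when any
 * TH_RES bit is set, or "<None>" when nothing is set.
 *
 * scope: allocator the result is taken from.
 * tcph:  TCP header whose th_flags member is rendered.
 *
 * Returns a NUL-terminated string that is ALWAYS allocated from 'scope'.
 * Callers in this file hand the result to wmem_free(), so the function must
 * never return a pointer to static storage: the "<None>" text is therefore
 * copied into the allocated buffer rather than returned as a string literal.
 */
static char *
tcp_flags_to_str(wmem_allocator_t *scope, const struct tcpheader *tcph)
{
    static const char flags[][4] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR", "NS" };
    const int maxlength = 64; /* upper bounds, max 53B: 8 * 3 + 2 + strlen("Reserved") + 9 * 2 + 1 */
    char *pbuf;
    char *buf;
    int i;

    buf = pbuf = (char *) wmem_alloc(scope, maxlength);
    *pbuf = '\0';

    /*
     * g_stpcpy() does no bounds checking. The copies below are safe only
     * because the set of strings is fixed and their worst-case total (53
     * bytes, see above) fits in maxlength; revisit the bound if a name is
     * added or lengthened.
     */
    for (i = 0; i < 9; i++) {
        if (tcph->th_flags & (1 << i)) {
            if (buf[0])
                pbuf = g_stpcpy(pbuf, ", ");
            pbuf = g_stpcpy(pbuf, flags[i]);
        }
    }

    if (tcph->th_flags & TH_RES) {
        if (buf[0])
            pbuf = g_stpcpy(pbuf, ", ");
        g_stpcpy(pbuf, "Reserved");
    }

    /*
     * No flag at all: write the placeholder into the buffer we own, so the
     * caller can still free the result and the allocation is not leaked.
     */
    if (buf[0] == '\0')
        g_stpcpy(buf, "<None>");

    return buf;
}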
/*
 * Render the low 12 bits of tcph->th_flags, most significant bit first, as
 * one character per bit: the bit's letter when it is set, a middle dot when
 * it is clear. The string is built with the packet-scope allocator.
 */
static char *
tcp_flags_to_str_first_letter(const struct tcpheader *tcph)
{
    /* One letter per bit, highest bit first; the upper three bits are reserved ('R'). */
    const char first_letters[] = "RRRNCEUAPRSF";
    const unsigned flags_count = 12;
    wmem_strbuf_t *out = wmem_strbuf_new(wmem_packet_scope(), "");
    unsigned pos;

    for (pos = 0; pos < flags_count; pos++) {
        const unsigned bit = flags_count - 1 - pos;
        const int is_set = (tcph->th_flags >> bit) & 1;

        if (!is_set) {
            wmem_strbuf_append(out, UTF8_MIDDLE_DOT);
            continue;
        }
        wmem_strbuf_append_c(out, first_letters[pos]);
    }

    return wmem_strbuf_finalize(out);
}
/*
 * Write the "source (<port>->)" prompt text into result, using the source
 * port stored as per-packet data for the current layer.
 * At most MAX_DECODE_AS_PROMPT_LEN bytes are written, so result must be at
 * least that large.
 */
static void
tcp_src_prompt(packet_info *pinfo, gchar *result)
{
    gpointer stored_port;
    guint32 port;

    stored_port = p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num);
    port = GPOINTER_TO_UINT(stored_port);

    g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", port, UTF8_RIGHTWARDS_ARROW);
}
/*
 * Return the source port stored as per-packet data for the current layer,
 * still in the pointer-sized form in which it was stored.
 */
static gpointer
tcp_src_value(packet_info *pinfo)
{
    gpointer stored_port;

    stored_port = p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num);
    return stored_port;
}
/*
 * Write the "destination (-><port>)" prompt text into result, using the
 * destination port stored as per-packet data for the current layer.
 * At most MAX_DECODE_AS_PROMPT_LEN bytes are written, so result must be at
 * least that large.
 */
static void
tcp_dst_prompt(packet_info *pinfo, gchar *result)
{
    gpointer stored_port;
    guint32 port;

    stored_port = p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num);
    port = GPOINTER_TO_UINT(stored_port);

    g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, port);
}
/*
 * Return the destination port stored as per-packet data for the current
 * layer, still in the pointer-sized form in which it was stored.
 */
static gpointer
tcp_dst_value(packet_info *pinfo)
{
    gpointer stored_port;

    stored_port = p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num);
    return stored_port;
}
/*
 * Write the "both (<src><-><dst>)" prompt text into result, using the source
 * and destination ports stored as per-packet data for the current layer.
 * At most MAX_DECODE_AS_PROMPT_LEN bytes are written, so result must be at
 * least that large.
 */
static void
tcp_both_prompt(packet_info *pinfo, gchar *result)
{
    guint32 srcport;
    guint32 destport;

    srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));
    destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));

    g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
}
/*
 * Map a conversation filter kind to the display-filter field name to use.
 *
 * Port kinds are answered without looking at conv, so conv may be NULL for
 * them. Address kinds need conv: the field name depends on whether the
 * address is IPv4 or IPv6. CONV_FILTER_INVALID is returned for a NULL conv
 * with an address kind, for any other address type, and for any other kind.
 */
static const char* tcp_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
{
    /* Port filters do not depend on the conversation. */
    switch (filter) {
    case CONV_FT_SRC_PORT:
        return "tcp.srcport";
    case CONV_FT_DST_PORT:
        return "tcp.dstport";
    case CONV_FT_ANY_PORT:
        return "tcp.port";
    default:
        break;
    }

    if (conv == NULL)
        return CONV_FILTER_INVALID;

    switch (filter) {
    case CONV_FT_SRC_ADDRESS:
        if (conv->src_address.type == AT_IPv4)
            return "ip.src";
        if (conv->src_address.type == AT_IPv6)
            return "ipv6.src";
        break;
    case CONV_FT_DST_ADDRESS:
        if (conv->dst_address.type == AT_IPv4)
            return "ip.dst";
        if (conv->dst_address.type == AT_IPv6)
            return "ipv6.dst";
        break;
    case CONV_FT_ANY_ADDRESS:
        /* The address family is taken from the source address only. */
        if (conv->src_address.type == AT_IPv4)
            return "ip.addr";
        if (conv->src_address.type == AT_IPv6)
            return "ipv6.addr";
        break;
    default:
        break;
    }

    return CONV_FILTER_INVALID;
}
/* Conversation-table callbacks for TCP; the only member set is the filter-name lookup. */
static ct_dissector_info_t tcp_ct_dissector_info = {&tcp_conv_get_filter_type};
/*
 * Tap callback: add one packet to the TCP conversation table.
 *
 * pct is the conv_hash_t to update and vip the struct tcpheader of the
 * packet; both arrive as untyped pointers and are cast without a check.
 * The conversation is keyed by the header's addresses, ports and stream
 * index, and is credited with one frame of pinfo->fd->pkt_len bytes.
 * Always returns TAP_PACKET_REDRAW.
 */
static tap_packet_status
tcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
    const struct tcpheader *tcphdr = (const struct tcpheader *)vip;
    conv_hash_t *hash = (conv_hash_t*) pct;

    add_conversation_table_data_with_conv_id(hash,
        &tcphdr->ip_src, &tcphdr->ip_dst,
        tcphdr->th_sport, tcphdr->th_dport,
        (conv_id_t) tcphdr->th_stream,
        1, pinfo->fd->pkt_len,
        &pinfo->rel_ts, &pinfo->abs_ts,
        &tcp_ct_dissector_info, ENDPOINT_TCP);

    return TAP_PACKET_REDRAW;
}
/*
 * Tap callback: add one packet to the MPTCP conversation table.
 *
 * pct is the conv_hash_t to update and vip the struct tcp_analysis of the
 * packet's connection. The conversation is keyed by the addresses and ports
 * of the MPTCP meta flow and by the MPTCP stream index, and is credited with
 * one frame of pinfo->fd->pkt_len bytes. Always returns TAP_PACKET_REDRAW.
 *
 * NOTE(review): tcpd->fwd, ->mptcp_subflow, ->meta and tcpd->mptcp_analysis
 * are dereferenced without NULL checks. This relies on the tap being queued
 * only once that MPTCP state exists - confirm at the place where the tap
 * data is queued.
 */
static tap_packet_status
mptcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
    const struct tcp_analysis *tcpd = (const struct tcp_analysis *)vip;
    const mptcp_meta_flow_t *meta = (const mptcp_meta_flow_t *)tcpd->fwd->mptcp_subflow->meta;
    conv_hash_t *hash = (conv_hash_t*) pct;

    add_conversation_table_data_with_conv_id(hash,
        &meta->ip_src, &meta->ip_dst,
        meta->sport, meta->dport,
        (conv_id_t) tcpd->mptcp_analysis->stream,
        1, pinfo->fd->pkt_len,
        &pinfo->rel_ts, &pinfo->abs_ts,
        &tcp_ct_dissector_info, ENDPOINT_TCP);

    return TAP_PACKET_REDRAW;
}
/*
 * Map a filter kind to the display-filter field name to use for an endpoint.
 *
 * Port kinds are answered without looking at host, so host may be NULL for
 * them. Address kinds need host: the field name depends on whether
 * host->myaddress is IPv4 or IPv6. CONV_FILTER_INVALID is returned for a
 * NULL host with an address kind, for any other address type, and for any
 * other kind.
 */
static const char* tcp_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
{
    /* Port filters do not depend on the endpoint. */
    switch (filter) {
    case CONV_FT_SRC_PORT:
        return "tcp.srcport";
    case CONV_FT_DST_PORT:
        return "tcp.dstport";
    case CONV_FT_ANY_PORT:
        return "tcp.port";
    default:
        break;
    }

    if (host == NULL)
        return CONV_FILTER_INVALID;

    /* Every address kind looks at the endpoint's single address. */
    switch (filter) {
    case CONV_FT_SRC_ADDRESS:
        if (host->myaddress.type == AT_IPv4)
            return "ip.src";
        if (host->myaddress.type == AT_IPv6)
            return "ipv6.src";
        break;
    case CONV_FT_DST_ADDRESS:
        if (host->myaddress.type == AT_IPv4)
            return "ip.dst";
        if (host->myaddress.type == AT_IPv6)
            return "ipv6.dst";
        break;
    case CONV_FT_ANY_ADDRESS:
        if (host->myaddress.type == AT_IPv4)
            return "ip.addr";
        if (host->myaddress.type == AT_IPv6)
            return "ipv6.addr";
        break;
    default:
        break;
    }

    return CONV_FILTER_INVALID;
}
/* Endpoint-table callbacks for TCP; the only member set is the filter-name lookup. */
static hostlist_dissector_info_t tcp_host_dissector_info = {&tcp_host_get_filter_type};
/*
 * Tap callback: add one packet to the TCP endpoint table.
 *
 * pit is the conv_hash_t to update and vip the struct tcpheader of the
 * packet; both arrive as untyped pointers and are cast without a check.
 * Always returns TAP_PACKET_REDRAW.
 */
static tap_packet_status
tcpip_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
    const struct tcpheader *tcphdr = (const struct tcpheader *)vip;
    conv_hash_t *hash = (conv_hash_t*) pit;

    /* Two "add" passes per packet, one per direction, so that every packet is
       counted properly (even when an address is sending to itself).
       XXX - this could probably be done more efficiently inside hostlist_table */
    add_hostlist_table_data(hash, &tcphdr->ip_src, tcphdr->th_sport,
        TRUE, 1, pinfo->fd->pkt_len, &tcp_host_dissector_info, ENDPOINT_TCP);
    add_hostlist_table_data(hash, &tcphdr->ip_dst, tcphdr->th_dport,
        FALSE, 1, pinfo->fd->pkt_len, &tcp_host_dissector_info, ENDPOINT_TCP);

    return TAP_PACKET_REDRAW;
}
/* Report whether the frame's layer list contains the "tcp" protocol. */
static gboolean
tcp_filter_valid(packet_info *pinfo)
{
    const gboolean has_tcp_layer = proto_is_frame_protocol(pinfo->layers, "tcp");

    return has_tcp_layer;
}
/*
 * Build a display filter that matches the packet's conversation: both
 * network addresses and both TCP ports, in either direction.
 *
 * Returns a string allocated by g_strdup_printf(), which the caller has to
 * release, or NULL when the two network-layer addresses are not both IPv4
 * or both IPv6.
 */
static gchar*
tcp_build_filter(packet_info *pinfo)
{
    const gboolean both_ipv4 =
        pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4;
    const gboolean both_ipv6 =
        pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6;

    if (both_ipv4) {
        /* TCP over IPv4 */
        return g_strdup_printf("(ip.addr eq %s and ip.addr eq %s) and (tcp.port eq %d and tcp.port eq %d)",
                               address_to_str(pinfo->pool, &pinfo->net_src),
                               address_to_str(pinfo->pool, &pinfo->net_dst),
                               pinfo->srcport, pinfo->destport );
    }

    if (both_ipv6) {
        /* TCP over IPv6 */
        return g_strdup_printf("(ipv6.addr eq %s and ipv6.addr eq %s) and (tcp.port eq %d and tcp.port eq %d)",
                               address_to_str(pinfo->pool, &pinfo->net_src),
                               address_to_str(pinfo->pool, &pinfo->net_dst),
                               pinfo->srcport, pinfo->destport );
    }

    return NULL;
}
/****************************************************************************/
/*
 * Tap callback for the sequence-analysis (flow graph) listener: called for
 * every TCP packet the tap sees and appends one item to sainfo->items.
 *
 * ptr is the seq_analysis_info_t being built and tcp_info the packet's
 * struct tcpheader. Returns TAP_PACKET_DONT_REDRAW when no item could be
 * created, TAP_PACKET_REDRAW otherwise.
 */
static tap_packet_status
tcp_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *tcp_info)
{
    seq_analysis_info_t *graph = (seq_analysis_info_t *) ptr;
    const struct tcpheader *hdr = (const struct tcpheader *)tcp_info;
    seq_analysis_item_t *item = sequence_analysis_create_sai_with_addresses(pinfo, graph);
    gboolean has_payload;
    char *flag_text;

    if (item == NULL) {
        return TAP_PACKET_DONT_REDRAW;
    }

    item->frame_number = pinfo->num;
    item->port_src = pinfo->srcport;
    item->port_dst = pinfo->destport;

    /* Label: the flag string, plus the segment length when one is known and non-zero. */
    flag_text = tcp_flags_to_str(NULL, hdr);
    has_payload = (hdr->th_have_seglen) && (hdr->th_seglen != 0);
    item->frame_label = has_payload
        ? g_strdup_printf("%s - Len: %u", flag_text, hdr->th_seglen)
        : g_strdup(flag_text);
    /* The flag string was allocated with a NULL allocator, so release it the same way. */
    wmem_free(NULL, flag_text);

    /* Comment: sequence number, and the ack number only when the ACK flag is set. */
    item->comment = (hdr->th_flags & TH_ACK)
        ? g_strdup_printf("Seq = %u Ack = %u", hdr->th_seq, hdr->th_ack)
        : g_strdup_printf("Seq = %u", hdr->th_seq);

    item->line_style = 1;
    /* The stream index is narrowed to 16 bits here. */
    item->conv_num = (guint16) hdr->th_stream;
    item->display = TRUE;

    g_queue_push_tail(graph->items, item);

    return TAP_PACKET_REDRAW;
}
/*
 * Build the "Follow TCP Stream" filter for the conversation the packet
 * belongs to.
 *
 * Requires source and destination network addresses of the same family
 * (both IPv4 or both IPv6) and an existing conversation for the packet.
 * On success *stream receives the stream index and a newly allocated
 * "tcp.stream eq N" string is returned; otherwise NULL is returned and
 * *stream is left untouched.
 */
gchar *tcp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, guint *stream, guint *sub_stream _U_)
{
    const gboolean both_v4 = (pinfo->net_src.type == AT_IPv4) && (pinfo->net_dst.type == AT_IPv4);
    const gboolean both_v6 = (pinfo->net_src.type == AT_IPv6) && (pinfo->net_dst.type == AT_IPv6);
    conversation_t *conversation;
    struct tcp_analysis *analysis;

    if (!both_v4 && !both_v6) {
        return NULL;
    }

    /* TCP over IPv4/6 */
    conversation = find_conversation_pinfo(pinfo, 0);
    if (conversation == NULL) {
        return NULL;
    }

    analysis = get_tcp_conversation_data(conversation, pinfo);
    if (analysis == NULL) {
        return NULL;
    }

    *stream = analysis->stream;
    return g_strdup_printf("tcp.stream eq %u", analysis->stream);
}
/*
 * Return a newly allocated display filter selecting TCP stream number
 * `stream`. The sub-stream argument is unused for TCP.
 */
gchar *tcp_follow_index_filter(guint stream, guint sub_stream _U_)
{
    gchar *filter = g_strdup_printf("tcp.stream eq %u", stream);

    return filter;
}
/*
 * Return a newly allocated display filter matching traffic between the two
 * address/port pairs in either direction.
 *
 * The field prefix ("ip" or "ipv6") is chosen from src_addr->type alone, so
 * both addresses are expected to be of the same family. Each address is
 * rendered into a fixed WS_INET6_ADDRSTRLEN buffer, with the buffer size
 * passed to address_to_str_buf().
 */
gchar *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
{
    gchar src_text[WS_INET6_ADDRSTRLEN];
    gchar dst_text[WS_INET6_ADDRSTRLEN];
    const gchar *family_suffix;

    if (src_addr->type == AT_IPv6) {
        family_suffix = "v6";
    } else {
        family_suffix = "";
    }

    address_to_str_buf(src_addr, src_text, sizeof(src_text));
    address_to_str_buf(dst_addr, dst_text, sizeof(dst_text));

    /* First clause: src -> dst; second clause: the reverse direction. */
    return g_strdup_printf("((ip%s.src eq %s and tcp.srcport eq %d) and "
                           "(ip%s.dst eq %s and tcp.dstport eq %d))"
                           " or "
                           "((ip%s.src eq %s and tcp.srcport eq %d) and "
                           "(ip%s.dst eq %s and tcp.dstport eq %d))",
                           family_suffix, src_text, src_port,
                           family_suffix, dst_text, dst_port,
                           family_suffix, dst_text, dst_port,
                           family_suffix, src_text, src_port);
}
/* Per-segment data handed to the follow tap; follow_tcp_tap_listener()
 * receives it as its `data` argument. */
typedef struct tcp_follow_tap_data
{
tvbuff_t *tvb; /* segment payload; the listener copies captured bytes out of it */
struct tcpheader* tcph; /* TCP header; the listener reads th_seq, th_seglen, th_flags and th_ack */
struct tcp_analysis *tcpd; /* not read by the listener in this part of the file */
} tcp_follow_tap_data_t;
/*
 * Tries to apply segments from fragments list to the reconstructed payload.
 * Fragments that can be appended to the end of the payload will be applied (and
 * removed from the list). Fragments that should have been received (according
 * to the ack number) will also be appended to the payload (preceded by some
 * dummy data to mark packet loss if any).
 *
 * follow_info   - follow state; fragments[], seq[] and payload are updated.
 * is_server     - direction index into fragments[] and seq[]; the callers in
 *                 this file pass the result of a `!` expression, i.e. 0 or 1.
 * acknowledged  - ack number seen from the other direction (the same-direction
 *                 caller passes 0).
 * packet_num    - frame number recorded on a "missing bytes" placeholder.
 *
 * Returns TRUE if one fragment has been applied or FALSE if no more fragments
 * can be added to the payload (there might still be unacked fragments with
 * missing segments before them).
 *
 * Each call restarts from the head of the list and handles at most one
 * fragment; the callers in this file repeat the call until it returns FALSE,
 * so a capture with many queued out-of-order segments is walked repeatedly.
 * GT_SEQ/LT_SEQ/EQ_SEQ are defined outside this part of the file
 * (presumably wrap-aware sequence comparisons - confirm).
 */
static gboolean
check_follow_fragments(follow_info_t *follow_info, gboolean is_server, guint32 acknowledged, guint32 packet_num)
{
GList *fragment_entry;
follow_record_t *fragment, *follow_record;
guint32 lowest_seq = 0;
gchar *dummy_str;
fragment_entry = g_list_first(follow_info->fragments[is_server]);
if (fragment_entry == NULL)
return FALSE;
fragment = (follow_record_t*)fragment_entry->data;
lowest_seq = fragment->seq;
for (; fragment_entry != NULL; fragment_entry = g_list_next(fragment_entry))
{
fragment = (follow_record_t*)fragment_entry->data;
/* Track the lowest queued sequence number for the gap check after the loop. */
if( GT_SEQ(lowest_seq, fragment->seq) ) {
lowest_seq = fragment->seq;
}
if( LT_SEQ(fragment->seq, follow_info->seq[is_server]) ) {
guint32 newseq;
/* this sequence number seems dated, but
check the end to make sure it has no more
info than we have already seen */
newseq = fragment->seq + fragment->data->len;
if( GT_SEQ(newseq, follow_info->seq[is_server]) ) {
guint32 new_pos;
/* this one has more than we have seen. let's get the
payload that we have not seen. This happens when
part of this frame has been retransmitted */
new_pos = follow_info->seq[is_server] - fragment->seq;
/* new_pos is the offset of the first unseen byte; the length check keeps
 * the copy below inside the fragment's byte array. */
if ( fragment->data->len > new_pos ) {
guint32 new_frag_size = fragment->data->len - new_pos;
follow_record = g_new0(follow_record_t,1);
follow_record->is_server = is_server;
follow_record->packet_num = fragment->packet_num;
/* NOTE(review): this stores the sequence number just past the copied bytes,
 * whereas follow_tcp_tap_listener() stores the start of the data - confirm
 * nothing relies on seq for records already on the payload list. */
follow_record->seq = follow_info->seq[is_server] + new_frag_size;
follow_record->data = g_byte_array_append(g_byte_array_new(),
fragment->data->data + new_pos,
new_frag_size);
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
}
follow_info->seq[is_server] += (fragment->data->len - new_pos);
}
/* Remove the fragment from the list as the "new" part of it
* has been processed or its data has been seen already in
* another packet. */
g_byte_array_free(fragment->data, TRUE);
g_free(fragment);
follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
return TRUE;
}
if( EQ_SEQ(fragment->seq, follow_info->seq[is_server]) ) {
/* this fragment fits the stream */
/* The record itself moves to the payload list, so it is not freed here.
 * NOTE(review): a zero-length fragment would be unlinked without being
 * freed; follow_tcp_tap_listener() never queues one. */
if( fragment->data->len > 0 ) {
follow_info->payload = g_list_prepend(follow_info->payload, fragment);
}
follow_info->seq[is_server] += fragment->data->len;
follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
return TRUE;
}
}
/* Reaching this point means every queued fragment starts beyond the expected
 * sequence number (the two branches above return otherwise). */
if( GT_SEQ(acknowledged, lowest_seq) ) {
/* There are frames missing in the capture file that were seen
* by the receiving host. Add dummy stream chunk with the data
* "[xxx bytes missing in capture file]".
*/
dummy_str = g_strdup_printf("[%d bytes missing in capture file]",
(int)(lowest_seq - follow_info->seq[is_server]) );
// XXX the dummy replacement could be larger than the actual missing bytes.
follow_record = g_new0(follow_record_t,1);
/* The placeholder text is stored including its terminating NUL (strlen + 1). */
follow_record->data = g_byte_array_append(g_byte_array_new(),
(guchar*)dummy_str,
(guint)strlen(dummy_str)+1);
g_free(dummy_str);
follow_record->is_server = is_server;
follow_record->packet_num = packet_num;
follow_record->seq = lowest_seq;
/* Skip the gap so the fragment at lowest_seq fits on the next call. */
follow_info->seq[is_server] = lowest_seq;
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
return TRUE;
}
return FALSE;
}
/*
 * Tap callback for "Follow TCP Stream": adds the payload of one segment to
 * the reconstructed stream held in follow_info.
 *
 * tapdata is the follow_info_t being built and data a tcp_follow_tap_data_t
 * for the current segment. The first packet seen defines the client side
 * (client_port == 0 is used as the "not yet set" marker). In-order data is
 * prepended to follow_info->payload; data that arrives ahead of the expected
 * sequence number is queued on follow_info->fragments[] until
 * check_follow_fragments() can place it.
 *
 * Always returns TAP_PACKET_DONT_REDRAW.
 *
 * NOTE(review): no limit on the length of the fragments[] lists is visible in
 * this function; with captures from untrusted sources the queue grows with
 * every out-of-order segment - confirm a bound exists elsewhere if needed.
 */
static tap_packet_status
follow_tcp_tap_listener(void *tapdata, packet_info *pinfo,
epan_dissect_t *edt _U_, const void *data)
{
follow_record_t *follow_record;
follow_info_t *follow_info = (follow_info_t *)tapdata;
const tcp_follow_tap_data_t *follow_data = (const tcp_follow_tap_data_t *)data;
gboolean is_server;
guint32 sequence = follow_data->tcph->th_seq;
/* NOTE(review): th_seglen is used without testing th_have_seglen, which
 * tcp_seq_analysis_packet() does test before using it - confirm the tap is
 * only queued when the length is known. */
guint32 length = follow_data->tcph->th_seglen;
guint32 data_offset = 0;
/* Number of bytes actually present in the capture; may differ from `length`. */
guint32 data_length = tvb_captured_length(follow_data->tvb);
/* A SYN occupies one sequence number, so data starts one past th_seq. */
if (follow_data->tcph->th_flags & TH_SYN) {
sequence++;
}
if (follow_info->client_port == 0) {
follow_info->client_port = pinfo->srcport;
copy_address(&follow_info->client_ip, &pinfo->src);
follow_info->server_port = pinfo->destport;
copy_address(&follow_info->server_ip, &pinfo->dst);
}
/* Anything not sent from the recorded client address and port counts as server. */
is_server = !(addresses_equal(&follow_info->client_ip, &pinfo->src) && follow_info->client_port == pinfo->srcport);
/* Check whether this frame ACKs fragments in flow from the other direction.
* This happens when frames are not in the capture file, but were actually
* seen by the receiving host (Fixes bug 592).
*/
if (follow_info->fragments[!is_server] != NULL) {
while (check_follow_fragments(follow_info, !is_server, follow_data->tcph->th_ack, pinfo->fd->num));
}
/*
* If this is the first segment of this stream, initialize the next expected
* sequence number. If there is any data, it will be added below.
*/
if (follow_info->bytes_written[is_server] == 0 && follow_info->seq[is_server] == 0) {
follow_info->seq[is_server] = sequence;
}
/* We have already seen this src (and received some segments), let's figure
* out whether this segment extends the stream or overlaps a previous gap. */
if (LT_SEQ(sequence, follow_info->seq[is_server])) {
/* This sequence number seems dated, but check the end in case it was a
* retransmission with more data. */
guint32 nextseq = sequence + length;
if (GT_SEQ(nextseq, follow_info->seq[is_server])) {
/* The begin of the segment was already seen, try to add the
* remaining data that we have not seen to the payload. */
data_offset = follow_info->seq[is_server] - sequence;
/* Clamp to the captured bytes so the copy below never starts past the end
 * of the buffer. */
if (data_length <= data_offset) {
data_length = 0;
} else {
data_length -= data_offset;
}
sequence = follow_info->seq[is_server];
length = nextseq - follow_info->seq[is_server];
}
}
/*
* Ignore segments that have no new data (either because it was empty, or
* because it was fully overlapping with previously received data).
*/
if (data_length == 0 || LT_SEQ(sequence, follow_info->seq[is_server])) {
return TAP_PACKET_DONT_REDRAW;
}
follow_record = g_new0(follow_record_t, 1);
follow_record->is_server = is_server;
follow_record->packet_num = pinfo->fd->num;
follow_record->seq = sequence; /* start of fragment, used by check_follow_fragments. */
/* Copies data_length captured bytes starting at data_offset. */
follow_record->data = g_byte_array_append(g_byte_array_new(),
tvb_get_ptr(follow_data->tvb, data_offset, data_length),
data_length);
if (EQ_SEQ(sequence, follow_info->seq[is_server])) {
/* The segment overlaps or extends the previous end of stream. */
/* NOTE(review): the expected sequence number advances by the header-derived
 * `length`, while only data->len captured bytes are stored; on a truncated
 * capture the difference is skipped without a marker - confirm intended. */
follow_info->seq[is_server] += length;
follow_info->bytes_written[is_server] += follow_record->data->len;
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
/* done with the packet, see if it caused a fragment to fit */
while(check_follow_fragments(follow_info, is_server, 0, pinfo->fd->num));
} else {
/* Out of order packet (more preceding segments are expected). */
follow_info->fragments[is_server] = g_list_append(follow_info->fragments[is_server], follow_record);
}
return TAP_PACKET_DONT_REDRAW;
}
/* Length in bytes of the value part of the TCP-info TLV written by
 * exp_pdu_tcp_dissector_data_populate_data(): 2 (version) + 3 * 4 (seq,
 * nxtseq, lastackseq) + 1 (is_reassembled) + 2 (flags) + 2 (urgent pointer). */
#define EXP_PDU_TCP_INFO_DATA_LEN 19
/* Version number written into the first two value bytes of that TLV. */
#define EXP_PDU_TCP_INFO_VERSION 1
/*
 * Size callback for the TCP-info exported-PDU item: the fixed value length
 * plus the 4 bytes of tag and length that precede it. Both arguments are
 * unused.
 */
static int exp_pdu_tcp_dissector_data_size(packet_info *pinfo _U_, void* data _U_)
{
    const int tlv_header_len = 4;

    return EXP_PDU_TCP_INFO_DATA_LEN + tlv_header_len;
}
/*
 * Populate callback for the TCP-info exported-PDU item: serialises the
 * struct tcpinfo passed in `data` into tlv_buffer, most significant byte
 * first, and returns the number of bytes the item occupies.
 *
 * Layout: tag (2), length (2), version (2), seq (4), nxtseq (4),
 * lastackseq (4), is_reassembled (1), flags (2), urgent_pointer (2).
 *
 * buffer_size is not consulted: 23 bytes are written unconditionally, so the
 * caller has to size tlv_buffer from exp_pdu_tcp_dissector_data_size().
 */
static int exp_pdu_tcp_dissector_data_populate_data(packet_info *pinfo _U_, void* data, guint8 *tlv_buffer, guint32 buffer_size _U_)
{
    const struct tcpinfo *info = (const struct tcpinfo *)data;
    guint8 *out = tlv_buffer;

    /* TLV header */
    *out++ = 0;
    *out++ = EXP_PDU_TAG_TCP_INFO_DATA;
    *out++ = 0;
    *out++ = EXP_PDU_TCP_INFO_DATA_LEN; /* tag length */

    /* Layout version */
    *out++ = 0;
    *out++ = EXP_PDU_TCP_INFO_VERSION;

    /* Sequence number of the segment */
    *out++ = (info->seq & 0xff000000) >> 24;
    *out++ = (info->seq & 0x00ff0000) >> 16;
    *out++ = (info->seq & 0x0000ff00) >> 8;
    *out++ = (info->seq & 0x000000ff);

    /* Next sequence number */
    *out++ = (info->nxtseq & 0xff000000) >> 24;
    *out++ = (info->nxtseq & 0x00ff0000) >> 16;
    *out++ = (info->nxtseq & 0x0000ff00) >> 8;
    *out++ = (info->nxtseq & 0x000000ff);

    /* Last acknowledged sequence number */
    *out++ = (info->lastackseq & 0xff000000) >> 24;
    *out++ = (info->lastackseq & 0x00ff0000) >> 16;
    *out++ = (info->lastackseq & 0x0000ff00) >> 8;
    *out++ = (info->lastackseq & 0x000000ff);

    *out++ = info->is_reassembled;

    *out++ = (info->flags & 0xff00) >> 8;
    *out++ = (info->flags & 0x00ff);

    *out++ = (info->urgent_pointer & 0xff00) >> 8;
    *out++ = (info->urgent_pointer & 0x00ff);

    return exp_pdu_tcp_dissector_data_size(pinfo, data);
}
/*
 * Queue the payload on the exported-PDU tap for a PDU that was handed to a
 * dissector through the "tcp.port" dissector table.
 *
 * Nothing is done unless a listener is attached to exported_pdu_tap. The
 * export carries the address/port items, the original frame number, the
 * table value `port` and the TCP-info item built from `tcpinfo`.
 *
 * NOTE(review): the result of export_pdu_create_tags() is used without a
 * NULL check here, unlike in handle_export_pdu_heuristic().
 */
static void
handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, guint32 port, struct tcpinfo *tcpinfo)
{
    exp_pdu_data_item_t port_item = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
    exp_pdu_data_item_t tcpinfo_item = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
    const exp_pdu_data_item_t *items[] = {
        &exp_pdu_data_src_ip,
        &exp_pdu_data_dst_ip,
        &exp_pdu_data_port_type,
        &exp_pdu_data_src_port,
        &exp_pdu_data_dst_port,
        &exp_pdu_data_orig_frame_num,
        &port_item,
        &tcpinfo_item,
        NULL
    };
    exp_pdu_data_t *pdu;

    if (!have_tap_listener(exported_pdu_tap)) {
        return;
    }

    port_item.data = GUINT_TO_POINTER(port);
    tcpinfo_item.data = tcpinfo;

    pdu = export_pdu_create_tags(pinfo, "tcp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, items);
    pdu->tvb_captured_length = tvb_captured_length(tvb);
    pdu->tvb_reported_length = tvb_reported_length(tvb);
    pdu->pdu_tvb = tvb;

    tap_queue_packet(exported_pdu_tap, pinfo, pdu);
}
/*
 * Queue the payload on the exported-PDU tap for a PDU claimed through a
 * heuristic dissector table entry.
 *
 * Nothing is done unless a listener is attached to exported_pdu_tap.
 *  - If the heuristic entry is disabled, or its protocol is set but disabled,
 *    the payload is exported under the protocol name "data".
 *  - Otherwise, if the entry has a protocol, it is exported under the entry's
 *    short name together with the TCP-info item built from `tcpinfo`.
 *  - An enabled entry without a protocol exports nothing.
 */
static void
handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry, struct tcpinfo *tcpinfo)
{
    exp_pdu_data_t *pdu = NULL;
    gboolean heur_unusable;

    if (!have_tap_listener(exported_pdu_tap)) {
        return;
    }

    heur_unusable = (!hdtbl_entry->enabled) ||
        (hdtbl_entry->protocol != NULL && !proto_is_protocol_enabled(hdtbl_entry->protocol));

    if (heur_unusable) {
        pdu = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_PROTO_NAME);
    } else if (hdtbl_entry->protocol != NULL) {
        exp_pdu_data_item_t tcpinfo_item = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
        const exp_pdu_data_item_t *items[] = {
            &exp_pdu_data_src_ip,
            &exp_pdu_data_dst_ip,
            &exp_pdu_data_port_type,
            &exp_pdu_data_src_port,
            &exp_pdu_data_dst_port,
            &exp_pdu_data_orig_frame_num,
            &tcpinfo_item,
            NULL
        };

        tcpinfo_item.data = tcpinfo;
        pdu = export_pdu_create_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_PROTO_NAME, items);
    }

    if (pdu == NULL) {
        return;
    }

    pdu->tvb_captured_length = tvb_captured_length(tvb);
    pdu->tvb_reported_length = tvb_reported_length(tvb);
    pdu->pdu_tvb = tvb;

    tap_queue_packet(exported_pdu_tap, pinfo, pdu);
}
/*
 * Queue the payload on the exported-PDU tap for a PDU whose dissector was
 * chosen through the conversation.
 *
 * Nothing is done unless a listener is attached to exported_pdu_tap, a TCP
 * conversation exists for the packet's addresses and the given ports, and
 * the conversation's dissector_tree yields a handle for pinfo->num (looked
 * up with wmem_tree_lookup32_le()). The export is tagged with that handle's
 * dissector name and carries the TCP-info item built from `tcpinfo`.
 *
 * NOTE(review): the result of export_pdu_create_tags() is used without a
 * NULL check here, unlike in handle_export_pdu_heuristic().
 */
static void
handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int src_port, int dst_port, struct tcpinfo *tcpinfo)
{
    exp_pdu_data_item_t tcpinfo_item = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
    const exp_pdu_data_item_t *items[] = {
        &exp_pdu_data_src_ip,
        &exp_pdu_data_dst_ip,
        &exp_pdu_data_port_type,
        &exp_pdu_data_src_port,
        &exp_pdu_data_dst_port,
        &exp_pdu_data_orig_frame_num,
        &tcpinfo_item,
        NULL
    };
    conversation_t *conversation;
    dissector_handle_t handle;
    exp_pdu_data_t *pdu;

    if (!have_tap_listener(exported_pdu_tap)) {
        return;
    }

    conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, ENDPOINT_TCP, src_port, dst_port, 0);
    if (conversation == NULL) {
        return;
    }

    handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
    if (handle == NULL) {
        return;
    }

    tcpinfo_item.data = tcpinfo;

    pdu = export_pdu_create_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_PROTO_NAME, items);
    pdu->tvb_captured_length = tvb_captured_length(tvb);
    pdu->tvb_reported_length = tvb_reported_length(tvb);
    pdu->pdu_tvb = tvb;

    tap_queue_packet(exported_pdu_tap, pinfo, pdu);
}
/*
 * Render the TCP conversation-completeness bitmask as a label.
 *
 * Complete conversations get most of the attention, but incomplete ones that
 * at least start regularly (SYN, SYN+ACK, ACK, data) are named too, since
 * those are what one is often looking for in practice. Only exact flag
 * combinations are recognised; every other value is "Incomplete".
 *
 * buf receives at most ITEM_LABEL_LENGTH bytes; the numeric value is always
 * appended in parentheses.
 */
static void conversation_completeness_fill(gchar *buf, guint32 value)
{
    /* Shared prefixes of the flag combinations tested below. */
    enum {
        COMPL_HANDSHAKE = TCP_COMPLETENESS_SYNSENT | TCP_COMPLETENESS_SYNACK | TCP_COMPLETENESS_ACK,
        COMPL_HANDSHAKE_DATA = COMPL_HANDSHAKE | TCP_COMPLETENESS_DATA
    };

    switch (value) {
    case TCP_COMPLETENESS_SYNSENT:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Incomplete, SYN_SENT (%u)", value);
        break;

    case TCP_COMPLETENESS_SYNSENT | TCP_COMPLETENESS_SYNACK:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Incomplete, CLIENT_ESTABLISHED (%u)", value);
        break;

    case COMPL_HANDSHAKE:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Incomplete, ESTABLISHED (%u)", value);
        break;

    case COMPL_HANDSHAKE_DATA:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Incomplete, DATA (%u)", value);
        break;

    /* Handshake and data, closed by FIN, RST or both. */
    case COMPL_HANDSHAKE_DATA | TCP_COMPLETENESS_FIN:
    case COMPL_HANDSHAKE_DATA | TCP_COMPLETENESS_RST:
    case COMPL_HANDSHAKE_DATA | TCP_COMPLETENESS_FIN | TCP_COMPLETENESS_RST:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Complete, WITH_DATA (%u)", value);
        break;

    /* Handshake closed by FIN, RST or both, without any data. */
    case COMPL_HANDSHAKE | TCP_COMPLETENESS_FIN:
    case COMPL_HANDSHAKE | TCP_COMPLETENESS_RST:
    case COMPL_HANDSHAKE | TCP_COMPLETENESS_FIN | TCP_COMPLETENESS_RST:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Complete, NO_DATA (%u)", value);
        break;

    default:
        g_snprintf(buf, ITEM_LABEL_LENGTH, "Incomplete (%u)", value);
        break;
    }
}
/* TCP structs and definitions */
/* **************************************************************************
* RTT, relative sequence numbers, window scaling & etc.
* **************************************************************************/
/* File-scope analysis switches with their initial values. Where they are
 * changed is not visible in this part of the file; the per-line notes below
 * are read off the names unless stated otherwise. */
/* Read by init_tcp_conversation_data() to decide whether the per-flow
 * sequence-analysis state is allocated. */
static gboolean tcp_analyze_seq = TRUE;
static gboolean tcp_relative_seq = TRUE; /* presumably: show sequence numbers relative to the first one */
static gboolean tcp_track_bytes_in_flight = TRUE; /* presumably: keep a bytes-in-flight count */
static gboolean tcp_calculate_ts = TRUE; /* presumably: compute per-conversation timestamps */
static gboolean tcp_analyze_mptcp = TRUE; /* presumably: enable Multipath TCP analysis */
static gboolean mptcp_relative_seq = TRUE; /* presumably: relative MPTCP data sequence numbers */
static gboolean mptcp_analyze_mappings = FALSE; /* off by default */
static gboolean mptcp_intersubflows_retransmission = FALSE; /* off by default */
/* TCP_A_*: sequence-analysis result flags, one distinct bit each
 * (0x0001 through 0x4000), so several can be combined in one value. */
#define TCP_A_RETRANSMISSION 0x0001
#define TCP_A_LOST_PACKET 0x0002
#define TCP_A_ACK_LOST_PACKET 0x0004
#define TCP_A_KEEP_ALIVE 0x0008
#define TCP_A_DUPLICATE_ACK 0x0010
#define TCP_A_ZERO_WINDOW 0x0020
#define TCP_A_ZERO_WINDOW_PROBE 0x0040
#define TCP_A_ZERO_WINDOW_PROBE_ACK 0x0080
#define TCP_A_KEEP_ALIVE_ACK 0x0100
#define TCP_A_OUT_OF_ORDER 0x0200
#define TCP_A_FAST_RETRANSMISSION 0x0400
#define TCP_A_WINDOW_UPDATE 0x0800
#define TCP_A_WINDOW_FULL 0x1000
#define TCP_A_REUSED_PORTS 0x2000
#define TCP_A_SPURIOUS_RETRANSMISSION 0x4000
/* Static TCP flags. Set in tcp_flow_t:static_flags */
/* These are not independent bits: 0x03 and 0x05 both contain 0x01, so a
 * bitwise test for TCP_S_BASE_SEQ_SET also succeeds when either SAW_* value
 * has been stored. */
#define TCP_S_BASE_SEQ_SET 0x01
#define TCP_S_SAW_SYN 0x03
#define TCP_S_SAW_SYNACK 0x05
/* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
/* MPTCP_META_HAS_KEY (0x03) contains the MPTCP_META_HAS_BASE_DSN_MSB bit. */
#define MPTCP_META_HAS_BASE_DSN_MSB 0x01
#define MPTCP_META_HAS_KEY 0x03
#define MPTCP_META_HAS_TOKEN 0x04
#define MPTCP_META_HAS_ADDRESSES 0x08
/* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
/* NOTE(review): the comment above repeats the meta-flow wording, but these
 * names carry the SUBFLOW prefix - presumably they belong to the subflow
 * structure's flags; confirm. */
#define MPTCP_SUBFLOW_HAS_NONCE 0x01
#define MPTCP_SUBFLOW_HAS_ADDRESS_ID 0x02
/* MPTCP meta analysis related */
#define MPTCP_META_CHECKSUM_REQUIRED 0x0002
/*
 * Convert an MPTCP data sequence number between its 32-bit and 64-bit forms
 * and, optionally, make it relative to the meta flow's base DSN.
 *
 * *result is first set to `dsn`. Widening to 64 bits and relative numbering
 * both need the base DSN; when the meta flow does not have
 * MPTCP_META_HAS_BASE_DSN_MSB set (no key seen for this connection) those
 * conversions are impossible and FALSE is returned with *result still equal
 * to `dsn`. Otherwise the conversion is applied and TRUE is returned.
 *
 * The 32 -> 64 conversion takes the upper 32 bits from base_dsn and assumes
 * the low 32 bits have not wrapped, so it may be wrong for elephant flows.
 */
static
gboolean
mptcp_convert_dsn(guint64 dsn, mptcp_meta_flow_t *meta, enum mptcp_dsn_conversion conv, gboolean relative, guint64 *result ) {
    const gboolean widen = (conv == DSN_CONV_32_TO_64);
    /* A relative value needs the 64-bit base as well. */
    const gboolean needs_base = widen || relative;

    *result = dsn;

    if (needs_base && !(meta->static_flags & MPTCP_META_HAS_BASE_DSN_MSB)) {
        /* can't do those without the expected_idsn based on the key */
        return FALSE;
    }

    if (widen) {
        *result = KEEP_32MSB_OF_GUINT64(meta->base_dsn) | dsn;
    }

    if (relative) {
        *result -= meta->base_dsn;
    }

    if (conv == DSN_CONV_64_TO_32) {
        /* Keep only the low 32 bits. */
        *result = (guint32) *result;
    }

    return TRUE;
}
/* Forward declaration; the definition is not in this part of the file. */
static void
process_tcp_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
proto_tree *tree, proto_tree *tcp_tree, int src_port, int dst_port,
guint32 seq, guint32 nxtseq, gboolean is_tcp_segment,
struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo);
/*
 * Allocate and initialise the per-conversation TCP analysis state.
 *
 * Everything is allocated in file scope. Both flows start with
 * win_scale == -1 and window == G_MAXUINT32. The sequence-analysis and
 * process-info blocks are only allocated when tcp_analyze_seq and
 * tcp_display_process_info are set. The first and previous timestamps are
 * taken from the current packet, and the conversation receives the next
 * stream index from tcp_stream_count.
 */
static struct tcp_analysis *
init_tcp_conversation_data(packet_info *pinfo)
{
    struct tcp_analysis *analysis;
    tcp_flow_t *flows[2];
    guint i;

    /* Initialize the tcp protocol data structure to add to the tcp conversation */
    analysis = wmem_new0(wmem_file_scope(), struct tcp_analysis);
    flows[0] = &analysis->flow1;
    flows[1] = &analysis->flow2;

    for (i = 0; i < 2; i++) {
        flows[i]->win_scale = -1;
        flows[i]->window = G_MAXUINT32;
        flows[i]->multisegment_pdus = wmem_tree_new(wmem_file_scope());
    }

    /* Only allocate the data if its actually going to be analyzed */
    if (tcp_analyze_seq) {
        for (i = 0; i < 2; i++) {
            flows[i]->tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
        }
    }

    /* Only allocate the data if its actually going to be displayed */
    if (tcp_display_process_info) {
        for (i = 0; i < 2; i++) {
            flows[i]->process_info = wmem_new0(wmem_file_scope(), struct tcp_process_info_t);
        }
    }

    analysis->acked_table = wmem_tree_new(wmem_file_scope());

    /* The packet creating the conversation is both its first and its previous packet. */
    analysis->ts_first.secs = pinfo->abs_ts.secs;
    analysis->ts_first.nsecs = pinfo->abs_ts.nsecs;
    nstime_set_zero(&analysis->ts_mru_syn);
    nstime_set_zero(&analysis->ts_first_rtt);
    analysis->ts_prev.secs = pinfo->abs_ts.secs;
    analysis->ts_prev.nsecs = pinfo->abs_ts.nsecs;

    for (i = 0; i < 2; i++) {
        flows[i]->valid_bif = 1;
        flows[i]->push_bytes_sent = 0;
        flows[i]->push_set_last = FALSE;
        flows[i]->closing_initiator = FALSE;
    }

    analysis->stream = tcp_stream_count++;
    analysis->server_port = 0;

    return analysis;
}
/*
 * Allocate the MPTCP subflow state for a TCP flow (file scope) together with
 * its two interval trees, and attach it to the flow. The flow must not have
 * a subflow yet; that is asserted after the allocation.
 */
static void
mptcp_init_subflow(tcp_flow_t *flow)
{
    struct mptcp_subflow *subflow = wmem_new0(wmem_file_scope(), struct mptcp_subflow);

    DISSECTOR_ASSERT(flow->mptcp_subflow == 0);

    subflow->ssn2dsn_mappings = wmem_itree_new(wmem_file_scope());
    subflow->dsn2packet_map = wmem_itree_new(wmem_file_scope());
    flow->mptcp_subflow = subflow;
}
/*
 * Add a TCP conversation to an MPTCP connection's list of subflows, unless
 * it is already listed, and point the conversation back at the connection.
 * The back pointer is always rewritten, which covers the case where two
 * MPTCP connections are merged.
 */
static void
mptcp_attach_subflow(struct mptcp_analysis* mptcpd, struct tcp_analysis* tcpd) {
    const gboolean already_listed = (wmem_list_find(mptcpd->subflows, tcpd) != NULL);

    if (!already_listed) {
        wmem_list_prepend(mptcpd->subflows, tcpd);
    }

    /* in case we merge 2 mptcp connections */
    tcpd->mptcp_analysis = mptcpd;
}
/*
 * Return the TCP analysis state for a conversation, creating it on demand,
 * and point its fwd/rev members at the flows for the current packet's
 * direction.
 *
 * conv may be NULL, in which case the conversation is found or created from
 * pinfo and the pending per-packet analysis pointer (ta) is left alone; when
 * the caller supplies conv, ta is reset to NULL.
 *
 * Direction: flow1 is "forward" when cmp_address(src, dst) >= 0. If the
 * addresses compare equal the ports decide (srcport > destport means flow1).
 */
struct tcp_analysis *
get_tcp_conversation_data(conversation_t *conv, packet_info *pinfo)
{
    /* Did the caller supply the conversation pointer? */
    const gboolean caller_gave_conv = (conv != NULL);
    struct tcp_analysis *analysis;
    int order;

    if (!caller_gave_conv) {
        conv = find_or_create_conversation(pinfo);
    }

    /* Get the data for this conversation */
    analysis = (struct tcp_analysis *)conversation_get_proto_data(conv, proto_tcp);

    /* A conversation that was just created, or that matched one with template
     * options, has no analysis state yet: create and register it. */
    if (analysis == NULL) {
        analysis = init_tcp_conversation_data(pinfo);
        conversation_add_proto_data(conv, proto_tcp, analysis);
        if (analysis == NULL) {
            return NULL;
        }
    }

    /* check direction and get ua lists */
    order = cmp_address(&pinfo->src, &pinfo->dst);
    if (order == 0) {
        /* if the addresses are equal, match the ports instead */
        order = (pinfo->srcport > pinfo->destport) ? 1 : -1;
    }

    if (order >= 0) {
        analysis->fwd = &(analysis->flow1);
        analysis->rev = &(analysis->flow2);
    } else {
        analysis->fwd = &(analysis->flow2);
        analysis->rev = &(analysis->flow1);
    }

    /* If the caller didn't supply a conversation, don't clear the analysis,
     * it may be needed. */
    if (caller_gave_conv) {
        analysis->ta = NULL;
    }

    return analysis;
}
/*
 * Attach process information (uid, pid, user name, command) to one flow of
 * an existing TCP conversation.
 *
 * Does nothing when tcp_display_process_info is off, when no conversation or
 * no TCP analysis state exists for the address/port pair, when neither
 * endpoint matches the conversation's first key address and port, or when
 * the flow already has a command recorded. The two strings are copied into
 * file-scope memory, so the caller keeps ownership of its arguments.
 *
 * XXX - We depend on the TCP dissector finding the conversation first
 */
void
add_tcp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command) {
    conversation_t *conversation;
    struct tcp_analysis *analysis;
    tcp_flow_t *target;

    if (!tcp_display_process_info) {
        return;
    }

    conversation = find_conversation(frame_num, local_addr, remote_addr, ENDPOINT_TCP, local_port, remote_port, 0);
    if (conversation == NULL) {
        return;
    }

    analysis = (struct tcp_analysis *)conversation_get_proto_data(conversation, proto_tcp);
    if (analysis == NULL) {
        return;
    }

    /* Pick the flow whose endpoint is the conversation's first key address/port. */
    if (cmp_address(local_addr, conversation_key_addr1(conversation->key_ptr)) == 0 && local_port == conversation_key_port1(conversation->key_ptr)) {
        target = &analysis->flow1;
    } else if (cmp_address(remote_addr, conversation_key_addr1(conversation->key_ptr)) == 0 && remote_port == conversation_key_port1(conversation->key_ptr)) {
        target = &analysis->flow2;
    } else {
        return;
    }

    /* Process info that already names a command is never overwritten. */
    if (target->process_info != NULL && target->process_info->command != NULL) {
        return;
    }

    if (target->process_info == NULL) {
        target->process_info = wmem_new0(wmem_file_scope(), struct tcp_process_info_t);
    }

    target->process_info->process_uid = uid;
    target->process_info->process_pid = pid;
    target->process_info->username = wmem_strdup(wmem_file_scope(), username);
    target->process_info->command = wmem_strdup(wmem_file_scope(), command);
}
/*
 * Return the current value of the TCP stream counter, i.e. the index the
 * next new conversation would be given by init_tcp_conversation_data().
 */
guint32 get_tcp_stream_count(void)
{
    const guint32 streams_so_far = tcp_stream_count;

    return streams_so_far;
}
/* Return the current value of the MPTCP stream counter. */
guint32 get_mptcp_stream_count(void)
{
    const guint32 streams_so_far = mptcp_stream_count;

    return streams_so_far;
}
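/*
 * Calculate the timestamps relative to this conversation.
 *
 * pinfo - current packet; abs_ts is the reference time.
 * tcpd  - conversation state; ts_prev is read and then updated. May be NULL,
 *         in which case no delta is computed.
 * tcppd - per-packet data for this layer, or NULL to have it created and
 *         registered with the packet here.
 *
 * The per-packet block is allocated zero-initialised. The function can
 * return before ts_del is written (tcpd == NULL), and the block has already
 * been attached to the packet by then, so without zeroing a later reader
 * would see indeterminate memory.
 */
static void
tcp_calculate_timestamps(packet_info *pinfo, struct tcp_analysis *tcpd,
            struct tcp_per_packet_data_t *tcppd)
{
    if (!tcppd) {
        tcppd = wmem_new0(wmem_file_scope(), struct tcp_per_packet_data_t);
        p_add_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num, tcppd);
    }

    if (!tcpd) {
        return;
    }

    /* Time since the previous packet of this conversation. */
    nstime_delta(&tcppd->ts_del, &pinfo->abs_ts, &tcpd->ts_prev);

    /* This packet becomes the "previous" one for the next call. */
    tcpd->ts_prev.secs = pinfo->abs_ts.secs;
    tcpd->ts_prev.nsecs = pinfo->abs_ts.nsecs;
}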
/*
 * Add a generated "Timestamps" subtree with the times relative to this
 * conversation: the time since the conversation's first packet and, when
 * per-packet data is available, the stored delta to the previous packet.
 *
 * Does nothing when tcpd is NULL. When tcppd is NULL the per-packet data is
 * looked up from the packet for the current layer.
 */
static void
tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
{
    proto_tree *ts_tree;
    proto_item *generated;
    nstime_t since_first;

    if (tcpd == NULL) {
        return;
    }

    ts_tree = proto_tree_add_subtree(parent_tree, tvb, 0, 0, ett_tcp_timestamps, &generated, "Timestamps");
    proto_item_set_generated(generated);

    /* Time since the first packet of the conversation. */
    nstime_delta(&since_first, &pinfo->abs_ts, &tcpd->ts_first);
    generated = proto_tree_add_time(ts_tree, hf_tcp_ts_relative, tvb, 0, 0, &since_first);
    proto_item_set_generated(generated);

    if (tcppd == NULL) {
        tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
    }
    if (tcppd == NULL) {
        return;
    }

    /* Delta to the previous packet, as stored in the per-packet data. */
    generated = proto_tree_add_time(ts_tree, hf_tcp_ts_delta, tvb, 0, 0, &tcppd->ts_del);
    proto_item_set_generated(generated);
}
/*
 * Mark a segment as the continuation of a multi-segment PDU: prefixes the
 * Info column with the frame number in which the PDU started and adds the
 * same number to the TCP tree as a generated item.
 */
static void
print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
{
    proto_item *continuation;

    col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[Continuation to #%u] ", msp->first_frame);

    continuation = proto_tree_add_uint(tcp_tree, hf_tcp_continuation_to, tvb, 0, 0, msp->first_frame);
    proto_item_set_generated(continuation);
}
/* if we know that a PDU starts inside this segment, return the adjusted
offset to where that PDU starts or just return offset back
and let TCP try to find out what it can about this segment

Returns -1 when the whole segment lies inside a PDU that started in an
earlier segment, the adjusted offset when such a PDU ends inside this
segment, and the unchanged offset otherwise.

On the first pass over a frame (!pinfo->fd->visited) the matching PDU's
last_frame / last_frame_time are updated; on later passes the tree items
are added instead.

NOTE(review): the comparisons below use plain < and > on 32-bit sequence
numbers rather than the GT_SEQ/LT_SEQ macros used by the follow code, and
the lookups use seq-1 / nxtseq-1, which wrap to 0xffffffff for a value of 0 -
confirm behaviour for streams whose sequence numbers wrap.
*/
static int
scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, guint32 seq, guint32 nxtseq, wmem_tree_t *multisegment_pdus)
{
struct tcp_multisegment_pdu *msp=NULL;
if(!pinfo->fd->visited) {
/* Look up the PDU record stored under the largest key not above seq-1. */
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, seq-1);
if(msp) {
/* If this is a continuation of a PDU started in a
* previous segment we need to update the last_frame
* variables.
*/
if(seq>msp->seq && seq<msp->nxtpdu) {
msp->last_frame=pinfo->num;
msp->last_frame_time=pinfo->abs_ts;
print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
}
/* If this segment is completely within a previous PDU
* then we just skip this packet
*/
if(seq>msp->seq && nxtseq<=msp->nxtpdu) {
return -1;
}
/* The earlier PDU ends inside this segment: skip to where the next one starts. */
if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu) {
offset+=msp->nxtpdu-seq;
return offset;
}
}
} else {
/* First we try to find the start and transfer time for a PDU.
* We only print this for the very first segment of a PDU
* and only for PDUs spanning multiple segments.
* So we look for if there was any multisegment PDU started
* just BEFORE the end of this segment. I.e. either inside this
* segment or in a previous segment.
* Since this might also match PDUs that are completely within
* this segment we also verify that the found PDU does span
* beyond the end of this segment.
*/
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, nxtseq-1);
if(msp) {
if(pinfo->num==msp->first_frame) {
proto_item *item;
nstime_t ns;
item=proto_tree_add_uint(tcp_tree, hf_tcp_pdu_last_frame, tvb, 0, 0, msp->last_frame);
proto_item_set_generated(item);
/* Time from this (first) frame to the PDU's last frame. */
nstime_delta(&ns, &msp->last_frame_time, &pinfo->abs_ts);
item = proto_tree_add_time(tcp_tree, hf_tcp_pdu_time,
tvb, 0, 0, &ns);
proto_item_set_generated(item);
}
}
/* Second we check if this segment is part of a PDU started
* prior to the segment (seq-1)
*/
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, seq-1);
if(msp) {
/* If this segment is completely within a previous PDU
* then we just skip this packet
*/
if(seq>msp->seq && nxtseq<=msp->nxtpdu) {
print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
return -1;
}
/* The earlier PDU ends inside this segment: skip to where the next one starts. */
if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu) {
offset+=msp->nxtpdu-seq;
return offset;
}
}
}
return offset;
}
/*
 * If we saw a PDU that extended beyond the end of the segment, use this
 * function to remember where the next PDU starts.
 *
 * A new record is allocated in file scope, keyed by `seq` in
 * multisegment_pdus, with the current frame recorded as first frame, first
 * frame with this sequence number and last frame. Returns the new record.
 */
struct tcp_multisegment_pdu *
pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, wmem_tree_t *multisegment_pdus)
{
    struct tcp_multisegment_pdu *record = wmem_new(wmem_file_scope(), struct tcp_multisegment_pdu);

    /* Sequence range covered by the PDU. */
    record->seq = seq;
    record->nxtpdu = nxtpdu;

    /* So far the PDU has been seen in this frame only. */
    record->first_frame = pinfo->num;
    record->first_frame_with_seq = pinfo->num;
    record->last_frame = pinfo->num;
    record->last_frame_time = pinfo->abs_ts;

    record->flags = 0;

    wmem_tree_insert32(multisegment_pdus, seq, (void *)record);

    return record;
}
/*
 * Called for SYN and SYN+ACK packets to verify that window scaling has been
 * seen in both directions. If it has not (the option was in the SYN but not
 * in the SYN+ACK, or the SYN was missing), window scaling is disabled for
 * this TCP session.
 *
 * win_scale == -1 is the value flows are created with; -2 records that
 * scaling is not in use, so the window_size value in the TCP header can be
 * trusted as it is.
 */
static void
verify_tcp_window_scaling(gboolean is_synack, struct tcp_analysis *tcpd)
{
    if (tcpd->fwd->win_scale == -1) {
        /* No window-scale value was stored for this direction, so scaling
         * will not be used:
         *  a) this is the SYN and it does not carry the WS option (the
         *     reverse direction is marked too, in case the SYN/ACK is
         *     missed), or
         *  b) this is the SYN/ACK and it does not carry the WS option,
         *     whatever the SYN contained or whether it was seen at all.
         */
        tcpd->fwd->win_scale = -2;
        tcpd->rev->win_scale = -2;
        return;
    }

    if (is_synack && tcpd->rev->win_scale == -2) {
        /* The SYN/ACK has the WS option while the SYN did not. This should
         * not happen, but the endpoints will not have used window scaling,
         * so neither do we. */
        tcpd->fwd->win_scale = -2;
    }
}
/*
 * Given a tcpd, return the mptcp_subflow that sides with `meta`: flow1's
 * subflow when its meta pointer equals `meta`, flow2's subflow otherwise.
 *
 * flow1.mptcp_subflow is dereferenced without a NULL check, so the caller
 * must only use this on conversations whose subflows have been initialised.
 */
static struct mptcp_subflow *
mptcp_select_subflow_from_meta(const struct tcp_analysis *tcpd, const mptcp_meta_flow_t *meta)
{
    /* select the tcp_flow with appropriate direction */
    const gboolean flow1_matches = (tcpd->flow1.mptcp_subflow->meta == meta);

    return flow1_matches ? tcpd->flow1.mptcp_subflow : tcpd->flow2.mptcp_subflow;
}
/*
 * If we saw a window scaling option, store its value on the forward flow for
 * future reference. Does nothing when there is no conversation state.
 */
static void
pdu_store_window_scale_option(guint8 ws, struct tcp_analysis *tcpd)
{
    if (tcpd == NULL) {
        return;
    }

    tcpd->fwd->win_scale = ws;
}
/*
 * Look up the per-segment analysis record keyed by (frame, seq, ack) in the
 * conversation's acked_table and store it in tcpd->ta.
 *
 * When no record exists, tcpd->ta is NULL unless createflag is set, in which
 * case a zeroed record is allocated in file scope, inserted under the same
 * key and stored in tcpd->ta. Does nothing when tcpd is NULL.
 */
static void
tcp_analyze_get_acked_struct(guint32 frame, guint32 seq, guint32 ack, gboolean createflag, struct tcp_analysis *tcpd)
{
    /* Three one-word key parts followed by the zero-length terminator. */
    wmem_tree_key_t key[4] = {
        { .length = 1, .key = &frame },
        { .length = 1, .key = &seq },
        { .length = 1, .key = &ack },
        { .length = 0, .key = NULL }
    };

    if (tcpd == NULL) {
        return;
    }

    tcpd->ta = (struct tcp_acked *)wmem_tree_lookup32_array(tcpd->acked_table, key);
    if (tcpd->ta != NULL || !createflag) {
        return;
    }

    tcpd->ta = wmem_new0(wmem_file_scope(), struct tcp_acked);
    wmem_tree_insert32_array(tcpd->acked_table, key, (void *)tcpd->ta);
}
/* Run the TCP sequence number analysis for one segment.
 *
 * seq, ack, seglen, flags and window describe the segment being analysed
 * (presumably taken from its TCP header by the caller, which makes them
 * capture-controlled values). Findings are recorded as TCP_A_* bits, plus a
 * few counters and time deltas, in tcpd->ta, which is created on demand
 * through tcp_analyze_get_acked_struct(). The per-direction state in
 * tcpd->fwd and tcpd->rev is then updated for the segments that follow.
 * Nothing is done when tcpd is NULL.
 *
 * fwd contains a list of all segments processed but not yet ACKed in the
 * same direction as the current segment.
 * rev contains a list of all segments received but not yet ACKed in the
 * opposite direction to the current segment.
 *
 * New segments are always added to the head of the fwd/rev lists.
 *
 * Changes below should be synced with ChAdvTCPAnalysis in the User's
 * Guide: docbook/wsug_src/WSUG_chapter_advanced.adoc
 */
static void
tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint16 flags, guint32 window, struct tcp_analysis *tcpd)
{
tcp_unacked_t *ual=NULL;
tcp_unacked_t *prevual=NULL;
guint32 nextseq;
/* ackcount is only incremented below; nothing in this function reads it */
int ackcount;
/* Disabled debug dump.
 * NOTE(review): it dereferences tcpd ahead of the NULL check that follows,
 * so that check would have to move up before this block is enabled.
 */
#if 0
printf("\nanalyze_sequence numbers frame:%u\n",pinfo->num);
printf("FWD list lastflags:0x%04x base_seq:%u: nextseq:%u lastack:%u\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq,tcpd->fwd->tcp_analyze_seq_info->nextseq,tcpd->rev->tcp_analyze_seq_info->lastack);
for(ual=tcpd->fwd->tcp_analyze_seq_info->segments; ual; ual=ual->next)
printf("Frame:%d Seq:%u Nextseq:%u\n",ual->frame,ual->seq,ual->nextseq);
printf("REV list lastflags:0x%04x base_seq:%u nextseq:%u lastack:%u\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq,tcpd->rev->tcp_analyze_seq_info->nextseq,tcpd->fwd->tcp_analyze_seq_info->lastack);
for(ual=tcpd->rev->tcp_analyze_seq_info->segments; ual; ual=ual->next)
printf("Frame:%d Seq:%u Nextseq:%u\n",ual->frame,ual->seq,ual->nextseq);
#endif
if (!tcpd) {
return;
}
/* if this is the first segment for this list we need to store the
 * base_seq
 * We use TCP_S_SAW_SYN/SYNACK to distinguish between client and server
 *
 * Start relative seq and ack numbers at 1 if this
 * is not a SYN packet. This makes the relative
 * seq/ack numbers to be displayed correctly in the
 * event that the SYN or SYN/ACK packet is not seen
 * (this solves bug 1542)
 */
if( !(tcpd->fwd->static_flags & TCP_S_BASE_SEQ_SET)) {
if(flags & TH_SYN) {
tcpd->fwd->base_seq = seq;
tcpd->fwd->static_flags |= (flags & TH_ACK) ? TCP_S_SAW_SYNACK : TCP_S_SAW_SYN;
}
else {
tcpd->fwd->base_seq = seq-1;
}
tcpd->fwd->static_flags |= TCP_S_BASE_SEQ_SET;
}
/* Only store reverse sequence if this isn't the SYN
 * There's no guarantee that the ACK field of a SYN
 * contains zeros; get the ISN from the first segment
 * with the ACK bit set instead (usually the SYN/ACK).
 *
 * If the SYN and SYN/ACK were received out-of-order,
 * the ISN is ack-1. If we missed the SYN/ACK, but got
 * the last ACK of the 3WHS, the ISN is ack-1. For all
 * other packets the ISN is unknown, so ack-1 is
 * as good a guess as ack.
 */
if( !(tcpd->rev->static_flags & TCP_S_BASE_SEQ_SET) && (flags & TH_ACK) ) {
tcpd->rev->base_seq = ack-1;
tcpd->rev->static_flags |= TCP_S_BASE_SEQ_SET;
}
/* An ACK in this direction re-enables the bytes-in-flight calculation for
 * the other direction (it is switched off below on a lost segment).
 */
if( flags & TH_ACK ) {
tcpd->rev->valid_bif = 1;
}
/* ZERO WINDOW PROBE
 * it is a zero window probe if
 * the sequence number is the next expected one
 * the window in the other direction is 0
 * the segment is exactly 1 byte
 * A probe skips the remaining forward-direction checks.
 */
if( seglen==1
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& tcpd->rev->window==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE;
goto finished_fwd;
}
/* ZERO WINDOW
 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
 */
if( window==0
&& (flags&(TH_RST|TH_FIN|TH_SYN))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW;
}
/* LOST PACKET
 * If this segment is beyond the last seen nextseq we must
 * have missed some previous segment
 *
 * We only check for this if we have actually seen segments prior to this
 * one.
 * RST packets are not checked for this.
 */
if( tcpd->fwd->tcp_analyze_seq_info->nextseq
&& GT_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->nextseq)
&& (flags&(TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_LOST_PACKET;
/* Disable BiF until an ACK is seen in the other direction */
tcpd->fwd->valid_bif = 0;
}
/* KEEP ALIVE
 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
 * to what should be the next sequence number.
 * SYN/FIN/RST segments are never keepalives
 */
if( (seglen==0||seglen==1)
&& seq==(tcpd->fwd->tcp_analyze_seq_info->nextseq-1)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_KEEP_ALIVE;
}
/* WINDOW UPDATE
 * A window update is a 0 byte segment with the same SEQ/ACK numbers as
 * the previous seen segment and with a new window value
 */
if( seglen==0
&& window
&& window!=tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_WINDOW_UPDATE;
}
/* WINDOW FULL
 * If we know the window scaling
 * and if this segment contains data and goes all the way to the
 * edge of the advertised window
 * then we mark it as WINDOW FULL
 * SYN/RST/FIN packets are never WINDOW FULL
 *
 * The reverse window is left unscaled when rev->is_first_ack is set or when
 * rev->win_scale is -2.
 * NOTE(review): rev->win_scale is used as a shift count here. A count as
 * large as the width of the shifted operand would be undefined behaviour, so
 * confirm that the stored scale is limited where the WS option is parsed.
 */
if( seglen>0
&& tcpd->rev->win_scale!=-1
&& (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_WINDOW_FULL;
}
/* KEEP ALIVE ACK
 * It is a keepalive ack if it repeats the previous ACK and if
 * the last segment in the reverse direction was a keepalive
 */
if( seglen==0
&& window
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (tcpd->rev->lastsegmentflags&TCP_A_KEEP_ALIVE)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_KEEP_ALIVE_ACK;
goto finished_fwd;
}
/* ZERO WINDOW PROBE ACK
 * It is a zerowindowprobe ack if it repeats the previous ACK and if
 * the last segment in the reverse direction was a zerowindowprobe
 * It also repeats the previous zero window indication
 */
if( seglen==0
&& window==0
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (tcpd->rev->lastsegmentflags&TCP_A_ZERO_WINDOW_PROBE)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE_ACK;
goto finished_fwd;
}
/* DUPLICATE ACK
 * It is a duplicate ack if window/seq/ack is the same as the previous
 * segment and if the segment length is 0
 */
if( seglen==0
&& window
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
/* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
if(tcpd->mptcp_analysis && (tcpd->mptcp_analysis->mp_operations!=tcpd->fwd->mp_operations)) {
/* just ignore this DUPLICATE ACK */
} else {
tcpd->fwd->tcp_analyze_seq_info->dupacknum++;
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_DUPLICATE_ACK;
tcpd->ta->dupack_num=tcpd->fwd->tcp_analyze_seq_info->dupacknum;
tcpd->ta->dupack_frame=tcpd->fwd->tcp_analyze_seq_info->lastnondupack;
}
}
finished_fwd:
/* If the ack number changed we must reset the dupack counters */
if( ack != tcpd->fwd->tcp_analyze_seq_info->lastack ) {
tcpd->fwd->tcp_analyze_seq_info->lastnondupack=pinfo->num;
tcpd->fwd->tcp_analyze_seq_info->dupacknum=0;
}
/* ACKED LOST PACKET
 * If this segment acks beyond the 'max seq to be acked' in the other direction
 * then that means we have missed packets going in the
 * other direction
 *
 * We only check this if we have actually seen some seq numbers
 * in the other direction.
 */
if( tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked
&& GT_SEQ(ack, tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked )
&& (flags&(TH_ACK))!=0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ACK_LOST_PACKET;
/* update 'max seq to be acked' in the other direction so we don't get
 * this indication again.
 */
tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked=tcpd->rev->tcp_analyze_seq_info->nextseq;
}
/* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
 * If the segment contains data (or is a SYN or a FIN) and
 * if it does not advance the sequence number, it must be one
 * of these three.
 * Only test for this if we know what the seq number should be
 * (tcpd->fwd->nextseq)
 *
 * Note that a simple KeepAlive is not a retransmission
 */
if (seglen>0 || flags&(TH_SYN|TH_FIN)) {
gboolean seq_not_advanced = tcpd->fwd->tcp_analyze_seq_info->nextseq
&& (LT_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->nextseq));
/* t and ooo_thres are elapsed times in nanoseconds. Both are unsigned, so
 * a capture whose timestamps run backwards presumably yields a very large t
 * and fails the "recent enough" comparisons below.
 */
guint64 t;
guint64 ooo_thres;
if(tcpd->ta && (tcpd->ta->flags&TCP_A_KEEP_ALIVE) ) {
goto finished_checking_retransmission_type;
}
/* This segment is *not* considered a retransmission/out-of-order if
 * the segment length is larger than one (it really adds new data)
 * the sequence number is one less than the previous nextseq and
 * (the previous segment is possibly a zero window probe)
 *
 * We should still try to flag Spurious Retransmissions though.
 */
if (seglen > 1 && tcpd->fwd->tcp_analyze_seq_info->nextseq - 1 == seq) {
seq_not_advanced = FALSE;
}
/* Check for spurious retransmission. If the current seq + segment length
 * is less than or equal to the current lastack, the packet contains
 * duplicate data and may be considered spurious.
 */
if ( seglen > 0
&& tcpd->rev->tcp_analyze_seq_info->lastack
&& LE_SEQ(seq + seglen, tcpd->rev->tcp_analyze_seq_info->lastack) ) {
if(!tcpd->ta){
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_SPURIOUS_RETRANSMISSION;
goto finished_checking_retransmission_type;
}
/* The loop below runs each of the two classifiers once. The value of
 * tcp_fastrt_precedence decides which one is tried first: TRUE starts with
 * the fast-retransmission test, FALSE with the out-of-order test. The first
 * test that matches jumps out of the loop.
 */
gboolean precedence_count = tcp_fastrt_precedence;
do {
switch(precedence_count) {
case TRUE:
/* If there were >=2 duplicate ACKs in the reverse direction
 * (there might be duplicate acks missing from the trace)
 * and if this sequence number matches those ACKs
 * and if the packet occurs within 20ms of the last
 * duplicate ack
 * then this is a fast retransmission
 */
t=(pinfo->abs_ts.secs-tcpd->rev->tcp_analyze_seq_info->lastacktime.secs)*1000000000;
t=t+(pinfo->abs_ts.nsecs)-tcpd->rev->tcp_analyze_seq_info->lastacktime.nsecs;
if( seq_not_advanced
&& tcpd->rev->tcp_analyze_seq_info->dupacknum>=2
&& tcpd->rev->tcp_analyze_seq_info->lastack==seq
&& t<20000000 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_FAST_RETRANSMISSION;
goto finished_checking_retransmission_type;
}
precedence_count=!precedence_count;
break;
case FALSE:
/* If the segment came relatively close since the segment with the highest
 * seen sequence number and it doesn't look like a retransmission
 * then it is an OUT-OF-ORDER segment.
 *
 * "Relatively close" is the first RTT recorded in tcpd->ts_first_rtt,
 * or 3000000 ns (3 ms) while that value is still zero.
 */
t=(pinfo->abs_ts.secs-tcpd->fwd->tcp_analyze_seq_info->nextseqtime.secs)*1000000000;
t=t+(pinfo->abs_ts.nsecs)-tcpd->fwd->tcp_analyze_seq_info->nextseqtime.nsecs;
if (tcpd->ts_first_rtt.nsecs == 0 && tcpd->ts_first_rtt.secs == 0) {
ooo_thres = 3000000;
} else {
ooo_thres = tcpd->ts_first_rtt.nsecs + tcpd->ts_first_rtt.secs*1000000000;
}
if( seq_not_advanced // XXX is this necessary?
&& t < ooo_thres
&& tcpd->fwd->tcp_analyze_seq_info->nextseq >= seq + seglen ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
goto finished_checking_retransmission_type;
}
precedence_count=!precedence_count;
break;
}
} while (precedence_count!=tcp_fastrt_precedence) ;
if (seq_not_advanced) {
/* Then it has to be a generic retransmission */
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_RETRANSMISSION;
/*
 * worst case scenario: if we don't have better than a recent packet,
 * use it as the reference for RTO
 */
nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &tcpd->fwd->tcp_analyze_seq_info->nextseqtime);
tcpd->ta->rto_frame=tcpd->fwd->tcp_analyze_seq_info->nextseqframe;
/*
 * better case scenario: if we have a list of the previous unacked packets,
 * go back to the eldest one, which in theory is likely to be the one retransmitted here.
 * It's not always the perfect match, particularly when original captured packet used LSO
 *
 * New segments are added at the head, so the walk overwrites rto_ts and
 * rto_frame at every node and ends with the values of the tail entry.
 */
ual = tcpd->fwd->tcp_analyze_seq_info->segments;
while(ual) {
nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &ual->ts );
tcpd->ta->rto_frame=ual->frame;
ual=ual->next;
}
}
}
finished_checking_retransmission_type:
nextseq = seq+seglen;
if ((seglen || flags&(TH_SYN|TH_FIN)) && tcpd->fwd->tcp_analyze_seq_info->segment_count < TCP_MAX_UNACKED_SEGMENTS) {
/* Add this new sequence number to the fwd list. But only if there
 * aren't "too many" unacked segments (e.g., we're not seeing the ACKs).
 * The TCP_MAX_UNACKED_SEGMENTS limit bounds the file-scope memory a capture
 * without ACKs can make this list consume.
 * NOTE(review): the +1 for SYN/FIN is applied only inside this branch, so
 * nextseq does not count the SYN/FIN once the list is full - check whether
 * that is intended.
 */
ual = wmem_new(wmem_file_scope(), tcp_unacked_t);
ual->next=tcpd->fwd->tcp_analyze_seq_info->segments;
tcpd->fwd->tcp_analyze_seq_info->segments=ual;
tcpd->fwd->tcp_analyze_seq_info->segment_count++;
ual->frame=pinfo->num;
ual->seq=seq;
ual->ts=pinfo->abs_ts;
/* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
if( (flags&(TH_SYN|TH_FIN)) ) {
nextseq+=1;
}
ual->nextseq=nextseq;
}
/* Store the highest number seen so far for nextseq so we can detect
 * when we receive segments that arrive with a "hole"
 * If we don't have anything since before, just store what we got.
 * ZeroWindowProbes are special and don't really advance the nextseq
 */
if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ) {
tcpd->fwd->tcp_analyze_seq_info->nextseq=nextseq;
tcpd->fwd->tcp_analyze_seq_info->nextseqframe=pinfo->num;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.secs=pinfo->abs_ts.secs;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.nsecs=pinfo->abs_ts.nsecs;
}
}
/* Store the highest continuous seq number seen so far for 'max seq to be acked',
 * so we can detect TCP_A_ACK_LOST_PACKET condition
 */
if(EQ_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) || !tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) {
if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ) {
tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked=tcpd->fwd->tcp_analyze_seq_info->nextseq;
}
}
/* remember what the ack/window is so we can track window updates and retransmissions */
tcpd->fwd->window=window;
tcpd->fwd->tcp_analyze_seq_info->lastack=ack;
tcpd->fwd->tcp_analyze_seq_info->lastacktime.secs=pinfo->abs_ts.secs;
tcpd->fwd->tcp_analyze_seq_info->lastacktime.nsecs=pinfo->abs_ts.nsecs;
/* remember the MPTCP operations if any */
if( tcpd->mptcp_analysis ) {
tcpd->fwd->mp_operations=tcpd->mptcp_analysis->mp_operations;
}
/* if there were any flags set for this segment we need to remember them
 * we only remember the flags for the very last segment though.
 */
if(tcpd->ta) {
tcpd->fwd->lastsegmentflags=tcpd->ta->flags;
} else {
tcpd->fwd->lastsegmentflags=0;
}
/* remove all segments this ACKs and we don't need to keep around any more
 *
 * prevual trails ual so that a node can be unlinked from the singly linked
 * rev list before it is freed.
 */
ackcount=0;
prevual = NULL;
ual = tcpd->rev->tcp_analyze_seq_info->segments;
while(ual) {
tcp_unacked_t *tmpual;
/* If this ack matches the segment, process accordingly */
if(ack==ual->nextseq) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
tcpd->ta->frame_acked=ual->frame;
nstime_delta(&tcpd->ta->ts, &pinfo->abs_ts, &ual->ts);
}
/* If this acknowledges part of the segment, adjust the segment info for the acked part.
 * The same node is then examined again with its start moved up to ack.
 */
else if (GT_SEQ(ack, ual->seq) && LE_SEQ(ack, ual->nextseq)) {
ual->seq = ack;
continue;
}
/* If this acknowledges a segment prior to this one, leave this segment alone and move on */
else if (GT_SEQ(ual->nextseq,ack)) {
prevual = ual;
ual = ual->next;
continue;
}
/* This segment is old, or an exact match. Delete the segment from the list */
ackcount++;
tmpual=ual->next;
if (tcpd->rev->scps_capable) {
/* Track largest segment successfully sent for SNACK analysis*/
if ((ual->nextseq - ual->seq) > tcpd->fwd->maxsizeacked) {
tcpd->fwd->maxsizeacked = (ual->nextseq - ual->seq);
}
}
if (!prevual) {
tcpd->rev->tcp_analyze_seq_info->segments = tmpual;
}
else{
prevual->next = tmpual;
}
/* the node is unlinked above; ual is re-pointed before its next use */
wmem_free(wmem_file_scope(), ual);
ual = tmpual;
tcpd->rev->tcp_analyze_seq_info->segment_count--;
}
/* how many bytes of data are there in flight after this frame
 * was sent
 *
 * Computed as the span between the lowest seq and the highest nextseq on the
 * fwd unacked list, both taken relative to fwd->base_seq.
 */
ual=tcpd->fwd->tcp_analyze_seq_info->segments;
if (tcp_track_bytes_in_flight && seglen!=0 && ual && tcpd->fwd->valid_bif) {
guint32 first_seq, last_seq, in_flight;
guint32 delivered = 0;
first_seq = ual->seq - tcpd->fwd->base_seq;
last_seq = ual->nextseq - tcpd->fwd->base_seq;
while (ual) {
if ((ual->nextseq-tcpd->fwd->base_seq)>last_seq) {
last_seq = ual->nextseq-tcpd->fwd->base_seq;
}
if ((ual->seq-tcpd->fwd->base_seq)<first_seq) {
first_seq = ual->seq-tcpd->fwd->base_seq;
}
ual = ual->next;
}
in_flight = last_seq-first_seq;
/* subtract any SACK block
 *
 * NOTE(review): the edges are read at index i+1, i.e. entries
 * 1..num_sack_ranges. Confirm that this matches the way the SACK option
 * parser fills the arrays and that both arrays have room for index
 * num_sack_ranges.
 * The SACK edges come from the capture and delivered is subtracted without a
 * range check, so in_flight can wrap; the upper bound tested below appears
 * to be what discards such values.
 */
if(tcpd->rev->tcp_analyze_seq_info->num_sack_ranges > 0) {
int i;
for(i = 0; i<tcpd->rev->tcp_analyze_seq_info->num_sack_ranges; i++) {
delivered += (tcpd->rev->tcp_analyze_seq_info->sack_right_edge[i+1] -
tcpd->rev->tcp_analyze_seq_info->sack_left_edge[i+1]);
}
in_flight -= delivered;
}
if (in_flight>0 && in_flight<2000000000) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->bytes_in_flight = in_flight;
/* Decrement in_flight bytes by one when we have a SYN or FIN bit
 * flag set as it is only virtual.
 */
if (flags&(TH_SYN|TH_FIN)) {
tcpd->ta->bytes_in_flight -= 1;
}
}
/* Bytes sent since the last PSH: the counter restarts with this segment when
 * the previous data segment carried PSH, otherwise it keeps accumulating.
 */
if((flags & TH_PUSH) && !tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent += seglen;
tcpd->fwd->push_set_last = TRUE;
} else if ((flags & TH_PUSH) && tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent = seglen;
tcpd->fwd->push_set_last = TRUE;
} else if (tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent = seglen;
tcpd->fwd->push_set_last = FALSE;
} else {
tcpd->fwd->push_bytes_sent += seglen;
}
/* NOTE(review): this call passes pinfo->fd->num while every other call in
 * this function passes pinfo->num - presumably the same frame number; confirm.
 */
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->fd->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->push_bytes_sent = tcpd->fwd->push_bytes_sent;
}
}
/*
 * Report the retransmission and out-of-order findings of the sequence number
 * analysis: one expert info and one Info-column prefix per TCP_A_* bit set in
 * ta->flags, plus the RTO time and reference frame for a plain
 * retransmission when an RTO delta was recorded.
 *
 * Once the RTO fields have been added, flags_item refers to the RTO frame
 * item, so the expert infos added further down attach to that item.
 */
static void
tcp_sequence_number_analysis_print_retransmission(packet_info * pinfo,
                                                  tvbuff_t * tvb,
                                                  proto_tree * flags_tree, proto_item * flags_item,
                                                  struct tcp_acked *ta
                                                  )
{
    /* an all-zero delta means that no RTO reference was stored */
    const int has_rto = (ta->rto_ts.secs != 0) || (ta->rto_ts.nsecs != 0);

    /* TCP Retransmission */
    if ((ta->flags & TCP_A_RETRANSMISSION) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");

        if (has_rto) {
            flags_item = proto_tree_add_time(flags_tree, hf_tcp_analysis_rto,
                                             tvb, 0, 0, &ta->rto_ts);
            proto_item_set_generated(flags_item);

            flags_item = proto_tree_add_uint(flags_tree, hf_tcp_analysis_rto_frame,
                                             tvb, 0, 0, ta->rto_frame);
            proto_item_set_generated(flags_item);
        }
    }

    /* TCP Fast Retransmission (also reported as a retransmission) */
    if ((ta->flags & TCP_A_FAST_RETRANSMISSION) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_fast_retransmission);
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Fast Retransmission] ");
    }

    /* TCP Spurious Retransmission (also reported as a retransmission) */
    if ((ta->flags & TCP_A_SPURIOUS_RETRANSMISSION) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_spurious_retransmission);
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Spurious Retransmission] ");
    }

    /* TCP Out-Of-Order */
    if ((ta->flags & TCP_A_OUT_OF_ORDER) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_out_of_order);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Out-Of-Order] ");
    }
}
/* Report reused port numbers found by the sequence number analysis: an expert
 * info on flags_item and an Info-column prefix when TCP_A_REUSED_PORTS is set
 * in ta->flags. Does nothing otherwise.
 */
static void
tcp_sequence_number_analysis_print_reused(packet_info * pinfo,
                                          proto_item * flags_item,
                                          struct tcp_acked *ta
                                          )
{
    /* TCP Ports Reused */
    if ((ta->flags & TCP_A_REUSED_PORTS) == 0) {
        return;
    }

    expert_add_info(pinfo, flags_item, &ei_tcp_analysis_reused_ports);
    col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Port numbers reused] ");
}
/* Report lost-segment findings of the sequence number analysis. Each of the
 * two TCP_A_* bits tested below adds an expert info on flags_item and a
 * prefix to the Info column.
 */
static void
tcp_sequence_number_analysis_print_lost(packet_info * pinfo,
                                        proto_item * flags_item,
                                        struct tcp_acked *ta
                                        )
{
    /* TCP Lost Segment: a gap was seen in this direction */
    if ((ta->flags & TCP_A_LOST_PACKET) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_lost_packet);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Previous segment not captured] ");
    }

    /* TCP Ack lost segment: the ACK covers data that was not captured */
    if ((ta->flags & TCP_A_ACK_LOST_PACKET) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_ack_lost_packet);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ACKed unseen segment] ");
    }
}
/* Report TCP window findings of the sequence number analysis. Each of the two
 * TCP_A_* bits tested below adds an expert info on flags_item and a prefix to
 * the Info column.
 */
static void
tcp_sequence_number_analysis_print_window(packet_info * pinfo,
                                          proto_item * flags_item,
                                          struct tcp_acked *ta
                                          )
{
    /* TCP Window Update */
    if ((ta->flags & TCP_A_WINDOW_UPDATE) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_window_update);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Update] ");
    }

    /* TCP Full Window */
    if ((ta->flags & TCP_A_WINDOW_FULL) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_window_full);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Full] ");
    }
}
/* Report TCP keep-alive findings of the sequence number analysis. Each of the
 * two TCP_A_* bits tested below adds an expert info on flags_item and a
 * prefix to the Info column.
 */
static void
tcp_sequence_number_analysis_print_keepalive(packet_info * pinfo,
                                             proto_item * flags_item,
                                             struct tcp_acked *ta
                                             )
{
    /* TCP Keep Alive */
    if ((ta->flags & TCP_A_KEEP_ALIVE) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_keep_alive);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
    }

    /* TCP Ack Keep Alive */
    if ((ta->flags & TCP_A_KEEP_ALIVE_ACK) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_keep_alive_ack);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive ACK] ");
    }
}
/* Report duplicate-ACK findings of the sequence number analysis.
 *
 * Nothing is shown while ta->dupack_num is zero. Otherwise the duplicate
 * count and the frame of the original ACK are added to tree as generated
 * fields with an expert info; when TCP_A_DUPLICATE_ACK is set as well, a
 * marker item goes into flags_tree and the Info column gets a prefix.
 * Only integers are passed to the format strings.
 */
static void
tcp_sequence_number_analysis_print_duplicate(packet_info * pinfo,
                                             tvbuff_t * tvb,
                                             proto_tree * flags_tree,
                                             struct tcp_acked *ta,
                                             proto_tree * tree
                                             )
{
    proto_item *gen_item;

    /* TCP Duplicate ACK */
    if (ta->dupack_num == 0) {
        return;
    }

    if ((ta->flags & TCP_A_DUPLICATE_ACK) != 0) {
        gen_item = proto_tree_add_none_format(flags_tree,
                                              hf_tcp_analysis_duplicate_ack,
                                              tvb, 0, 0,
                                              "This is a TCP duplicate ack");
        proto_item_set_generated(gen_item);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
                               "[TCP Dup ACK %u#%u] ",
                               ta->dupack_frame,
                               ta->dupack_num);
    }

    gen_item = proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_num,
                                   tvb, 0, 0, ta->dupack_num);
    proto_item_set_generated(gen_item);

    gen_item = proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_frame,
                                   tvb, 0, 0, ta->dupack_frame);
    proto_item_set_generated(gen_item);

    /* the expert info hangs off the frame item added last */
    expert_add_info_format(pinfo, gen_item, &ei_tcp_analysis_duplicate_ack, "Duplicate ACK (#%u)", ta->dupack_num);
}
/* Report zero-window findings of the sequence number analysis. Each of the
 * three TCP_A_* bits tested below adds an expert info on flags_item and a
 * prefix to the Info column.
 */
static void
tcp_sequence_number_analysis_print_zero_window(packet_info * pinfo,
                                               proto_item * flags_item,
                                               struct tcp_acked *ta
                                               )
{
    /* TCP Zero Window Probe */
    if ((ta->flags & TCP_A_ZERO_WINDOW_PROBE) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window_probe);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbe] ");
    }

    /* TCP Zero Window */
    if ((ta->flags & TCP_A_ZERO_WINDOW) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindow] ");
    }

    /* TCP Zero Window Probe Ack */
    if ((ta->flags & TCP_A_ZERO_WINDOW_PROBE_ACK) != 0) {
        expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window_probe_ack);
        col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbeAck] ");
    }
}
/* Show how many bytes were in flight after this segment, as a generated field
 * in flags_tree. The field is only added while tcp_track_bytes_in_flight is
 * enabled; ta->bytes_in_flight is displayed as stored.
 */
static void
tcp_sequence_number_analysis_print_bytes_in_flight(packet_info * pinfo _U_,
                                                   tvbuff_t * tvb,
                                                   proto_tree * flags_tree,
                                                   struct tcp_acked *ta
                                                   )
{
    proto_item *bif_item;

    if (!tcp_track_bytes_in_flight) {
        return;
    }

    bif_item = proto_tree_add_uint(flags_tree,
                                   hf_tcp_analysis_bytes_in_flight,
                                   tvb, 0, 0, ta->bytes_in_flight);
    proto_item_set_generated(bif_item);
}
/* Derive the MPTCP connection token and the initial data sequence number
 * (IDSN) from a key, using SHA-1.
 *
 * The key is hashed in big-endian byte order. The token is the first 4 bytes
 * of the digest and the IDSN its last 8 bytes, both read as big-endian.
 * SHA-1 is presumably used because the protocol derivation being reproduced
 * calls for it (MPTCP v0), not as a security choice of this dissector.
 *
 * key    key to derive from
 * token  receives the connection token (host byte order)
 * idsn   receives the IDSN (host byte order)
 */
static void
mptcp_cryptodata_sha1(const guint64 key, guint32 *token, guint64 *idsn)
{
    guint8 digest[HASH_SHA1_LENGTH];
    guint64 key_be = GUINT64_TO_BE(key);
    guint32 token_be;
    guint64 idsn_be;

    gcry_md_hash_buffer(GCRY_MD_SHA1, digest, (const guint8 *)&key_be, 8);

    /* copy through memcpy instead of casting the digest pointer, to prevent
     * -Wstrict-aliasing errors with GCC 4 */
    memcpy(&token_be, digest, sizeof(token_be));
    memcpy(&idsn_be, digest + HASH_SHA1_LENGTH - sizeof(idsn_be), sizeof(idsn_be));

    *token = GUINT32_FROM_BE(token_be);
    *idsn = GUINT64_FROM_BE(idsn_be);
}
/* Derive the MPTCP connection token and the initial data sequence number
 * (IDSN) from a key, using SHA-256.
 *
 * The key is hashed in big-endian byte order. The token is the first 4 bytes
 * of the digest and the IDSN its last 8 bytes, both read as big-endian.
 *
 * key    key to derive from
 * token  receives the connection token (host byte order)
 * idsn   receives the IDSN (host byte order)
 */
static void
mptcp_cryptodata_sha256(const guint64 key, guint32 *token, guint64 *idsn)
{
    guint8 digest[HASH_SHA2_256_LENGTH];
    guint64 key_be = GUINT64_TO_BE(key);
    guint32 token_be;
    guint64 idsn_be;

    gcry_md_hash_buffer(GCRY_MD_SHA256, digest, (const guint8 *)&key_be, 8);

    /* copy through memcpy instead of casting the digest pointer, to prevent
     * -Wstrict-aliasing errors with GCC 4 */
    memcpy(&token_be, digest, sizeof(token_be));
    memcpy(&idsn_be, digest + HASH_SHA2_256_LENGTH - sizeof(idsn_be), sizeof(idsn_be));

    *token = GUINT32_FROM_BE(token_be);
    *idsn = GUINT64_FROM_BE(idsn_be);
}
/* Add a generated string field to parent_tree that lists the TCP stream ids
 * of all subflows of the MPTCP connection, each id followed by a space.
 * The string is built in packet-scope memory.
 */
static void
mptcp_analysis_add_subflows(packet_info *pinfo _U_, tvbuff_t *tvb,
    proto_tree *parent_tree, struct mptcp_analysis* mptcpd)
{
    wmem_strbuf_t *ids = wmem_strbuf_new(wmem_packet_scope(), "");
    wmem_list_frame_t *node = wmem_list_head(mptcpd->subflows);
    proto_item *list_item;

    /* every list entry is the tcp_analysis of one subflow */
    while (node != NULL) {
        struct tcp_analysis *subflow = (struct tcp_analysis *)wmem_list_frame_data(node);

        wmem_strbuf_append_printf(ids, "%u ", subflow->stream);
        node = wmem_list_frame_next(node);
    }

    list_item = proto_tree_add_string(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, wmem_strbuf_get_str(ids));
    proto_item_set_generated(list_item);
}
/* Translate a relative subflow sequence number into a raw DSN.
 *
 * Returns TRUE and writes *dsn when relssn lies inside
 * [mapping->ssn_low, mapping->ssn_high]; returns FALSE and leaves *dsn
 * untouched otherwise. The range check also keeps the offset subtraction
 * from wrapping.
 */
static gboolean
mptcp_map_relssn_to_rawdsn(mptcp_dss_mapping_t *mapping, guint32 relssn, guint64 *dsn)
{
    const gboolean covered = (relssn >= mapping->ssn_low) && (relssn <= mapping->ssn_high);

    if (covered) {
        *dsn = mapping->rawdsn + (relssn - mapping->ssn_low);
    }
    return covered;
}
/* Show on which other frames of a subflow the given DSN range was also sent.
 *
 * Every entry of subflow->dsn2packet_map returned for
 * [rawdsn64low, rawdsn64high] adds one generated field to tree: "reinjection
 * of" when the recorded frame precedes the current one, "reinjected in"
 * otherwise.
 *
 * Returns the entry handled last, or NULL when the query returned nothing.
 */
static mptcp_dsn2packet_mapping_t *
mptcp_add_duplicated_dsn(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, struct mptcp_subflow *subflow,
                         guint64 rawdsn64low, guint64 rawdsn64high
                         )
{
    mptcp_dsn2packet_mapping_t *packet = NULL;
    wmem_list_t *matches;
    wmem_list_frame_t *node;

    matches = wmem_itree_find_intervals(subflow->dsn2packet_map,
                                        wmem_packet_scope(),
                                        rawdsn64low,
                                        rawdsn64high);

    node = wmem_list_head(matches);
    while (node != NULL) {
        proto_item *item;

        packet = (mptcp_dsn2packet_mapping_t *) wmem_list_frame_data(node);
        DISSECTOR_ASSERT(packet);

        /* the current frame comes after the recorded one: this frame is the
         * reinjection; otherwise the data shows up again in the recorded frame */
        item = proto_tree_add_uint(tree,
                                   (pinfo->num > packet->frame) ? hf_mptcp_reinjection_of
                                                                : hf_mptcp_reinjected_in,
                                   tvb, 0, 0, packet->frame);
        proto_item_set_generated(item);

        node = wmem_list_frame_next(node);
    }

    return packet;
}
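/* Look up the DSS mappings that describe this segment and convert its TCP
 * sequence number into the MPTCP Data Sequence Number (DSN).
 *
 * The 64-bit raw DSN is stored in tcph->th_mptcp->mh_rawdsn64 and added to
 * parent_tree, followed by the relative DSN when mptcp_relative_seq is set.
 * With mptcp_intersubflows_retransmission enabled, the DSN range of the
 * segment is recorded on first pass and compared with the other subflows to
 * show reinjections.
 *
 * Nothing is done when mptcp_analyze_mappings is off or when neither the SYN
 * nor the SYN/ACK of this direction was seen. When no mapping can translate
 * the sequence number, ei_mptcp_mapping_missing is reported and the function
 * returns.
 *
 * tcph->th_mptcp is dereferenced without a NULL check; the caller presumably
 * only gets here for segments of an MPTCP connection - confirm.
 */
static void
mptcp_analysis_dsn_lookup(packet_info *pinfo , tvbuff_t *tvb,
    proto_tree *parent_tree, struct tcp_analysis* tcpd, struct tcpheader * tcph, mptcp_per_packet_data_t *mptcppd)
{
    struct mptcp_analysis* mptcpd = tcpd->mptcp_analysis;
    proto_item *item = NULL;
    mptcp_dss_mapping_t *mapping = NULL;
    guint32 relseq;
    guint64 rawdsn = 0;
    enum mptcp_dsn_conversion convert;

    if(!mptcp_analyze_mappings)
    {
        /* abort analysis */
        return;
    }

    /* for this to work, we need to know the original seq number from the SYN, not from a subsequent packet
     * hence, we abort if we didn't capture the SYN
     */
    if(!(tcpd->fwd->static_flags & ~TCP_S_BASE_SEQ_SET & (TCP_S_SAW_SYN | TCP_S_SAW_SYNACK))) {
        return;
    }

    /* if seq not relative yet, we compute it */
    relseq = (tcp_relative_seq) ? tcph->th_seq : tcph->th_seq - tcpd->fwd->base_seq;

    DISSECTOR_ASSERT(mptcpd);
    DISSECTOR_ASSERT(mptcppd);

    /* in case of a SYN, there is no mapping covering the DSN */
    if(tcph->th_flags & TH_SYN) {
        rawdsn = tcpd->fwd->mptcp_subflow->meta->base_dsn;
        convert = DSN_CONV_NONE;
    }
    /* if it's a non-syn packet without data (just used to convey TCP options)
     * then there would be no mappings */
    else if(relseq == 1 && tcph->th_seglen == 0) {
        rawdsn = tcpd->fwd->mptcp_subflow->meta->base_dsn + 1;
        convert = DSN_CONV_NONE;
    }
    else {
        wmem_list_frame_t *dss_it = NULL;
        wmem_list_t *results = NULL;
        guint32 ssn_low = relseq;
        guint32 seglen = tcph->th_seglen;

        results = wmem_itree_find_intervals(tcpd->fwd->mptcp_subflow->ssn2dsn_mappings,
                                            wmem_packet_scope(),
                                            ssn_low,
                                            (seglen) ? ssn_low + seglen - 1 : ssn_low
                                            );
        dss_it = wmem_list_head(results); /* assume it's always ok */
        if(dss_it) {
            mapping = (mptcp_dss_mapping_t *) wmem_list_frame_data(dss_it);
        }
        if(dss_it == NULL || mapping == NULL) {
            expert_add_info(pinfo, parent_tree, &ei_mptcp_mapping_missing);
            return;
        }
        else {
            mptcppd->mapping = mapping;
        }

        DISSECTOR_ASSERT(mapping);
        if(seglen) {
            /* Finds mappings that cover the sent data and adds them to the dissection tree */
            for(dss_it = wmem_list_head(results);
                dss_it != NULL;
                dss_it = wmem_list_frame_next(dss_it))
            {
                mapping = (mptcp_dss_mapping_t *) wmem_list_frame_data(dss_it);
                DISSECTOR_ASSERT(mapping);

                item = proto_tree_add_uint(parent_tree, hf_mptcp_related_mapping, tvb, 0, 0, mapping->frame);
                proto_item_set_generated(item);
            }
        }

        convert = (mapping->extended_dsn) ? DSN_CONV_NONE : DSN_CONV_32_TO_64;

        /* The mapping in hand was returned for the range of the whole segment,
         * so it need not contain relseq itself (for instance when the data
         * starts ahead of the mapping). Both ranges come from the capture,
         * which makes this an input condition rather than a dissector bug:
         * report it instead of asserting on it.
         */
        if(!mptcp_map_relssn_to_rawdsn(mapping, relseq, &rawdsn)) {
            expert_add_info(pinfo, parent_tree, &ei_mptcp_mapping_missing);
            return;
        }
    }

    /* Make sure we have the 64bit raw DSN */
    if(mptcp_convert_dsn(rawdsn, tcpd->fwd->mptcp_subflow->meta,
        convert, FALSE, &tcph->th_mptcp->mh_rawdsn64)) {

        /* always display the rawdsn64 (helpful for debug) */
        item = proto_tree_add_uint64(parent_tree, hf_mptcp_rawdsn64, tvb, 0, 0, tcph->th_mptcp->mh_rawdsn64);

        /* converts to relative if required */
        if (mptcp_relative_seq
            && mptcp_convert_dsn(tcph->th_mptcp->mh_rawdsn64, tcpd->fwd->mptcp_subflow->meta, DSN_CONV_NONE, TRUE, &tcph->th_mptcp->mh_dsn)) {
            item = proto_tree_add_uint64(parent_tree, hf_mptcp_dsn, tvb, 0, 0, tcph->th_mptcp->mh_dsn);
            proto_item_append_text(item, " (Relative)");
        }

        /* register dsn->packet mapping; done on the first pass only so that
         * re-dissection does not insert the same frame again */
        if(mptcp_intersubflows_retransmission
            && !PINFO_FD_VISITED(pinfo)
            && tcph->th_seglen > 0
          ) {
            mptcp_dsn2packet_mapping_t *packet = 0;
            packet = wmem_new0(wmem_file_scope(), mptcp_dsn2packet_mapping_t);
            packet->frame = pinfo->fd->num;
            packet->subflow = tcpd;
            wmem_itree_insert(tcpd->fwd->mptcp_subflow->dsn2packet_map,
                    tcph->th_mptcp->mh_rawdsn64,
                    tcph->th_mptcp->mh_rawdsn64 + (tcph->th_seglen - 1 ),
                    packet
                    );
        }
        /* NOTE(review): item is the relative DSN item when one was added, so
         * the rawdsn64 item is then not marked as generated - confirm whether
         * that is intended.
         */
        proto_item_set_generated(item);

        /* We can do this only if rawdsn64 is valid !
        if enabled, look for overlapping mappings on other subflows */
        if(mptcp_intersubflows_retransmission
            && tcph->th_have_seglen
            && tcph->th_seglen) {

            wmem_list_frame_t *subflow_it = NULL;

            /* results should be some kind of list in case 2 DSS are needed to cover this packet */
            for(subflow_it = wmem_list_head(mptcpd->subflows); subflow_it != NULL; subflow_it = wmem_list_frame_next(subflow_it)) {
                struct tcp_analysis *sf_tcpd = (struct tcp_analysis *)wmem_list_frame_data(subflow_it);
                struct mptcp_subflow *sf = mptcp_select_subflow_from_meta(sf_tcpd, tcpd->fwd->mptcp_subflow->meta);

                /* for current subflow */
                if (sf == tcpd->fwd->mptcp_subflow) {
                    /* skip, this is the current subflow */
                }
                /* in case there were retransmissions on other subflows */
                else  {
                    mptcp_add_duplicated_dsn(pinfo, parent_tree, tvb, sf,
                                             tcph->th_mptcp->mh_rawdsn64,
                                             tcph->th_mptcp->mh_rawdsn64 + tcph->th_seglen-1);
                }
            }
        }
    }
    else {
        /* could not get the rawdsn64, ignore and continue */
    }
}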
/*
 * Add the generated "MPTCP analysis" subtree for the current segment.
 *
 * Does nothing when mptcpd is NULL.  Otherwise it adds, under parent_tree:
 *   - the hf_mptcp_analysis item and its ett_mptcp_analysis subtree,
 *   - the hf_mptcp_analysis_master boolean (with the master's TCP stream
 *     number in the label when a master subflow is recorded),
 *   - the hf_mptcp_stream number,
 *   - the subflow list and the DSN lookup results (delegated to
 *     mptcp_analysis_add_subflows() and mptcp_analysis_dsn_lookup()).
 *
 * Side effects: sets bits in tcpd->mptcp_analysis->mp_operations and, on the
 * first call for a packet/layer, allocates file-scoped per-packet MPTCP data.
 *
 * NOTE(review): only mptcpd is NULL-checked.  tcpd, tcpd->mptcp_analysis,
 * tcph and tcph->th_mptcp are dereferenced unconditionally; presumably the
 * caller guarantees them for every segment that reaches this function --
 * verify against the call site, since all of this state is derived from
 * captured (untrusted) traffic.
 */
static void
mptcp_add_analysis_subtree(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree,
                           struct tcp_analysis *tcpd, struct mptcp_analysis *mptcpd, struct tcpheader * tcph)
{
    proto_item *analysis_item;
    proto_tree *analysis_tree;
    proto_item *master_item;
    proto_item *stream_item;
    mptcp_per_packet_data_t *pkt_data;
    guint8 changed_options = 0;

    if (mptcpd == NULL) {
        return;
    }

    analysis_item = proto_tree_add_item(parent_tree, hf_mptcp_analysis, tvb, 0, 0, ENC_NA);
    proto_item_set_generated(analysis_item);
    analysis_tree = proto_item_add_subtree(analysis_item, ett_mptcp_analysis);
    proto_item_set_generated(analysis_tree);

    /* set field with mptcp stream */
    if (mptcpd->master) {
        master_item = proto_tree_add_boolean_format_value(analysis_tree, hf_mptcp_analysis_master, tvb, 0,
                          0, (mptcpd->master->stream == tcpd->stream) ? TRUE : FALSE
                          , "Master is tcp stream %u", mptcpd->master->stream
                          );
    } else {
        master_item = proto_tree_add_boolean(analysis_tree, hf_mptcp_analysis_master, tvb, 0,
                          0, FALSE);
    }
    proto_item_set_generated(master_item);

    /*
     * Store the TCP options related to MPTCP so that false DUP ACKs can be
     * avoided later.  One bit of mp_operations per option kind.
     *
     * NOTE(review): the masked value (0 or the mask itself) is compared
     * directly with the per-segment flag.  If the mh_* flags hold 0/1, then
     * for every mask other than 0x01 the comparison stays true once the bit
     * is set, so the counter keeps incrementing on later segments -- the
     * flag types are not visible here, confirm.  The stored bits are not
     * affected by that, and the counter is not read in this function.
     */
#define MPTCP_RECORD_OPTION(mask, seen_in_segment)                                         \
    do {                                                                                   \
        if ((tcpd->mptcp_analysis->mp_operations & (mask)) != (seen_in_segment)) {         \
            tcpd->mptcp_analysis->mp_operations |= (mask);                                 \
            changed_options++;                                                             \
        }                                                                                  \
    } while (0)

    MPTCP_RECORD_OPTION(0x01, tcph->th_mptcp->mh_mpc);
    MPTCP_RECORD_OPTION(0x02, tcph->th_mptcp->mh_join);
    MPTCP_RECORD_OPTION(0x04, tcph->th_mptcp->mh_dss);
    MPTCP_RECORD_OPTION(0x08, tcph->th_mptcp->mh_add);
    MPTCP_RECORD_OPTION(0x10, tcph->th_mptcp->mh_remove);
    MPTCP_RECORD_OPTION(0x20, tcph->th_mptcp->mh_prio);
    MPTCP_RECORD_OPTION(0x40, tcph->th_mptcp->mh_fail);
    MPTCP_RECORD_OPTION(0x80, tcph->th_mptcp->mh_fastclose);

#undef MPTCP_RECORD_OPTION
    /* MPTCP option changes could be tracked here, using changed_options */

    stream_item = proto_tree_add_uint(analysis_tree, hf_mptcp_stream, tvb, 0, 0, mptcpd->stream);
    proto_item_set_generated(stream_item);

    /* retrieve saved analysis of packets, else create it */
    pkt_data = (mptcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num);
    if (pkt_data == NULL) {
        pkt_data = (mptcp_per_packet_data_t *)wmem_new0(wmem_file_scope(), mptcp_per_packet_data_t);
        p_add_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num, pkt_data);
    }

    /* Print formatted list of tcp stream ids that are part of the connection */
    mptcp_analysis_add_subflows(pinfo, tvb, analysis_tree, mptcpd);

    /* Converts TCP seq number into its MPTCP DSN */
    mptcp_analysis_dsn_lookup(pinfo, tvb, analysis_tree, tcpd, tcph, pkt_data);
}
/*
 * Add the generated "push bytes sent" field (ta->push_bytes_sent) to
 * flags_tree.  Nothing is added unless the tcp_track_bytes_in_flight
 * setting is enabled.  pinfo is unused.
 */
static void
tcp_sequence_number_analysis_print_push_bytes_sent(packet_info * pinfo _U_,
                                                   tvbuff_t * tvb,
                                                   proto_tree * flags_tree,
                                                   struct tcp_acked *ta
                                                   )
{
    proto_item *push_item;

    if (!tcp_track_bytes_in_flight) {
        return;
    }

    /* Zero-length item at offset 0: the value is computed, not read from the packet. */
    push_item = proto_tree_add_uint(flags_tree,
                                    hf_tcp_analysis_push_bytes_sent,
                                    tvb, 0, 0, ta->push_bytes_sent);
    proto_item_set_generated(push_item);
}
/*
 * Add the generated "SEQ/ACK analysis" subtree for the current segment.
 *
 * Returns without adding anything when tcpd is NULL or when no tcp_acked
 * record is available for this frame (tcpd->ta stays NULL after the lookup
 * through tcp_analyze_get_acked_struct()).
 *
 * Every field is added only when the corresponding data is present:
 * acked frame and its RTT, initial RTT, bytes in flight / push bytes sent,
 * and the analysis flags (reused ports, retransmission, lost segment,
 * window, keep-alive, duplicate ACK, zero window).
 */
static void
tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree,
                                   struct tcp_analysis *tcpd, guint32 seq, guint32 ack)
{
    struct tcp_acked *acked;
    proto_item *analysis_item;
    proto_tree *analysis_tree;

    if (tcpd == NULL) {
        return;
    }

    /* No record attached yet for this frame: look it up. */
    if (tcpd->ta == NULL) {
        tcp_analyze_get_acked_struct(pinfo->num, seq, ack, FALSE, tcpd);
    }
    acked = tcpd->ta;
    if (acked == NULL) {
        return;
    }

    analysis_item = proto_tree_add_item(parent_tree, hf_tcp_analysis, tvb, 0, 0, ENC_NA);
    proto_item_set_generated(analysis_item);
    analysis_tree = proto_item_add_subtree(analysis_item, ett_tcp_analysis);

    /* Each proto_tree_add_xxx below is guarded so that only data we
       actually have is shown. */
    if (acked->frame_acked) {
        proto_item *acked_frame_item;

        acked_frame_item = proto_tree_add_uint(analysis_tree, hf_tcp_analysis_acks_frame,
                                               tvb, 0, 0, acked->frame_acked);
        proto_item_set_generated(acked_frame_item);

        /* only display RTT if we actually have something we are acking */
        if (acked->ts.secs || acked->ts.nsecs) {
            proto_item *rtt_item;

            rtt_item = proto_tree_add_time(analysis_tree, hf_tcp_analysis_ack_rtt,
                                           tvb, 0, 0, &acked->ts);
            proto_item_set_generated(rtt_item);
        }
    }

    if (!nstime_is_zero(&tcpd->ts_first_rtt)) {
        proto_item *first_rtt_item;

        first_rtt_item = proto_tree_add_time(analysis_tree, hf_tcp_analysis_first_rtt,
                                             tvb, 0, 0, &(tcpd->ts_first_rtt));
        proto_item_set_generated(first_rtt_item);
    }

    if (acked->bytes_in_flight) {
        /* amount of data in flight, then bytes sent since the last PSH */
        tcp_sequence_number_analysis_print_bytes_in_flight(pinfo, tvb, analysis_tree, acked);
        tcp_sequence_number_analysis_print_push_bytes_sent(pinfo, tvb, analysis_tree, acked);
    }

    if (acked->flags) {
        proto_item *flags_item;
        proto_tree *flags_tree;

        flags_item = proto_tree_add_item(analysis_tree, hf_tcp_analysis_flags, tvb, 0, 0, ENC_NA);
        proto_item_set_generated(flags_item);
        flags_tree = proto_item_add_subtree(flags_item, ett_tcp_analysis);

        /* reused tcp ports */
        tcp_sequence_number_analysis_print_reused(pinfo, flags_item, acked);

        /* retransmission and out-of-order segments */
        tcp_sequence_number_analysis_print_retransmission(pinfo, tvb, flags_tree, flags_item, acked);

        /* lost tcp segments */
        tcp_sequence_number_analysis_print_lost(pinfo, flags_item, acked);

        /* tcp window information */
        tcp_sequence_number_analysis_print_window(pinfo, flags_item, acked);

        /* tcp keep alive information */
        tcp_sequence_number_analysis_print_keepalive(pinfo, flags_item, acked);

        /* tcp duplicate acks */
        tcp_sequence_number_analysis_print_duplicate(pinfo, tvb, flags_tree, acked, analysis_tree);

        /* tcp zero window */
        tcp_sequence_number_analysis_print_zero_window(pinfo, flags_item, acked);
    }
}
/*
 * Show the tree of all segments that make up a reassembled PDU and place
 * it directly behind the TCP tree.
 *
 * Called when the subdissector considered the data completely desegmented
 * (although the data at the end may, in turn, require desegmentation).
 */
static void
print_tcp_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tcp_tree, packet_info *pinfo, tvbuff_t *next_tvb)
{
    /* Written by show_fragment_tree(); it is not initialised here, so this
     * assumes the callee always stores a value -- TODO confirm. */
    proto_item *segments_item;
    proto_item *tcp_item;

    show_fragment_tree(ipfd_head, &tcp_segment_items,
                       tree, pinfo, next_tvb, &segments_item);

    /*
     * The toplevel fragment subtree now sits behind all desegmented data;
     * relocate it so that it follows the TCP tree.
     */
    tcp_item = proto_tree_get_parent(tcp_tree);
    if (segments_item == NULL || tcp_item == NULL) {
        return;
    }
    proto_tree_move_item(tree, tcp_item, segments_item);
}
/* **************************************************************************
* End of tcp sequence number analysis
* **************************************************************************/
/* Minimum TCP header length, in bytes (a header that carries no options). */
#define TCPH_MIN_LEN 20
/* Desegmentation of TCP streams: the reassembly table that the TCP
 * reassembly code in this file passes to fragment_get()/fragment_add(). */
static reassembly_table tcp_reassembly_table;
/* functions to trace tcp segments */
/* Enable desegmenting of TCP streams */
static gboolean tcp_desegment = TRUE;
/* Enable buffering of out-of-order TCP segments before passing it to a
* subdissector (depends on "tcp_desegment"): desegment_tcp() takes its
* out-of-order path only when both settings are TRUE. */
static gboolean tcp_reassemble_out_of_order = FALSE;
/*
 * Report whether the segments stored for a multisegment PDU leave a gap
 * before the given sequence number.
 *
 * pinfo: current packet, used for the reassembly-table lookup.
 * msp:   the multisegment PDU; msp->seq is its first sequence number and
 *        msp->first_frame the reassembly key.
 * seq:   sequence number up to which the data must be contiguous.
 *
 * Returns TRUE iff some byte in [msp->seq, seq) is not covered by the
 * stored fragments; gaps at or after seq are ignored.  Returns FALSE when
 * seq does not lie after msp->seq (compared as a signed 32-bit distance, so
 * sequence-number wraparound is handled).
 *
 * NOTE(review): the single forward pass only grows the covered range when a
 * fragment starts inside it, so this presumably relies on the fragment list
 * being ordered by offset -- confirm against the reassembly code.
 */
static gboolean
missing_segments(packet_info *pinfo, struct tcp_multisegment_pdu *msp, guint32 seq)
{
    const guint32 wanted_len = seq - msp->seq;
    fragment_head *head;
    fragment_item *cur;
    guint32 covered_end = 0;

    if ((gint32)wanted_len <= 0) {
        return FALSE;
    }

    head = fragment_get(&tcp_reassembly_table, pinfo, msp->first_frame, NULL);
    /* msp implies existence of fragments, this should never be NULL. */
    DISSECTOR_ASSERT(head);

    /* Measure how far the stored fragments extend without a hole,
     * starting from offset 0. */
    cur = head;
    while (cur) {
        guint32 cur_end = cur->offset + cur->len;

        if (cur->offset <= covered_end && covered_end < cur_end) {
            covered_end = cur_end;
        }
        cur = cur->next;
    }

    return covered_end < wanted_len;
}
static void
desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
guint32 seq, guint32 nxtseq,
guint32 sport, guint32 dport,
proto_tree *tree, proto_tree *tcp_tree,
struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo)
{
fragment_head *ipfd_head;
int last_fragment_len;
gboolean must_desegment;
gboolean called_dissector;
int another_pdu_follows;
int deseg_offset;
guint32 deseg_seq;
gint nbytes;
proto_item *item;
struct tcp_multisegment_pdu *msp;
gboolean cleared_writable = col_get_writable(pinfo->cinfo, COL_PROTOCOL);
const gboolean reassemble_ooo = tcp_desegment && tcp_reassemble_out_of_order;
again:
ipfd_head = NULL;
last_fragment_len = 0;
must_desegment = FALSE;
called_dissector = FALSE;
another_pdu_follows = 0;
msp = NULL;
/*
* Initialize these to assume no desegmentation.
* If that's not the case, these will be set appropriately
* by the subdissector.
*/
pinfo->desegment_offset = 0;
pinfo->desegment_len = 0;
/*
* Initialize this to assume that this segment will just be
* added to the middle of a desegmented chunk of data, so
* that we should show it all as data.
* If that's not the case, it will be set appropriately.
*/
deseg_offset = offset;
if (tcpd) {
/* Have we seen this PDU before (and is it the start of a multi-
* segment PDU)?
*
* If the sequence number was seen before, it is part of a
* retransmission if the whole segment fits within the MSP.
* (But if this is this frame was already visited and the first frame of
* the MSP matches the current frame, then it is not a retransmission,
* but the start of a new MSP.)
*
* If only part of the segment fits in the MSP, then either:
* - The previous segment included with the MSP was a Zero Window Probe
* with one byte of data and the subdissector just asked for one more
* byte. Do not mark it as retransmission (Bug 15427).
* - Data was actually being retransmitted, but with additional data
* (Bug 13523). Do not mark it as retransmission to handle the extra
* bytes. (NOTE Due to the TCP_A_RETRANSMISSION check below, such
* extra data will still be ignored.)
* - The MSP contains multiple segments, but the subdissector finished
* reassembly using a subset of the final segment (thus "msp->nxtpdu"
* is smaller than the nxtseq of the previous segment). If that final
* segment was retransmitted, then "nxtseq > msp->nxtpdu".
* Unfortunately that will *not* be marked as retransmission here.
* The next TCP_A_RETRANSMISSION hopefully takes care of it though.
*
* Only shortcircuit here when the first segment of the MSP is known,
* and when this this first segment is not one to complete the MSP.
*/
if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, seq)) &&
nxtseq <= msp->nxtpdu &&
!(msp->flags & MSP_FLAGS_MISSING_FIRST_SEGMENT) && msp->last_frame != pinfo->num) {
const char* str;
gboolean is_retransmission = FALSE;
/* Yes. This could be because we've dissected this frame before
* or because this is a retransmission of a previously-seen
* segment. Either way, we don't need to hand it off to the
* subdissector and we certainly don't want to re-add it to the
* multisegment_pdus list: if we did, subsequent lookups would
* find this retransmission instead of the original transmission
* (breaking desegmentation if we'd already linked other segments
* to the original transmission's entry).
*
* Cases to handle here:
* - In-order stream, pinfo->num matches begin of MSP.
* - In-order stream, but pinfo->num does not match the begin of the
* MSP. Must be a retransmission.
* - OoO stream where this segment fills the gap in the begin of the
* MSP. msp->first_frame is the start where the gap was detected
* (and does NOT match pinfo->num).
*/
if (msp->first_frame == pinfo->num || msp->first_frame_with_seq == pinfo->num) {
str = "";
col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "[TCP segment of a reassembled PDU]");
} else {
str = "Retransmitted ";
is_retransmission = TRUE;
/* TCP analysis already flags this (in COL_INFO) as a retransmission--if it's enabled */
}
/* Fix for bug 3264: look up ipfd for this (first) segment,
so can add tcp.reassembled_in generated field on this code path. */
if (!is_retransmission) {
ipfd_head = fragment_get(&tcp_reassembly_table, pinfo, msp->first_frame, NULL);
if (ipfd_head) {
if (ipfd_head->reassembled_in != 0) {
item = proto_tree_add_uint(tcp_tree, hf_tcp_reassembled_in, tvb, 0,
0, ipfd_head->reassembled_in);
proto_item_set_generated(item);
}
}
}
nbytes = tvb_reported_length_remaining(tvb, offset);
proto_tree_add_bytes_format(tcp_tree, hf_tcp_segment_data, tvb, offset,
nbytes, NULL, "%sTCP segment data (%u byte%s)", str, nbytes,
plurality(nbytes, "", "s"));
return;
}
/* The above code only finds retransmission if the PDU boundaries and the seq coincide I think
* If we have sequence analysis active use the TCP_A_RETRANSMISSION flag.
* XXXX Could the above code be improved?
* XXX the following check works great for filtering duplicate
* retransmissions, but could there be a case where it prevents
* "tcp_reassemble_out_of_order" from functioning due to skipping
* retransmission of a lost segment?
* If the latter is enabled, it could use use "maxnextseq" for ignoring
* retransmitted single-segment PDUs (that would require storing
* per-packet state (tcp_per_packet_data_t) to make it work for two-pass
* and random access dissection). Retransmitted segments that are part
* of a MSP should already be passed only once to subdissectors due to
* the "reassembled_in" check below.
*/
if(tcpd->ta) {
/* Spurious Retransmission is the most obvious case to handle, just ignore it.
* See issue 10289
*/
if((tcpd->ta->flags&TCP_A_SPURIOUS_RETRANSMISSION) == TCP_A_SPURIOUS_RETRANSMISSION) {
return;
}
if((tcpd->ta->flags&TCP_A_RETRANSMISSION) == TCP_A_RETRANSMISSION) {
const char* str = "Retransmitted ";
nbytes = tvb_reported_length_remaining(tvb, offset);
proto_tree_add_bytes_format(tcp_tree, hf_tcp_segment_data, tvb, offset,
nbytes, NULL, "%sTCP segment data (%u byte%s)", str, nbytes,
plurality(nbytes, "", "s"));
return;
}
}
/* Else, find the most previous PDU starting before this sequence number */
if (!msp) {
msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
}
}
if (reassemble_ooo && tcpd && !(tcpd->fwd->flags & TCP_FLOW_REASSEMBLE_UNTIL_FIN) && !PINFO_FD_VISITED(pinfo)) {
/* If there is a gap between this segment and any previous ones (that
* is, seqno is larger than the maximum expected seqno), then it is
* possibly an out-of-order segment. The very first segment is expected
* to be in-order though (otherwise captures starting in midst of a
* connection would never be reassembled).
*
* Do not bother checking for OoO segments for streams that are
* reassembled at FIN, the order of segments before FIN does not matter
* as reordering and reassembly occurs at FIN.
*/
if (tcpd->fwd->maxnextseq) {
/* Segments may be missing due to packet loss (assume later
* retransmission) or out-of-order (assume it will appear later).
*
* Extend an unfinished MSP when (1) missing segments exist between
* the start of the previous, (2) unfinished MSP and new segment.
*
* Create a new MSP when no (1) previous MSP exists and (2) a gap is
* detected between the previous largest nxtseq and the new segment.
*/
/* Whether a previous MSP exists with missing segments. */
gboolean has_unfinished_msp = msp && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS);
/* Whether the new segment creates a new gap. */
gboolean has_gap = LT_SEQ(tcpd->fwd->maxnextseq, seq);
if (has_unfinished_msp && missing_segments(pinfo, msp, seq)) {
/* The last PDU is part of a MSP which still needed more data,
* extend it (if necessary) to cover the entire new segment.
*/
if (LT_SEQ(msp->nxtpdu, nxtseq)) {
msp->nxtpdu = nxtseq;
}
} else if (!has_unfinished_msp && has_gap) {
/* Either the previous segment was a single PDU that did not
* belong to a MSP, or the previous MSP was completed and cannot
* be extended.
* Create a new one starting at the expected next position and
* extend it to the end of the new segment.
*/
msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
tcpd->fwd->maxnextseq, nxtseq,
tcpd->fwd->multisegment_pdus);
msp->flags |= MSP_FLAGS_MISSING_FIRST_SEGMENT;
}
/* Now that the MSP is updated or created, continue adding the
* segments to the MSP below. The subdissector will not be called as
* the MSP is not complete yet. */
}
if (tcpd->fwd->maxnextseq == 0 || LT_SEQ(tcpd->fwd->maxnextseq, nxtseq)) {
/* Update the maximum expected seqno if no SYN packet was seen
* before, or if the new segment succeeds previous segments. */
tcpd->fwd->maxnextseq = nxtseq;
}
}
if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq)) {
int len;
if (!PINFO_FD_VISITED(pinfo)) {
msp->last_frame=pinfo->num;
msp->last_frame_time=pinfo->abs_ts;
}
/* OK, this PDU was found, which means the segment continues
* a higher-level PDU and that we must desegment it.
*/
if (msp->flags&MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
/* The dissector asked for the entire segment */
len = tvb_captured_length_remaining(tvb, offset);
} else {
/* Wraparound is possible, so subtraction does not
* distribute across MIN(x, y)
*/
len = MIN(nxtseq - seq, msp->nxtpdu - seq);
}
last_fragment_len = len;
if (reassemble_ooo && tcpd && !(tcpd->fwd->flags & TCP_FLOW_REASSEMBLE_UNTIL_FIN)) {
/*
* If the previous segment requested more data (setting
* FD_PARTIAL_REASSEMBLY as the next segment length is unknown), but
* subsequently an OoO segment was received (for an earlier hole),
* then "fragment_add" would truncate the reassembled PDU to the end
* of this OoO segment. To prevent that, explicitly specify the MSP
* length before calling "fragment_add".
*
* When a subdissector requests reassembly at the end of the
* connection (DESEGMENT_UNTIL_FIN), then it is not
* possible for an earlier segment to complete reassembly
* (more_frags for fragment_add is always TRUE). Thus we do not
* have to worry about increasing the fragment length here.
*/
fragment_reset_tot_len(&tcp_reassembly_table, pinfo,
msp->first_frame, NULL,
MAX(seq + len, msp->nxtpdu) - msp->seq);
}
ipfd_head = fragment_add(&tcp_reassembly_table, tvb, offset,
pinfo, msp->first_frame, NULL,
seq - msp->seq, len,
(LT_SEQ (nxtseq,msp->nxtpdu)) );
if (!PINFO_FD_VISITED(pinfo)
&& msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
msp->