Permalink
Switch branches/tags
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
7850 lines (6673 sloc) 316 KB
/* packet-tcp.c
* Routines for TCP packet disassembly
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <stdio.h>
#include <epan/packet.h>
#include <epan/capture_dissectors.h>
#include <epan/exceptions.h>
#include <epan/addr_resolv.h>
#include <epan/ipproto.h>
#include <epan/expert.h>
#include <epan/ip_opts.h>
#include <epan/follow.h>
#include <epan/prefs.h>
#include <epan/show_exception.h>
#include <epan/conversation_table.h>
#include <epan/dissector_filters.h>
#include <epan/sequence_analysis.h>
#include <epan/reassemble.h>
#include <epan/decode_as.h>
#include <epan/exported_pdu.h>
#include <epan/in_cksum.h>
#include <epan/proto_data.h>
#include <wsutil/utf8_entities.h>
#include <wsutil/str_util.h>
#include <wsutil/wsgcrypt.h>
#include <wsutil/pint.h>
#include "packet-tcp.h"
#include "packet-ip.h"
#include "packet-icmp.h"
void proto_register_tcp(void);
void proto_reg_handoff_tcp(void);
static int tcp_tap = -1;
static int tcp_follow_tap = -1;
static int mptcp_tap = -1;
static int exported_pdu_tap = -1;
/* Place TCP summary in proto tree */
static gboolean tcp_summary_in_tree = TRUE;
static inline guint64 KEEP_32MSB_OF_GUINT64(guint64 nb) {
return (nb >> 32) << 32;
}
#define MPTCP_DSS_FLAG_DATA_ACK_PRESENT 0x01
#define MPTCP_DSS_FLAG_DATA_ACK_8BYTES 0x02
#define MPTCP_DSS_FLAG_MAPPING_PRESENT 0x04
#define MPTCP_DSS_FLAG_DSN_8BYTES 0x08
#define MPTCP_DSS_FLAG_DATA_FIN_PRESENT 0x10
/*
* Flag to control whether to check the TCP checksum.
*
* In at least some Solaris network traces, there are packets with bad
* TCP checksums, but the traffic appears to indicate that the packets
* *were* received; the packets were probably sent by the host on which
* the capture was being done, on a network interface to which
* checksumming was offloaded, so that DLPI supplied an un-checksummed
* packet to the capture program but a checksummed packet got put onto
* the wire.
*/
static gboolean tcp_check_checksum = FALSE;
/*
* Window scaling values to be used when not known (set as a preference) */
enum scaling_window_value {
WindowScaling_NotKnown=-1,
WindowScaling_0=0,
WindowScaling_1,
WindowScaling_2,
WindowScaling_3,
WindowScaling_4,
WindowScaling_5,
WindowScaling_6,
WindowScaling_7,
WindowScaling_8,
WindowScaling_9,
WindowScaling_10,
WindowScaling_11,
WindowScaling_12,
WindowScaling_13,
WindowScaling_14
};
/*
* Using enum instead of boolean make API easier
*/
enum mptcp_dsn_conversion {
DSN_CONV_64_TO_32,
DSN_CONV_32_TO_64,
DSN_CONV_NONE
} ;
static gint tcp_default_window_scaling = (gint)WindowScaling_NotKnown;
static int proto_tcp = -1;
static int proto_ip = -1;
static int proto_icmp = -1;
static int proto_tcp_option_nop = -1;
static int proto_tcp_option_eol = -1;
static int proto_tcp_option_timestamp = -1;
static int proto_tcp_option_mss = -1;
static int proto_tcp_option_wscale = -1;
static int proto_tcp_option_sack_perm = -1;
static int proto_tcp_option_sack = -1;
static int proto_tcp_option_echo = -1;
static int proto_tcp_option_echoreply = -1;
static int proto_tcp_option_cc = -1;
static int proto_tcp_option_cc_new = -1;
static int proto_tcp_option_cc_echo = -1;
static int proto_tcp_option_md5 = -1;
static int proto_tcp_option_scps = -1;
static int proto_tcp_option_snack = -1;
static int proto_tcp_option_scpsrec = -1;
static int proto_tcp_option_scpscor = -1;
static int proto_tcp_option_qs = -1;
static int proto_tcp_option_user_to = -1;
static int proto_tcp_option_tfo = -1;
static int proto_tcp_option_rvbd_probe = -1;
static int proto_tcp_option_rvbd_trpy = -1;
static int proto_tcp_option_exp = -1;
static int proto_tcp_option_unknown = -1;
static int proto_mptcp = -1;
static int hf_tcp_srcport = -1;
static int hf_tcp_dstport = -1;
static int hf_tcp_port = -1;
static int hf_tcp_stream = -1;
static int hf_tcp_seq = -1;
static int hf_tcp_nxtseq = -1;
static int hf_tcp_ack = -1;
static int hf_tcp_hdr_len = -1;
static int hf_tcp_flags = -1;
static int hf_tcp_flags_res = -1;
static int hf_tcp_flags_ns = -1;
static int hf_tcp_flags_cwr = -1;
static int hf_tcp_flags_ecn = -1;
static int hf_tcp_flags_urg = -1;
static int hf_tcp_flags_ack = -1;
static int hf_tcp_flags_push = -1;
static int hf_tcp_flags_reset = -1;
static int hf_tcp_flags_syn = -1;
static int hf_tcp_flags_fin = -1;
static int hf_tcp_flags_str = -1;
static int hf_tcp_window_size_value = -1;
static int hf_tcp_window_size = -1;
static int hf_tcp_window_size_scalefactor = -1;
static int hf_tcp_checksum = -1;
static int hf_tcp_checksum_status = -1;
static int hf_tcp_checksum_calculated = -1;
static int hf_tcp_len = -1;
static int hf_tcp_urgent_pointer = -1;
static int hf_tcp_analysis = -1;
static int hf_tcp_analysis_flags = -1;
static int hf_tcp_analysis_bytes_in_flight = -1;
static int hf_tcp_analysis_push_bytes_sent = -1;
static int hf_tcp_analysis_acks_frame = -1;
static int hf_tcp_analysis_ack_rtt = -1;
static int hf_tcp_analysis_first_rtt = -1;
static int hf_tcp_analysis_rto = -1;
static int hf_tcp_analysis_rto_frame = -1;
static int hf_tcp_analysis_duplicate_ack = -1;
static int hf_tcp_analysis_duplicate_ack_num = -1;
static int hf_tcp_analysis_duplicate_ack_frame = -1;
static int hf_tcp_continuation_to = -1;
static int hf_tcp_pdu_time = -1;
static int hf_tcp_pdu_size = -1;
static int hf_tcp_pdu_last_frame = -1;
static int hf_tcp_reassembled_in = -1;
static int hf_tcp_reassembled_length = -1;
static int hf_tcp_reassembled_data = -1;
static int hf_tcp_segments = -1;
static int hf_tcp_segment = -1;
static int hf_tcp_segment_overlap = -1;
static int hf_tcp_segment_overlap_conflict = -1;
static int hf_tcp_segment_multiple_tails = -1;
static int hf_tcp_segment_too_long_fragment = -1;
static int hf_tcp_segment_error = -1;
static int hf_tcp_segment_count = -1;
static int hf_tcp_options = -1;
static int hf_tcp_option_kind = -1;
static int hf_tcp_option_len = -1;
static int hf_tcp_option_mss_val = -1;
static int hf_tcp_option_wscale_shift = -1;
static int hf_tcp_option_wscale_multiplier = -1;
static int hf_tcp_option_sack_sle = -1;
static int hf_tcp_option_sack_sre = -1;
static int hf_tcp_option_sack_range_count = -1;
static int hf_tcp_option_echo = -1;
static int hf_tcp_option_timestamp_tsval = -1;
static int hf_tcp_option_timestamp_tsecr = -1;
static int hf_tcp_option_cc = -1;
static int hf_tcp_option_md5_digest = -1;
static int hf_tcp_option_qs_rate = -1;
static int hf_tcp_option_qs_ttl_diff = -1;
static int hf_tcp_option_exp_data = -1;
static int hf_tcp_option_exp_magic_number = -1;
static int hf_tcp_option_unknown_payload = -1;
static int hf_tcp_option_rvbd_probe_version1 = -1;
static int hf_tcp_option_rvbd_probe_version2 = -1;
static int hf_tcp_option_rvbd_probe_type1 = -1;
static int hf_tcp_option_rvbd_probe_type2 = -1;
static int hf_tcp_option_rvbd_probe_prober = -1;
static int hf_tcp_option_rvbd_probe_proxy = -1;
static int hf_tcp_option_rvbd_probe_client = -1;
static int hf_tcp_option_rvbd_probe_proxy_port = -1;
static int hf_tcp_option_rvbd_probe_appli_ver = -1;
static int hf_tcp_option_rvbd_probe_storeid = -1;
static int hf_tcp_option_rvbd_probe_flags = -1;
static int hf_tcp_option_rvbd_probe_flag_last_notify = -1;
static int hf_tcp_option_rvbd_probe_flag_server_connected = -1;
static int hf_tcp_option_rvbd_probe_flag_not_cfe = -1;
static int hf_tcp_option_rvbd_probe_flag_sslcert = -1;
static int hf_tcp_option_rvbd_probe_flag_probe_cache = -1;
static int hf_tcp_option_rvbd_trpy_flags = -1;
static int hf_tcp_option_rvbd_trpy_flag_mode = -1;
static int hf_tcp_option_rvbd_trpy_flag_oob = -1;
static int hf_tcp_option_rvbd_trpy_flag_chksum = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst_inner = -1;
static int hf_tcp_option_rvbd_trpy_flag_fw_rst_probe = -1;
static int hf_tcp_option_rvbd_trpy_src = -1;
static int hf_tcp_option_rvbd_trpy_dst = -1;
static int hf_tcp_option_rvbd_trpy_src_port = -1;
static int hf_tcp_option_rvbd_trpy_dst_port = -1;
static int hf_tcp_option_rvbd_trpy_client_port = -1;
static int hf_tcp_option_mptcp_flags = -1;
static int hf_tcp_option_mptcp_backup_flag = -1;
static int hf_tcp_option_mptcp_checksum_flag = -1;
static int hf_tcp_option_mptcp_B_flag = -1;
static int hf_tcp_option_mptcp_H_flag = -1;
static int hf_tcp_option_mptcp_F_flag = -1;
static int hf_tcp_option_mptcp_m_flag = -1;
static int hf_tcp_option_mptcp_M_flag = -1;
static int hf_tcp_option_mptcp_a_flag = -1;
static int hf_tcp_option_mptcp_A_flag = -1;
static int hf_tcp_option_mptcp_reserved_flag = -1;
static int hf_tcp_option_mptcp_subtype = -1;
static int hf_tcp_option_mptcp_version = -1;
static int hf_tcp_option_mptcp_reserved = -1;
static int hf_tcp_option_mptcp_address_id = -1;
static int hf_tcp_option_mptcp_recv_token = -1;
static int hf_tcp_option_mptcp_sender_key = -1;
static int hf_tcp_option_mptcp_recv_key = -1;
static int hf_tcp_option_mptcp_sender_rand = -1;
static int hf_tcp_option_mptcp_sender_trunc_hmac = -1;
static int hf_tcp_option_mptcp_sender_hmac = -1;
static int hf_tcp_option_mptcp_addaddr_trunc_hmac = -1;
static int hf_tcp_option_mptcp_data_ack_raw = -1;
static int hf_tcp_option_mptcp_data_seq_no_raw = -1;
static int hf_tcp_option_mptcp_subflow_seq_no = -1;
static int hf_tcp_option_mptcp_data_lvl_len = -1;
static int hf_tcp_option_mptcp_checksum = -1;
static int hf_tcp_option_mptcp_ipver = -1;
static int hf_tcp_option_mptcp_ipv4 = -1;
static int hf_tcp_option_mptcp_ipv6 = -1;
static int hf_tcp_option_mptcp_port = -1;
static int hf_mptcp_expected_idsn = -1;
static int hf_mptcp_dsn = -1;
static int hf_mptcp_rawdsn64 = -1;
static int hf_mptcp_dss_dsn = -1;
static int hf_mptcp_ack = -1;
static int hf_mptcp_stream = -1;
static int hf_mptcp_expected_token = -1;
static int hf_mptcp_analysis = -1;
static int hf_mptcp_analysis_master = -1;
static int hf_mptcp_analysis_subflows_stream_id = -1;
static int hf_mptcp_analysis_subflows = -1;
static int hf_mptcp_number_of_removed_addresses = -1;
static int hf_mptcp_related_mapping = -1;
static int hf_mptcp_reinjection_of = -1;
static int hf_mptcp_reinjected_in = -1;
static int hf_tcp_option_fast_open_cookie_request = -1;
static int hf_tcp_option_fast_open_cookie = -1;
static int hf_tcp_ts_relative = -1;
static int hf_tcp_ts_delta = -1;
static int hf_tcp_option_scps_vector = -1;
static int hf_tcp_option_scps_binding = -1;
static int hf_tcp_option_scps_binding_len = -1;
static int hf_tcp_scpsoption_flags_bets = -1;
static int hf_tcp_scpsoption_flags_snack1 = -1;
static int hf_tcp_scpsoption_flags_snack2 = -1;
static int hf_tcp_scpsoption_flags_compress = -1;
static int hf_tcp_scpsoption_flags_nlts = -1;
static int hf_tcp_scpsoption_flags_reserved = -1;
static int hf_tcp_scpsoption_connection_id = -1;
static int hf_tcp_option_snack_offset = -1;
static int hf_tcp_option_snack_size = -1;
static int hf_tcp_option_snack_le = -1;
static int hf_tcp_option_snack_re = -1;
static int hf_tcp_option_user_to_granularity = -1;
static int hf_tcp_option_user_to_val = -1;
static int hf_tcp_proc_src_uid = -1;
static int hf_tcp_proc_src_pid = -1;
static int hf_tcp_proc_src_uname = -1;
static int hf_tcp_proc_src_cmd = -1;
static int hf_tcp_proc_dst_uid = -1;
static int hf_tcp_proc_dst_pid = -1;
static int hf_tcp_proc_dst_uname = -1;
static int hf_tcp_proc_dst_cmd = -1;
static int hf_tcp_segment_data = -1;
static int hf_tcp_payload = -1;
static int hf_tcp_reset_cause = -1;
static int hf_tcp_fin_retransmission = -1;
static int hf_tcp_option_rvbd_probe_reserved = -1;
static int hf_tcp_option_scps_binding_data = -1;
static gint ett_tcp = -1;
static gint ett_tcp_flags = -1;
static gint ett_tcp_options = -1;
static gint ett_tcp_option_timestamp = -1;
static gint ett_tcp_option_mss = -1;
static gint ett_tcp_option_wscale = -1;
static gint ett_tcp_option_sack = -1;
static gint ett_tcp_option_snack = -1;
static gint ett_tcp_option_scps = -1;
static gint ett_tcp_scpsoption_flags = -1;
static gint ett_tcp_option_scps_extended = -1;
static gint ett_tcp_option_user_to = -1;
static gint ett_tcp_option_exp = -1;
static gint ett_tcp_option_sack_perm = -1;
static gint ett_tcp_analysis = -1;
static gint ett_tcp_analysis_faults = -1;
static gint ett_tcp_timestamps = -1;
static gint ett_tcp_segments = -1;
static gint ett_tcp_segment = -1;
static gint ett_tcp_checksum = -1;
static gint ett_tcp_process_info = -1;
static gint ett_tcp_option_mptcp = -1;
static gint ett_tcp_opt_rvbd_probe = -1;
static gint ett_tcp_opt_rvbd_probe_flags = -1;
static gint ett_tcp_opt_rvbd_trpy = -1;
static gint ett_tcp_opt_rvbd_trpy_flags = -1;
static gint ett_tcp_opt_echo = -1;
static gint ett_tcp_opt_cc = -1;
static gint ett_tcp_opt_md5 = -1;
static gint ett_tcp_opt_qs = -1;
static gint ett_tcp_opt_recbound = -1;
static gint ett_tcp_opt_scpscor = -1;
static gint ett_tcp_unknown_opt = -1;
static gint ett_tcp_option_other = -1;
static gint ett_mptcp_analysis = -1;
static gint ett_mptcp_analysis_subflows = -1;
static expert_field ei_tcp_opt_len_invalid = EI_INIT;
static expert_field ei_tcp_analysis_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_fast_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_spurious_retransmission = EI_INIT;
static expert_field ei_tcp_analysis_out_of_order = EI_INIT;
static expert_field ei_tcp_analysis_reused_ports = EI_INIT;
static expert_field ei_tcp_analysis_lost_packet = EI_INIT;
static expert_field ei_tcp_analysis_ack_lost_packet = EI_INIT;
static expert_field ei_tcp_analysis_window_update = EI_INIT;
static expert_field ei_tcp_analysis_window_full = EI_INIT;
static expert_field ei_tcp_analysis_keep_alive = EI_INIT;
static expert_field ei_tcp_analysis_keep_alive_ack = EI_INIT;
static expert_field ei_tcp_analysis_duplicate_ack = EI_INIT;
static expert_field ei_tcp_analysis_zero_window_probe = EI_INIT;
static expert_field ei_tcp_analysis_zero_window = EI_INIT;
static expert_field ei_tcp_analysis_zero_window_probe_ack = EI_INIT;
static expert_field ei_tcp_analysis_tfo_syn = EI_INIT;
static expert_field ei_tcp_scps_capable = EI_INIT;
static expert_field ei_tcp_option_snack_sequence = EI_INIT;
static expert_field ei_tcp_option_wscale_shift_invalid = EI_INIT;
static expert_field ei_tcp_short_segment = EI_INIT;
static expert_field ei_tcp_ack_nonzero = EI_INIT;
static expert_field ei_tcp_connection_sack = EI_INIT;
static expert_field ei_tcp_connection_syn = EI_INIT;
static expert_field ei_tcp_connection_fin = EI_INIT;
static expert_field ei_tcp_connection_rst = EI_INIT;
static expert_field ei_tcp_checksum_ffff = EI_INIT;
static expert_field ei_tcp_checksum_bad = EI_INIT;
static expert_field ei_tcp_urgent_pointer_non_zero = EI_INIT;
static expert_field ei_tcp_suboption_malformed = EI_INIT;
static expert_field ei_tcp_nop = EI_INIT;
/* static expert_field ei_mptcp_analysis_unexpected_idsn = EI_INIT; */
static expert_field ei_mptcp_analysis_echoed_key_mismatch = EI_INIT;
static expert_field ei_mptcp_analysis_missing_algorithm = EI_INIT;
static expert_field ei_mptcp_analysis_unsupported_algorithm = EI_INIT;
static expert_field ei_mptcp_infinite_mapping= EI_INIT;
static expert_field ei_mptcp_mapping_missing = EI_INIT;
/* static expert_field ei_mptcp_stream_incomplete = EI_INIT; */
/* static expert_field ei_mptcp_analysis_dsn_out_of_order = EI_INIT; */
/* Some protocols such as encrypted DCE/RPCoverHTTP have dependencies
* from one PDU to the next PDU and require that they are called in sequence.
* These protocols would not be able to handle PDUs coming out of order
* or for example when a PDU is seen twice, like for retransmissions.
* This preference can be set for such protocols to make sure that we don't
* invoke the subdissectors for retransmitted or out-of-order segments.
*/
static gboolean tcp_no_subdissector_on_error = TRUE;
/*
* FF: (draft-ietf-tcpm-experimental-options-03)
* With this flag set we assume the option structure for experimental
* codepoints (253, 254) has a magic number field (first field after the
* Kind and Length). The magic number is used to differentiate different
* experiments and thus will be used in data dissection.
*/
static gboolean tcp_exp_options_with_magic = TRUE;
/* Process info, currently discovered via IPFIX */
static gboolean tcp_display_process_info = FALSE;
/*
* TCP option
*/
#define TCPOPT_NOP 1 /* Padding */
#define TCPOPT_EOL 0 /* End of options */
#define TCPOPT_MSS 2 /* Segment size negotiating */
#define TCPOPT_WINDOW 3 /* Window scaling */
#define TCPOPT_SACK_PERM 4 /* SACK Permitted */
#define TCPOPT_SACK 5 /* SACK Block */
#define TCPOPT_ECHO 6
#define TCPOPT_ECHOREPLY 7
#define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
#define TCPOPT_CC 11
#define TCPOPT_CCNEW 12
#define TCPOPT_CCECHO 13
#define TCPOPT_MD5 19 /* RFC2385 */
#define TCPOPT_SCPS 20 /* SCPS Capabilities */
#define TCPOPT_SNACK 21 /* SCPS SNACK */
#define TCPOPT_RECBOUND 22 /* SCPS Record Boundary */
#define TCPOPT_CORREXP 23 /* SCPS Corruption Experienced */
#define TCPOPT_QS 27 /* RFC4782 Quick-Start Response */
#define TCPOPT_USER_TO 28 /* RFC5482 User Timeout Option */
#define TCPOPT_MPTCP 30 /* RFC6824 Multipath TCP */
#define TCPOPT_TFO 34 /* RFC7413 TCP Fast Open Cookie */
#define TCPOPT_EXP_FD 0xfd /* Experimental, reserved */
#define TCPOPT_EXP_FE 0xfe /* Experimental, reserved */
/* Non IANA registered option numbers */
#define TCPOPT_RVBD_PROBE 76 /* Riverbed probe option */
#define TCPOPT_RVBD_TRPY 78 /* Riverbed transparency option */
/*
* TCP option lengths
*/
#define TCPOLEN_MSS 4
#define TCPOLEN_WINDOW 3
#define TCPOLEN_SACK_PERM 2
#define TCPOLEN_SACK_MIN 2
#define TCPOLEN_ECHO 6
#define TCPOLEN_ECHOREPLY 6
#define TCPOLEN_TIMESTAMP 10
#define TCPOLEN_CC 6
#define TCPOLEN_CCNEW 6
#define TCPOLEN_CCECHO 6
#define TCPOLEN_MD5 18
#define TCPOLEN_SCPS 4
#define TCPOLEN_SNACK 6
#define TCPOLEN_RECBOUND 2
#define TCPOLEN_CORREXP 2
#define TCPOLEN_QS 8
#define TCPOLEN_USER_TO 4
#define TCPOLEN_MPTCP_MIN 3
#define TCPOLEN_TFO_MIN 2
#define TCPOLEN_RVBD_PROBE_MIN 3
#define TCPOLEN_RVBD_TRPY_MIN 16
#define TCPOLEN_EXP_MIN 2
/*
* Multipath TCP subtypes
*/
#define TCPOPT_MPTCP_MP_CAPABLE 0x0 /* Multipath TCP Multipath Capable */
#define TCPOPT_MPTCP_MP_JOIN 0x1 /* Multipath TCP Join Connection */
#define TCPOPT_MPTCP_DSS 0x2 /* Multipath TCP Data Sequence Signal */
#define TCPOPT_MPTCP_ADD_ADDR 0x3 /* Multipath TCP Add Address */
#define TCPOPT_MPTCP_REMOVE_ADDR 0x4 /* Multipath TCP Remove Address */
#define TCPOPT_MPTCP_MP_PRIO 0x5 /* Multipath TCP Change Subflow Priority */
#define TCPOPT_MPTCP_MP_FAIL 0x6 /* Multipath TCP Fallback */
#define TCPOPT_MPTCP_MP_FASTCLOSE 0x7 /* Multipath TCP Fast Close */
static const true_false_string tcp_option_user_to_granularity = {
"Minutes", "Seconds"
};
static const value_string tcp_option_kind_vs[] = {
{ TCPOPT_EOL, "End of Option List" },
{ TCPOPT_NOP, "No-Operation" },
{ TCPOPT_MSS, "Maximum Segment Size" },
{ TCPOPT_WINDOW, "Window Scale" },
{ TCPOPT_SACK_PERM, "SACK Permitted" },
{ TCPOPT_SACK, "SACK" },
{ TCPOPT_ECHO, "Echo" },
{ TCPOPT_ECHOREPLY, "Echo Reply" },
{ TCPOPT_TIMESTAMP, "Time Stamp Option" },
{ 9, "Partial Order Connection Permitted" },
{ 10, "Partial Order Service Profile" },
{ TCPOPT_CC, "CC" },
{ TCPOPT_CCNEW, "CC.NEW" },
{ TCPOPT_CCECHO, "CC.ECHO" },
{ 14, "TCP Alternate Checksum Request" },
{ 15, "TCP Alternate Checksum Data" },
{ 16, "Skeeter" },
{ 17, "Bubba" },
{ 18, "Trailer Checksum Option" },
{ TCPOPT_MD5, "MD5 Signature Option" },
{ TCPOPT_SCPS, "SCPS Capabilities" },
{ TCPOPT_SNACK, "Selective Negative Acknowledgements" },
{ TCPOPT_RECBOUND, "Record Boundaries" },
{ TCPOPT_CORREXP, "Corruption experienced" },
{ 24, "SNAP" },
{ 25, "Unassigned" },
{ 26, "TCP Compression Filter" },
{ TCPOPT_QS, "Quick-Start Response" },
{ TCPOPT_USER_TO, "User Timeout Option" },
{ 29, "TCP Authentication Option" },
{ TCPOPT_MPTCP, "Multipath TCP" },
{ TCPOPT_TFO, "TCP Fast Open Cookie" },
{ TCPOPT_RVBD_PROBE, "Riverbed Probe" },
{ TCPOPT_RVBD_TRPY, "Riverbed Transparency" },
{ TCPOPT_EXP_FD, "RFC3692-style Experiment 1" },
{ TCPOPT_EXP_FE, "RFC3692-style Experiment 2" },
{ 0, NULL }
};
static value_string_ext tcp_option_kind_vs_ext = VALUE_STRING_EXT_INIT(tcp_option_kind_vs);
/* not all of the hf_fields below make sense for TCP but we have to provide
them anyways to comply with the API (which was aimed for IP fragment
reassembly) */
static const fragment_items tcp_segment_items = {
&ett_tcp_segment,
&ett_tcp_segments,
&hf_tcp_segments,
&hf_tcp_segment,
&hf_tcp_segment_overlap,
&hf_tcp_segment_overlap_conflict,
&hf_tcp_segment_multiple_tails,
&hf_tcp_segment_too_long_fragment,
&hf_tcp_segment_error,
&hf_tcp_segment_count,
&hf_tcp_reassembled_in,
&hf_tcp_reassembled_length,
&hf_tcp_reassembled_data,
"Segments"
};
static const value_string mptcp_subtype_vs[] = {
{ TCPOPT_MPTCP_MP_CAPABLE, "Multipath Capable" },
{ TCPOPT_MPTCP_MP_JOIN, "Join Connection" },
{ TCPOPT_MPTCP_DSS, "Data Sequence Signal" },
{ TCPOPT_MPTCP_ADD_ADDR, "Add Address"},
{ TCPOPT_MPTCP_REMOVE_ADDR, "Remove Address" },
{ TCPOPT_MPTCP_MP_PRIO, "Change Subflow Priority" },
{ TCPOPT_MPTCP_MP_FAIL, "TCP Fallback" },
{ TCPOPT_MPTCP_MP_FASTCLOSE, "Fast Close" },
{ 0, NULL }
};
static dissector_table_t subdissector_table;
static dissector_table_t tcp_option_table;
static heur_dissector_list_t heur_subdissector_list;
static dissector_handle_t data_handle;
static dissector_handle_t tcp_handle;
static dissector_handle_t sport_handle;
static dissector_handle_t tcp_opt_unknown_handle;
static guint32 tcp_stream_count;
static guint32 mptcp_stream_count;
/*
* Maps an MPTCP token to a mptcp_analysis structure
* Collisions are not handled
*/
static wmem_tree_t *mptcp_tokens = NULL;
static const int *tcp_option_mptcp_capable_flags[] = {
&hf_tcp_option_mptcp_checksum_flag,
&hf_tcp_option_mptcp_B_flag,
&hf_tcp_option_mptcp_H_flag,
&hf_tcp_option_mptcp_reserved_flag,
NULL
};
static const int *tcp_option_mptcp_join_flags[] = {
&hf_tcp_option_mptcp_backup_flag,
NULL
};
static const int *tcp_option_mptcp_dss_flags[] = {
&hf_tcp_option_mptcp_F_flag,
&hf_tcp_option_mptcp_m_flag,
&hf_tcp_option_mptcp_M_flag,
&hf_tcp_option_mptcp_a_flag,
&hf_tcp_option_mptcp_A_flag,
NULL
};
const unit_name_string units_64bit_version = { " (64bits version)", NULL };
static const char *
tcp_flags_to_str(wmem_allocator_t *scope, const struct tcpheader *tcph)
{
static const char flags[][4] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECN", "CWR", "NS" };
const int maxlength = 64; /* upper bounds, max 53B: 8 * 3 + 2 + strlen("Reserved") + 9 * 2 + 1 */
char *pbuf;
const char *buf;
int i;
buf = pbuf = (char *) wmem_alloc(scope, maxlength);
*pbuf = '\0';
for (i = 0; i < 9; i++) {
if (tcph->th_flags & (1 << i)) {
if (buf[0])
pbuf = g_stpcpy(pbuf, ", ");
pbuf = g_stpcpy(pbuf, flags[i]);
}
}
if (tcph->th_flags & TH_RES) {
if (buf[0])
pbuf = g_stpcpy(pbuf, ", ");
g_stpcpy(pbuf, "Reserved");
}
if (buf[0] == '\0')
buf = "<None>";
return buf;
}
static const char *
tcp_flags_to_str_first_letter(const struct tcpheader *tcph)
{
wmem_strbuf_t *buf = wmem_strbuf_new(wmem_packet_scope(), "");
unsigned i;
const unsigned flags_count = 12;
const char first_letters[] = "RRRNCEUAPRSF";
/* upper three bytes are marked as reserved ('R'). */
for (i = 0; i < flags_count; i++) {
if (((tcph->th_flags >> (flags_count - 1 - i)) & 1)) {
wmem_strbuf_append_c(buf, first_letters[i]);
} else {
wmem_strbuf_append(buf, UTF8_MIDDLE_DOT);
}
}
return wmem_strbuf_finalize(buf);
}
static void
tcp_src_prompt(packet_info *pinfo, gchar *result)
{
guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));
g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", port, UTF8_RIGHTWARDS_ARROW);
}
static gpointer
tcp_src_value(packet_info *pinfo)
{
return p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num);
}
static void
tcp_dst_prompt(packet_info *pinfo, gchar *result)
{
guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, port);
}
static gpointer
tcp_dst_value(packet_info *pinfo)
{
return p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num);
}
static void
tcp_both_prompt(packet_info *pinfo, gchar *result)
{
guint32 srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num)),
destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
}
static const char* tcp_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
{
if (filter == CONV_FT_SRC_PORT)
return "tcp.srcport";
if (filter == CONV_FT_DST_PORT)
return "tcp.dstport";
if (filter == CONV_FT_ANY_PORT)
return "tcp.port";
if(!conv) {
return CONV_FILTER_INVALID;
}
if (filter == CONV_FT_SRC_ADDRESS) {
if (conv->src_address.type == AT_IPv4)
return "ip.src";
if (conv->src_address.type == AT_IPv6)
return "ipv6.src";
}
if (filter == CONV_FT_DST_ADDRESS) {
if (conv->dst_address.type == AT_IPv4)
return "ip.dst";
if (conv->dst_address.type == AT_IPv6)
return "ipv6.dst";
}
if (filter == CONV_FT_ANY_ADDRESS) {
if (conv->src_address.type == AT_IPv4)
return "ip.addr";
if (conv->src_address.type == AT_IPv6)
return "ipv6.addr";
}
return CONV_FILTER_INVALID;
}
static ct_dissector_info_t tcp_ct_dissector_info = {&tcp_conv_get_filter_type};
static int
tcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
conv_hash_t *hash = (conv_hash_t*) pct;
const struct tcpheader *tcphdr=(const struct tcpheader *)vip;
add_conversation_table_data_with_conv_id(hash, &tcphdr->ip_src, &tcphdr->ip_dst, tcphdr->th_sport, tcphdr->th_dport, (conv_id_t) tcphdr->th_stream, 1, pinfo->fd->pkt_len,
&pinfo->rel_ts, &pinfo->abs_ts, &tcp_ct_dissector_info, ENDPOINT_TCP);
return 1;
}
static int
mptcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
conv_hash_t *hash = (conv_hash_t*) pct;
const struct tcp_analysis *tcpd=(const struct tcp_analysis *)vip;
const mptcp_meta_flow_t *meta=(const mptcp_meta_flow_t *)tcpd->fwd->mptcp_subflow->meta;
add_conversation_table_data_with_conv_id(hash, &meta->ip_src, &meta->ip_dst,
meta->sport, meta->dport, (conv_id_t) tcpd->mptcp_analysis->stream, 1, pinfo->fd->pkt_len,
&pinfo->rel_ts, &pinfo->abs_ts, &tcp_ct_dissector_info, ENDPOINT_TCP);
return 1;
}
static const char* tcp_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
{
if (filter == CONV_FT_SRC_PORT)
return "tcp.srcport";
if (filter == CONV_FT_DST_PORT)
return "tcp.dstport";
if (filter == CONV_FT_ANY_PORT)
return "tcp.port";
if(!host) {
return CONV_FILTER_INVALID;
}
if (filter == CONV_FT_SRC_ADDRESS) {
if (host->myaddress.type == AT_IPv4)
return "ip.src";
if (host->myaddress.type == AT_IPv6)
return "ipv6.src";
}
if (filter == CONV_FT_DST_ADDRESS) {
if (host->myaddress.type == AT_IPv4)
return "ip.dst";
if (host->myaddress.type == AT_IPv6)
return "ipv6.dst";
}
if (filter == CONV_FT_ANY_ADDRESS) {
if (host->myaddress.type == AT_IPv4)
return "ip.addr";
if (host->myaddress.type == AT_IPv6)
return "ipv6.addr";
}
return CONV_FILTER_INVALID;
}
static hostlist_dissector_info_t tcp_host_dissector_info = {&tcp_host_get_filter_type};
static int
tcpip_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
{
conv_hash_t *hash = (conv_hash_t*) pit;
const struct tcpheader *tcphdr=(const struct tcpheader *)vip;
/* Take two "add" passes per packet, adding for each direction, ensures that all
packets are counted properly (even if address is sending to itself)
XXX - this could probably be done more efficiently inside hostlist_table */
add_hostlist_table_data(hash, &tcphdr->ip_src, tcphdr->th_sport, TRUE, 1, pinfo->fd->pkt_len, &tcp_host_dissector_info, ENDPOINT_TCP);
add_hostlist_table_data(hash, &tcphdr->ip_dst, tcphdr->th_dport, FALSE, 1, pinfo->fd->pkt_len, &tcp_host_dissector_info, ENDPOINT_TCP);
return 1;
}
static gboolean
tcp_filter_valid(packet_info *pinfo)
{
return proto_is_frame_protocol(pinfo->layers, "tcp");
}
static gchar*
tcp_build_filter(packet_info *pinfo)
{
if( pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4 ) {
/* TCP over IPv4 */
return g_strdup_printf("(ip.addr eq %s and ip.addr eq %s) and (tcp.port eq %d and tcp.port eq %d)",
address_to_str(pinfo->pool, &pinfo->net_src),
address_to_str(pinfo->pool, &pinfo->net_dst),
pinfo->srcport, pinfo->destport );
}
if( pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6 ) {
/* TCP over IPv6 */
return g_strdup_printf("(ipv6.addr eq %s and ipv6.addr eq %s) and (tcp.port eq %d and tcp.port eq %d)",
address_to_str(pinfo->pool, &pinfo->net_src),
address_to_str(pinfo->pool, &pinfo->net_dst),
pinfo->srcport, pinfo->destport );
}
return NULL;
}
/****************************************************************************/
/* whenever a TCP packet is seen by the tap listener */
/* Add a new tcp frame into the graph */
static gboolean
tcp_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *tcp_info)
{
seq_analysis_info_t *sainfo = (seq_analysis_info_t *) ptr;
const struct tcpheader *tcph = (const struct tcpheader *)tcp_info;
const char* flags;
seq_analysis_item_t *sai = sequence_analysis_create_sai_with_addresses(pinfo, sainfo);
if (!sai)
return FALSE;
sai->frame_number = pinfo->num;
sai->port_src=pinfo->srcport;
sai->port_dst=pinfo->destport;
flags = tcp_flags_to_str(NULL, tcph);
if ((tcph->th_have_seglen)&&(tcph->th_seglen!=0)){
sai->frame_label = g_strdup_printf("%s - Len: %u",flags, tcph->th_seglen);
}
else{
sai->frame_label = g_strdup(flags);
}
wmem_free(NULL, (void*)flags);
if (tcph->th_flags & TH_ACK)
sai->comment = g_strdup_printf("Seq = %u Ack = %u",tcph->th_seq, tcph->th_ack);
else
sai->comment = g_strdup_printf("Seq = %u",tcph->th_seq);
sai->line_style = 1;
sai->conv_num = (guint16) tcph->th_stream;
sai->display = TRUE;
g_queue_push_tail(sainfo->items, sai);
return TRUE;
}
gchar* tcp_follow_conv_filter(packet_info* pinfo, int* stream)
{
conversation_t *conv;
struct tcp_analysis *tcpd;
if (((pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) ||
(pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6))
&& (conv=find_conversation_pinfo(pinfo, 0)) != NULL )
{
/* TCP over IPv4/6 */
tcpd=get_tcp_conversation_data(conv, pinfo);
if (tcpd == NULL)
return NULL;
*stream = tcpd->stream;
return g_strdup_printf("tcp.stream eq %d", tcpd->stream);
}
return NULL;
}
gchar* tcp_follow_index_filter(int stream)
{
return g_strdup_printf("tcp.stream eq %d", stream);
}
gchar* tcp_follow_address_filter(address* src_addr, address* dst_addr, int src_port, int dst_port)
{
const gchar *ip_version = src_addr->type == AT_IPv6 ? "v6" : "";
gchar src_addr_str[WS_INET6_ADDRSTRLEN];
gchar dst_addr_str[WS_INET6_ADDRSTRLEN];
address_to_str_buf(src_addr, src_addr_str, sizeof(src_addr_str));
address_to_str_buf(dst_addr, dst_addr_str, sizeof(dst_addr_str));
return g_strdup_printf("((ip%s.src eq %s and tcp.srcport eq %d) and "
"(ip%s.dst eq %s and tcp.dstport eq %d))"
" or "
"((ip%s.src eq %s and tcp.srcport eq %d) and "
"(ip%s.dst eq %s and tcp.dstport eq %d))",
ip_version, src_addr_str, src_port,
ip_version, dst_addr_str, dst_port,
ip_version, dst_addr_str, dst_port,
ip_version, src_addr_str, src_port);
}
typedef struct tcp_follow_tap_data
{
tvbuff_t *tvb;
struct tcpheader* tcph;
struct tcp_analysis *tcpd;
} tcp_follow_tap_data_t;
/*
* Tries to apply segments from fragments list to the reconstructed payload.
* Fragments that can be appended to the end of the payload will be applied (and
* removed from the list). Fragments that should have been received (according
* to the ack number) will also be appended to the payload (preceded by some
* dummy data to mark packet loss if any).
*
* Returns TRUE if one fragment has been applied or FALSE if no more fragments
* can be added the the payload (there might still be unacked fragments with
* missing segments before them).
*/
static gboolean
check_follow_fragments(follow_info_t *follow_info, gboolean is_server, guint32 acknowledged, guint32 packet_num)
{
GList *fragment_entry;
follow_record_t *fragment, *follow_record;
guint32 lowest_seq = 0;
gchar *dummy_str;
fragment_entry = g_list_first(follow_info->fragments[is_server]);
if (fragment_entry == NULL)
return FALSE;
fragment = (follow_record_t*)fragment_entry->data;
lowest_seq = fragment->seq;
for (; fragment_entry != NULL; fragment_entry = g_list_next(fragment_entry))
{
fragment = (follow_record_t*)fragment_entry->data;
if( GT_SEQ(lowest_seq, fragment->seq) ) {
lowest_seq = fragment->seq;
}
if( LT_SEQ(fragment->seq, follow_info->seq[is_server]) ) {
guint32 newseq;
/* this sequence number seems dated, but
check the end to make sure it has no more
info than we have already seen */
newseq = fragment->seq + fragment->data->len;
if( GT_SEQ(newseq, follow_info->seq[is_server]) ) {
guint32 new_pos;
/* this one has more than we have seen. let's get the
payload that we have not seen. This happens when
part of this frame has been retransmitted */
new_pos = follow_info->seq[is_server] - fragment->seq;
if ( fragment->data->len > new_pos ) {
guint32 new_frag_size = fragment->data->len - new_pos;
follow_record = g_new0(follow_record_t,1);
follow_record->is_server = is_server;
follow_record->packet_num = fragment->packet_num;
follow_record->seq = follow_info->seq[is_server] + new_frag_size;
follow_record->data = g_byte_array_append(g_byte_array_new(),
fragment->data->data + new_pos,
new_frag_size);
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
}
follow_info->seq[is_server] += (fragment->data->len - new_pos);
}
/* Remove the fragment from the list as the "new" part of it
* has been processed or its data has been seen already in
* another packet. */
g_byte_array_free(fragment->data, TRUE);
g_free(fragment);
follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
return TRUE;
}
if( EQ_SEQ(fragment->seq, follow_info->seq[is_server]) ) {
/* this fragment fits the stream */
if( fragment->data->len > 0 ) {
follow_info->payload = g_list_prepend(follow_info->payload, fragment);
}
follow_info->seq[is_server] += fragment->data->len;
follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
return TRUE;
}
}
if( GT_SEQ(acknowledged, lowest_seq) ) {
/* There are frames missing in the capture file that were seen
* by the receiving host. Add dummy stream chunk with the data
* "[xxx bytes missing in capture file]".
*/
dummy_str = g_strdup_printf("[%d bytes missing in capture file]",
(int)(lowest_seq - follow_info->seq[is_server]) );
// XXX the dummy replacement could be larger than the actual missing bytes.
follow_record = g_new0(follow_record_t,1);
follow_record->data = g_byte_array_append(g_byte_array_new(),
dummy_str,
(guint)strlen(dummy_str)+1);
g_free(dummy_str);
follow_record->is_server = is_server;
follow_record->packet_num = packet_num;
follow_record->seq = lowest_seq;
follow_info->seq[is_server] = lowest_seq;
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
return TRUE;
}
return FALSE;
}
static gboolean
follow_tcp_tap_listener(void *tapdata, packet_info *pinfo,
epan_dissect_t *edt _U_, const void *data)
{
follow_record_t *follow_record;
follow_info_t *follow_info = (follow_info_t *)tapdata;
const tcp_follow_tap_data_t *follow_data = (const tcp_follow_tap_data_t *)data;
gboolean is_server;
guint32 sequence = follow_data->tcph->th_seq;
guint32 length = follow_data->tcph->th_seglen;
guint32 data_offset = 0;
guint32 data_length = tvb_captured_length(follow_data->tvb);
if (follow_data->tcph->th_flags & TH_SYN) {
sequence++;
}
if (follow_info->client_port == 0) {
follow_info->client_port = pinfo->srcport;
copy_address(&follow_info->client_ip, &pinfo->src);
follow_info->server_port = pinfo->destport;
copy_address(&follow_info->server_ip, &pinfo->dst);
}
is_server = !(addresses_equal(&follow_info->client_ip, &pinfo->src) && follow_info->client_port == pinfo->srcport);
/* Check whether this frame ACKs fragments in flow from the other direction.
* This happens when frames are not in the capture file, but were actually
* seen by the receiving host (Fixes bug 592).
*/
if (follow_info->fragments[!is_server] != NULL) {
while (check_follow_fragments(follow_info, !is_server, follow_data->tcph->th_ack, pinfo->fd->num));
}
/*
* If this is the first segment of this stream, initialize the next expected
* sequence number. If there is any data, it will be added below.
*/
if (follow_info->bytes_written[is_server] == 0 && follow_info->seq[is_server] == 0) {
follow_info->seq[is_server] = sequence;
}
/* We have already seen this src (and received some segments), let's figure
* out whether this segment extends the stream or overlaps a previous gap. */
if (LT_SEQ(sequence, follow_info->seq[is_server])) {
/* This sequence number seems dated, but check the end in case it was a
* retransmission with more data. */
guint32 nextseq = sequence + length;
if (GT_SEQ(nextseq, follow_info->seq[is_server])) {
/* The begin of the segment was already seen, try to add the
* remaining data that we have not seen to the payload. */
data_offset = follow_info->seq[is_server] - sequence;
if (data_length <= data_offset) {
data_length = 0;
} else {
data_length -= data_offset;
}
sequence = follow_info->seq[is_server];
length = nextseq - follow_info->seq[is_server];
}
}
/*
* Ignore segments that have no new data (either because it was empty, or
* because it was fully overlapping with previously received data).
*/
if (data_length == 0 || LT_SEQ(sequence, follow_info->seq[is_server])) {
return FALSE;
}
follow_record = g_new0(follow_record_t, 1);
follow_record->is_server = is_server;
follow_record->packet_num = pinfo->fd->num;
follow_record->seq = sequence; /* start of fragment, used by check_follow_fragments. */
follow_record->data = g_byte_array_append(g_byte_array_new(),
tvb_get_ptr(follow_data->tvb, data_offset, data_length),
data_length);
if (EQ_SEQ(sequence, follow_info->seq[is_server])) {
/* The segment overlaps or extends the previous end of stream. */
follow_info->seq[is_server] += length;
follow_info->bytes_written[is_server] += follow_record->data->len;
follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
/* done with the packet, see if it caused a fragment to fit */
while(check_follow_fragments(follow_info, is_server, 0, pinfo->fd->num));
} else {
/* Out of order packet (more preceding segments are expected). */
follow_info->fragments[is_server] = g_list_append(follow_info->fragments[is_server], follow_record);
}
return FALSE;
}
#define EXP_PDU_TCP_INFO_DATA_LEN 19
#define EXP_PDU_TCP_INFO_VERSION 1
static int exp_pdu_tcp_dissector_data_size(packet_info *pinfo _U_, void* data _U_)
{
return EXP_PDU_TCP_INFO_DATA_LEN+4;
}
static int exp_pdu_tcp_dissector_data_populate_data(packet_info *pinfo _U_, void* data, guint8 *tlv_buffer, guint32 buffer_size _U_)
{
struct tcpinfo* dissector_data = (struct tcpinfo*)data;
tlv_buffer[0] = 0;
tlv_buffer[1] = EXP_PDU_TAG_TCP_INFO_DATA;
tlv_buffer[2] = 0;
tlv_buffer[3] = EXP_PDU_TCP_INFO_DATA_LEN; /* tag length */
tlv_buffer[4] = 0;
tlv_buffer[5] = EXP_PDU_TCP_INFO_VERSION;
tlv_buffer[6] = (dissector_data->seq & 0xff000000) >> 24;
tlv_buffer[7] = (dissector_data->seq & 0x00ff0000) >> 16;
tlv_buffer[8] = (dissector_data->seq & 0x0000ff00) >> 8;
tlv_buffer[9] = (dissector_data->seq & 0x000000ff);
tlv_buffer[10] = (dissector_data->nxtseq & 0xff000000) >> 24;
tlv_buffer[11] = (dissector_data->nxtseq & 0x00ff0000) >> 16;
tlv_buffer[12] = (dissector_data->nxtseq & 0x0000ff00) >> 8;
tlv_buffer[13] = (dissector_data->nxtseq & 0x000000ff);
tlv_buffer[14] = (dissector_data->lastackseq & 0xff000000) >> 24;
tlv_buffer[15] = (dissector_data->lastackseq & 0x00ff0000) >> 16;
tlv_buffer[16] = (dissector_data->lastackseq & 0x0000ff00) >> 8;
tlv_buffer[17] = (dissector_data->lastackseq & 0x000000ff);
tlv_buffer[18] = dissector_data->is_reassembled;
tlv_buffer[19] = (dissector_data->flags & 0xff00) >> 8;
tlv_buffer[20] = (dissector_data->flags & 0x00ff);
tlv_buffer[21] = (dissector_data->urgent_pointer & 0xff00) >> 8;
tlv_buffer[22] = (dissector_data->urgent_pointer & 0x00ff);
return exp_pdu_tcp_dissector_data_size(pinfo, data);
}
static void
handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, guint32 port, struct tcpinfo *tcpinfo)
{
if (have_tap_listener(exported_pdu_tap)) {
exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
const exp_pdu_data_item_t *tcp_exp_pdu_items[] = {
&exp_pdu_data_src_ip,
&exp_pdu_data_dst_ip,
&exp_pdu_data_port_type,
&exp_pdu_data_src_port,
&exp_pdu_data_dst_port,
&exp_pdu_data_orig_frame_num,
&exp_pdu_data_table_value,
&exp_pdu_data_dissector_data,
NULL
};
exp_pdu_data_t *exp_pdu_data;
exp_pdu_data_table_value.data = GUINT_TO_POINTER(port);
exp_pdu_data_dissector_data.data = tcpinfo;
exp_pdu_data = export_pdu_create_tags(pinfo, "tcp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, tcp_exp_pdu_items);
exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
exp_pdu_data->pdu_tvb = tvb;
tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
}
}
static void
handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry, struct tcpinfo *tcpinfo)
{
exp_pdu_data_t *exp_pdu_data = NULL;
if (have_tap_listener(exported_pdu_tap)) {
if ((!hdtbl_entry->enabled) ||
(hdtbl_entry->protocol != NULL && !proto_is_protocol_enabled(hdtbl_entry->protocol))) {
exp_pdu_data = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_PROTO_NAME);
} else if (hdtbl_entry->protocol != NULL) {
exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
const exp_pdu_data_item_t *tcp_exp_pdu_items[] = {
&exp_pdu_data_src_ip,
&exp_pdu_data_dst_ip,
&exp_pdu_data_port_type,
&exp_pdu_data_src_port,
&exp_pdu_data_dst_port,
&exp_pdu_data_orig_frame_num,
&exp_pdu_data_dissector_data,
NULL
};
exp_pdu_data_dissector_data.data = tcpinfo;
exp_pdu_data = export_pdu_create_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_PROTO_NAME, tcp_exp_pdu_items);
}
if (exp_pdu_data != NULL) {
exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
exp_pdu_data->pdu_tvb = tvb;
tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
}
}
}
static void
handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int src_port, int dst_port, struct tcpinfo *tcpinfo)
{
if (have_tap_listener(exported_pdu_tap)) {
conversation_t *conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, ENDPOINT_TCP, src_port, dst_port, 0);
if (conversation != NULL)
{
dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
if (handle != NULL)
{
exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
const exp_pdu_data_item_t *tcp_exp_pdu_items[] = {
&exp_pdu_data_src_ip,
&exp_pdu_data_dst_ip,
&exp_pdu_data_port_type,
&exp_pdu_data_src_port,
&exp_pdu_data_dst_port,
&exp_pdu_data_orig_frame_num,
&exp_pdu_data_dissector_data,
NULL
};
exp_pdu_data_t *exp_pdu_data;
exp_pdu_data_dissector_data.data = tcpinfo;
exp_pdu_data = export_pdu_create_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_PROTO_NAME, tcp_exp_pdu_items);
exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
exp_pdu_data->pdu_tvb = tvb;
tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
}
}
}
}
/* TCP structs and definitions */
/* **************************************************************************
* RTT, relative sequence numbers, window scaling & etc.
* **************************************************************************/
static gboolean tcp_analyze_seq = TRUE;
static gboolean tcp_relative_seq = TRUE;
static gboolean tcp_track_bytes_in_flight = TRUE;
static gboolean tcp_calculate_ts = TRUE;
static gboolean tcp_analyze_mptcp = TRUE;
static gboolean mptcp_relative_seq = TRUE;
static gboolean mptcp_analyze_mappings = FALSE;
static gboolean mptcp_intersubflows_retransmission = FALSE;
#define TCP_A_RETRANSMISSION 0x0001
#define TCP_A_LOST_PACKET 0x0002
#define TCP_A_ACK_LOST_PACKET 0x0004
#define TCP_A_KEEP_ALIVE 0x0008
#define TCP_A_DUPLICATE_ACK 0x0010
#define TCP_A_ZERO_WINDOW 0x0020
#define TCP_A_ZERO_WINDOW_PROBE 0x0040
#define TCP_A_ZERO_WINDOW_PROBE_ACK 0x0080
#define TCP_A_KEEP_ALIVE_ACK 0x0100
#define TCP_A_OUT_OF_ORDER 0x0200
#define TCP_A_FAST_RETRANSMISSION 0x0400
#define TCP_A_WINDOW_UPDATE 0x0800
#define TCP_A_WINDOW_FULL 0x1000
#define TCP_A_REUSED_PORTS 0x2000
#define TCP_A_SPURIOUS_RETRANSMISSION 0x4000
/* Static TCP flags. Set in tcp_flow_t:static_flags */
#define TCP_S_BASE_SEQ_SET 0x01
#define TCP_S_SAW_SYN 0x03
#define TCP_S_SAW_SYNACK 0x05
/* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
#define MPTCP_META_HAS_BASE_DSN_MSB 0x01
#define MPTCP_META_HAS_KEY 0x03
#define MPTCP_META_HAS_TOKEN 0x04
#define MPTCP_META_HAS_ADDRESSES 0x08
/* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
#define MPTCP_SUBFLOW_HAS_NONCE 0x01
#define MPTCP_SUBFLOW_HAS_ADDRESS_ID 0x02
/* MPTCP meta analysis related */
#define MPTCP_META_CHECKSUM_REQUIRED 0x0002
/* if we have no key for this connection, some conversion become impossible,
* thus return false
*/
static
gboolean
mptcp_convert_dsn(guint64 dsn, mptcp_meta_flow_t *meta, enum mptcp_dsn_conversion conv, gboolean relative, guint64 *result ) {
*result = dsn;
/* if relative is set then we need the 64 bits version anyway
* we assume no wrapping was done on the 32 lsb so this may be wrong for elphant flows
*/
if(conv == DSN_CONV_32_TO_64 || relative) {
if(!(meta->static_flags & MPTCP_META_HAS_BASE_DSN_MSB)) {
/* can't do those without the expected_idsn based on the key */
return FALSE;
}
}
if(conv == DSN_CONV_32_TO_64) {
*result = KEEP_32MSB_OF_GUINT64(meta->base_dsn) | dsn;
}
if(relative) {
*result -= meta->base_dsn;
}
if(conv == DSN_CONV_64_TO_32) {
*result = (guint32) *result;
}
return TRUE;
}
static void
process_tcp_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
proto_tree *tree, proto_tree *tcp_tree, int src_port, int dst_port,
guint32 seq, guint32 nxtseq, gboolean is_tcp_segment,
struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo);
static struct tcp_analysis *
init_tcp_conversation_data(packet_info *pinfo)
{
struct tcp_analysis *tcpd;
/* Initialize the tcp protocol data structure to add to the tcp conversation */
tcpd=wmem_new0(wmem_file_scope(), struct tcp_analysis);
tcpd->flow1.win_scale=-1;
tcpd->flow1.window = G_MAXUINT32;
tcpd->flow1.multisegment_pdus=wmem_tree_new(wmem_file_scope());
tcpd->flow2.window = G_MAXUINT32;
tcpd->flow2.win_scale=-1;
tcpd->flow2.multisegment_pdus=wmem_tree_new(wmem_file_scope());
/* Only allocate the data if its actually going to be analyzed */
if (tcp_analyze_seq)
{
tcpd->flow1.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
tcpd->flow2.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
}
/* Only allocate the data if its actually going to be displayed */
if (tcp_display_process_info)
{
tcpd->flow1.process_info = wmem_new0(wmem_file_scope(), struct tcp_process_info_t);
tcpd->flow2.process_info = wmem_new0(wmem_file_scope(), struct tcp_process_info_t);
}
tcpd->acked_table=wmem_tree_new(wmem_file_scope());
tcpd->ts_first.secs=pinfo->abs_ts.secs;
tcpd->ts_first.nsecs=pinfo->abs_ts.nsecs;
nstime_set_zero(&tcpd->ts_mru_syn);
nstime_set_zero(&tcpd->ts_first_rtt);
tcpd->ts_prev.secs=pinfo->abs_ts.secs;
tcpd->ts_prev.nsecs=pinfo->abs_ts.nsecs;
tcpd->flow1.valid_bif = 1;
tcpd->flow2.valid_bif = 1;
tcpd->flow1.push_bytes_sent = 0;
tcpd->flow2.push_bytes_sent = 0;
tcpd->flow1.push_set_last = FALSE;
tcpd->flow2.push_set_last = FALSE;
tcpd->stream = tcp_stream_count++;
tcpd->server_port = 0;
return tcpd;
}
/* setup meta as well */
static void
mptcp_init_subflow(tcp_flow_t *flow)
{
struct mptcp_subflow *sf = wmem_new0(wmem_file_scope(), struct mptcp_subflow);
DISSECTOR_ASSERT(flow->mptcp_subflow == 0);
flow->mptcp_subflow = sf;
sf->ssn2dsn_mappings = wmem_itree_new(wmem_file_scope());
sf->dsn2packet_map = wmem_itree_new(wmem_file_scope());
}
/* add a new subflow to an mptcp connection */
static void
mptcp_attach_subflow(struct mptcp_analysis* mptcpd, struct tcp_analysis* tcpd) {
if(!wmem_list_find(mptcpd->subflows, tcpd)) {
wmem_list_prepend(mptcpd->subflows, tcpd);
}
/* in case we merge 2 mptcp connections */
tcpd->mptcp_analysis = mptcpd;
}
struct tcp_analysis *
get_tcp_conversation_data(conversation_t *conv, packet_info *pinfo)
{
int direction;
struct tcp_analysis *tcpd;
gboolean clear_ta = TRUE;
/* Did the caller supply the conversation pointer? */
if( conv==NULL ) {
/* If the caller didn't supply a conversation, don't
* clear the analysis, it may be needed */
clear_ta = FALSE;
conv = find_or_create_conversation(pinfo);
}
/* Get the data for this conversation */
tcpd=(struct tcp_analysis *)conversation_get_proto_data(conv, proto_tcp);
/* If the conversation was just created or it matched a
* conversation with template options, tcpd will not
* have been initialized. So, initialize
* a new tcpd structure for the conversation.
*/
if (!tcpd) {
tcpd = init_tcp_conversation_data(pinfo);
conversation_add_proto_data(conv, proto_tcp, tcpd);
}
if (!tcpd) {
return NULL;
}
/* check direction and get ua lists */
direction=cmp_address(&pinfo->src, &pinfo->dst);
/* if the addresses are equal, match the ports instead */
if(direction==0) {
direction= (pinfo->srcport > pinfo->destport) ? 1 : -1;
}
if(direction>=0) {
tcpd->fwd=&(tcpd->flow1);
tcpd->rev=&(tcpd->flow2);
} else {
tcpd->fwd=&(tcpd->flow2);
tcpd->rev=&(tcpd->flow1);
}
if (clear_ta) {
tcpd->ta=NULL;
}
return tcpd;
}
/* Attach process info to a flow */
/* XXX - We depend on the TCP dissector finding the conversation first */
void
add_tcp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command) {
conversation_t *conv;
struct tcp_analysis *tcpd;
tcp_flow_t *flow = NULL;
if (!tcp_display_process_info)
return;
conv = find_conversation(frame_num, local_addr, remote_addr, ENDPOINT_TCP, local_port, remote_port, 0);
if (!conv) {
return;
}
tcpd = (struct tcp_analysis *)conversation_get_proto_data(conv, proto_tcp);
if (!tcpd) {
return;
}
if (cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0 && local_port == conversation_key_port1(conv->key_ptr)) {
flow = &tcpd->flow1;
} else if (cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0 && remote_port == conversation_key_port1(conv->key_ptr)) {
flow = &tcpd->flow2;
}
if (!flow || (flow->process_info && flow->process_info->command)) {
return;
}
if (flow->process_info == NULL)
flow->process_info = wmem_new0(wmem_file_scope(), struct tcp_process_info_t);
flow->process_info->process_uid = uid;
flow->process_info->process_pid = pid;
flow->process_info->username = wmem_strdup(wmem_file_scope(), username);
flow->process_info->command = wmem_strdup(wmem_file_scope(), command);
}
/* Return the current stream count */
guint32 get_tcp_stream_count(void)
{
return tcp_stream_count;
}
/* Return the mptcp current stream count */
guint32 get_mptcp_stream_count(void)
{
return mptcp_stream_count;
}
/* Calculate the timestamps relative to this conversation */
static void
tcp_calculate_timestamps(packet_info *pinfo, struct tcp_analysis *tcpd,
struct tcp_per_packet_data_t *tcppd)
{
if( !tcppd ) {
tcppd = wmem_new(wmem_file_scope(), struct tcp_per_packet_data_t);
p_add_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num, tcppd);
}
if (!tcpd)
return;
nstime_delta(&tcppd->ts_del, &pinfo->abs_ts, &tcpd->ts_prev);
tcpd->ts_prev.secs=pinfo->abs_ts.secs;
tcpd->ts_prev.nsecs=pinfo->abs_ts.nsecs;
}
/* Add a subtree with the timestamps relative to this conversation */
static void
tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
{
proto_item *item;
proto_tree *tree;
nstime_t ts;
if (!tcpd)
return;
tree=proto_tree_add_subtree(parent_tree, tvb, 0, 0, ett_tcp_timestamps, &item, "Timestamps");
PROTO_ITEM_SET_GENERATED(item);
nstime_delta(&ts, &pinfo->abs_ts, &tcpd->ts_first);
item = proto_tree_add_time(tree, hf_tcp_ts_relative, tvb, 0, 0, &ts);
PROTO_ITEM_SET_GENERATED(item);
if( !tcppd )
tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
if( tcppd ) {
item = proto_tree_add_time(tree, hf_tcp_ts_delta, tvb, 0, 0,
&tcppd->ts_del);
PROTO_ITEM_SET_GENERATED(item);
}
}
static void
print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
{
proto_item *item;
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[Continuation to #%u] ", msp->first_frame);
item=proto_tree_add_uint(tcp_tree, hf_tcp_continuation_to,
tvb, 0, 0, msp->first_frame);
PROTO_ITEM_SET_GENERATED(item);
}
/* if we know that a PDU starts inside this segment, return the adjusted
offset to where that PDU starts or just return offset back
and let TCP try to find out what it can about this segment
*/
static int
scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, guint32 seq, guint32 nxtseq, wmem_tree_t *multisegment_pdus)
{
struct tcp_multisegment_pdu *msp=NULL;
if(!pinfo->fd->flags.visited) {
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, seq-1);
if(msp) {
/* If this is a continuation of a PDU started in a
* previous segment we need to update the last_frame
* variables.
*/
if(seq>msp->seq && seq<msp->nxtpdu) {
msp->last_frame=pinfo->num;
msp->last_frame_time=pinfo->abs_ts;
print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
}
/* If this segment is completely within a previous PDU
* then we just skip this packet
*/
if(seq>msp->seq && nxtseq<=msp->nxtpdu) {
return -1;
}
if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu) {
offset+=msp->nxtpdu-seq;
return offset;
}
}
} else {
/* First we try to find the start and transfer time for a PDU.
* We only print this for the very first segment of a PDU
* and only for PDUs spanning multiple segments.
* Se we look for if there was any multisegment PDU started
* just BEFORE the end of this segment. I.e. either inside this
* segment or in a previous segment.
* Since this might also match PDUs that are completely within
* this segment we also verify that the found PDU does span
* beyond the end of this segment.
*/
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, nxtseq-1);
if(msp) {
if(pinfo->num==msp->first_frame) {
proto_item *item;
nstime_t ns;
item=proto_tree_add_uint(tcp_tree, hf_tcp_pdu_last_frame, tvb, 0, 0, msp->last_frame);
PROTO_ITEM_SET_GENERATED(item);
nstime_delta(&ns, &msp->last_frame_time, &pinfo->abs_ts);
item = proto_tree_add_time(tcp_tree, hf_tcp_pdu_time,
tvb, 0, 0, &ns);
PROTO_ITEM_SET_GENERATED(item);
}
}
/* Second we check if this segment is part of a PDU started
* prior to the segment (seq-1)
*/
msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, seq-1);
if(msp) {
/* If this segment is completely within a previous PDU
* then we just skip this packet
*/
if(seq>msp->seq && nxtseq<=msp->nxtpdu) {
print_pdu_tracking_data(pinfo, tvb, tcp_tree, msp);
return -1;
}
if(seq<msp->nxtpdu && nxtseq>msp->nxtpdu) {
offset+=msp->nxtpdu-seq;
return offset;
}
}
}
return offset;
}
/* if we saw a PDU that extended beyond the end of the segment,
use this function to remember where the next pdu starts
*/
struct tcp_multisegment_pdu *
pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, wmem_tree_t *multisegment_pdus)
{
struct tcp_multisegment_pdu *msp;
msp=wmem_new(wmem_file_scope(), struct tcp_multisegment_pdu);
msp->nxtpdu=nxtpdu;
msp->seq=seq;
msp->first_frame=pinfo->num;
msp->last_frame=pinfo->num;
msp->last_frame_time=pinfo->abs_ts;
msp->flags=0;
wmem_tree_insert32(multisegment_pdus, seq, (void *)msp);
/*g_warning("pdu_store_sequencenumber_of_next_pdu: seq %u", seq);*/
return msp;
}
/* This is called for SYN and SYN+ACK packets and the purpose is to verify
* that we have seen window scaling in both directions.
* If we can't find window scaling being set in both directions
* that means it was present in the SYN but not in the SYN+ACK
* (or the SYN was missing) and then we disable the window scaling
* for this tcp session.
*/
static void
verify_tcp_window_scaling(gboolean is_synack, struct tcp_analysis *tcpd)
{
if( tcpd->fwd->win_scale==-1 ) {
/* We know window scaling will not be used as:
* a) this is the SYN and it does not have the WS option
* (we set the reverse win_scale also in case we miss
* the SYN/ACK)
* b) this is the SYN/ACK and either the SYN packet has not
* been seen or it did have the WS option. As the SYN/ACK
* does not have the WS option, window scaling will not be used.
*
* Setting win_scale to -2 to indicate that we can
* trust the window_size value in the TCP header.
*/
tcpd->fwd->win_scale = -2;
tcpd->rev->win_scale = -2;
} else if( is_synack && tcpd->rev->win_scale==-2 ) {
/* The SYN/ACK has the WS option, while the SYN did not,
* this should not happen, but the endpoints will not
* have used window scaling, so we will neither
*/
tcpd->fwd->win_scale = -2;
}
}
/* given a tcpd, returns the mptcp_subflow that sides with meta */
static struct mptcp_subflow *
mptcp_select_subflow_from_meta(const struct tcp_analysis *tcpd, const mptcp_meta_flow_t *meta)
{
/* select the tcp_flow with appropriate direction */
if( tcpd->flow1.mptcp_subflow->meta == meta) {
return tcpd->flow1.mptcp_subflow;
}
else {
return tcpd->flow2.mptcp_subflow;
}
}
/* if we saw a window scaling option, store it for future reference
*/
static void
pdu_store_window_scale_option(guint8 ws, struct tcp_analysis *tcpd)
{
if (tcpd)
tcpd->fwd->win_scale=ws;
}
/* when this function returns, it will (if createflag) populate the ta pointer.
*/
static void
tcp_analyze_get_acked_struct(guint32 frame, guint32 seq, guint32 ack, gboolean createflag, struct tcp_analysis *tcpd)
{
wmem_tree_key_t key[4];
key[0].length = 1;
key[0].key = &frame;
key[1].length = 1;
key[1].key = &seq;
key[2].length = 1;
key[2].key = &ack;
key[3].length = 0;
key[3].key = NULL;
if (!tcpd) {
return;
}
tcpd->ta = (struct tcp_acked *)wmem_tree_lookup32_array(tcpd->acked_table, key);
if((!tcpd->ta) && createflag) {
tcpd->ta = wmem_new0(wmem_file_scope(), struct tcp_acked);
wmem_tree_insert32_array(tcpd->acked_table, key, (void *)tcpd->ta);
}
}
/* fwd contains a list of all segments processed but not yet ACKed in the
* same direction as the current segment.
* rev contains a list of all segments received but not yet ACKed in the
* opposite direction to the current segment.
*
* New segments are always added to the head of the fwd/rev lists.
*
* Changes below should be synced with ChAdvTCPAnalysis in the User's
* Guide: docbook/wsug_src/WSUG_chapter_advanced.asciidoc
*/
static void
tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint16 flags, guint32 window, struct tcp_analysis *tcpd)
{
tcp_unacked_t *ual=NULL;
tcp_unacked_t *prevual=NULL;
guint32 nextseq;
int ackcount;
#if 0
printf("\nanalyze_sequence numbers frame:%u\n",pinfo->num);
printf("FWD list lastflags:0x%04x base_seq:%u: nextseq:%u lastack:%u\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq,tcpd->fwd->tcp_analyze_seq_info->nextseq,tcpd->rev->tcp_analyze_seq_info->lastack);
for(ual=tcpd->fwd->tcp_analyze_seq_info->segments; ual; ual=ual->next)
printf("Frame:%d Seq:%u Nextseq:%u\n",ual->frame,ual->seq,ual->nextseq);
printf("REV list lastflags:0x%04x base_seq:%u nextseq:%u lastack:%u\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq,tcpd->rev->tcp_analyze_seq_info->nextseq,tcpd->fwd->tcp_analyze_seq_info->lastack);
for(ual=tcpd->rev->tcp_analyze_seq_info->segments; ual; ual=ual->next)
printf("Frame:%d Seq:%u Nextseq:%u\n",ual->frame,ual->seq,ual->nextseq);
#endif
if (!tcpd) {
return;
}
/* if this is the first segment for this list we need to store the
* base_seq
* We use TCP_S_SAW_SYN/SYNACK to distinguish between client and server
*
* Start relative seq and ack numbers at 1 if this
* is not a SYN packet. This makes the relative
* seq/ack numbers to be displayed correctly in the
* event that the SYN or SYN/ACK packet is not seen
* (this solves bug 1542)
*/
if( !(tcpd->fwd->static_flags & TCP_S_BASE_SEQ_SET)) {
if(flags & TH_SYN) {
tcpd->fwd->base_seq = seq;
tcpd->fwd->static_flags |= (flags & TH_ACK) ? TCP_S_SAW_SYNACK : TCP_S_SAW_SYN;
}
else {
tcpd->fwd->base_seq = seq-1;
}
tcpd->fwd->static_flags |= TCP_S_BASE_SEQ_SET;
}
/* Only store reverse sequence if this isn't the SYN
* There's no guarantee that the ACK field of a SYN
* contains zeros; get the ISN from the first segment
* with the ACK bit set instead (usually the SYN/ACK).
*
* If the SYN and SYN/ACK were received out-of-order,
* the ISN is ack-1. If we missed the SYN/ACK, but got
* the last ACK of the 3WHS, the ISN is ack-1. For all
* other packets the ISN is unknown, so ack-1 is
* as good a guess as ack.
*/
if( !(tcpd->rev->static_flags & TCP_S_BASE_SEQ_SET) && (flags & TH_ACK) ) {
tcpd->rev->base_seq = ack-1;
tcpd->rev->static_flags |= TCP_S_BASE_SEQ_SET;
}
if( flags & TH_ACK ) {
tcpd->rev->valid_bif = 1;
}
/* ZERO WINDOW PROBE
* it is a zero window probe if
* the sequence number is the next expected one
* the window in the other direction is 0
* the segment is exactly 1 byte
*/
if( seglen==1
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& tcpd->rev->window==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE;
goto finished_fwd;
}
/* ZERO WINDOW
* a zero window packet has window == 0 but none of the SYN/FIN/RST set
*/
if( window==0
&& (flags&(TH_RST|TH_FIN|TH_SYN))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW;
}
/* LOST PACKET
* If this segment is beyond the last seen nextseq we must
* have missed some previous segment
*
* We only check for this if we have actually seen segments prior to this
* one.
* RST packets are not checked for this.
*/
if( tcpd->fwd->tcp_analyze_seq_info->nextseq
&& GT_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->nextseq)
&& (flags&(TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_LOST_PACKET;
/* Disable BiF until an ACK is seen in the other direction */
tcpd->fwd->valid_bif = 0;
}
/* KEEP ALIVE
* a keepalive contains 0 or 1 bytes of data and starts one byte prior
* to what should be the next sequence number.
* SYN/FIN/RST segments are never keepalives
*/
if( (seglen==0||seglen==1)
&& seq==(tcpd->fwd->tcp_analyze_seq_info->nextseq-1)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_KEEP_ALIVE;
}
/* WINDOW UPDATE
* A window update is a 0 byte segment with the same SEQ/ACK numbers as
* the previous seen segment and with a new window value
*/
if( seglen==0
&& window
&& window!=tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_WINDOW_UPDATE;
}
/* WINDOW FULL
* If we know the window scaling
* and if this segment contains data and goes all the way to the
* edge of the advertised window
* then we mark it as WINDOW FULL
* SYN/RST/FIN packets are never WINDOW FULL
*/
if( seglen>0
&& tcpd->rev->win_scale!=-1
&& (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale)))
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_WINDOW_FULL;
}
/* KEEP ALIVE ACK
* It is a keepalive ack if it repeats the previous ACK and if
* the last segment in the reverse direction was a keepalive
*/
if( seglen==0
&& window
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (tcpd->rev->lastsegmentflags&TCP_A_KEEP_ALIVE)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_KEEP_ALIVE_ACK;
goto finished_fwd;
}
/* ZERO WINDOW PROBE ACK
* It is a zerowindowprobe ack if it repeats the previous ACK and if
* the last segment in the reverse direction was a zerowindowprobe
* It also repeats the previous zero window indication
*/
if( seglen==0
&& window==0
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (tcpd->rev->lastsegmentflags&TCP_A_ZERO_WINDOW_PROBE)
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE_ACK;
goto finished_fwd;
}
/* DUPLICATE ACK
* It is a duplicate ack if window/seq/ack is the same as the previous
* segment and if the segment length is 0
*/
if( seglen==0
&& window
&& window==tcpd->fwd->window
&& seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
&& ack==tcpd->fwd->tcp_analyze_seq_info->lastack
&& (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
tcpd->fwd->tcp_analyze_seq_info->dupacknum++;
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_DUPLICATE_ACK;
tcpd->ta->dupack_num=tcpd->fwd->tcp_analyze_seq_info->dupacknum;
tcpd->ta->dupack_frame=tcpd->fwd->tcp_analyze_seq_info->lastnondupack;
}
finished_fwd:
/* If the ack number changed we must reset the dupack counters */
if( ack != tcpd->fwd->tcp_analyze_seq_info->lastack ) {
tcpd->fwd->tcp_analyze_seq_info->lastnondupack=pinfo->num;
tcpd->fwd->tcp_analyze_seq_info->dupacknum=0;
}
/* ACKED LOST PACKET
* If this segment acks beyond the 'max seq to be acked' in the other direction
* then that means we have missed packets going in the
* other direction
*
* We only check this if we have actually seen some seq numbers
* in the other direction.
*/
if( tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked
&& GT_SEQ(ack, tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked )
&& (flags&(TH_ACK))!=0 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_ACK_LOST_PACKET;
/* update 'max seq to be acked' in the other direction so we don't get
* this indication again.
*/
tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked=tcpd->rev->tcp_analyze_seq_info->nextseq;
}
/* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
* If the segment contains data (or is a SYN or a FIN) and
* if it does not advance the sequence number, it must be one
* of these three.
* Only test for this if we know what the seq number should be
* (tcpd->fwd->nextseq)
*
* Note that a simple KeepAlive is not a retransmission
*/
if (seglen>0 || flags&(TH_SYN|TH_FIN)) {
gboolean seq_not_advanced = tcpd->fwd->tcp_analyze_seq_info->nextseq
&& (LT_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->nextseq));
guint64 t;
guint64 ooo_thres;
if(tcpd->ta && (tcpd->ta->flags&TCP_A_KEEP_ALIVE) ) {
goto finished_checking_retransmission_type;
}
/* If there were >=2 duplicate ACKs in the reverse direction
* (there might be duplicate acks missing from the trace)
* and if this sequence number matches those ACKs
* and if the packet occurs within 20ms of the last
* duplicate ack
* then this is a fast retransmission
*/
t=(pinfo->abs_ts.secs-tcpd->rev->tcp_analyze_seq_info->lastacktime.secs)*1000000000;
t=t+(pinfo->abs_ts.nsecs)-tcpd->rev->tcp_analyze_seq_info->lastacktime.nsecs;
if( seq_not_advanced
&& tcpd->rev->tcp_analyze_seq_info->dupacknum>=2
&& tcpd->rev->tcp_analyze_seq_info->lastack==seq
&& t<20000000 ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_FAST_RETRANSMISSION;
goto finished_checking_retransmission_type;
}
/* If the segment came relatively close since the segment with the highest
* seen sequence number and it doesn't look like a retransmission
* then it is an OUT-OF-ORDER segment.
*/
t=(pinfo->abs_ts.secs-tcpd->fwd->tcp_analyze_seq_info->nextseqtime.secs)*1000000000;
t=t+(pinfo->abs_ts.nsecs)-tcpd->fwd->tcp_analyze_seq_info->nextseqtime.nsecs;
if (tcpd->ts_first_rtt.nsecs == 0 && tcpd->ts_first_rtt.secs == 0) {
ooo_thres = 3000000;
} else {
ooo_thres = tcpd->ts_first_rtt.nsecs + tcpd->ts_first_rtt.secs*1000000000;
}
if( seq_not_advanced // XXX is this neccessary?
&& t < ooo_thres
&& tcpd->fwd->tcp_analyze_seq_info->nextseq != seq + seglen ) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
goto finished_checking_retransmission_type;
}
/* Check for spurious retransmission. If the current seq + segment length
* is less than or equal to the current lastack, the packet contains
* duplicate data and may be considered spurious.
*/
if ( seglen > 0
&& tcpd->rev->tcp_analyze_seq_info->lastack
&& LE_SEQ(seq + seglen, tcpd->rev->tcp_analyze_seq_info->lastack) ) {
if(!tcpd->ta){
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_SPURIOUS_RETRANSMISSION;
goto finished_checking_retransmission_type;
}
if (seq_not_advanced) {
/* Then it has to be a generic retransmission */
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->flags|=TCP_A_RETRANSMISSION;
nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &tcpd->fwd->tcp_analyze_seq_info->nextseqtime);
tcpd->ta->rto_frame=tcpd->fwd->tcp_analyze_seq_info->nextseqframe;
}
}
finished_checking_retransmission_type:
nextseq = seq+seglen;
if ((seglen || flags&(TH_SYN|TH_FIN)) && tcpd->fwd->tcp_analyze_seq_info->segment_count < TCP_MAX_UNACKED_SEGMENTS) {
/* Add this new sequence number to the fwd list. But only if there
* aren't "too many" unacked segments (e.g., we're not seeing the ACKs).
*/
ual = wmem_new(wmem_file_scope(), tcp_unacked_t);
ual->next=tcpd->fwd->tcp_analyze_seq_info->segments;
tcpd->fwd->tcp_analyze_seq_info->segments=ual;
tcpd->fwd->tcp_analyze_seq_info->segment_count++;
ual->frame=pinfo->num;
ual->seq=seq;
ual->ts=pinfo->abs_ts;
/* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
if( (flags&(TH_SYN|TH_FIN)) ) {
nextseq+=1;
}
ual->nextseq=nextseq;
}
/* Store the highest number seen so far for nextseq so we can detect
* when we receive segments that arrive with a "hole"
* If we don't have anything since before, just store what we got.
* ZeroWindowProbes are special and don't really advance the nextseq
*/
if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ) {
tcpd->fwd->tcp_analyze_seq_info->nextseq=nextseq;
tcpd->fwd->tcp_analyze_seq_info->nextseqframe=pinfo->num;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.secs=pinfo->abs_ts.secs;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.nsecs=pinfo->abs_ts.nsecs;
}
}
/* Store the highest continuous seq number seen so far for 'max seq to be acked',
so we can detect TCP_A_ACK_LOST_PACKET condition
*/
if(EQ_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) || !tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) {
if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ) {
tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked=tcpd->fwd->tcp_analyze_seq_info->nextseq;
}
}
/* remember what the ack/window is so we can track window updates and retransmissions */
tcpd->fwd->window=window;
tcpd->fwd->tcp_analyze_seq_info->lastack=ack;
tcpd->fwd->tcp_analyze_seq_info->lastacktime.secs=pinfo->abs_ts.secs;
tcpd->fwd->tcp_analyze_seq_info->lastacktime.nsecs=pinfo->abs_ts.nsecs;
/* if there were any flags set for this segment we need to remember them
* we only remember the flags for the very last segment though.
*/
if(tcpd->ta) {
tcpd->fwd->lastsegmentflags=tcpd->ta->flags;
} else {
tcpd->fwd->lastsegmentflags=0;
}
/* remove all segments this ACKs and we don't need to keep around any more
*/
ackcount=0;
prevual = NULL;
ual = tcpd->rev->tcp_analyze_seq_info->segments;
while(ual) {
tcp_unacked_t *tmpual;
/* If this ack matches the segment, process accordingly */
if(ack==ual->nextseq) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
tcpd->ta->frame_acked=ual->frame;
nstime_delta(&tcpd->ta->ts, &pinfo->abs_ts, &ual->ts);
}
/* If this acknowledges part of the segment, adjust the segment info for the acked part */
else if (GT_SEQ(ack, ual->seq) && LE_SEQ(ack, ual->nextseq)) {
ual->seq = ack;
continue;
}
/* If this acknowledges a segment prior to this one, leave this segment alone and move on */
else if (GT_SEQ(ual->nextseq,ack)) {
prevual = ual;
ual = ual->next;
continue;
}
/* This segment is old, or an exact match. Delete the segment from the list */
ackcount++;
tmpual=ual->next;
if (tcpd->rev->scps_capable) {
/* Track largest segment successfully sent for SNACK analysis*/
if ((ual->nextseq - ual->seq) > tcpd->fwd->maxsizeacked) {
tcpd->fwd->maxsizeacked = (ual->nextseq - ual->seq);
}
}
if (!prevual) {
tcpd->rev->tcp_analyze_seq_info->segments = tmpual;
}
else{
prevual->next = tmpual;
}
wmem_free(wmem_file_scope(), ual);
ual = tmpual;
tcpd->rev->tcp_analyze_seq_info->segment_count--;
}
/* how many bytes of data are there in flight after this frame
* was sent
*/
ual=tcpd->fwd->tcp_analyze_seq_info->segments;
if (tcp_track_bytes_in_flight && seglen!=0 && ual && tcpd->fwd->valid_bif) {
guint32 first_seq, last_seq, in_flight;
first_seq = ual->seq - tcpd->fwd->base_seq;
last_seq = ual->nextseq - tcpd->fwd->base_seq;
while (ual) {
if ((ual->nextseq-tcpd->fwd->base_seq)>last_seq) {
last_seq = ual->nextseq-tcpd->fwd->base_seq;
}
if ((ual->seq-tcpd->fwd->base_seq)<first_seq) {
first_seq = ual->seq-tcpd->fwd->base_seq;
}
ual = ual->next;
}
in_flight = last_seq-first_seq;
if (in_flight>0 && in_flight<2000000000) {
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->bytes_in_flight = in_flight;
}
if((flags & TH_PUSH) && !tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent += seglen;
tcpd->fwd->push_set_last = TRUE;
} else if ((flags & TH_PUSH) && tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent = seglen;
tcpd->fwd->push_set_last = TRUE;
} else if (tcpd->fwd->push_set_last) {
tcpd->fwd->push_bytes_sent = seglen;
tcpd->fwd->push_set_last = FALSE;
} else {
tcpd->fwd->push_bytes_sent += seglen;
}
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->fd->num, seq, ack, TRUE, tcpd);
}
tcpd->ta->push_bytes_sent = tcpd->fwd->push_bytes_sent;
}
}
/*
* Prints results of the sequence number analysis concerning tcp segments
* retransmitted or out-of-order
*/
static void
tcp_sequence_number_analysis_print_retransmission(packet_info * pinfo,
tvbuff_t * tvb,
proto_tree * flags_tree, proto_item * flags_item,
struct tcp_acked *ta
)
{
/* TCP Retransmission */
if (ta->flags & TCP_A_RETRANSMISSION) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Retransmission] ");
if (ta->rto_ts.secs || ta->rto_ts.nsecs) {
flags_item = proto_tree_add_time(flags_tree, hf_tcp_analysis_rto,
tvb, 0, 0, &ta->rto_ts);
PROTO_ITEM_SET_GENERATED(flags_item);
flags_item=proto_tree_add_uint(flags_tree, hf_tcp_analysis_rto_frame,
tvb, 0, 0, ta->rto_frame);
PROTO_ITEM_SET_GENERATED(flags_item);
}
}
/* TCP Fast Retransmission */
if (ta->flags & TCP_A_FAST_RETRANSMISSION) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_fast_retransmission);
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP Fast Retransmission] ");
}
/* TCP Spurious Retransmission */
if (ta->flags & TCP_A_SPURIOUS_RETRANSMISSION) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_spurious_retransmission);
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_retransmission);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP Spurious Retransmission] ");
}
/* TCP Out-Of-Order */
if (ta->flags & TCP_A_OUT_OF_ORDER) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_out_of_order);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Out-Of-Order] ");
}
}
/* Prints results of the sequence number analysis concerning reused ports */
static void
tcp_sequence_number_analysis_print_reused(packet_info * pinfo,
proto_item * flags_item,
struct tcp_acked *ta
)
{
/* TCP Ports Reused */
if (ta->flags & TCP_A_REUSED_PORTS) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_reused_ports);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP Port numbers reused] ");
}
}
/* Prints results of the sequence number analysis concerning lost tcp segments */
static void
tcp_sequence_number_analysis_print_lost(packet_info * pinfo,
proto_item * flags_item,
struct tcp_acked *ta
)
{
/* TCP Lost Segment */
if (ta->flags & TCP_A_LOST_PACKET) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_lost_packet);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP Previous segment not captured] ");
}
/* TCP Ack lost segment */
if (ta->flags & TCP_A_ACK_LOST_PACKET) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_ack_lost_packet);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP ACKed unseen segment] ");
}
}
/* Prints results of the sequence number analysis concerning tcp window */
static void
tcp_sequence_number_analysis_print_window(packet_info * pinfo,
proto_item * flags_item,
struct tcp_acked *ta
)
{
/* TCP Window Update */
if (ta->flags & TCP_A_WINDOW_UPDATE) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_window_update);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Update] ");
}
/* TCP Full Window */
if (ta->flags & TCP_A_WINDOW_FULL) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_window_full);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Window Full] ");
}
}
/* Prints results of the sequence number analysis concerning tcp keepalive */
static void
tcp_sequence_number_analysis_print_keepalive(packet_info * pinfo,
proto_item * flags_item,
struct tcp_acked *ta
)
{
/*TCP Keep Alive */
if (ta->flags & TCP_A_KEEP_ALIVE) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_keep_alive);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive] ");
}
/* TCP Ack Keep Alive */
if (ta->flags & TCP_A_KEEP_ALIVE_ACK) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_keep_alive_ack);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP Keep-Alive ACK] ");
}
}
/* Prints results of the sequence number analysis concerning tcp duplicate ack */
static void
tcp_sequence_number_analysis_print_duplicate(packet_info * pinfo,
tvbuff_t * tvb,
proto_tree * flags_tree,
struct tcp_acked *ta,
proto_tree * tree
)
{
proto_item * flags_item;
/* TCP Duplicate ACK */
if (ta->dupack_num) {
if (ta->flags & TCP_A_DUPLICATE_ACK ) {
flags_item=proto_tree_add_none_format(flags_tree,
hf_tcp_analysis_duplicate_ack,
tvb, 0, 0,
"This is a TCP duplicate ack"
);
PROTO_ITEM_SET_GENERATED(flags_item);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP Dup ACK %u#%u] ",
ta->dupack_frame,
ta->dupack_num
);
}
flags_item=proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_num,
tvb, 0, 0, ta->dupack_num);
PROTO_ITEM_SET_GENERATED(flags_item);
flags_item=proto_tree_add_uint(tree, hf_tcp_analysis_duplicate_ack_frame,
tvb, 0, 0, ta->dupack_frame);
PROTO_ITEM_SET_GENERATED(flags_item);
expert_add_info_format(pinfo, flags_item, &ei_tcp_analysis_duplicate_ack, "Duplicate ACK (#%u)", ta->dupack_num);
}
}
/* Prints results of the sequence number analysis concerning tcp zero window */
static void
tcp_sequence_number_analysis_print_zero_window(packet_info * pinfo,
proto_item * flags_item,
struct tcp_acked *ta
)
{
/* TCP Zero Window Probe */
if (ta->flags & TCP_A_ZERO_WINDOW_PROBE) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window_probe);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindowProbe] ");
}
/* TCP Zero Window */
if (ta->flags&TCP_A_ZERO_WINDOW) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[TCP ZeroWindow] ");
}
/* TCP Zero Window Probe Ack */
if (ta->flags & TCP_A_ZERO_WINDOW_PROBE_ACK) {
expert_add_info(pinfo, flags_item, &ei_tcp_analysis_zero_window_probe_ack);
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO,
"[TCP ZeroWindowProbeAck] ");
}
}
/* Prints results of the sequence number analysis concerning how many bytes of data are in flight */
static void
tcp_sequence_number_analysis_print_bytes_in_flight(packet_info * pinfo _U_,
tvbuff_t * tvb,
proto_tree * flags_tree,
struct tcp_acked *ta
)
{
proto_item * flags_item;
if (tcp_track_bytes_in_flight) {
flags_item=proto_tree_add_uint(flags_tree,
hf_tcp_analysis_bytes_in_flight,
tvb, 0, 0, ta->bytes_in_flight);
PROTO_ITEM_SET_GENERATED(flags_item);
}
}
/* Generate the initial data sequence number and MPTCP connection token from the key. */
static void
mptcp_cryptodata_sha1(const guint64 key, guint32 *token, guint64 *idsn)
{
guint8 digest_buf[HASH_SHA1_LENGTH];
guint64 pseudokey = GUINT64_TO_BE(key);
guint32 _token;
guint64 _isdn;
gcry_md_hash_buffer(GCRY_MD_SHA1, digest_buf, (const guint8 *)&pseudokey, 8);
/* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
memcpy(&_token, digest_buf, sizeof(_token));
*token = GUINT32_FROM_BE(_token);
memcpy(&_isdn, digest_buf + HASH_SHA1_LENGTH - sizeof(_isdn), sizeof(_isdn));
*idsn = GUINT64_FROM_BE(_isdn);
}
/* Print formatted list of tcp stream ids that are part of the connection */
static void
mptcp_analysis_add_subflows(packet_info *pinfo _U_, tvbuff_t *tvb,
proto_tree *parent_tree, struct mptcp_analysis* mptcpd)
{
wmem_list_frame_t *it;
proto_tree *tree;
proto_item *item;
item=proto_tree_add_item(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, ENC_NA);
PROTO_ITEM_SET_GENERATED(item);
tree=proto_item_add_subtree(item, ett_mptcp_analysis_subflows);
/* for the analysis, we set each subflow tcp stream id */
for(it = wmem_list_head(mptcpd->subflows); it != NULL; it = wmem_list_frame_next(it)) {
struct tcp_analysis *sf = (struct tcp_analysis *)wmem_list_frame_data(it);
proto_item *subflow_item;
subflow_item=proto_tree_add_uint(tree, hf_mptcp_analysis_subflows_stream_id, tvb, 0, 0, sf->stream);
PROTO_ITEM_SET_HIDDEN(subflow_item);
proto_item_append_text(item, " %d", sf->stream);
}
PROTO_ITEM_SET_GENERATED(item);
}
/* Compute raw dsn if relative tcp seq covered by DSS mapping */
static gboolean
mptcp_map_relssn_to_rawdsn(mptcp_dss_mapping_t *mapping, guint32 relssn, guint64 *dsn)
{
if( (relssn < mapping->ssn_low) || (relssn > mapping->ssn_high)) {
return FALSE;
}
*dsn = mapping->rawdsn + (relssn - mapping->ssn_low);
return TRUE;
}
/* Add duplicated data */
static mptcp_dsn2packet_mapping_t *
mptcp_add_duplicated_dsn(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, struct mptcp_subflow *subflow,
guint64 rawdsn64low, guint64 rawdsn64high
)
{
wmem_list_t *results = NULL;
wmem_list_frame_t *packet_it = NULL;
mptcp_dsn2packet_mapping_t *packet = NULL;
proto_item *item = NULL;
results = wmem_itree_find_intervals(subflow->dsn2packet_map,
wmem_packet_scope(),
rawdsn64low,
rawdsn64high
);
for(packet_it = wmem_list_head(results);
packet_it != NULL;
packet_it = wmem_list_frame_next(packet_it))
{
packet = (mptcp_dsn2packet_mapping_t *) wmem_list_frame_data(packet_it);
DISSECTOR_ASSERT(packet);
if(pinfo->num > packet->frame) {
item = proto_tree_add_uint(tree, hf_mptcp_reinjection_of, tvb, 0, 0, packet->frame);
}
else {
item = proto_tree_add_uint(tree, hf_mptcp_reinjected_in, tvb, 0, 0, packet->frame);
}
PROTO_ITEM_SET_GENERATED(item);
}
return packet;
}
/* Lookup mappings that describe the packet and then converts the tcp seq number
* into the MPTCP Data Sequence Number (DSN)
*/
static void
mptcp_analysis_dsn_lookup(packet_info *pinfo , tvbuff_t *tvb,
proto_tree *parent_tree, struct tcp_analysis* tcpd, struct tcpheader * tcph, mptcp_per_packet_data_t *mptcppd)
{
struct mptcp_analysis* mptcpd = tcpd->mptcp_analysis;
proto_item *item = NULL;
mptcp_dss_mapping_t *mapping = NULL;
guint32 relseq;
guint64 rawdsn = 0;
enum mptcp_dsn_conversion convert;
if(!mptcp_analyze_mappings)
{
/* abort analysis */
return;
}
/* for this to work, we need to know the original seq number from the SYN, not from a subsequent packet
* hence, we abort if we didn't capture the SYN
*/
if(!(tcpd->fwd->static_flags & ~TCP_S_BASE_SEQ_SET & (TCP_S_SAW_SYN | TCP_S_SAW_SYNACK))) {
return;
}
/* if seq not relative yet, we compute it */
relseq = (tcp_relative_seq) ? tcph->th_seq : tcph->th_seq - tcpd->fwd->base_seq;
DISSECTOR_ASSERT(mptcpd);
DISSECTOR_ASSERT(mptcppd);
/* in case of a SYN, there is no mapping covering the DSN */
if(tcph->th_flags & TH_SYN) {
rawdsn = tcpd->fwd->mptcp_subflow->meta->base_dsn;
convert = DSN_CONV_NONE;
}
/* if it's a non-syn packet without data (just used to convey TCP options)
* then there would be no mappings */
else if(relseq == 1 && tcph->th_seglen == 0) {
rawdsn = tcpd->fwd->mptcp_subflow->meta->base_dsn + 1;
convert = DSN_CONV_NONE;
}
else {
wmem_list_frame_t *dss_it = NULL;
wmem_list_t *results = NULL;
guint32 ssn_low = relseq;
guint32 seglen = tcph->th_seglen;
results = wmem_itree_find_intervals(tcpd->fwd->mptcp_subflow->ssn2dsn_mappings,
wmem_packet_scope(),
ssn_low,
(seglen) ? ssn_low + seglen - 1 : ssn_low
);
dss_it = wmem_list_head(results); /* assume it's always ok */
if(dss_it) {
mapping = (mptcp_dss_mapping_t *) wmem_list_frame_data(dss_it);
}
if(dss_it == NULL || mapping == NULL) {
expert_add_info(pinfo, parent_tree, &ei_mptcp_mapping_missing);
return;
}
else {
mptcppd->mapping = mapping;
}
DISSECTOR_ASSERT(mapping);
if(seglen) {
/* Finds mappings that cover the sent data and adds them to the dissection tree */
for(dss_it = wmem_list_head(results);
dss_it != NULL;
dss_it = wmem_list_frame_next(dss_it))
{
mapping = (mptcp_dss_mapping_t *) wmem_list_frame_data(dss_it);
DISSECTOR_ASSERT(mapping);
item = proto_tree_add_uint(parent_tree, hf_mptcp_related_mapping, tvb, 0, 0, mapping->frame);
PROTO_ITEM_SET_GENERATED(item);
}
}
convert = (mapping->extended_dsn) ? DSN_CONV_NONE : DSN_CONV_32_TO_64;
DISSECTOR_ASSERT(mptcp_map_relssn_to_rawdsn(mapping, relseq, &rawdsn));
}
/* Make sure we have the 64bit raw DSN */
if(mptcp_convert_dsn(rawdsn, tcpd->fwd->mptcp_subflow->meta,
convert, FALSE, &tcph->th_mptcp->mh_rawdsn64)) {
/* always display the rawdsn64 (helpful for debug) */
item = proto_tree_add_uint64(parent_tree, hf_mptcp_rawdsn64, tvb, 0, 0, tcph->th_mptcp->mh_rawdsn64);
/* converts to relative if required */
if (mptcp_relative_seq
&& mptcp_convert_dsn(tcph->th_mptcp->mh_rawdsn64, tcpd->fwd->mptcp_subflow->meta, DSN_CONV_NONE, TRUE, &tcph->th_mptcp->mh_dsn)) {
item = proto_tree_add_uint64(parent_tree, hf_mptcp_dsn, tvb, 0, 0, tcph->th_mptcp->mh_dsn);
proto_item_append_text(item, " (Relative)");
}
/* register dsn->packet mapping */
if(mptcp_intersubflows_retransmission
&& !PINFO_FD_VISITED(pinfo)
&& tcph->th_seglen > 0
) {
mptcp_dsn2packet_mapping_t *packet = 0;
packet = wmem_new0(wmem_file_scope(), mptcp_dsn2packet_mapping_t);
packet->frame = pinfo->fd->num;
packet->subflow = tcpd;
wmem_itree_insert(tcpd->fwd->mptcp_subflow->dsn2packet_map,
tcph->th_mptcp->mh_rawdsn64,
tcph->th_mptcp->mh_rawdsn64 + (tcph->th_seglen - 1 ),
packet
);
}
PROTO_ITEM_SET_GENERATED(item);
/* We can do this only if rawdsn64 is valid !
if enabled, look for overlapping mappings on other subflows */
if(mptcp_intersubflows_retransmission
&& tcph->th_have_seglen
&& tcph->th_seglen) {
wmem_list_frame_t *subflow_it = NULL;
/* results should be some kind of list in case 2 DSS are needed to cover this packet */
for(subflow_it = wmem_list_head(mptcpd->subflows); subflow_it != NULL; subflow_it = wmem_list_frame_next(subflow_it)) {
struct tcp_analysis *sf_tcpd = (struct tcp_analysis *)wmem_list_frame_data(subflow_it);
struct mptcp_subflow *sf = mptcp_select_subflow_from_meta(sf_tcpd, tcpd->fwd->mptcp_subflow->meta);
/* for current subflow */
if (sf == tcpd->fwd->mptcp_subflow) {
/* skip, this is the current subflow */
}
/* in case there were retransmissions on other subflows */
else {
mptcp_add_duplicated_dsn(pinfo, parent_tree, tvb, sf,
tcph->th_mptcp->mh_rawdsn64,
tcph->th_mptcp->mh_rawdsn64 + tcph->th_seglen-1);
}
}
}
}
else {
/* could not get the rawdsn64, ignore and continue */
}
}
/* Print subflow list */
static void
mptcp_add_analysis_subtree(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree,
struct tcp_analysis *tcpd, struct mptcp_analysis *mptcpd, struct tcpheader * tcph)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
mptcp_per_packet_data_t *mptcppd = NULL;
if(mptcpd == NULL) {
return;
}
item=proto_tree_add_item(parent_tree, hf_mptcp_analysis, tvb, 0, 0, ENC_NA);
PROTO_ITEM_SET_GENERATED(item);
tree=proto_item_add_subtree(item, ett_mptcp_analysis);
PROTO_ITEM_SET_GENERATED(tree);
/* set field with mptcp stream */
if(mptcpd->master) {
item = proto_tree_add_boolean_format_value(tree, hf_mptcp_analysis_master, tvb, 0,
0, (mptcpd->master->stream == tcpd->stream) ? TRUE : FALSE
, "Master is tcp stream %u", mptcpd->master->stream
);
}
else {
item = proto_tree_add_boolean(tree, hf_mptcp_analysis_master, tvb, 0,
0, FALSE);
}
PROTO_ITEM_SET_GENERATED(item);
item = proto_tree_add_uint(tree, hf_mptcp_stream, tvb, 0, 0, mptcpd->stream);
PROTO_ITEM_SET_GENERATED(item);
/* retrieve saved analysis of packets, else create it */
mptcppd = (mptcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num);
if(!mptcppd) {
mptcppd = (mptcp_per_packet_data_t *)wmem_new0(wmem_file_scope(), mptcp_per_packet_data_t);
p_add_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num, mptcppd);
}
/* Print formatted list of tcp stream ids that are part of the connection */
mptcp_analysis_add_subflows(pinfo, tvb, tree, mptcpd);
/* Converts TCP seq number into its MPTCP DSN */
mptcp_analysis_dsn_lookup(pinfo, tvb, tree, tcpd, tcph, mptcppd);
}
static void
tcp_sequence_number_analysis_print_push_bytes_sent(packet_info * pinfo _U_,
tvbuff_t * tvb,
proto_tree * flags_tree,
struct tcp_acked *ta
)
{
proto_item * flags_item;
if (tcp_track_bytes_in_flight) {
flags_item=proto_tree_add_uint(flags_tree,
hf_tcp_analysis_push_bytes_sent,
tvb, 0, 0, ta->push_bytes_sent);
PROTO_ITEM_SET_GENERATED(flags_item);
}
}
static void
tcp_print_sequence_number_analysis(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree,
struct tcp_analysis *tcpd, guint32 seq, guint32 ack)
{
struct tcp_acked *ta = NULL;
proto_item *item;
proto_tree *tree;
proto_tree *flags_tree=NULL;
if (!tcpd) {
return;
}
if(!tcpd->ta) {
tcp_analyze_get_acked_struct(pinfo->num, seq, ack, FALSE, tcpd);
}
ta=tcpd->ta;
if(!ta) {
return;
}
item=proto_tree_add_item(parent_tree, hf_tcp_analysis, tvb, 0, 0, ENC_NA);
PROTO_ITEM_SET_GENERATED(item);
tree=proto_item_add_subtree(item, ett_tcp_analysis);
/* encapsulate all proto_tree_add_xxx in ifs so we only print what
data we actually have */
if(ta->frame_acked) {
item = proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
tvb, 0, 0, ta->frame_acked);
PROTO_ITEM_SET_GENERATED(item);
/* only display RTT if we actually have something we are acking */
if( ta->ts.secs || ta->ts.nsecs ) {
item = proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
tvb, 0, 0, &ta->ts);
PROTO_ITEM_SET_GENERATED(item);
}
}
if (!nstime_is_zero(&tcpd->ts_first_rtt)) {
item = proto_tree_add_time(tree, hf_tcp_analysis_first_rtt,
tvb, 0, 0, &(tcpd->ts_first_rtt));
PROTO_ITEM_SET_GENERATED(item);
}
if(ta->bytes_in_flight) {
/* print results for amount of data in flight */
tcp_sequence_number_analysis_print_bytes_in_flight(pinfo, tvb, tree, ta);
tcp_sequence_number_analysis_print_push_bytes_sent(pinfo, tvb, tree, ta);
}
if(ta->flags) {
item = proto_tree_add_item(tree, hf_tcp_analysis_flags, tvb, 0, 0, ENC_NA);
PROTO_ITEM_SET_GENERATED(item);
flags_tree=proto_item_add_subtree(item, ett_tcp_analysis);
/* print results for reused tcp ports */
tcp_sequence_number_analysis_print_reused(pinfo, item, ta);
/* print results for retransmission and out-of-order segments */
tcp_sequence_number_analysis_print_retransmission(pinfo, tvb, flags_tree, item, ta);
/* print results for lost tcp segments */
tcp_sequence_number_analysis_print_lost(pinfo, item, ta);
/* print results for tcp window information */
tcp_sequence_number_analysis_print_window(pinfo, item, ta);
/* print results for tcp keep alive information */
tcp_sequence_number_analysis_print_keepalive(pinfo, item, ta);
/* print results for tcp duplicate acks */
tcp_sequence_number_analysis_print_duplicate(pinfo, tvb, flags_tree, ta, tree);
/* print results for tcp zero window */
tcp_sequence_number_analysis_print_zero_window(pinfo, item, ta);
}
}
static void
print_tcp_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tcp_tree, packet_info *pinfo, tvbuff_t *next_tvb)
{
proto_item *tcp_tree_item, *frag_tree_item;
/*
* The subdissector thought it was completely
* desegmented (although the stuff at the
* end may, in turn, require desegmentation),
* so we show a tree with all segments.
*/
show_fragment_tree(ipfd_head, &tcp_segment_items,
tree, pinfo, next_tvb, &frag_tree_item);
/*
* The toplevel fragment subtree is now
* behind all desegmented data; move it
* right behind the TCP tree.
*/
tcp_tree_item = proto_tree_get_parent(tcp_tree);
if(frag_tree_item && tcp_tree_item) {
proto_tree_move_item(tree, tcp_tree_item, frag_tree_item);
}
}
/* **************************************************************************
* End of tcp sequence number analysis
* **************************************************************************/
/* Minimum TCP header length. */
#define TCPH_MIN_LEN 20
/* Desegmentation of TCP streams */
static reassembly_table tcp_reassembly_table;
/* functions to trace tcp segments */
/* Enable desegmenting of TCP streams */
static gboolean tcp_desegment = TRUE;
/* Enable buffering of out-of-order TCP segments before passing it to a
* subdissector (depends on "tcp_desegment"). */
static gboolean tcp_reassemble_out_of_order = FALSE;
/* Returns true iff any gap exists in the segments associated with msp up to the
* given sequence number (it ignores any gaps after the sequence number). */
static gboolean
missing_segments(packet_info *pinfo, struct tcp_multisegment_pdu *msp, guint32 seq)
{
fragment_head *fd_head;
guint32 frag_offset = seq - msp->seq;
if ((gint32)frag_offset <= 0) {
return FALSE;
}
fd_head = fragment_get(&tcp_reassembly_table, pinfo, msp->first_frame, NULL);
/* msp implies existence of fragments, this should never be NULL. */
DISSECTOR_ASSERT(fd_head);
/* Find length of contiguous fragments. */
guint32 max = 0;
for (fragment_item *frag = fd_head; frag; frag = frag->next) {
guint32 frag_end = frag->offset + frag->len;
if (frag->offset <= max && max < frag_end) {
max = frag_end;
}
}
return max < frag_offset;
}
static void
desegment_tcp(tvbuff_t *tvb, packet_info *pinfo, int offset,
guint32 seq, guint32 nxtseq,
guint32 sport, guint32 dport,
proto_tree *tree, proto_tree *tcp_tree,
struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo)
{
fragment_head *ipfd_head;
int last_fragment_len;
gboolean must_desegment;
gboolean called_dissector;
int another_pdu_follows;
int deseg_offset;
guint32 deseg_seq;
gint nbytes;
proto_item *item;
struct tcp_multisegment_pdu *msp;
gboolean cleared_writable = col_get_writable(pinfo->cinfo, COL_PROTOCOL);
const gboolean reassemble_ooo = tcp_desegment && tcp_reassemble_out_of_order;
again:
ipfd_head = NULL;
last_fragment_len = 0;
must_desegment = FALSE;
called_dissector = FALSE;
another_pdu_follows = 0;
msp = NULL;
/*
* Initialize these to assume no desegmentation.
* If that's not the case, these will be set appropriately
* by the subdissector.
*/
pinfo->desegment_offset = 0;
pinfo->desegment_len = 0;
/*
* Initialize this to assume that this segment will just be
* added to the middle of a desegmented chunk of data, so
* that we should show it all as data.
* If that's not the case, it will be set appropriately.
*/
deseg_offset = offset;
if (tcpd) {
/* Have we seen this PDU before (and is it the start of a multi-
* segment PDU)?
* Only shortcircuit here when the first segment of the MSP is known,
* and when this this first segment is not one to complete the MSP.
*/
if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, seq)) &&
!(msp->flags & MSP_FLAGS_MISSING_FIRST_SEGMENT) && msp->last_frame != pinfo->num) {
const char* str;
/* Yes. This could be because we've dissected this frame before
* or because this is a retransmission of a previously-seen
* segment. Either way, we don't need to hand it off to the
* subdissector and we certainly don't want to re-add it to the
* multisegment_pdus list: if we did, subsequent lookups would
* find this retransmission instead of the original transmission
* (breaking desegmentation if we'd already linked other segments
* to the original transmission's entry).
*/
if (msp->first_frame == pinfo->num) {
str = "";
col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "[TCP segment of a reassembled PDU]");
} else {
str = "Retransmitted ";
/* TCP analysis already flags this (in COL_INFO) as a retransmission--if it's enabled */
}
/* Fix for bug 3264: look up ipfd for this (first) segment,
so can add tcp.reassembled_in generated field on this code path. */
ipfd_head = fragment_get(&tcp_reassembly_table, pinfo, pinfo->num, NULL);
if (ipfd_head) {
if (ipfd_head->reassembled_in != 0) {
item = proto_tree_add_uint(tcp_tree, hf_tcp_reassembled_in, tvb, 0,
0, ipfd_head->reassembled_in);
PROTO_ITEM_SET_GENERATED(item);
}
}
nbytes = tvb_reported_length_remaining(tvb, offset);
proto_tree_add_bytes_format(tcp_tree, hf_tcp_segment_data, tvb, offset,
nbytes, NULL, "%sTCP segment data (%u byte%s)", str, nbytes,
plurality(nbytes, "", "s"));
return;
}
/* The above code only finds retransmission if the PDU boundaries and the seq coincide I think
* If we have sequence analysis active use the TCP_A_RETRANSMISSION flag.
* XXXX Could the above code be improved?
* XXX the following check works great for filtering duplicate
* retransmissions, but could there be a case where it prevents
* "tcp_reassemble_out_of_order" from functioning due to skipping
* retransmission of a lost segment?
* If the latter is enabled, it could use use "maxnextseq" for ignoring
* retransmitted single-segment PDUs (that would require storing
* per-packet state (tcp_per_packet_data_t) to make it work for two-pass
* and random access dissection). Retransmitted segments that are part
* of a MSP should already be passed only once to subdissectors due to
* the "reassembled_in" check below.
* The following should also check for TCP_A_SPURIOUS_RETRANSMISSION to
* address bug 10289.
*/
if((tcpd->ta) && ((tcpd->ta->flags&TCP_A_RETRANSMISSION) == TCP_A_RETRANSMISSION)){
const char* str = "Retransmitted ";
nbytes = tvb_reported_length_remaining(tvb, offset);
proto_tree_add_bytes_format(tcp_tree, hf_tcp_segment_data, tvb, offset,
nbytes, NULL, "%sTCP segment data (%u byte%s)", str, nbytes,
plurality(nbytes, "", "s"));
return;
}
/* Else, find the most previous PDU starting before this sequence number */
if (!msp) {
msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
}
}
if (reassemble_ooo && tcpd && !PINFO_FD_VISITED(pinfo)) {
/* If there is a gap between this segment and any previous ones (that
* is, seqno is larger than the maximum expected seqno), then it is
* possibly an out-of-order segment. The very first segment is expected
* to be in-order though (otherwise captures starting in midst of a
* connection would never be reassembled).
*/
if (tcpd->fwd->maxnextseq) {
/* Segments may be missing due to packet loss (assume later
* retransmission) or out-of-order (assume it will appear later).
*
* Extend an unfinished MSP when (1) missing segments exist between
* the start of the previous, (2) unfinished MSP and new segment.
*
* Create a new MSP when no (1) previous MSP exists and (2) a gap is
* detected between the previous largest nxtseq and the new segment.
*/
/* Whether a previous MSP exists with missing segments. */
gboolean has_unfinished_msp = msp && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS);
/* Whether the new segment creates a new gap. */
gboolean has_gap = LT_SEQ(tcpd->fwd->maxnextseq, seq);
if (has_unfinished_msp && missing_segments(pinfo, msp, seq)) {
/* The last PDU is part of a MSP which still needed more data,
* extend it (if necessary) to cover the entire new segment.
*/
if (LT_SEQ(msp->nxtpdu, nxtseq)) {
msp->nxtpdu = nxtseq;
}
} else if (!has_unfinished_msp && has_gap) {
/* Either the previous segment was a single PDU that did not
* belong to a MSP, or the previous MSP was completed and cannot
* be extended.
* Create a new one starting at the expected next position and
* extend it to the end of the new segment.
*/
msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
tcpd->fwd->maxnextseq, nxtseq,
tcpd->fwd->multisegment_pdus);
msp->flags |= MSP_FLAGS_MISSING_FIRST_SEGMENT;
}
/* Now that the MSP is updated or created, continue adding the
* segments to the MSP below. The subdissector will not be called as
* the MSP is not complete yet. */
}
if (tcpd->fwd->maxnextseq == 0 || LT_SEQ(tcpd->fwd->maxnextseq, nxtseq)) {
/* Update the maximum expected seqno if no SYN packet was seen
* before, or if the new segment succeeds previous segments. */
tcpd->fwd->maxnextseq = nxtseq;
}
}
if (msp && msp->seq <= seq && msp->nxtpdu > seq) {
int len;
if (!PINFO_FD_VISITED(pinfo)) {
msp->last_frame=pinfo->num;
msp->last_frame_time=pinfo->abs_ts;
}
/* OK, this PDU was found, which means the segment continues
* a higher-level PDU and that we must desegment it.
*/
if (msp->flags&MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
/* The dissector asked for the entire segment */
len = tvb_captured_length_remaining(tvb, offset);
} else {
len = MIN(nxtseq, msp->nxtpdu) - seq;
}
last_fragment_len = len;
if (reassemble_ooo) {
/*
* If the previous segment requested more data (setting
* FD_PARTIAL_REASSEMBLY as the next segment length is unknown), but
* subsequently an OoO segment was received (for an earlier hole),
* then "fragment_add" would truncate the reassembled PDU to the end
* of this OoO segment. To prevent that, explicitly specify the MSP
* length before calling "fragment_add".
*/
fragment_reset_tot_len(&tcp_reassembly_table, pinfo,
msp->first_frame, NULL,
MAX(seq + len, msp->nxtpdu) - msp->seq);
}
ipfd_head = fragment_add(&tcp_reassembly_table, tvb, offset,
pinfo, msp->first_frame, NULL,
seq - msp->seq, len,
(LT_SEQ (nxtseq,msp->nxtpdu)) );
if (!PINFO_FD_VISITED(pinfo)
&& msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
msp->flags &= (~MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT);
/* If we consumed the entire segment there is no
* other pdu starting anywhere inside this segment.
* So update nxtpdu to point at least to the start
* of the next segment.
* (If the subdissector asks for even more data we
* will advance nxtpdu even further later down in
* the code.)
*/
msp->nxtpdu = nxtseq;
}
if (reassemble_ooo && !PINFO_FD_VISITED(pinfo)) {
/* If the first segment of the MSP was seen, remember it. */
if (msp->seq == seq) {
msp->flags &= ~MSP_FLAGS_MISSING_FIRST_SEGMENT;
}
/* Remember when all segments are ready to avoid subsequent
* out-of-order packets from extending this MSP. If a subsdissector
* needs more segments, the flag will be cleared below. */
if (ipfd_head) {
msp->flags |= MSP_FLAGS_GOT_ALL_SEGMENTS;
}
}
if( (msp->nxtpdu < nxtseq)
&& (msp->nxtpdu >= seq)
&& (len > 0)) {
another_pdu_follows=msp->nxtpdu - seq;
}
} else {
/* This segment was not found in our table, so it doesn't
* contain a continuation of a higher-level PDU.
* Call the normal subdissector.
*/
/*
* Supply the sequence number of this segment. We set this here
* because this segment could be after another in the same packet,
* in which case seq was incremented at the end of the loop.
*/
tcpinfo->seq = seq;
process_tcp_payload(tvb, offset, pinfo, tree, tcp_tree,
sport, dport, 0, 0, FALSE, tcpd, tcpinfo);
called_dissector = TRUE;
/* Did the subdissector ask us to desegment some more data
* before it could handle the packet?
* If so we have to create some structures in our table but
* this is something we only do the first time we see this
* packet.
*/
if(pinfo->desegment_len) {
if (!PINFO_FD_VISITED(pinfo))
must_desegment = TRUE;
/*
* Set "deseg_offset" to the offset in "tvb"
* of the first byte of data that the
* subdissector didn't process.
*/
deseg_offset = offset + pinfo->desegment_offset;
}
/* Either no desegmentation is necessary, or this is
* segment contains the beginning but not the end of
* a higher-level PDU and thus isn't completely
* desegmented.
*/
ipfd_head = NULL;
}
/* is it completely desegmented? */
if (ipfd_head) {
/*
* Yes, we think it is.
* We only call subdissector for the last segment.
* Note that the last segment may include more than what
* we needed.
*/
if(ipfd_head->reassembled_in == pinfo->num) {
/*
* OK, this is the last segment.
* Let's call the subdissector with the desegmented
* data.
*/
tvbuff_t *next_tvb;
int old_len;
/* create a new TVB structure for desegmented data */
next_tvb = tvb_new_chain(tvb, ipfd_head->tvb_data);
/* add desegmented data to the data source list */
add_new_data_source(pinfo, next_tvb, "Reassembled TCP");
/*
* Supply the sequence number of the first of the
* reassembled bytes.
*/
tcpinfo->seq = msp->seq;
/* indicate that this is reassembled data */
tcpinfo->is_reassembled = TRUE;
/* call subdissector */
process_tcp_payload(next_tvb, 0, pinfo, tree, tcp_tree, sport,
dport, 0, 0, FALSE, tcpd, tcpinfo);
called_dissector = TRUE;
/*
* OK, did the subdissector think it was completely
* desegmented, or does it think we need even more
* data?
*/
if (reassemble_ooo && !PINFO_FD_VISITED(pinfo) && pinfo->desegment_len) {
/* "desegment_len" isn't 0, so it needs more data to extend the MSP. */
msp->flags &= ~MSP_FLAGS_GOT_ALL_SEGMENTS;
}
old_len = (int)(tvb_reported_length(next_tvb) - last_fragment_len);
if (pinfo->desegment_len &&
pinfo->desegment_offset<=old_len) {
/*
* "desegment_len" isn't 0, so it needs more
* data for something - and "desegment_offset"
* is before "old_len", so it needs more data
* to dissect the stuff we thought was
* completely desegmented (as opposed to the
* stuff at the beginning being completely
* desegmented, but the stuff at the end
* being a new higher-level PDU that also
* needs desegmentation).
*
* If "desegment_offset" is 0, then nothing in the reassembled
* TCP segments was dissected, so remove the data source.
*/
if (pinfo->desegment_offset == 0)
remove_last_data_source(pinfo);
fragment_set_partial_reassembly(&tcp_reassembly_table,
pinfo, msp->first_frame, NULL);
/* Update msp->nxtpdu to point to the new next
* pdu boundary.
*/
if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) {
/* We want reassembly of at least one
* more segment so set the nxtpdu
* boundary to one byte into the next
* segment.
* This means that the next segment
* will complete reassembly even if it
* is only one single byte in length.
* If this is an OoO segment, then increment the MSP end.
*/
msp->nxtpdu = MAX(seq + tvb_reported_length_remaining(tvb, offset), msp->nxtpdu) + 1;
msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
} else if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) {
tcpd->fwd->flags |= TCP_FLOW_REASSEMBLE_UNTIL_FIN;
} else {
if (seq + last_fragment_len >= msp->nxtpdu) {
/* This is the segment (overlapping) the end of the MSP. */
msp->nxtpdu = seq + last_fragment_len + pinfo->desegment_len;
} else {
/* This is a segment before the end of the MSP, so it
* must be an out-of-order segmented that completed the
* MSP. The requested additional data is relative to
* that end.
*/
msp->nxtpdu += pinfo->desegment_len;
}
}
/* Since we need at least some more data
* there can be no pdu following in the
* tail of this segment.
*/
another_pdu_follows = 0;
offset += last_fragment_len;
seq += last_fragment_len;
if (tvb_captured_length_remaining(tvb, offset) > 0)
goto again;
} else {
/*
* Show the stuff in this TCP segment as
* just raw TCP segment data.
*/
nbytes = another_pdu_follows > 0
? another_pdu_follows
: tvb_reported_length_remaining(tvb, offset);
proto_tree_add_bytes_format(tcp_tree, hf_tcp_segment_data, tvb, offset,
nbytes, NULL, "TCP segment data (%u byte%s)", nbytes,
plurality(nbytes, "", "s"));
print_tcp_fragment_tree(ipfd_head, tree, tcp_tree, pinfo, next_tvb);
/* Did the subdissector ask us to desegment
* some more data? This means that the data
* at the beginning of this segment completed
* a higher-level PDU, but the data at the
* end of this segment started a higher-level
* PDU but didn't complete it.
*
* If so, we have to create some structures
* in our table, but this is something we
* only do the first time we see this packet.
*/
if(pinfo->desegment_len) {
if (!PINFO_FD_VISITED(pinfo))
must_desegment = TRUE;
/* The stuff we couldn't dissect
* must have come from this segment,
* so it's all in "tvb".
*
* "pinfo->desegment_offset" is
* relative to the beginning of
* "next_tvb"; we want an offset
* relative to the beginning of "tvb".
*
* First, compute the offset relative
* to the *end* of "next_tvb" - i.e.,
* the number of bytes before the end
* of "next_tvb" at which the
* subdissector stopped. That's the
* length of "next_tvb" minus the
* offset, relative to the beginning
* of "next_tvb, at which the
* subdissector stopped.
*/
deseg_offset = ipfd_head->datalen - pinfo->desegment_offset;