2014-01-06 00:44:41 +00:00
|
|
|
/* file-file.c
|
|
|
|
*
|
|
|
|
* Top-most file dissector. Decides dissector based on Filetap Encapsulation Type.
|
|
|
|
*
|
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
|
|
|
* Copyright 2000 Gerald Combs
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#ifdef _MSC_VER
|
|
|
|
#include <windows.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
|
|
|
|
#include <wsutil/md5.h>
|
|
|
|
|
|
|
|
#include <epan/epan.h>
|
|
|
|
#include <epan/packet.h>
|
|
|
|
#include <epan/exceptions.h>
|
|
|
|
#include <epan/show_exception.h>
|
|
|
|
#include <epan/timestamp.h>
|
|
|
|
#include <epan/prefs.h>
|
|
|
|
#include <epan/to_str.h>
|
|
|
|
#include <epan/tap.h>
|
|
|
|
#include <epan/expert.h>
|
|
|
|
|
|
|
|
#include "color.h"
|
|
|
|
#include "color_filters.h"
|
|
|
|
|
2014-01-13 19:32:10 +00:00
|
|
|
#include "file-file.h"
|
|
|
|
|
2014-01-06 00:44:41 +00:00
|
|
|
void proto_register_file(void);
|
|
|
|
void proto_reg_handoff_file(void);
|
|
|
|
|
|
|
|
static int proto_file = -1;
|
|
|
|
static int hf_file_record_number = -1;
|
|
|
|
static int hf_file_record_len = -1;
|
|
|
|
static int hf_file_ftap_encap = -1;
|
|
|
|
static int hf_file_marked = -1;
|
|
|
|
static int hf_file_ignored = -1;
|
|
|
|
static int hf_file_protocols = -1;
|
|
|
|
static int hf_file_num_p_prot_data = -1;
|
|
|
|
static int hf_file_color_filter_name = -1;
|
|
|
|
static int hf_file_color_filter_text = -1;
|
|
|
|
|
|
|
|
static gint ett_file = -1;
|
|
|
|
|
|
|
|
static int file_tap = -1;
|
|
|
|
|
|
|
|
static dissector_handle_t data_handle;
|
|
|
|
|
|
|
|
dissector_table_t file_encap_dissector_table;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Routine used to register record end routine. The routine should only
|
|
|
|
* be registered when the dissector is used in the record, not in the
|
|
|
|
* proto_register_XXX function.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
register_file_record_end_routine(packet_info *pinfo, void (*func)(void))
|
|
|
|
{
|
|
|
|
pinfo->frame_end_routines = g_slist_append(pinfo->frame_end_routines, (gpointer)func);
|
|
|
|
}
|
|
|
|
|
|
|
|
typedef void (*void_func_t)(void);
|
|
|
|
|
|
|
|
static void
|
|
|
|
call_file_record_end_routine(gpointer routine, gpointer dummy _U_)
|
|
|
|
{
|
|
|
|
void_func_t func = (void_func_t)routine;
|
|
|
|
(*func)();
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_file_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
|
|
|
|
{
|
|
|
|
proto_item *volatile ti = NULL;
|
|
|
|
guint cap_len = 0, frame_len = 0;
|
|
|
|
proto_tree *volatile tree;
|
|
|
|
proto_item *item;
|
|
|
|
const gchar *cap_plurality, *frame_plurality;
|
|
|
|
|
|
|
|
tree=parent_tree;
|
|
|
|
|
|
|
|
pinfo->current_proto = "File";
|
|
|
|
|
|
|
|
/* if FILE is not referenced from any filters we dont need to worry about
|
|
|
|
generating any tree items. */
|
|
|
|
if(!proto_field_is_referenced(tree, proto_file)) {
|
|
|
|
tree=NULL;
|
|
|
|
} else {
|
|
|
|
proto_tree *fh_tree;
|
|
|
|
gboolean old_visible;
|
|
|
|
|
|
|
|
/* Put in frame header information. */
|
2014-06-19 17:18:16 +00:00
|
|
|
cap_len = tvb_length(tvb);
|
2014-01-06 00:44:41 +00:00
|
|
|
frame_len = tvb_reported_length(tvb);
|
|
|
|
|
|
|
|
cap_plurality = plurality(cap_len, "", "s");
|
|
|
|
frame_plurality = plurality(frame_len, "", "s");
|
|
|
|
|
|
|
|
ti = proto_tree_add_protocol_format(tree, proto_file, tvb, 0, -1,
|
|
|
|
"File record %u: %u byte%s",
|
|
|
|
pinfo->fd->num, frame_len, frame_plurality);
|
|
|
|
proto_item_append_text(ti, ", %u byte%s",
|
|
|
|
cap_len, cap_plurality);
|
|
|
|
|
|
|
|
fh_tree = proto_item_add_subtree(ti, ett_file);
|
|
|
|
|
|
|
|
proto_tree_add_int(fh_tree, hf_file_ftap_encap, tvb, 0, 0, pinfo->fd->lnk_t);
|
|
|
|
|
|
|
|
proto_tree_add_uint(fh_tree, hf_file_record_number, tvb, 0, 0, pinfo->fd->num);
|
|
|
|
|
|
|
|
proto_tree_add_uint_format(fh_tree, hf_file_record_len, tvb,
|
|
|
|
0, 0, frame_len, "Record Length: %u byte%s (%u bits)",
|
|
|
|
frame_len, frame_plurality, frame_len * 8);
|
|
|
|
|
|
|
|
ti = proto_tree_add_boolean(fh_tree, hf_file_marked, tvb, 0, 0,pinfo->fd->flags.marked);
|
|
|
|
PROTO_ITEM_SET_GENERATED(ti);
|
|
|
|
|
|
|
|
ti = proto_tree_add_boolean(fh_tree, hf_file_ignored, tvb, 0, 0,pinfo->fd->flags.ignored);
|
|
|
|
PROTO_ITEM_SET_GENERATED(ti);
|
|
|
|
|
|
|
|
if(proto_field_is_referenced(tree, hf_file_protocols)) {
|
|
|
|
/* we are going to be using proto_item_append_string() on
|
|
|
|
* hf_frame_protocols, and we must therefore disable the
|
|
|
|
* TRY_TO_FAKE_THIS_ITEM() optimisation for the tree by
|
|
|
|
* setting it as visible.
|
|
|
|
*
|
|
|
|
* See proto.h for details.
|
|
|
|
*/
|
|
|
|
old_visible = proto_tree_set_visible(fh_tree, TRUE);
|
|
|
|
ti = proto_tree_add_string(fh_tree, hf_file_protocols, tvb, 0, 0, "");
|
|
|
|
PROTO_ITEM_SET_GENERATED(ti);
|
|
|
|
proto_tree_set_visible(fh_tree, old_visible);
|
|
|
|
}
|
|
|
|
|
|
|
|
if(pinfo->fd->pfd != 0){
|
|
|
|
proto_item *ppd_item;
|
|
|
|
guint num_entries = g_slist_length(pinfo->fd->pfd);
|
|
|
|
guint i;
|
|
|
|
ppd_item = proto_tree_add_uint(fh_tree, hf_file_num_p_prot_data, tvb, 0, 0, num_entries);
|
|
|
|
PROTO_ITEM_SET_GENERATED(ppd_item);
|
|
|
|
for(i=0; i<num_entries; i++){
|
|
|
|
proto_tree_add_text (fh_tree, tvb, 0, 0, "%s",p_get_proto_name_and_key(wmem_file_scope(), pinfo, i));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
if (show_file_off) {
|
|
|
|
proto_tree_add_int64_format_value(fh_tree, hf_frame_file_off, tvb,
|
|
|
|
0, 0, pinfo->fd->file_off,
|
|
|
|
"%" G_GINT64_MODIFIER "d (0x%" G_GINT64_MODIFIER "x)",
|
|
|
|
pinfo->fd->file_off, pinfo->fd->file_off);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
if(pinfo->fd->color_filter != NULL) {
|
|
|
|
const color_filter_t *color_filter = (const color_filter_t *)pinfo->fd->color_filter;
|
|
|
|
item = proto_tree_add_string(fh_tree, hf_file_color_filter_name, tvb,
|
|
|
|
0, 0, color_filter->filter_name);
|
|
|
|
PROTO_ITEM_SET_GENERATED(item);
|
|
|
|
item = proto_tree_add_string(fh_tree, hf_file_color_filter_text, tvb,
|
|
|
|
0, 0, color_filter->filter_text);
|
|
|
|
PROTO_ITEM_SET_GENERATED(item);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pinfo->fd->flags.ignored) {
|
|
|
|
/* Ignored package, stop handling here */
|
|
|
|
col_set_str(pinfo->cinfo, COL_INFO, "<Ignored>");
|
|
|
|
proto_tree_add_text (tree, tvb, 0, -1, "This record is marked as ignored");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Portable Exception Handling to trap Wireshark specific exceptions like BoundsError exceptions */
|
|
|
|
TRY {
|
|
|
|
#ifdef _MSC_VER
|
|
|
|
/* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions
|
|
|
|
like memory access violations.
|
|
|
|
(a running debugger will be called before the except part below) */
|
|
|
|
/* Note: A Windows "exceptional exception" may leave the kazlib's (Portable Exception Handling)
|
|
|
|
stack in an inconsistent state thus causing a crash at some point in the
|
|
|
|
handling of the exception.
|
|
|
|
See: https://www.wireshark.org/lists/wireshark-dev/200704/msg00243.html
|
|
|
|
*/
|
|
|
|
__try {
|
|
|
|
#endif
|
|
|
|
if (!dissector_try_uint(file_encap_dissector_table, pinfo->fd->lnk_t,
|
|
|
|
tvb, pinfo, parent_tree)) {
|
|
|
|
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "UNKNOWN");
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "FTAP_ENCAP = %d",
|
|
|
|
pinfo->fd->lnk_t);
|
|
|
|
call_dissector(data_handle,tvb, pinfo, parent_tree);
|
|
|
|
}
|
|
|
|
#ifdef _MSC_VER
|
|
|
|
} __except(EXCEPTION_EXECUTE_HANDLER /* handle all exceptions */) {
|
|
|
|
switch(GetExceptionCode()) {
|
|
|
|
case(STATUS_ACCESS_VIOLATION):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
|
|
|
|
break;
|
|
|
|
case(STATUS_INTEGER_DIVIDE_BY_ZERO):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
|
|
|
|
break;
|
|
|
|
case(STATUS_STACK_OVERFLOW):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
|
|
|
|
/* XXX - this will have probably corrupted the stack,
|
|
|
|
which makes problems later in the exception code */
|
|
|
|
break;
|
|
|
|
/* XXX - add other hardware exception codes as required */
|
|
|
|
default:
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
CATCH_BOUNDS_AND_DISSECTOR_ERRORS {
|
|
|
|
show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
|
|
|
|
}
|
|
|
|
ENDTRY;
|
|
|
|
|
|
|
|
if(proto_field_is_referenced(tree, hf_file_protocols)) {
|
|
|
|
wmem_strbuf_t *val = wmem_strbuf_new(wmem_packet_scope(), "");
|
|
|
|
wmem_list_frame_t *frame;
|
|
|
|
/* skip the first entry, it's always the "frame" protocol */
|
|
|
|
frame = wmem_list_frame_next(wmem_list_head(pinfo->layers));
|
|
|
|
if (frame) {
|
|
|
|
wmem_strbuf_append(val, proto_get_protocol_filter_name(GPOINTER_TO_UINT(wmem_list_frame_data(frame))));
|
|
|
|
frame = wmem_list_frame_next(frame);
|
|
|
|
}
|
|
|
|
while (frame) {
|
|
|
|
wmem_strbuf_append_c(val, ':');
|
|
|
|
wmem_strbuf_append(val, proto_get_protocol_filter_name(GPOINTER_TO_UINT(wmem_list_frame_data(frame))));
|
|
|
|
frame = wmem_list_frame_next(frame);
|
|
|
|
}
|
|
|
|
proto_item_append_string(ti, wmem_strbuf_get_str(val));
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Call postdissectors if we have any (while trying to avoid another
|
|
|
|
* TRY/CATCH)
|
|
|
|
*/
|
|
|
|
if (have_postdissector()) {
|
|
|
|
TRY {
|
|
|
|
#ifdef _MSC_VER
|
|
|
|
/* Win32: Visual-C Structured Exception Handling (SEH)
|
|
|
|
to trap hardware exceptions like memory access violations */
|
|
|
|
/* (a running debugger will be called before the except part below) */
|
|
|
|
/* Note: A Windows "exceptional exception" may leave the kazlib's (Portable Exception Handling)
|
|
|
|
stack in an inconsistent state thus causing a crash at some point in the
|
|
|
|
handling of the exception.
|
|
|
|
See: https://www.wireshark.org/lists/wireshark-dev/200704/msg00243.html
|
|
|
|
*/
|
|
|
|
__try {
|
|
|
|
#endif
|
|
|
|
call_all_postdissectors(tvb, pinfo, parent_tree);
|
|
|
|
#ifdef _MSC_VER
|
|
|
|
} __except(EXCEPTION_EXECUTE_HANDLER /* handle all exceptions */) {
|
|
|
|
switch(GetExceptionCode()) {
|
|
|
|
case(STATUS_ACCESS_VIOLATION):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
|
|
|
|
break;
|
|
|
|
case(STATUS_INTEGER_DIVIDE_BY_ZERO):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
|
|
|
|
break;
|
|
|
|
case(STATUS_STACK_OVERFLOW):
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
"STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
|
|
|
|
/* XXX - this will have probably corrupted the stack,
|
|
|
|
which makes problems later in the exception code */
|
|
|
|
break;
|
|
|
|
/* XXX - add other hardware exception codes as required */
|
|
|
|
default:
|
|
|
|
show_exception(tvb, pinfo, parent_tree, DissectorError,
|
|
|
|
g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
CATCH_BOUNDS_AND_DISSECTOR_ERRORS {
|
|
|
|
show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
|
|
|
|
}
|
|
|
|
ENDTRY;
|
|
|
|
}
|
|
|
|
|
|
|
|
tap_queue_packet(file_tap, pinfo, NULL);
|
|
|
|
|
|
|
|
|
|
|
|
if (pinfo->frame_end_routines) {
|
|
|
|
g_slist_foreach(pinfo->frame_end_routines, &call_file_record_end_routine, NULL);
|
|
|
|
g_slist_free(pinfo->frame_end_routines);
|
|
|
|
pinfo->frame_end_routines = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_register_file(void)
|
|
|
|
{
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
{ &hf_file_record_number,
|
|
|
|
{ "Record Number", "file.record_number",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
NULL, HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_record_len,
|
|
|
|
{ "Record length", "file.record_len",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
NULL, HFILL }},
|
|
|
|
#if 0
|
|
|
|
{ &hf_frame_file_off,
|
|
|
|
{ "File Offset", "file.file_off",
|
|
|
|
FT_INT64, BASE_DEC, NULL, 0x0,
|
|
|
|
NULL, HFILL }},
|
|
|
|
#endif
|
|
|
|
{ &hf_file_marked,
|
|
|
|
{ "File record is marked", "file.marked",
|
|
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
|
|
"File record is marked in the GUI", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_ignored,
|
|
|
|
{ "File record is ignored", "file.ignored",
|
|
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
|
|
"File record is ignored by the dissectors", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_protocols,
|
|
|
|
{ "File record types in frame", "file.record_types",
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
|
|
"File record types carried by this frame", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_color_filter_name,
|
|
|
|
{ "Coloring Rule Name", "file.coloring_rule.name",
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
|
|
"The file record matched the coloring rule with this name", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_color_filter_text,
|
|
|
|
{ "Coloring Rule String", "file.coloring_rule.string",
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
|
|
"The file record matched this coloring rule string", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_num_p_prot_data,
|
|
|
|
{ "Number of per-record-data", "file.p_record_data",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
NULL, HFILL }},
|
|
|
|
|
|
|
|
{ &hf_file_ftap_encap,
|
|
|
|
{ "Encapsulation type", "file.encap_type",
|
|
|
|
FT_INT16, BASE_DEC, NULL, 0x0,
|
|
|
|
NULL, HFILL }},
|
|
|
|
};
|
|
|
|
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_file
|
|
|
|
};
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
module_t *file_module;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
file_encap_dissector_table = register_dissector_table("ftap_encap",
|
|
|
|
"Filetap encapsulation type", FT_UINT32, BASE_DEC);
|
|
|
|
|
|
|
|
proto_file = proto_register_protocol("File", "File", "file");
|
|
|
|
proto_register_field_array(proto_file, hf, array_length(hf));
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
register_dissector("file",dissect_file_record,proto_file);
|
|
|
|
|
|
|
|
/* You can't disable dissection of "Frame", as that would be
|
|
|
|
tantamount to not doing any dissection whatsoever. */
|
|
|
|
proto_set_cant_toggle(proto_file);
|
|
|
|
|
|
|
|
/* Our preferences */
|
|
|
|
#if 0
|
|
|
|
frame_module = prefs_register_protocol(proto_frame, NULL);
|
|
|
|
prefs_register_bool_preference(frame_module, "show_file_off",
|
|
|
|
"Show File Offset", "Show offset of frame in capture file", &show_file_off);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
file_tap=register_tap("file");
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_reg_handoff_file(void)
|
|
|
|
{
|
|
|
|
data_handle = find_dissector("data");
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Editor modelines - http://www.wireshark.org/tools/modelines.html
|
|
|
|
*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* tab-width: 8
|
|
|
|
* indent-tabs-mode: t
|
|
|
|
* End:
|
|
|
|
*
|
|
|
|
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
|
|
|
|
* :indentSize=8:tabSize=8:noTabs=false:
|
|
|
|
*/
|