2000-04-12 22:53:16 +00:00
|
|
|
/* packet-socks.c
|
|
|
|
* Routines for socks versions 4 &5 packet dissection
|
|
|
|
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
|
|
|
|
*
|
2001-01-03 06:56:03 +00:00
|
|
|
* $Id: packet-socks.c,v 1.16 2001/01/03 06:55:33 guy Exp $
|
2000-04-12 22:53:16 +00:00
|
|
|
*
|
|
|
|
* Ethereal - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@zing.org>
|
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
|
|
|
|
* The Version 5 decoder is based upon rfc-1928
|
|
|
|
* The Version 5 User/Password authentication is based on rfc-1929.
|
|
|
|
*
|
|
|
|
* See http://www.socks.nec.com/socksprot.html for these and other documents
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Possible enhancements -
|
|
|
|
*
|
|
|
|
* Add GSS-API authentication per rfc-1961
|
|
|
|
* Add CHAP authentication
|
|
|
|
* Decode FLAG bits per
|
|
|
|
* http://www.socks.nec.com/draft/draft-ietf-aft-socks-pro-v-04.txt
|
|
|
|
* In call_next_dissector, could load the destination address into the
|
|
|
|
* pi structure before calling next dissector.
|
|
|
|
* remove display_string or at least make it use protocol identifiers
|
|
|
|
* socks_hash_entry_t needs to handle V5 address type and domain names
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
|
|
# include <sys/types.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef HAVE_NETINET_IN_H
|
|
|
|
# include <netinet/in.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <glib.h>
|
2000-08-11 13:37:21 +00:00
|
|
|
|
|
|
|
#ifdef NEED_SNPRINTF_H
|
|
|
|
# include "snprintf.h"
|
|
|
|
#endif
|
|
|
|
|
2000-04-12 22:53:16 +00:00
|
|
|
#include "packet.h"
|
|
|
|
#include "resolv.h"
|
|
|
|
#include "globals.h"
|
|
|
|
#include "alignment.h"
|
|
|
|
#include "conversation.h"
|
|
|
|
|
|
|
|
#include "packet-tcp.h"
|
|
|
|
#include "packet-udp.h"
|
2000-09-11 16:16:13 +00:00
|
|
|
#include "strutil.h"
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
|
2000-08-06 10:04:15 +00:00
|
|
|
#define CHECK_PACKET_LENGTH(X) if (!BYTES_ARE_IN_FRAME(offset, X)){ \
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***"); \
|
2000-04-12 22:53:16 +00:00
|
|
|
return; }
|
|
|
|
|
|
|
|
#define compare_packet(X) (X == (fd->num))
|
|
|
|
#define get_packet_ptr (fd->num)
|
|
|
|
#define row_pointer_type guint32
|
|
|
|
|
|
|
|
#define TCP_PORT_SOCKS 1080
|
|
|
|
|
|
|
|
|
|
|
|
/**************** Socks commands ******************/
|
|
|
|
|
|
|
|
#define CONNECT_COMMAND 1
|
|
|
|
#define BIND_COMMAND 2
|
|
|
|
#define UDP_ASSOCIATE_COMMAND 3
|
|
|
|
#define PING_COMMAND 0x80
|
|
|
|
#define TRACERT_COMMAND 0x81
|
|
|
|
|
|
|
|
|
|
|
|
/********** V5 Authentication methods *************/
|
|
|
|
|
|
|
|
#define NO_AUTHENTICATION 0
|
|
|
|
#define GSS_API_AUTHENTICATION 1
|
|
|
|
#define USER_NAME_AUTHENTICATION 2
|
|
|
|
#define CHAP_AUTHENTICATION 3
|
|
|
|
#define AUTHENTICATION_FAILED 0xff
|
|
|
|
|
|
|
|
|
|
|
|
/*********** Header field identifiers *************/
|
|
|
|
|
|
|
|
static int proto_socks = -1;
|
|
|
|
|
|
|
|
static int ett_socks = -1;
|
|
|
|
static int ett_socks_auth = -1;
|
|
|
|
static int ett_socks_name = -1;
|
|
|
|
|
|
|
|
static int hf_socks_ver = -1;
|
|
|
|
static int hf_socks_ip_dst = -1;
|
|
|
|
static int hf_socks_ip6_dst = -1;
|
|
|
|
static int hf_user_name = -1;
|
|
|
|
static int hf_socks_dstport = -1;
|
|
|
|
static int hf_socks_command = -1;
|
|
|
|
|
|
|
|
|
|
|
|
/************* State Machine names ***********/
|
|
|
|
|
|
|
|
enum SockState {
|
|
|
|
None = 0,
|
|
|
|
Connecting,
|
|
|
|
V4UserNameWait,
|
|
|
|
V4NameWait,
|
|
|
|
V5Command,
|
|
|
|
V5Reply,
|
|
|
|
V5BindReply,
|
|
|
|
UserNameAuth,
|
|
|
|
GssApiAuth,
|
|
|
|
AuthReply,
|
|
|
|
Done
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
int state;
|
|
|
|
int version;
|
|
|
|
int command;
|
|
|
|
int grant;
|
|
|
|
gint32 port;
|
|
|
|
gint32 udp_port;
|
|
|
|
gint32 udp_remote_port;
|
|
|
|
|
|
|
|
int connect_offset;
|
|
|
|
row_pointer_type v4_name_row;
|
|
|
|
row_pointer_type v4_user_name_row;
|
|
|
|
row_pointer_type connect_row;
|
|
|
|
row_pointer_type cmd_reply_row;
|
|
|
|
row_pointer_type bind_reply_row;
|
|
|
|
row_pointer_type command_row;
|
|
|
|
row_pointer_type auth_method_row;
|
|
|
|
row_pointer_type user_name_auth_row;
|
|
|
|
guint32 start_done_row;
|
|
|
|
|
|
|
|
guint32 dst_addr; /* this needs to handle IPv6 */
|
|
|
|
}socks_hash_entry_t;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static char *address_type_table[] = {
|
|
|
|
"Unknown",
|
|
|
|
"IPv4",
|
|
|
|
"Unknown",
|
|
|
|
"Domain Name",
|
|
|
|
"IPv6",
|
|
|
|
"Unknown"
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* String table for the V4 reply status messages */
|
|
|
|
|
|
|
|
static char *reply_table_v4[] = {
|
|
|
|
"Granted",
|
|
|
|
"Rejected or Failed",
|
|
|
|
"Rejected because SOCKS server cannot connect to identd on the client",
|
|
|
|
"Rejected because the client program and identd report different user-ids",
|
|
|
|
"Unknown"
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* String table for the V5 reply status messages */
|
|
|
|
|
|
|
|
static char *reply_table_v5[] = {
|
|
|
|
"Succeeded",
|
|
|
|
"General SOCKS server failure",
|
|
|
|
"Connection not allowed by ruleset",
|
|
|
|
"Network unreachable",
|
|
|
|
"Host unreachable",
|
|
|
|
"Connection refused",
|
|
|
|
"TTL expired",
|
|
|
|
"Command not supported",
|
|
|
|
"Address type not supported",
|
|
|
|
"Unknown"
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
#define socks_hash_init_count 20
|
|
|
|
#define socks_hash_val_length (sizeof(socks_hash_entry_t))
|
|
|
|
|
|
|
|
static GMemChunk *socks_vals = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
/************************* Support routines ***************************/
|
|
|
|
|
|
|
|
|
|
|
|
static int display_string( const u_char *pd, int offset, frame_data *fd,
|
|
|
|
proto_tree *tree, char *label){
|
|
|
|
|
|
|
|
/* display a string with a length, characters encoding */
|
|
|
|
/* they are displayed under a tree with the name in Label variable */
|
|
|
|
/* return the length of the string and the length byte */
|
|
|
|
|
|
|
|
|
|
|
|
proto_tree *name_tree;
|
|
|
|
proto_item *ti;
|
|
|
|
|
|
|
|
|
|
|
|
char temp[ 256];
|
|
|
|
int length = GBYTE( pd, offset);
|
|
|
|
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 8)){
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
|
2000-04-12 22:53:16 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
strncpy( temp, &pd[ offset + 1], length);
|
|
|
|
temp[ length ] = 0;
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
ti = proto_tree_add_text(tree, NullTVB, offset, length + 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"%s: %s" , label, temp);
|
|
|
|
|
|
|
|
|
|
|
|
name_tree = proto_item_add_subtree(ti, ett_socks_name);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( name_tree, NullTVB, offset, 1, "Length: %d", length);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
++offset;
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( name_tree, NullTVB, offset, length, "String: %s", temp);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
return length + 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static char *get_auth_method_name( guint Number){
|
|
|
|
|
|
|
|
/* return the name of the authenication method */
|
|
|
|
|
|
|
|
if ( Number == 0) return "No authentication";
|
|
|
|
if ( Number == 1) return "GSSAPI";
|
|
|
|
if ( Number == 2) return "Username/Password";
|
|
|
|
if ( Number == 3) return "Chap";
|
|
|
|
if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
|
|
|
|
if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
|
|
|
|
if ( Number == 0xff) return "no acceptable method";
|
|
|
|
|
|
|
|
/* shouldn't reach here */
|
|
|
|
|
|
|
|
return "Bad method number (not 0-0xff)";
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static char *get_command_name( guint Number){
|
|
|
|
|
|
|
|
/* return the name of the command as a string */
|
|
|
|
|
|
|
|
if ( Number == 0) return "Unknow";
|
|
|
|
if ( Number == 1) return "Connect";
|
|
|
|
if ( Number == 2) return "Bind";
|
|
|
|
if ( Number == 3) return "UdpAssociate";
|
|
|
|
if ( Number == 0x80) return "Ping";
|
|
|
|
if ( Number == 0x81) return "Traceroute";
|
|
|
|
return "Unknown";
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int display_address( const u_char *pd, int offset,
|
|
|
|
frame_data *fd, proto_tree *tree) {
|
|
|
|
|
|
|
|
/* decode and display the v5 address, return offset of next byte */
|
|
|
|
|
|
|
|
int a_type = GBYTE( pd, offset);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Address Type: %d (%s)", a_type,
|
|
|
|
address_type_table[ MAX( 0, MIN( a_type,
|
|
|
|
array_length( address_type_table)-1))]);
|
|
|
|
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
if ( a_type == 1){ /* IPv4 address */
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 4))
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset,
|
2000-04-12 22:53:16 +00:00
|
|
|
4, GWORD( pd, offset));
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
else if ( a_type == 3){ /* domain name address */
|
|
|
|
|
|
|
|
offset += display_string( pd, offset, fd, tree,
|
|
|
|
"Remote name");
|
|
|
|
}
|
|
|
|
else if ( a_type == 4){ /* IPv6 address */
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 16))
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, 0, "*** FRAME TOO SHORT ***");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_ipv6( tree, hf_socks_ip6_dst, NullTVB, offset,
|
|
|
|
4, &pd[offset]);
|
2000-04-12 22:53:16 +00:00
|
|
|
offset += 16;
|
|
|
|
}
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int get_address_v5( const u_char *pd, int offset,
|
|
|
|
socks_hash_entry_t *hash_info) {
|
|
|
|
|
|
|
|
/* decode the v5 address and return offset of next byte */
|
|
|
|
/*$$$ this needs to handle IPV6 and domain name addresses */
|
|
|
|
|
|
|
|
|
|
|
|
int a_type = GBYTE( pd, offset++);
|
|
|
|
|
|
|
|
if ( a_type == 1){ /* IPv4 address */
|
|
|
|
|
|
|
|
if ( hash_info)
|
|
|
|
hash_info->dst_addr = GWORD( pd, offset);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
else if ( a_type == 4) /* IPv6 address */
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
else if ( a_type == 3) /* domain name address */
|
|
|
|
offset += GBYTE( pd, offset) + 1;
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/********************* V5 UDP Associate handlers ***********************/
|
|
|
|
|
|
|
|
static void socks_udp_dissector( const u_char *pd, int offset, frame_data *fd,
|
|
|
|
proto_tree *tree) {
|
|
|
|
|
|
|
|
/* Conversation dissector called from UDP dissector. Decode and display */
|
|
|
|
/* the socks header, the pass the rest of the data to the udp port */
|
|
|
|
/* decode routine to handle the payload. */
|
|
|
|
|
|
|
|
guint32 *ptr;
|
|
|
|
socks_hash_entry_t *hash_info;
|
|
|
|
conversation_t *conversation;
|
|
|
|
proto_tree *socks_tree;
|
|
|
|
proto_item *ti;
|
Tvbuffify the IP, ICMP, TCP, UDP, OSI CLNP, OSI COTP, OSI CLTP, and OSI
ESIS dissectors.
Register the IP dissector and have dissectors that call it directly
(rather than through a port table) call it through a handle.
Add a routine "tvb_set_reported_length()" which a dissector can use if
it was handed a tvbuff that contains more data than is actually in its
part of the packet - for example, handing a padded Ethernet frame to IP;
the routine sets the reported length of the tvbuff (and also adjusts the
actual length, as appropriate). Then use it in IP.
Given that, "ethertype()" can determine how much of the Ethernet frame
was actually part of an IP datagram (and can do the same for other
protocols under Ethernet that use "tvb_set_reported_length()"; have it
return the actual length, and have "dissect_eth()" and "dissect_vlan()"
use that to mark trailer data in Ethernet II frames as well as in 802.3
frames.
svn path=/trunk/; revision=2658
2000-11-18 10:38:33 +00:00
|
|
|
tvbuff_t *tvb;
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
|
2000-10-21 05:52:28 +00:00
|
|
|
pi.srcport, pi.destport, 0);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
g_assert( conversation); /* should always find a conversation */
|
|
|
|
|
|
|
|
hash_info = (socks_hash_entry_t*)conversation->data;
|
|
|
|
|
|
|
|
if (check_col(fd, COL_PROTOCOL))
|
2000-11-19 08:54:37 +00:00
|
|
|
col_set_str(fd, COL_PROTOCOL, "Socks");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_add_fstr(fd, COL_INFO, "Version: 5, UDP Associated packet");
|
|
|
|
|
|
|
|
if ( tree) {
|
2000-05-31 05:09:07 +00:00
|
|
|
ti = proto_tree_add_protocol_format( tree, proto_socks, NullTVB, offset,
|
|
|
|
END_OF_FRAME, "Socks" );
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
socks_tree = proto_item_add_subtree(ti, ett_socks);
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 3);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( socks_tree, NullTVB, offset, 2, "Reserved");
|
2000-04-12 22:53:16 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( socks_tree, NullTVB, offset, 1, "Fragment Number: %d", GBYTE( pd,offset));
|
2000-04-12 22:53:16 +00:00
|
|
|
++offset;
|
|
|
|
|
|
|
|
|
|
|
|
offset = display_address( pd, offset, fd, socks_tree);
|
|
|
|
hash_info->udp_remote_port = pntohs( &pd[ offset]);
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 2);
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_uint( socks_tree, hf_socks_dstport, NullTVB,
|
2000-04-12 22:53:16 +00:00
|
|
|
offset, 2, hash_info->udp_remote_port);
|
|
|
|
|
|
|
|
offset += 2;
|
|
|
|
}
|
|
|
|
else { /* no tree, skip past the socks header */
|
|
|
|
CHECK_PACKET_LENGTH( 3);
|
|
|
|
offset += 3;
|
|
|
|
offset = get_address_v5( pd,offset, 0) + 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* set pi src/dst port and call the udp sub-dissector lookup */
|
|
|
|
|
|
|
|
if ( pi.srcport == hash_info->port)
|
|
|
|
ptr = &pi.destport;
|
|
|
|
else
|
|
|
|
ptr = &pi.srcport;
|
|
|
|
|
|
|
|
*ptr = hash_info->udp_remote_port;
|
|
|
|
|
Tvbuffify the IP, ICMP, TCP, UDP, OSI CLNP, OSI COTP, OSI CLTP, and OSI
ESIS dissectors.
Register the IP dissector and have dissectors that call it directly
(rather than through a port table) call it through a handle.
Add a routine "tvb_set_reported_length()" which a dissector can use if
it was handed a tvbuff that contains more data than is actually in its
part of the packet - for example, handing a padded Ethernet frame to IP;
the routine sets the reported length of the tvbuff (and also adjusts the
actual length, as appropriate). Then use it in IP.
Given that, "ethertype()" can determine how much of the Ethernet frame
was actually part of an IP datagram (and can do the same for other
protocols under Ethernet that use "tvb_set_reported_length()"; have it
return the actual length, and have "dissect_eth()" and "dissect_vlan()"
use that to mark trailer data in Ethernet II frames as well as in 802.3
frames.
svn path=/trunk/; revision=2658
2000-11-18 10:38:33 +00:00
|
|
|
tvb = tvb_create_from_top(0);
|
|
|
|
decode_udp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
*ptr = hash_info->udp_port;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void new_udp_conversation( socks_hash_entry_t *hash_info){
|
|
|
|
|
|
|
|
conversation_t *conversation = conversation_new( &pi.src, &pi.dst, PT_UDP,
|
2000-10-21 05:52:28 +00:00
|
|
|
hash_info->udp_port, hash_info->port, hash_info, 0);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
g_assert( conversation);
|
|
|
|
|
2000-08-21 18:36:35 +00:00
|
|
|
old_conversation_set_dissector(conversation, socks_udp_dissector);
|
2000-04-12 22:53:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**************** Protocol Tree Display routines ******************/
|
|
|
|
|
|
|
|
|
|
|
|
void display_socks_v4( const u_char *pd, int offset, frame_data *fd,
|
|
|
|
proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
|
|
|
|
|
|
|
|
|
|
|
|
/* Display the protocol tree for the V5 version. This routine uses the */
|
|
|
|
/* stored conversation information to decide what to do with the row. */
|
|
|
|
/* Per packet information would have been better to do this, but we */
|
|
|
|
/* didn't have that when I wrote this. And I didn't expect this to get */
|
|
|
|
/* so messy. */
|
|
|
|
|
|
|
|
|
|
|
|
int command;
|
|
|
|
|
|
|
|
/* Display command from client */
|
|
|
|
if (compare_packet( hash_info->connect_row)){
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 8);
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Version: %u ", hash_info->version);
|
|
|
|
++offset;
|
|
|
|
command = GBYTE( pd, offset);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Command: %u (%s)", command,
|
|
|
|
get_command_name( command));
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
/* Do remote port */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_uint( tree, hf_socks_dstport, NullTVB, offset, 2,
|
2000-04-12 22:53:16 +00:00
|
|
|
pntohs( &pd[ offset]));
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
/* Do destination address */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset,
|
2000-04-12 22:53:16 +00:00
|
|
|
4, GWORD( pd, offset));
|
|
|
|
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
/*$$ check this, needs to do length checking */
|
|
|
|
/* display user name */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_string( tree, hf_user_name, NullTVB, offset,
|
2000-04-12 22:53:16 +00:00
|
|
|
strlen( &pd[offset]) + 1,
|
|
|
|
&pd[offset]);
|
|
|
|
|
|
|
|
}
|
|
|
|
/*Display command response from server*/
|
|
|
|
|
|
|
|
else if ( compare_packet( hash_info->cmd_reply_row)){
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 8);
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Version: %u (should be 0) ", GBYTE( pd, offset));
|
|
|
|
++offset;
|
|
|
|
/* Do results code */
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Result Code: %u (%s)", GBYTE( pd, offset) ,
|
|
|
|
reply_table_v4[ MAX(0, MIN( GBYTE( pd, offset) - 90, 4))]);
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
/* Do remote port */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_uint( tree, hf_socks_dstport, NullTVB, offset, 2,
|
2000-04-12 22:53:16 +00:00
|
|
|
pntohs( &pd[ offset]));
|
|
|
|
offset += 2;;
|
|
|
|
/* Do remote address */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_ipv4( tree, hf_socks_ip_dst, NullTVB, offset, 4,
|
2000-04-12 22:53:16 +00:00
|
|
|
GWORD( pd, offset));
|
|
|
|
}
|
|
|
|
|
|
|
|
else if ( compare_packet( hash_info->v4_user_name_row)){
|
|
|
|
|
|
|
|
/*$$ check this, needs to do length checking */
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, strlen( &pd[offset]),
|
2000-04-12 22:53:16 +00:00
|
|
|
"User Name: %s", &pd[offset]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void display_socks_v5( const u_char *pd, int offset, frame_data *fd,
|
|
|
|
proto_tree *parent, proto_tree *tree, socks_hash_entry_t *hash_info) {
|
|
|
|
|
|
|
|
/* Display the protocol tree for the version. This routine uses the */
|
|
|
|
/* stored conversation information to decide what to do with the row. */
|
|
|
|
/* Per packet information would have been better to do this, but we */
|
|
|
|
/* didn't have that when I wrote this. And I didn't expect this to get */
|
|
|
|
/* so messy. */
|
|
|
|
|
|
|
|
int i, command;
|
|
|
|
guint temp;
|
|
|
|
char *AuthMethodStr;
|
|
|
|
|
|
|
|
|
|
|
|
if (compare_packet( hash_info->connect_row)){
|
|
|
|
|
|
|
|
proto_tree *AuthTree;
|
|
|
|
proto_item *ti;
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 2);
|
|
|
|
/* Do version */
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_uint( tree, hf_socks_ver, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
hash_info->version);
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
temp = GBYTE( pd, offset); /* Get Auth method count */
|
|
|
|
/* build auth tree */
|
2000-05-11 08:18:09 +00:00
|
|
|
ti = proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Client Authentication Methods");
|
|
|
|
|
|
|
|
AuthTree = proto_item_add_subtree(ti, ett_socks_auth);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( AuthTree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Count: %u ", temp);
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( temp);
|
|
|
|
|
|
|
|
for( i = 0; i < temp; ++i) {
|
|
|
|
|
|
|
|
AuthMethodStr = get_auth_method_name(
|
|
|
|
GBYTE( pd, offset + i));
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( AuthTree, NullTVB, offset + i, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Method[%d]: %u (%s)", i,
|
|
|
|
GBYTE( pd, offset + i), AuthMethodStr);
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
} /* Get accepted auth method */
|
|
|
|
else if (compare_packet( hash_info->auth_method_row)) {
|
|
|
|
|
|
|
|
++offset;
|
|
|
|
CHECK_PACKET_LENGTH( 1);
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Accepted Auth Method: 0x%0x (%s)", GBYTE( pd, offset),
|
|
|
|
get_auth_method_name( GBYTE( pd, offset)));
|
|
|
|
|
|
|
|
return;
|
|
|
|
} /* handle user/password auth */
|
|
|
|
else if (compare_packet( hash_info->user_name_auth_row)) {
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Version: %u ", hash_info->version);
|
|
|
|
++offset;
|
|
|
|
/* process user name */
|
|
|
|
offset += display_string( pd, offset, fd, tree,
|
|
|
|
"User name");
|
|
|
|
/* process password */
|
|
|
|
offset += display_string( pd, offset, fd, tree,
|
|
|
|
"Password");
|
|
|
|
}
|
|
|
|
/* command to the server */
|
|
|
|
/* command response from server */
|
|
|
|
else if ((compare_packet( hash_info->command_row)) ||
|
|
|
|
(compare_packet( hash_info->cmd_reply_row)) ||
|
|
|
|
(compare_packet( hash_info->bind_reply_row))){
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Version: %u ", hash_info->version);
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 1);
|
|
|
|
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
command = GBYTE( pd, offset);
|
|
|
|
|
|
|
|
if (compare_packet( hash_info->command_row))
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1, "Command: %u (%s)",
|
2000-04-12 22:53:16 +00:00
|
|
|
command, get_command_name( command));
|
|
|
|
else
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1, "Status: %d (%s)",
|
2000-04-12 22:53:16 +00:00
|
|
|
GBYTE( pd, offset), reply_table_v5[ MAX( 0,
|
|
|
|
MIN(GBYTE( pd, offset) - 90, 9))]);
|
|
|
|
++offset;
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Reserved: 0x%0x (should = 0x00)", GBYTE( pd, offset));
|
|
|
|
++offset;
|
|
|
|
|
|
|
|
offset = display_address( pd, offset, fd, tree);
|
|
|
|
|
|
|
|
CHECK_PACKET_LENGTH( 2);
|
|
|
|
/* Do remote port */
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, 2,
|
2000-04-13 11:11:38 +00:00
|
|
|
"%sPort: %d",
|
2000-04-12 22:53:16 +00:00
|
|
|
(compare_packet( hash_info->bind_reply_row) ?
|
|
|
|
"Remote Host " : ""),
|
|
|
|
pntohs( &pd[ offset]));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**************** Decoder State Machines ******************/
|
|
|
|
|
|
|
|
|
|
|
|
static guint state_machine_v4( socks_hash_entry_t *hash_info, const u_char *pd,
|
|
|
|
int offset, frame_data *fd) {
|
|
|
|
|
|
|
|
/* Decode V4 protocol. This is done on the first pass through the */
|
|
|
|
/* list. Based upon the current state, decode the packet and determine */
|
|
|
|
/* what the next state should be. If we had per packet information, */
|
|
|
|
/* this would be the place to load them up. */
|
|
|
|
|
|
|
|
if ( hash_info->state == None) { /* new connection */
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Connect to server request");
|
|
|
|
|
|
|
|
hash_info->state = Connecting; /* change state */
|
|
|
|
|
|
|
|
hash_info->command = GBYTE( pd, offset + 1);
|
|
|
|
/* get remote port */
|
|
|
|
if ( hash_info->command == CONNECT_COMMAND)
|
|
|
|
hash_info->port = pntohs( &pd[ offset + 2]);
|
|
|
|
/* get remote address */
|
|
|
|
hash_info->dst_addr = GWORD( pd, offset + 4);
|
|
|
|
|
|
|
|
/* save the packet pointer */
|
|
|
|
hash_info->connect_row = get_packet_ptr;
|
|
|
|
|
|
|
|
/* skip past this stuff */
|
|
|
|
hash_info->connect_offset = offset + 8;
|
|
|
|
|
|
|
|
offset += 8;
|
|
|
|
|
|
|
|
if ( offset == pi.len) /* if no user name */
|
|
|
|
/* change state */
|
|
|
|
hash_info->state = V4UserNameWait;
|
|
|
|
|
|
|
|
|
|
|
|
hash_info->connect_offset += strlen( &pd[ offset]) + 1;
|
|
|
|
|
|
|
|
if ( !hash_info->dst_addr){ /* if no dest address */
|
|
|
|
/* if more data */
|
|
|
|
if ( hash_info->connect_offset < pi.len ) {
|
|
|
|
/*$$$ copy remote name here ??? */
|
|
|
|
hash_info->state = Connecting;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
hash_info->state = V4NameWait;
|
|
|
|
}
|
|
|
|
/* waiting for V4 user name */
|
|
|
|
}else if ( hash_info->state == V4UserNameWait){
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Connect Request (User name)");
|
|
|
|
|
|
|
|
hash_info->v4_user_name_row = get_packet_ptr;
|
|
|
|
/*$$$ may need to check for domain name here */
|
|
|
|
hash_info->state = Connecting;
|
|
|
|
}
|
|
|
|
/* waiting for V4 domain name */
|
|
|
|
else if ( hash_info->state == V4NameWait){
|
|
|
|
|
|
|
|
hash_info->v4_name_row = get_packet_ptr;
|
|
|
|
hash_info->state = Connecting;
|
|
|
|
|
|
|
|
}
|
|
|
|
else if ( hash_info->state == Connecting){
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Connect Response");
|
|
|
|
|
|
|
|
/* save packet pointer */
|
|
|
|
hash_info->cmd_reply_row = get_packet_ptr;
|
|
|
|
hash_info->state = Done; /* change state */
|
|
|
|
offset = offset + 8;
|
|
|
|
}
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void state_machine_v5( socks_hash_entry_t *hash_info, const u_char *pd,
|
|
|
|
int offset, frame_data *fd) {
|
|
|
|
|
|
|
|
/* Decode V5 protocol. This is done on the first pass through the */
|
|
|
|
/* list. Based upon the current state, decode the packet and determine */
|
|
|
|
/* what the next state should be. If we had per packet information, */
|
|
|
|
/* this would be the place to load them up. */
|
|
|
|
|
|
|
|
|
|
|
|
int temp;
|
|
|
|
|
|
|
|
if ( hash_info->state == None) {
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Connect to server request");
|
|
|
|
|
|
|
|
hash_info->state = Connecting; /* change state */
|
|
|
|
hash_info->connect_row = get_packet_ptr;
|
|
|
|
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 1)){
|
2000-04-12 22:53:16 +00:00
|
|
|
hash_info->state = Done; /* change state */
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
temp = GBYTE( pd, offset + 1);
|
|
|
|
/* skip past auth methods */
|
|
|
|
offset = hash_info->connect_offset = offset + 1 + temp;
|
|
|
|
}
|
|
|
|
else if ( hash_info->state == Connecting){
|
|
|
|
|
|
|
|
guint AuthMethod = GBYTE( pd, offset + 1);
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Connect to server response");
|
|
|
|
|
|
|
|
hash_info->auth_method_row = get_packet_ptr;
|
|
|
|
|
|
|
|
if ( AuthMethod == NO_AUTHENTICATION)
|
|
|
|
hash_info->state = V5Command;
|
|
|
|
|
|
|
|
else if ( AuthMethod == USER_NAME_AUTHENTICATION)
|
|
|
|
hash_info->state = UserNameAuth;
|
|
|
|
|
|
|
|
else if ( AuthMethod == GSS_API_AUTHENTICATION)
|
|
|
|
/*$$$ should be this hash_info->state = GssApiAuth; */
|
|
|
|
hash_info->state = Done;
|
|
|
|
|
|
|
|
else hash_info->state = Done; /*Auth failed or error*/
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
else if ( hash_info->state == V5Command) { /* Handle V5 Command */
|
|
|
|
|
|
|
|
guint temp;
|
|
|
|
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 1)){
|
2000-04-12 22:53:16 +00:00
|
|
|
hash_info->state = Done; /* change state */
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
hash_info->command = GBYTE( pd, offset + 1); /* get command */
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_fstr(fd, COL_INFO, " Command Request - %s",
|
|
|
|
get_command_name(hash_info->command));
|
|
|
|
|
|
|
|
hash_info->state = V5Reply;
|
|
|
|
hash_info->command_row = get_packet_ptr;
|
|
|
|
|
|
|
|
offset += 3; /* skip to address type */
|
|
|
|
|
|
|
|
offset = get_address_v5( pd, offset, hash_info);
|
|
|
|
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 1)){
|
2000-04-12 22:53:16 +00:00
|
|
|
hash_info->state = Done;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
temp = GBYTE( pd, offset);
|
|
|
|
|
|
|
|
if (( hash_info->command == CONNECT_COMMAND) ||
|
|
|
|
( hash_info->command == UDP_ASSOCIATE_COMMAND))
|
|
|
|
/* get remote port */
|
|
|
|
hash_info->port = pntohs( &pd[ offset]);
|
|
|
|
}
|
|
|
|
|
|
|
|
else if ( hash_info->state == V5Reply) { /* V5 Command Reply */
|
|
|
|
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_fstr(fd, COL_INFO, " Command Response - %s",
|
|
|
|
get_command_name(hash_info->command));
|
|
|
|
|
|
|
|
hash_info->cmd_reply_row = get_packet_ptr;
|
|
|
|
|
|
|
|
if (( hash_info->command == CONNECT_COMMAND) ||
|
|
|
|
(hash_info->command == PING_COMMAND) ||
|
|
|
|
(hash_info->command == TRACERT_COMMAND))
|
|
|
|
hash_info->state = Done;
|
|
|
|
|
|
|
|
else if ( hash_info->command == BIND_COMMAND)
|
|
|
|
hash_info->state = V5BindReply;
|
|
|
|
|
|
|
|
else if ( hash_info->command == UDP_ASSOCIATE_COMMAND){
|
|
|
|
offset += 3; /* skip to address type */
|
|
|
|
offset = get_address_v5( pd, offset, hash_info);
|
|
|
|
|
|
|
|
/* save server udp port and create upd conversation */
|
2000-08-06 10:04:15 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, 2)){
|
2000-04-12 22:53:16 +00:00
|
|
|
hash_info->state = Done;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
hash_info->udp_port = pntohs( &pd[ offset]);
|
|
|
|
|
|
|
|
new_udp_conversation( hash_info);
|
|
|
|
|
|
|
|
/*$$ may need else statement to handle unknows and generate error message */
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if ( hash_info->state == V5BindReply) { /* V5 Bind Second Reply */
|
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " Command Response: Bind remote host info");
|
|
|
|
|
|
|
|
hash_info->bind_reply_row = get_packet_ptr;
|
|
|
|
hash_info->state = Done;
|
|
|
|
}
|
|
|
|
else if ( hash_info->state == UserNameAuth) { /* Handle V5 User Auth*/
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO,
|
|
|
|
" User authentication response");
|
|
|
|
|
|
|
|
hash_info->user_name_auth_row = get_packet_ptr;
|
|
|
|
hash_info->state = AuthReply;
|
|
|
|
|
|
|
|
}
|
|
|
|
else if ( hash_info->state == AuthReply){ /* V5 User Auth reply */
|
|
|
|
hash_info->cmd_reply_row = get_packet_ptr;
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, " User authentication reply");
|
|
|
|
hash_info->state = V5Command;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void display_ping_and_tracert( const u_char *pd, int offset,
|
|
|
|
frame_data *fd, proto_tree *tree, socks_hash_entry_t *hash_info) {
|
|
|
|
|
|
|
|
/* Display the ping/trace_route conversation */
|
|
|
|
|
|
|
|
|
|
|
|
const u_char *data, *dataend;
|
|
|
|
const u_char *lineend, *eol;
|
|
|
|
int linelen;
|
|
|
|
|
|
|
|
/* handle the end command */
|
|
|
|
if ( pi.destport == TCP_PORT_SOCKS){
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, ", Terminate Request");
|
|
|
|
|
|
|
|
if ( tree)
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, 1,
|
2000-04-12 22:53:16 +00:00
|
|
|
(hash_info->command == PING_COMMAND) ?
|
|
|
|
"Ping: End command" :
|
|
|
|
"Traceroute: End command");
|
|
|
|
}
|
|
|
|
else{ /* display the PING or Traceroute results */
|
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
col_append_str(fd, COL_INFO, ", Results");
|
|
|
|
|
|
|
|
if ( tree){
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text(tree, NullTVB, offset, END_OF_FRAME,
|
2000-04-12 22:53:16 +00:00
|
|
|
(hash_info->command == PING_COMMAND) ?
|
|
|
|
"Ping Results:" :
|
|
|
|
"Traceroute Results");
|
|
|
|
|
|
|
|
data = &pd[offset];
|
|
|
|
dataend = data + END_OF_FRAME;
|
|
|
|
|
|
|
|
while (data < dataend) {
|
|
|
|
|
|
|
|
lineend = find_line_end(data, dataend, &eol);
|
|
|
|
linelen = lineend - data;
|
|
|
|
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( tree, NullTVB, offset, linelen,
|
2000-04-12 22:53:16 +00:00
|
|
|
format_text(data, linelen));
|
|
|
|
offset += linelen;
|
|
|
|
data = lineend;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void call_next_dissector( const u_char *pd, int offset, frame_data *fd,
|
|
|
|
proto_tree *tree, socks_hash_entry_t *hash_info) {
|
|
|
|
|
|
|
|
/* Display the results for PING and TRACERT extensions or */
|
|
|
|
/* Call TCP dissector for the port that was passed during the */
|
|
|
|
/* connect process */
|
|
|
|
/* Load pointer to pi.XXXport depending upon the direction, change */
|
|
|
|
/* pi port to the remote port, call next dissecotr to decode the */
|
|
|
|
/* payload, and restore the pi port after that is done. */
|
|
|
|
|
|
|
|
guint32 *ptr;
|
Tvbuffify the IP, ICMP, TCP, UDP, OSI CLNP, OSI COTP, OSI CLTP, and OSI
ESIS dissectors.
Register the IP dissector and have dissectors that call it directly
(rather than through a port table) call it through a handle.
Add a routine "tvb_set_reported_length()" which a dissector can use if
it was handed a tvbuff that contains more data than is actually in its
part of the packet - for example, handing a padded Ethernet frame to IP;
the routine sets the reported length of the tvbuff (and also adjusts the
actual length, as appropriate). Then use it in IP.
Given that, "ethertype()" can determine how much of the Ethernet frame
was actually part of an IP datagram (and can do the same for other
protocols under Ethernet that use "tvb_set_reported_length()"; have it
return the actual length, and have "dissect_eth()" and "dissect_vlan()"
use that to mark trailer data in Ethernet II frames as well as in 802.3
frames.
svn path=/trunk/; revision=2658
2000-11-18 10:38:33 +00:00
|
|
|
tvbuff_t *tvb;
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
if (( hash_info->command == PING_COMMAND) ||
|
|
|
|
( hash_info->command == TRACERT_COMMAND))
|
|
|
|
|
|
|
|
display_ping_and_tracert( pd, offset, fd, tree, hash_info);
|
|
|
|
|
|
|
|
else { /* call the tcp port decoder to handle the payload */
|
|
|
|
|
|
|
|
/*$$$ may want to load dest address here */
|
|
|
|
|
|
|
|
if ( pi.destport == TCP_PORT_SOCKS)
|
|
|
|
ptr = &pi.destport;
|
|
|
|
else
|
|
|
|
ptr = &pi.srcport;
|
|
|
|
|
|
|
|
*ptr = hash_info->port;
|
Tvbuffify the IP, ICMP, TCP, UDP, OSI CLNP, OSI COTP, OSI CLTP, and OSI
ESIS dissectors.
Register the IP dissector and have dissectors that call it directly
(rather than through a port table) call it through a handle.
Add a routine "tvb_set_reported_length()" which a dissector can use if
it was handed a tvbuff that contains more data than is actually in its
part of the packet - for example, handing a padded Ethernet frame to IP;
the routine sets the reported length of the tvbuff (and also adjusts the
actual length, as appropriate). Then use it in IP.
Given that, "ethertype()" can determine how much of the Ethernet frame
was actually part of an IP datagram (and can do the same for other
protocols under Ethernet that use "tvb_set_reported_length()"; have it
return the actual length, and have "dissect_eth()" and "dissect_vlan()"
use that to mark trailer data in Ethernet II frames as well as in 802.3
frames.
svn path=/trunk/; revision=2658
2000-11-18 10:38:33 +00:00
|
|
|
tvb = tvb_create_from_top(0);
|
|
|
|
decode_tcp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
|
2000-04-12 22:53:16 +00:00
|
|
|
*ptr = TCP_PORT_SOCKS;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_socks(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
|
|
|
|
|
|
|
|
proto_tree *socks_tree;
|
|
|
|
proto_item *ti;
|
|
|
|
socks_hash_entry_t *hash_info;
|
|
|
|
conversation_t *conversation;
|
|
|
|
|
Add the "Edit:Protocols..." feature which currently only implements
the following:
It is now possible to enable/disable a particular protocol decoding
(i.e. the protocol dissector is void or not). When a protocol
is disabled, it is displayed as Data and of course, all linked
sub-protocols are disabled as well.
Disabling a protocol could be interesting:
- in case of buggy dissectors
- in case of wrong heuristics
- for performance reasons
- to decode the data as another protocol (TODO)
Currently (if I am not wrong), all dissectors but NFS can be disabled
(and dissectors that do not register protocols :-)
I do not like the way the RPC sub-dissectors are disabled (in the
sub-dissectors) since this could be done in the RPC dissector itself,
knowing the sub-protocol hfinfo entry (this is why, I've not modified
the NFS one yet).
Two functions are added in proto.c :
gboolean proto_is_protocol_enabled(int n);
void proto_set_decoding(int n, gboolean enabled);
and two MACROs which can be used in dissectors:
OLD_CHECK_DISPLAY_AS_DATA(index, pd, offset, fd, tree)
CHECK_DISPLAY_AS_DATA(index, tvb, pinfo, tree)
See also the XXX in proto_dlg.c and proto.c around the new functions.
svn path=/trunk/; revision=2267
2000-08-13 14:09:15 +00:00
|
|
|
OLD_CHECK_DISPLAY_AS_DATA(proto_socks, pd, offset, fd, tree);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
|
2000-10-21 05:52:28 +00:00
|
|
|
pi.srcport, pi.destport, 0);
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
if ( conversation) /* conversation found */
|
|
|
|
hash_info = conversation->data;
|
|
|
|
|
|
|
|
/* new conversation create local data structure */
|
|
|
|
else {
|
|
|
|
hash_info = g_mem_chunk_alloc(socks_vals);
|
|
|
|
hash_info->start_done_row = G_MAXINT;
|
|
|
|
hash_info->state = None;
|
|
|
|
hash_info->port = -1;
|
|
|
|
hash_info->version = GBYTE( pd, offset); /* get version*/
|
|
|
|
|
|
|
|
if (( hash_info->version != 4) && /* error test version */
|
|
|
|
( hash_info->version != 5))
|
|
|
|
hash_info->state = Done;
|
|
|
|
|
|
|
|
conversation_new( &pi.src, &pi.dst, pi.ptype,
|
2000-10-21 05:52:28 +00:00
|
|
|
pi.srcport, pi.destport, hash_info, 0);
|
2000-04-12 22:53:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* display summary window information */
|
|
|
|
|
|
|
|
if (check_col(fd, COL_PROTOCOL))
|
2000-11-19 08:54:37 +00:00
|
|
|
col_set_str(fd, COL_PROTOCOL, "Socks");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
if (check_col(fd, COL_INFO)){
|
|
|
|
if (( hash_info->version == 4) || ( hash_info->version == 5)){
|
|
|
|
col_add_fstr(fd, COL_INFO, "Version: %d",
|
|
|
|
hash_info->version);
|
|
|
|
}
|
|
|
|
else /* unknown version display error */
|
2000-11-19 08:54:37 +00:00
|
|
|
col_set_str(fd, COL_INFO, "Unknown");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
|
|
|
|
if ( hash_info->command == PING_COMMAND)
|
|
|
|
col_append_str(fd, COL_INFO, ", Ping Req");
|
|
|
|
if ( hash_info->command == TRACERT_COMMAND)
|
|
|
|
col_append_str(fd, COL_INFO, ", Traceroute Req");
|
|
|
|
|
|
|
|
if ( hash_info->port != -1)
|
|
|
|
col_append_fstr(fd, COL_INFO, ", Remote Port: %d",
|
|
|
|
hash_info->port);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* run state machine if needed */
|
|
|
|
|
2000-04-13 20:39:38 +00:00
|
|
|
if ((hash_info->state != Done) && ( !fd->flags.visited)){
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
if ( hash_info->version == 4)
|
|
|
|
state_machine_v4( hash_info, pd, offset, fd);
|
|
|
|
|
|
|
|
else if ( hash_info->version == 5)
|
|
|
|
state_machine_v5( hash_info, pd, offset, fd);
|
|
|
|
|
|
|
|
if (hash_info->state == Done) { /* if done now */
|
|
|
|
hash_info->start_done_row = fd->num;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* if proto tree, decode and display */
|
|
|
|
|
|
|
|
if (tree) {
|
2000-05-11 08:18:09 +00:00
|
|
|
ti = proto_tree_add_item( tree, proto_socks, NullTVB, offset,
|
2000-05-31 05:09:07 +00:00
|
|
|
END_OF_FRAME, FALSE );
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
socks_tree = proto_item_add_subtree(ti, ett_socks);
|
|
|
|
|
|
|
|
if ( hash_info->version == 4)
|
|
|
|
display_socks_v4( pd, offset, fd, tree, socks_tree,
|
|
|
|
hash_info);
|
|
|
|
|
|
|
|
else if ( hash_info->version == 5)
|
|
|
|
display_socks_v5( pd, offset, fd, tree, socks_tree,
|
|
|
|
hash_info);
|
|
|
|
|
|
|
|
/* if past startup, add the faked stuff */
|
|
|
|
if ( fd->num > hash_info->start_done_row){
|
|
|
|
/* add info to tree */
|
2000-05-11 08:18:09 +00:00
|
|
|
proto_tree_add_text( socks_tree, NullTVB, offset, 0,
|
2000-04-12 22:53:16 +00:00
|
|
|
"Command: %d (%s)", hash_info->command,
|
|
|
|
get_command_name(hash_info->command));
|
|
|
|
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, NullTVB,
|
2000-04-12 22:53:16 +00:00
|
|
|
offset, 0, hash_info->dst_addr);
|
|
|
|
|
|
|
|
/* no fake address for ping & traceroute */
|
|
|
|
|
|
|
|
if (( hash_info->command != PING_COMMAND) &&
|
|
|
|
( hash_info->command != TRACERT_COMMAND)){
|
2000-05-31 05:09:07 +00:00
|
|
|
proto_tree_add_uint( socks_tree, hf_socks_dstport, NullTVB,
|
2000-04-12 22:53:16 +00:00
|
|
|
offset, 0, hash_info->port);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* call next dissector if ready */
|
|
|
|
|
|
|
|
if ( fd->num > hash_info->start_done_row){
|
|
|
|
call_next_dissector( pd, offset, fd, tree, hash_info);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void socks_reinit( void){
|
|
|
|
|
|
|
|
/* Do the cleanup work when a new pass through the packet list is */
|
|
|
|
/* performed. Reset the highest row seen counter and re-initialize the */
|
|
|
|
/* conversation memory chunks. */
|
|
|
|
|
|
|
|
if (socks_vals)
|
|
|
|
g_mem_chunk_destroy(socks_vals);
|
|
|
|
|
|
|
|
socks_vals = g_mem_chunk_new("socks_vals", socks_hash_val_length,
|
|
|
|
socks_hash_init_count * socks_hash_val_length,
|
|
|
|
G_ALLOC_AND_FREE);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_register_socks( void){
|
|
|
|
|
|
|
|
/*** Prep the socks protocol, register it and a initialization routine */
|
|
|
|
/* to clear the hash stuff. */
|
|
|
|
|
|
|
|
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_socks,
|
|
|
|
&ett_socks_auth,
|
|
|
|
&ett_socks_name
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
|
|
|
|
|
|
|
{ &hf_socks_ver,
|
|
|
|
{ "Version", "socks.ver", FT_UINT8, BASE_NONE, NULL,
|
|
|
|
0x0, ""
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{ &hf_socks_ip_dst,
|
|
|
|
{ "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
|
|
|
|
0x0, ""
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{ &hf_socks_ip6_dst,
|
|
|
|
{ "Remote Address", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
|
|
|
|
0x0, ""
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
|
|
|
{ &hf_user_name,
|
|
|
|
{ "User Name", "socks.username", FT_STRING, BASE_NONE,
|
|
|
|
NULL, 0x0, ""
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{ &hf_socks_dstport,
|
|
|
|
{ "Remote Port", "socks.dstport", FT_UINT16,
|
|
|
|
BASE_DEC, NULL, 0x0, ""
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{ &hf_socks_command,
|
|
|
|
{ "Command", "socks.command", FT_UINT16,
|
|
|
|
BASE_DEC, NULL, 0x0, ""
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
proto_socks = proto_register_protocol (
|
2001-01-03 06:56:03 +00:00
|
|
|
"Socks Protocol", "Socks", "socks");
|
2000-04-12 22:53:16 +00:00
|
|
|
|
|
|
|
proto_register_field_array(proto_socks, hf, array_length(hf));
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
|
|
|
|
register_init_routine( &socks_reinit); /* register re-init routine */
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_reg_handoff_socks(void) {
|
|
|
|
|
|
|
|
/* dissector install routine */
|
|
|
|
|
Allow either old-style (pre-tvbuff) or new-style (tvbuffified)
dissectors to be registered as dissectors for particular ports,
registered as heuristic dissectors, and registered as dissectors for
conversations, and have routines to be used both by old-style and
new-style dissectors to call registered dissectors.
Have the code that calls those dissectors translate the arguments as
necessary. (For conversation dissectors, replace
"find_conversation_dissector()", which just returns a pointer to the
dissector, with "old_try_conversation_dissector()" and
"try_conversation_dissector()", which actually call the dissector, so
that there's a single place at which we can do that translation. Also
make "dissector_lookup()" static and, instead of calling it and, if it
returns a non-null pointer, calling that dissector, just use
"old_dissector_try_port()" or "dissector_try_port()", for the same
reason.)
This allows some dissectors that took old-style arguments and
immediately translated them to new-style arguments to just take
new-style arguments; make them do so. It also allows some new-style
dissectors not to have to translate arguments before calling routines to
look up and call dissectors; make them not do so.
Get rid of checks for too-short frames in new-style dissectors - the
tvbuff code does those checks for you.
Give the routines to register old-style dissectors, and to call
dissectors from old-style dissectors, names beginning with "old_", with
the routines for new-style dissectors not having the "old_". Update the
dissectors that use those routines appropriately.
Rename "dissect_data()" to "old_dissect_data()", and
"dissect_data_tvb()" to "dissect_data()".
svn path=/trunk/; revision=2218
2000-08-07 03:21:25 +00:00
|
|
|
old_dissector_add("tcp.port", TCP_PORT_SOCKS, dissect_socks);
|
2000-04-12 22:53:16 +00:00
|
|
|
}
|