Preparation Host Flows: Tap Sequence Analysis

The tap_sequence_analysis was adapted to store the protocol of each
frame. Therefore a new variable was introduced. In case of an ICMP or
ICMPv6 packet, the ICMP message type and code is retrieved. The adapted
ICMP and ICMPv6 dissector stores both values in packet info (see [1]).

In case of ICMP and ICMPv6 packets, the source and destination port is
not set or 0, respectively. Compared to that, the NetFlow service export
protocol [2] codes the ICMP message type and code into the port numbers.
The source port is zero while the destination is defined as: destination
port = ICMP type * 256 + ICMP code. This definition was implemented for
the ICMP and ICMPv6 packets.

References
[1] https://code.wireshark.org/review/10097
[2] http://www.ietf.org/rfc/rfc3954.txt

Change-Id: I07518e360975682a3f45e80cb24f82f58cfb15f0
Reviewed-on: https://code.wireshark.org/review/10098
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

ui/tap-sequence-analysis.c

@@ -82,6 +82,8 @@ seq_analysis_frame_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U
         gchar *protocol = NULL;
         gchar *colinfo = NULL;
         seq_analysis_item_t *sai = NULL;
+        gchar **strings = NULL;
+        gchar **stringsPart = NULL;
 
         if (sainfo->any_addr) {
             if (pinfo->net_src.type!=AT_NONE && pinfo->net_dst.type!=AT_NONE) {
@@ -104,6 +106,7 @@ seq_analysis_frame_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U
 
         sai->port_src=pinfo->srcport;
         sai->port_dst=pinfo->destport;
+        sai->protocol = g_strdup(port_type_to_str(pinfo->ptype));
 
         if(pinfo->cinfo) {
             if (pinfo->cinfo->col_first[COL_INFO]>=0){
@@ -133,6 +136,25 @@ seq_analysis_frame_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U
             if (protocol != NULL) {
                 sai->frame_label = g_strdup(colinfo);
                 sai->comment = g_strdup_printf("%s: %s", protocol, colinfo);
+                if ((!sai->port_src && !sai->port_dst) || strcmp(protocol, g_strdup("ICMP")) == 0 || strcmp(protocol, g_strdup("ICMPv6")) == 0) {
+                    guint32 type = 0;
+                    guint32 code = 0;
+                    sai->protocol = g_strdup(g_strdup_printf("%s", protocol));
+                    strings = g_strsplit(colinfo,", ", -1);
+                    for (i = 0; strings[i] != NULL; i++) {
+                        if (g_str_has_prefix(strings[i], "Type=") == TRUE) {
+                            stringsPart = g_strsplit(strings[i], "=", -1);
+                            type = (guint32)g_ascii_strtoull(stringsPart[1], NULL, 10);
+                        }
+                        if (g_str_has_prefix(strings[i], "Code=") == TRUE) {
+                            stringsPart = g_strsplit(strings[i], "=", -1);
+                            code = (guint32)g_ascii_strtoull(stringsPart[1], NULL, 10);
+                        }
+                    }
+                    sai->port_src = 0;
+                    sai->port_dst = type * 256 + code;
+
+                }
             } else {
                 sai->frame_label = g_strdup(colinfo);
                 sai->comment = g_strdup(colinfo);
@@ -147,6 +169,8 @@ seq_analysis_frame_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U
 
         g_free(protocol);
         g_free(colinfo);
+        g_free(strings);
+        g_free(stringsPart);
 
         sai->line_style=1;
         sai->conv_num=0;
@@ -186,6 +210,7 @@ seq_analysis_tcp_packet( void *ptr _U_, packet_info *pinfo, epan_dissect_t *edt
         }
         sai->port_src=pinfo->srcport;
         sai->port_dst=pinfo->destport;
+        sai->protocol=g_strdup(port_type_to_str(pinfo->ptype));
 
         flags[0] = '\0';
         for (i = 0; i < 8; i++) {
@@ -273,6 +298,7 @@ static void sequence_analysis_item_free(gpointer data)
     g_free(seq_item->frame_label);
     g_free(seq_item->time_str);
     g_free(seq_item->comment);
+    g_free(seq_item->protocol);
     g_free((void *)seq_item->src_addr.data);
     g_free((void *)seq_item->dst_addr.data);
     g_free(data);

ui/tap-sequence-analysis.h

@@ -63,6 +63,7 @@ typedef struct _seq_analysis_item {
     guint src_node;                     /**< this is used by graph_analysis.c to identify the node */
     guint dst_node;                     /**< a node is an IP address that will be displayed in columns */
     guint16 line_style;                 /**< the arrow line width in pixels*/
+    gchar *protocol;                    /**< the label of the protocol defined in the IP packet */
 } seq_analysis_item_t;
 
 /** defines the graph analysis structure */