forked from osmocom/wireshark
89de832c93
svn path=/trunk/; revision=11801
1796 lines
48 KiB
C
1796 lines
48 KiB
C
/* packet-http.c
|
|
* Routines for HTTP packet disassembly
|
|
* RFC 1945 (HTTP/1.0)
|
|
* RFC 2616 (HTTP/1.1)
|
|
*
|
|
* Guy Harris <guy@alum.mit.edu>
|
|
*
|
|
* Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
|
|
* Copyright 2002, Tim Potter <tpot@samba.org>
|
|
* Copyright 1999, Andrew Tridgell <tridge@samba.org>
|
|
*
|
|
* $Id$
|
|
*
|
|
* Ethereal - Network traffic analyzer
|
|
* By Gerald Combs <gerald@ethereal.com>
|
|
* Copyright 1998 Gerald Combs
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version 2
|
|
* of the License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <string.h>
|
|
#include <ctype.h>
|
|
|
|
#include <glib.h>
|
|
#include <epan/packet.h>
|
|
#include <epan/strutil.h>
|
|
|
|
#include "util.h"
|
|
#include "req_resp_hdrs.h"
|
|
#include "packet-http.h"
|
|
#include "prefs.h"
|
|
|
|
typedef enum _http_type {
|
|
HTTP_REQUEST,
|
|
HTTP_RESPONSE,
|
|
HTTP_NOTIFICATION,
|
|
HTTP_OTHERS
|
|
} http_type_t;
|
|
|
|
#include "tap.h"
|
|
|
|
static int http_tap = -1;
|
|
|
|
static int proto_http = -1;
|
|
static int hf_http_notification = -1;
|
|
static int hf_http_response = -1;
|
|
static int hf_http_request = -1;
|
|
static int hf_http_basic = -1;
|
|
static int hf_http_request_method = -1;
|
|
static int hf_http_response_code = -1;
|
|
static int hf_http_authorization = -1;
|
|
static int hf_http_proxy_authenticate = -1;
|
|
static int hf_http_proxy_authorization = -1;
|
|
static int hf_http_www_authenticate = -1;
|
|
static int hf_http_content_type = -1;
|
|
static int hf_http_content_length = -1;
|
|
static int hf_http_content_encoding = -1;
|
|
static int hf_http_transfer_encoding = -1;
|
|
|
|
static gint ett_http = -1;
|
|
static gint ett_http_ntlmssp = -1;
|
|
static gint ett_http_request = -1;
|
|
static gint ett_http_chunked_response = -1;
|
|
static gint ett_http_chunk_data = -1;
|
|
static gint ett_http_encoded_entity = -1;
|
|
|
|
static dissector_handle_t data_handle;
|
|
static dissector_handle_t media_handle;
|
|
static dissector_handle_t http_handle;
|
|
|
|
/*
|
|
* desegmentation of HTTP headers
|
|
* (when we are over TCP or another protocol providing the desegmentation API)
|
|
*/
|
|
static gboolean http_desegment_headers = FALSE;
|
|
|
|
/*
|
|
* desegmentation of HTTP bodies
|
|
* (when we are over TCP or another protocol providing the desegmentation API)
|
|
* TODO let the user filter on content-type the bodies he wants desegmented
|
|
*/
|
|
static gboolean http_desegment_body = FALSE;
|
|
|
|
/*
|
|
* De-chunking of content-encoding: chunk entity bodies.
|
|
*/
|
|
static gboolean http_dechunk_body = TRUE;
|
|
|
|
/*
|
|
* Decompression of zlib encoded entities.
|
|
*/
|
|
#ifdef HAVE_LIBZ
|
|
static gboolean http_decompress_body = TRUE;
|
|
#else
|
|
static gboolean http_decompress_body = FALSE;
|
|
#endif
|
|
|
|
|
|
#define TCP_PORT_HTTP 80
|
|
#define TCP_PORT_PROXY_HTTP 3128
|
|
#define TCP_PORT_PROXY_ADMIN_HTTP 3132
|
|
#define TCP_ALT_PORT_HTTP 8080
|
|
#define TCP_PORT_HKP 11371
|
|
#define TCP_PORT_DAAP 3689
|
|
/*
|
|
* SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
|
|
*/
|
|
#define TCP_PORT_SSDP 1900
|
|
#define UDP_PORT_SSDP 1900
|
|
|
|
/*
|
|
* Protocols implemented atop HTTP.
|
|
*/
|
|
typedef enum {
|
|
PROTO_HTTP, /* just HTTP */
|
|
PROTO_SSDP, /* Simple Service Discovery Protocol */
|
|
PROTO_DAAP /* Digital Audio Access Protocol */
|
|
} http_proto_t;
|
|
|
|
typedef void (*RequestDissector)(tvbuff_t*, proto_tree*, int);
|
|
|
|
/*
|
|
* Structure holding information from headers needed by main
|
|
* HTTP dissector code.
|
|
*/
|
|
typedef struct {
|
|
char *content_type;
|
|
char *content_type_parameters;
|
|
long content_length; /* XXX - make it 64-bit? */
|
|
char *content_encoding;
|
|
char *transfer_encoding;
|
|
} headers_t;
|
|
|
|
static int is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
|
|
RequestDissector *req_dissector, int *req_strlen);
|
|
static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
|
|
proto_tree *tree, int offset);
|
|
static void process_header(tvbuff_t *tvb, int offset, int next_offset,
|
|
const guchar *line, int linelen, int colon_offset, packet_info *pinfo,
|
|
proto_tree *tree, headers_t *eh_ptr);
|
|
static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
|
|
static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
|
|
packet_info *pinfo, gchar *value);
|
|
static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
|
|
gchar *value);
|
|
|
|
static dissector_table_t port_subdissector_table;
|
|
static dissector_table_t media_type_subdissector_table;
|
|
static heur_dissector_list_t heur_subdissector_list;
|
|
|
|
static dissector_handle_t ntlmssp_handle=NULL;
|
|
|
|
|
|
/* Return a tvb that contains the binary representation of a base64
|
|
string */
|
|
|
|
static tvbuff_t *
|
|
base64_to_tvb(const char *base64)
|
|
{
|
|
tvbuff_t *tvb;
|
|
char *data = g_strdup(base64);
|
|
size_t len;
|
|
|
|
len = epan_base64_decode(data);
|
|
tvb = tvb_new_real_data((const guint8 *)data, len, len);
|
|
|
|
tvb_set_free_cb(tvb, g_free);
|
|
|
|
return tvb;
|
|
}
|
|
|
|
static void
|
|
dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|
const char *line)
|
|
{
|
|
tvbuff_t *ntlmssp_tvb;
|
|
|
|
ntlmssp_tvb = base64_to_tvb(line);
|
|
tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb);
|
|
add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data");
|
|
|
|
call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
|
|
}
|
|
|
|
static void
|
|
cleanup_headers(void *arg)
|
|
{
|
|
headers_t *headers = arg;
|
|
|
|
if (headers->content_type != NULL)
|
|
g_free(headers->content_type);
|
|
/*
|
|
* The content_type_parameters field actually points into the
|
|
* content_type headers, so don't free it, as that'll double-free
|
|
* some memory.
|
|
*/
|
|
if (headers->content_encoding != NULL)
|
|
g_free(headers->content_encoding);
|
|
if (headers->transfer_encoding != NULL)
|
|
g_free(headers->transfer_encoding);
|
|
}
|
|
|
|
/*
|
|
* TODO: remove this ugly global variable.
|
|
*
|
|
* XXX - we leak "http_info_value_t" structures.
|
|
* XXX - this gets overwritten if there's more than one HTTP request or
|
|
* reply in the tvbuff.
|
|
*/
|
|
static http_info_value_t *stat_info;
|
|
|
|
static int
|
|
dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|
proto_tree *tree)
|
|
{
|
|
http_proto_t proto;
|
|
char *proto_tag;
|
|
proto_tree *http_tree = NULL;
|
|
proto_item *ti = NULL;
|
|
const guchar *line;
|
|
gint next_offset;
|
|
const guchar *linep, *lineend;
|
|
int orig_offset;
|
|
int first_linelen, linelen;
|
|
gboolean is_request_or_reply;
|
|
gboolean saw_req_resp_or_header;
|
|
guchar c;
|
|
http_type_t http_type;
|
|
proto_item *hdr_item;
|
|
RequestDissector req_dissector;
|
|
int req_strlen;
|
|
proto_tree *req_tree;
|
|
int colon_offset;
|
|
headers_t headers;
|
|
int datalen;
|
|
int reported_datalen;
|
|
dissector_handle_t handle;
|
|
gboolean dissected;
|
|
|
|
/*
|
|
* Is this a request or response?
|
|
*
|
|
* Note that "tvb_find_line_end()" will return a value that
|
|
* is not longer than what's in the buffer, so the
|
|
* "tvb_get_ptr()" call won't throw an exception.
|
|
*/
|
|
first_linelen = tvb_find_line_end(tvb, offset,
|
|
tvb_ensure_length_remaining(tvb, offset), &next_offset,
|
|
FALSE);
|
|
/*
|
|
* Is the first line a request or response?
|
|
*/
|
|
line = tvb_get_ptr(tvb, offset, first_linelen);
|
|
http_type = HTTP_OTHERS; /* type not known yet */
|
|
is_request_or_reply = is_http_request_or_reply((const gchar *)line,
|
|
first_linelen, &http_type, NULL, NULL);
|
|
if (is_request_or_reply) {
|
|
/*
|
|
* Yes, it's a request or response.
|
|
* Do header desegmentation if we've been told to,
|
|
* and do body desegmentation if we've been told to and
|
|
* we find a Content-Length header.
|
|
*/
|
|
if (!req_resp_hdrs_do_reassembly(tvb, pinfo,
|
|
http_desegment_headers, http_desegment_body)) {
|
|
/*
|
|
* More data needed for desegmentation.
|
|
*/
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
stat_info = g_malloc(sizeof(http_info_value_t));
|
|
stat_info->response_code = 0;
|
|
stat_info->request_method = NULL;
|
|
|
|
switch (pinfo->match_port) {
|
|
|
|
case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
|
|
proto = PROTO_SSDP;
|
|
proto_tag = "SSDP";
|
|
break;
|
|
|
|
case TCP_PORT_DAAP:
|
|
proto = PROTO_DAAP;
|
|
proto_tag = "DAAP";
|
|
break;
|
|
|
|
default:
|
|
proto = PROTO_HTTP;
|
|
proto_tag = "HTTP";
|
|
break;
|
|
}
|
|
|
|
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
|
|
if (check_col(pinfo->cinfo, COL_INFO)) {
|
|
/*
|
|
* Put the first line from the buffer into the summary
|
|
* if it's an HTTP request or reply (but leave out the
|
|
* line terminator).
|
|
* Otherwise, just call it a continuation.
|
|
*
|
|
* Note that "tvb_find_line_end()" will return a value that
|
|
* is not longer than what's in the buffer, so the
|
|
* "tvb_get_ptr()" call won't throw an exception.
|
|
*/
|
|
line = tvb_get_ptr(tvb, offset, first_linelen);
|
|
if (is_request_or_reply)
|
|
col_add_str(pinfo->cinfo, COL_INFO,
|
|
format_text(line, first_linelen));
|
|
else
|
|
col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
|
|
}
|
|
|
|
orig_offset = offset;
|
|
if (tree) {
|
|
ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
|
|
FALSE);
|
|
http_tree = proto_item_add_subtree(ti, ett_http);
|
|
}
|
|
|
|
/*
|
|
* Process the packet data, a line at a time.
|
|
*/
|
|
http_type = HTTP_OTHERS; /* type not known yet */
|
|
headers.content_type = NULL; /* content type not known yet */
|
|
headers.content_type_parameters = NULL; /* content type parameters too */
|
|
headers.content_length = -1; /* content length not known yet */
|
|
headers.content_encoding = NULL; /* content encoding not known yet */
|
|
headers.transfer_encoding = NULL; /* transfer encoding not known yet */
|
|
saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
|
|
CLEANUP_PUSH(cleanup_headers, &headers);
|
|
while (tvb_reported_length_remaining(tvb, offset) != 0) {
|
|
/*
|
|
* Find the end of the line.
|
|
*/
|
|
linelen = tvb_find_line_end(tvb, offset,
|
|
tvb_ensure_length_remaining(tvb, offset), &next_offset,
|
|
FALSE);
|
|
if (linelen < 0)
|
|
return -1;
|
|
|
|
/*
|
|
* Get a buffer that refers to the line.
|
|
*/
|
|
line = tvb_get_ptr(tvb, offset, linelen);
|
|
lineend = line + linelen;
|
|
colon_offset = -1;
|
|
|
|
/*
|
|
* OK, does it look like an HTTP request or response?
|
|
*/
|
|
req_dissector = NULL;
|
|
is_request_or_reply = is_http_request_or_reply((const gchar *)line,
|
|
linelen, &http_type, &req_dissector, &req_strlen);
|
|
if (is_request_or_reply)
|
|
goto is_http;
|
|
|
|
/*
|
|
* No. Does it look like a blank line (as would appear
|
|
* at the end of an HTTP request)?
|
|
*/
|
|
if (linelen == 0)
|
|
goto is_http; /* Yes. */
|
|
|
|
/*
|
|
* No. Does it look like a header?
|
|
*/
|
|
linep = line;
|
|
colon_offset = offset;
|
|
while (linep < lineend) {
|
|
c = *linep++;
|
|
|
|
/*
|
|
* This must be a CHAR to be part of a token; that
|
|
* means it must be ASCII.
|
|
*/
|
|
if (!isascii(c))
|
|
break; /* not ASCII, thus not a CHAR */
|
|
|
|
/*
|
|
* This mustn't be a CTL to be part of a token.
|
|
*
|
|
* XXX - what about leading LWS on continuation
|
|
* lines of a header?
|
|
*/
|
|
if (iscntrl(c))
|
|
break; /* CTL, not part of a header */
|
|
|
|
/*
|
|
* This mustn't be a SEP to be part of a token;
|
|
* a ':' ends the token, everything else is an
|
|
* indication that this isn't a header.
|
|
*/
|
|
switch (c) {
|
|
|
|
case '(':
|
|
case ')':
|
|
case '<':
|
|
case '>':
|
|
case '@':
|
|
case ',':
|
|
case ';':
|
|
case '\\':
|
|
case '"':
|
|
case '/':
|
|
case '[':
|
|
case ']':
|
|
case '?':
|
|
case '=':
|
|
case '{':
|
|
case '}':
|
|
case ' ':
|
|
/*
|
|
* It's a separator, so it's not part of a
|
|
* token, so it's not a field name for the
|
|
* beginning of a header.
|
|
*
|
|
* (We don't have to check for HT; that's
|
|
* already been ruled out by "iscntrl()".)
|
|
*/
|
|
goto not_http;
|
|
|
|
case ':':
|
|
/*
|
|
* This ends the token; we consider this
|
|
* to be a header.
|
|
*/
|
|
goto is_http;
|
|
|
|
default:
|
|
colon_offset++;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* We haven't seen the colon, but everything else looks
|
|
* OK for a header line.
|
|
*
|
|
* If we've already seen an HTTP request or response
|
|
* line, or a header line, and we're at the end of
|
|
* the tvbuff, we assume this is an incomplete header
|
|
* line. (We quit this loop after seeing a blank line,
|
|
* so if we've seen a request or response line, or a
|
|
* header line, this is probably more of the request
|
|
* or response we're presumably seeing. There is some
|
|
* risk of false positives, but the same applies for
|
|
* full request or response lines or header lines,
|
|
* although that's less likely.)
|
|
*
|
|
* We throw an exception in that case, by checking for
|
|
* the existence of the next byte after the last one
|
|
* in the line. If it exists, "tvb_ensure_bytes_exist()"
|
|
* throws no exception, and we fall through to the
|
|
* "not HTTP" case. If it doesn't exist,
|
|
* "tvb_ensure_bytes_exist()" will throw the appropriate
|
|
* exception.
|
|
*/
|
|
if (saw_req_resp_or_header)
|
|
tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
|
|
|
|
not_http:
|
|
/*
|
|
* We don't consider this part of an HTTP request or
|
|
* reply, so we don't display it.
|
|
* (Yeah, that means we don't display, say, a text/http
|
|
* page, but you can get that from the data pane.)
|
|
*/
|
|
break;
|
|
|
|
is_http:
|
|
/*
|
|
* Process this line.
|
|
*/
|
|
if (linelen == 0) {
|
|
/*
|
|
* This is a blank line, which means that
|
|
* whatever follows it isn't part of this
|
|
* request or reply.
|
|
*/
|
|
proto_tree_add_text(http_tree, tvb, offset,
|
|
next_offset - offset, "%s",
|
|
tvb_format_text(tvb, offset, next_offset - offset));
|
|
offset = next_offset;
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Not a blank line - either a request, a reply, or a header
|
|
* line.
|
|
*/
|
|
saw_req_resp_or_header = TRUE;
|
|
if (is_request_or_reply) {
|
|
if (tree) {
|
|
hdr_item = proto_tree_add_text(http_tree, tvb,
|
|
offset, next_offset - offset, "%s",
|
|
tvb_format_text(tvb, offset,
|
|
next_offset - offset));
|
|
if (req_dissector) {
|
|
req_tree = proto_item_add_subtree(
|
|
hdr_item, ett_http_request);
|
|
req_dissector(tvb, req_tree,
|
|
req_strlen);
|
|
}
|
|
}
|
|
} else {
|
|
/*
|
|
* Header.
|
|
*/
|
|
process_header(tvb, offset, next_offset, line, linelen,
|
|
colon_offset, pinfo, http_tree, &headers);
|
|
}
|
|
offset = next_offset;
|
|
}
|
|
|
|
if (tree) {
|
|
switch (http_type) {
|
|
|
|
case HTTP_NOTIFICATION:
|
|
proto_tree_add_boolean_hidden(http_tree,
|
|
hf_http_notification, tvb, 0, 0, 1);
|
|
break;
|
|
|
|
case HTTP_RESPONSE:
|
|
proto_tree_add_boolean_hidden(http_tree,
|
|
hf_http_response, tvb, 0, 0, 1);
|
|
break;
|
|
|
|
case HTTP_REQUEST:
|
|
proto_tree_add_boolean_hidden(http_tree,
|
|
hf_http_request, tvb, 0, 0, 1);
|
|
break;
|
|
|
|
case HTTP_OTHERS:
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If a content length was supplied, the amount of data to be
|
|
* processed as HTTP payload is the minimum of the content
|
|
* length and the amount of data remaining in the frame.
|
|
*
|
|
* If no content length was supplied (or if a bad content length
|
|
* was supplied), the amount of data to be processed is the amount
|
|
* of data remaining in the frame.
|
|
*
|
|
* If there was no Content-Length entity header, we should
|
|
* accumulate all data until the end of the connection.
|
|
* That'd require that the TCP dissector call subdissectors
|
|
* for all frames with FIN, even if they contain no data,
|
|
* which would require subdissectors to deal intelligently
|
|
* with empty segments.
|
|
*
|
|
* Acccording to RFC 2616, however, 1xx responses, 204 responses,
|
|
* and 304 responses MUST NOT include a message body; if no
|
|
* content length is specified for them, we don't attempt to
|
|
* dissect the body.
|
|
*
|
|
* XXX - it says the same about responses to HEAD requests;
|
|
* unless there's a way to determine from the response
|
|
* whether it's a response to a HEAD request, we have to
|
|
* keep information about the request and associate that with
|
|
* the response in order to handle that.
|
|
*/
|
|
datalen = tvb_length_remaining(tvb, offset);
|
|
if (headers.content_length != -1) {
|
|
if (datalen > headers.content_length)
|
|
datalen = headers.content_length;
|
|
|
|
/*
|
|
* XXX - limit the reported length in the tvbuff we'll
|
|
* hand to a subdissector to be no greater than the
|
|
* content length.
|
|
*
|
|
* We really need both unreassembled and "how long it'd
|
|
* be if it were reassembled" lengths for tvbuffs, so
|
|
* that we throw the appropriate exceptions for
|
|
* "not enough data captured" (running past the length),
|
|
* "packet needed reassembly" (within the length but
|
|
* running past the unreassembled length), and
|
|
* "packet is malformed" (running past the reassembled
|
|
* length).
|
|
*/
|
|
reported_datalen = tvb_reported_length_remaining(tvb, offset);
|
|
if (reported_datalen > headers.content_length)
|
|
reported_datalen = headers.content_length;
|
|
} else {
|
|
if ((stat_info->response_code/100) == 1 ||
|
|
stat_info->response_code == 204 ||
|
|
stat_info->response_code == 304)
|
|
datalen = 0; /* no content! */
|
|
else
|
|
reported_datalen = -1;
|
|
}
|
|
|
|
if (datalen > 0) {
|
|
/*
|
|
* There's stuff left over; process it.
|
|
*/
|
|
tvbuff_t *next_tvb;
|
|
void *save_private_data = NULL;
|
|
gint chunks_decoded = 0;
|
|
|
|
/*
|
|
* Create a tvbuff for the payload.
|
|
*
|
|
* The amount of data to be processed that's
|
|
* available in the tvbuff is "datalen", which
|
|
* is the minimum of the amount of data left in
|
|
* the tvbuff and any specified content length.
|
|
*
|
|
* The amount of data to be processed that's in
|
|
* this frame, regardless of whether it was
|
|
* captured or not, is "reported_datalen",
|
|
* which, if no content length was specified,
|
|
* is -1, i.e. "to the end of the frame.
|
|
*/
|
|
next_tvb = tvb_new_subset(tvb, offset, datalen,
|
|
reported_datalen);
|
|
/*
|
|
* BEWARE - next_tvb is a subset of another tvb,
|
|
* so we MUST NOT attempt tvb_free(next_tvb);
|
|
*/
|
|
|
|
/*
|
|
* Handle *transfer* encodings other than "identity".
|
|
*/
|
|
if (headers.transfer_encoding != NULL &&
|
|
strcasecmp(headers.transfer_encoding, "identity") != 0) {
|
|
if (http_dechunk_body &&
|
|
(strcasecmp(headers.transfer_encoding, "chunked")
|
|
== 0)) {
|
|
|
|
chunks_decoded = chunked_encoding_dissector(
|
|
&next_tvb, pinfo, http_tree, 0);
|
|
|
|
if (chunks_decoded <= 0) {
|
|
/*
|
|
* The chunks weren't reassembled,
|
|
* or there was a single zero
|
|
* length chunk.
|
|
*/
|
|
goto body_dissected;
|
|
} else {
|
|
/*
|
|
* Add a new data source for the
|
|
* de-chunked data.
|
|
*/
|
|
tvb_set_child_real_data_tvbuff(tvb,
|
|
next_tvb);
|
|
add_new_data_source(pinfo, next_tvb,
|
|
"De-chunked entity body");
|
|
}
|
|
} else {
|
|
/*
|
|
* We currently can't handle, for example,
|
|
* "gzip", "compress", or "deflate" as
|
|
* *transfer* encodings; just handle them
|
|
* as data for now.
|
|
*/
|
|
call_dissector(data_handle, next_tvb, pinfo,
|
|
http_tree);
|
|
goto body_dissected;
|
|
}
|
|
}
|
|
/*
|
|
* At this point, any chunked *transfer* coding has been removed
|
|
* (the entity body has been dechunked) so it can be presented
|
|
* for the following operation (*content* encoding), or it has
|
|
* been been handed off to the data dissector.
|
|
*
|
|
* Handle *content* encodings other than "identity" (which
|
|
* shouldn't appear in a Content-Encoding header, but
|
|
* we handle it in any case).
|
|
*/
|
|
if (headers.content_encoding != NULL &&
|
|
strcasecmp(headers.content_encoding, "identity") != 0) {
|
|
/*
|
|
* We currently can't handle, for example, "compress";
|
|
* just handle them as data for now.
|
|
*
|
|
* After July 7, 2004 the LZW patent expires, so support
|
|
* might be added then. However, I don't think that
|
|
* anybody ever really implemented "compress", due to
|
|
* the aforementioned patent.
|
|
*/
|
|
tvbuff_t *uncomp_tvb = NULL;
|
|
proto_item *e_ti = NULL;
|
|
proto_tree *e_tree = NULL;
|
|
|
|
if (http_decompress_body &&
|
|
(strcasecmp(headers.content_encoding, "gzip") == 0 ||
|
|
strcasecmp(headers.content_encoding, "deflate")
|
|
== 0)) {
|
|
|
|
uncomp_tvb = tvb_uncompress(next_tvb, 0,
|
|
tvb_length(next_tvb));
|
|
}
|
|
|
|
/*
|
|
* Add the encoded entity to the protocol tree
|
|
*/
|
|
e_ti = proto_tree_add_text(http_tree, next_tvb,
|
|
0, tvb_length(next_tvb),
|
|
"Content-encoded entity body (%s)",
|
|
headers.content_encoding);
|
|
e_tree = proto_item_add_subtree(e_ti,
|
|
ett_http_encoded_entity);
|
|
|
|
if (uncomp_tvb != NULL) {
|
|
/*
|
|
* Decompression worked
|
|
*/
|
|
|
|
/* XXX - Don't free this, since it's possible
|
|
* that the data was only partially
|
|
* decompressed, such as when desegmentation
|
|
* isn't enabled.
|
|
*
|
|
tvb_free(next_tvb);
|
|
*/
|
|
next_tvb = uncomp_tvb;
|
|
tvb_set_child_real_data_tvbuff(tvb, next_tvb);
|
|
add_new_data_source(pinfo, next_tvb,
|
|
"Uncompressed entity body");
|
|
} else {
|
|
if (chunks_decoded > 1) {
|
|
tvb_set_child_real_data_tvbuff(tvb,
|
|
next_tvb);
|
|
add_new_data_source(pinfo, next_tvb,
|
|
"Compressed entity body");
|
|
}
|
|
call_dissector(data_handle, next_tvb, pinfo,
|
|
e_tree);
|
|
|
|
goto body_dissected;
|
|
}
|
|
}
|
|
/*
|
|
* Note that a new data source is added for the entity body
|
|
* only if it was content-encoded and/or transfer-encoded.
|
|
*/
|
|
|
|
/*
|
|
* Do subdissector checks.
|
|
*
|
|
* First, check whether some subdissector asked that they
|
|
* be called if something was on some particular port.
|
|
*/
|
|
handle = dissector_get_port_handle(port_subdissector_table,
|
|
pinfo->match_port);
|
|
if (handle == NULL && headers.content_type != NULL) {
|
|
/*
|
|
* We didn't find any subdissector that
|
|
* registered for the port, and we have a
|
|
* Content-Type value. Is there any subdissector
|
|
* for that content type?
|
|
*/
|
|
save_private_data = pinfo->private_data;
|
|
/*
|
|
* XXX - this won't get freed if the subdissector
|
|
* throws an exception. Do we really need to
|
|
* strdup it?
|
|
*/
|
|
if (headers.content_type_parameters)
|
|
pinfo->private_data = g_strdup(headers.content_type_parameters);
|
|
else
|
|
pinfo->private_data = NULL;
|
|
/*
|
|
* Calling the string handle for the media type
|
|
* dissector table will set pinfo->match_string
|
|
* to headers.content_type for us.
|
|
*/
|
|
pinfo->match_string = headers.content_type;
|
|
handle = dissector_get_string_handle(
|
|
media_type_subdissector_table,
|
|
headers.content_type);
|
|
/*
|
|
* Calling the default media handle otherwise
|
|
*/
|
|
if (handle == NULL) {
|
|
handle = media_handle;
|
|
}
|
|
}
|
|
if (handle != NULL) {
|
|
/*
|
|
* We have a subdissector - call it.
|
|
*/
|
|
dissected = call_dissector(handle, next_tvb, pinfo,
|
|
tree);
|
|
} else {
|
|
/*
|
|
* We don't have a subdissector - try the heuristic
|
|
* subdissectors.
|
|
*/
|
|
dissected = dissector_try_heuristic(
|
|
heur_subdissector_list, next_tvb, pinfo, tree);
|
|
}
|
|
if (dissected) {
|
|
/*
|
|
* The subdissector dissected the body.
|
|
* Fix up the top-level item so that it doesn't
|
|
* include the stuff for that protocol.
|
|
*/
|
|
if (ti != NULL)
|
|
proto_item_set_len(ti, offset);
|
|
} else {
|
|
call_dissector(data_handle, next_tvb, pinfo,
|
|
http_tree);
|
|
}
|
|
|
|
body_dissected:
|
|
/*
|
|
* Do *not* attempt at freeing the private data;
|
|
* it may be in use by subdissectors.
|
|
*/
|
|
if (save_private_data)
|
|
pinfo->private_data = save_private_data;
|
|
/*
|
|
* We've processed "datalen" bytes worth of data
|
|
* (which may be no data at all); advance the
|
|
* offset past whatever data we've processed.
|
|
*/
|
|
offset += datalen;
|
|
}
|
|
|
|
/*
|
|
* Clean up any header stuff, by calling and popping the cleanup
|
|
* handler.
|
|
*/
|
|
CLEANUP_CALL_AND_POP;
|
|
|
|
tap_queue_packet(http_tap, pinfo, stat_info);
|
|
|
|
return offset - orig_offset;
|
|
}
|
|
|
|
/* This can be used to dissect an HTTP request until such time
|
|
* that a more complete dissector is written for that HTTP request.
|
|
* This simple dissectory only puts http.request_method into a sub-tree.
|
|
*/
|
|
static void
|
|
basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int req_strlen)
|
|
{
|
|
proto_tree_add_item(tree, hf_http_request_method, tvb, 0, req_strlen, FALSE);
|
|
}
|
|
|
|
static void
|
|
basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int resp_strlen)
|
|
{
|
|
gchar *data;
|
|
int minor, major, status_code;
|
|
|
|
/* BEWARE - sscanf() only operates on C strings.
|
|
* The pointer returned by tvb_get_ptr points into the real data,
|
|
* which is not necessarily NULL terminated. For this reason,
|
|
* the sscanf() call is only applied to a buffer guaranteed to
|
|
* only contain a NULL terminated string. */
|
|
data = g_strndup((const gchar *)tvb_get_ptr(tvb, 5, resp_strlen), resp_strlen);
|
|
if (sscanf((const gchar *)data, "%d.%d %d", &minor, &major, &status_code) == 3) {
|
|
proto_tree_add_uint(tree, hf_http_response_code, tvb, 9, 3, status_code);
|
|
stat_info->response_code = status_code;
|
|
}
|
|
g_free(data);
|
|
}
|
|
|
|
/*
|
|
* Dissect the http data chunks and add them to the tree.
|
|
*/
|
|
static int
|
|
chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
|
|
proto_tree *tree, int offset)
|
|
{
|
|
guint8 *chunk_string = NULL;
|
|
gint chunk_size = 0;
|
|
gint chunk_offset = 0;
|
|
gint datalen = 0;
|
|
gint linelen = 0;
|
|
gint chunks_decoded = 0;
|
|
tvbuff_t *tvb = NULL;
|
|
tvbuff_t *new_tvb = NULL;
|
|
gint chunked_data_size = 0;
|
|
proto_tree *subtree = NULL;
|
|
proto_item *ti = NULL;
|
|
|
|
if (tvb_ptr == NULL || *tvb_ptr == NULL) {
|
|
return 0;
|
|
}
|
|
|
|
tvb = *tvb_ptr;
|
|
|
|
datalen = tvb_reported_length_remaining(tvb, offset);
|
|
|
|
if (tree) {
|
|
ti = proto_tree_add_text(tree, tvb, offset, datalen,
|
|
"HTTP chunked response");
|
|
subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
|
|
}
|
|
|
|
|
|
while (datalen != 0) {
|
|
proto_item *chunk_ti = NULL;
|
|
proto_tree *chunk_subtree = NULL;
|
|
tvbuff_t *data_tvb = NULL;
|
|
gchar *c = NULL;
|
|
|
|
linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
|
|
|
|
if (linelen <= 0) {
|
|
/* Can't get the chunk size line */
|
|
break;
|
|
}
|
|
|
|
chunk_string = tvb_get_string(tvb, offset, linelen);
|
|
|
|
if (chunk_string == NULL) {
|
|
/* Can't get the chunk size line */
|
|
break;
|
|
}
|
|
|
|
c = chunk_string;
|
|
|
|
/*
|
|
* We don't care about the extensions.
|
|
*/
|
|
if ((c = strchr(c, ';'))) {
|
|
*c = '\0';
|
|
}
|
|
|
|
if (sscanf(chunk_string, "%x", &chunk_size) != 1) {
|
|
g_free(chunk_string);
|
|
break;
|
|
}
|
|
|
|
g_free(chunk_string);
|
|
|
|
|
|
if (chunk_size > datalen) {
|
|
/*
|
|
* The chunk size is more than what's in the tvbuff,
|
|
* so either the user hasn't enabled decoding, or all
|
|
* of the segments weren't captured.
|
|
*/
|
|
chunk_size = datalen;
|
|
}/* else if (new_tvb == NULL) {
|
|
new_tvb = tvb_new_composite();
|
|
}
|
|
|
|
|
|
|
|
if (new_tvb != NULL && chunk_size != 0) {
|
|
tvbuff_t *chunk_tvb = NULL;
|
|
|
|
chunk_tvb = tvb_new_subset(tvb, chunk_offset,
|
|
chunk_size, datalen);
|
|
|
|
tvb_composite_append(new_tvb, chunk_tvb);
|
|
|
|
}
|
|
*/
|
|
|
|
chunked_data_size += chunk_size;
|
|
|
|
if (chunk_size != 0) {
|
|
guint8 *raw_data = g_malloc(chunked_data_size);
|
|
gint raw_len = 0;
|
|
|
|
if (new_tvb != NULL) {
|
|
raw_len = tvb_length_remaining(new_tvb, 0);
|
|
tvb_memcpy(new_tvb, raw_data, 0, raw_len);
|
|
|
|
tvb_free(new_tvb);
|
|
}
|
|
|
|
tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
|
|
chunk_offset, chunk_size);
|
|
|
|
new_tvb = tvb_new_real_data(raw_data,
|
|
chunked_data_size, chunked_data_size);
|
|
tvb_set_free_cb(new_tvb, g_free);
|
|
|
|
}
|
|
|
|
if (subtree) {
|
|
if (chunk_size == 0) {
|
|
chunk_ti = proto_tree_add_text(subtree, tvb,
|
|
offset,
|
|
chunk_offset - offset + chunk_size + 2,
|
|
"Data chunk (last chunk)");
|
|
} else {
|
|
chunk_ti = proto_tree_add_text(subtree, tvb,
|
|
offset,
|
|
chunk_offset - offset + chunk_size + 2,
|
|
"Data chunk (%u octets)", chunk_size);
|
|
}
|
|
|
|
chunk_subtree = proto_item_add_subtree(chunk_ti,
|
|
ett_http_chunk_data);
|
|
|
|
proto_tree_add_text(chunk_subtree, tvb, offset,
|
|
chunk_offset - offset, "Chunk size: %u octets",
|
|
chunk_size);
|
|
|
|
data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size,
|
|
datalen);
|
|
|
|
|
|
if (chunk_size > 0) {
|
|
call_dissector(data_handle, data_tvb, pinfo,
|
|
chunk_subtree);
|
|
}
|
|
|
|
proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
|
|
chunk_size, 2, "Chunk boundary");
|
|
}
|
|
|
|
chunks_decoded++;
|
|
offset = chunk_offset + chunk_size + 2;
|
|
datalen = tvb_reported_length_remaining(tvb, offset);
|
|
}
|
|
|
|
if (new_tvb != NULL) {
|
|
|
|
/* Placeholder for the day that composite tvbuffer's will work.
|
|
tvb_composite_finalize(new_tvb);
|
|
/ * tvb_set_reported_length(new_tvb, chunked_data_size); * /
|
|
*/
|
|
|
|
/*
|
|
* XXX - Don't free this, since the tvbuffer that was passed
|
|
* may be used if the data spans multiple frames and reassembly
|
|
* isn't enabled.
|
|
*
|
|
tvb_free(*tvb_ptr);
|
|
*/
|
|
*tvb_ptr = new_tvb;
|
|
|
|
} else {
|
|
/*
|
|
* We didn't create a new tvb, so don't allow sub dissectors
|
|
* try to decode the non-existant entity body.
|
|
*/
|
|
chunks_decoded = -1;
|
|
}
|
|
|
|
return chunks_decoded;
|
|
|
|
}
|
|
|
|
|
|
/*
|
|
* XXX - this won't handle HTTP 0.9 replies, but they're all data
|
|
* anyway.
|
|
*/
|
|
static int
|
|
is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
|
|
RequestDissector *req_dissector, int *req_strlen)
|
|
{
|
|
int isHttpRequestOrReply = FALSE;
|
|
int prefix_len = 0;
|
|
|
|
/*
|
|
* From RFC 2774 - An HTTP Extension Framework
|
|
*
|
|
* Support the command prefix that identifies the presence of
|
|
* a "mandatory" header.
|
|
*/
|
|
if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
|
|
data += 2;
|
|
linelen -= 2;
|
|
prefix_len = 2;
|
|
}
|
|
|
|
/*
|
|
* From draft-cohen-gena-client-01.txt, available from the uPnP forum:
|
|
* NOTIFY, SUBSCRIBE, UNSUBSCRIBE
|
|
*
|
|
* From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
|
|
* SEARCH
|
|
*/
|
|
if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
|
|
*type = HTTP_RESPONSE;
|
|
isHttpRequestOrReply = TRUE; /* response */
|
|
if (req_dissector) {
|
|
*req_dissector = basic_response_dissector;
|
|
*req_strlen = linelen - 5;
|
|
}
|
|
} else {
|
|
const guchar * ptr = (const guchar *)data;
|
|
int index = 0;
|
|
|
|
/* Look for the space following the Method */
|
|
while (index < linelen) {
|
|
if (*ptr == ' ')
|
|
break;
|
|
else {
|
|
ptr++;
|
|
index++;
|
|
}
|
|
}
|
|
|
|
/* Check the methods that have same length */
|
|
switch (index) {
|
|
|
|
case 3:
|
|
if (strncmp(data, "GET", index) == 0 ||
|
|
strncmp(data, "PUT", index) == 0) {
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
else if (strncmp(data, "ICY", index) == 0) {
|
|
*type = HTTP_RESPONSE;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 4:
|
|
if (strncmp(data, "COPY", index) == 0 ||
|
|
strncmp(data, "HEAD", index) == 0 ||
|
|
strncmp(data, "LOCK", index) == 0 ||
|
|
strncmp(data, "MOVE", index) == 0 ||
|
|
strncmp(data, "POLL", index) == 0 ||
|
|
strncmp(data, "POST", index) == 0) {
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 5:
|
|
if (strncmp(data, "BCOPY", index) == 0 ||
|
|
strncmp(data, "BMOVE", index) == 0 ||
|
|
strncmp(data, "MKCOL", index) == 0 ||
|
|
strncmp(data, "TRACE", index) == 0 ||
|
|
strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */
|
|
strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 6:
|
|
if (strncmp(data, "DELETE", index) == 0 ||
|
|
strncmp(data, "SEARCH", index) == 0 ||
|
|
strncmp(data, "UNLOCK", index) == 0 ||
|
|
strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */
|
|
strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
else if (strncmp(data, "NOTIFY", index) == 0) {
|
|
*type = HTTP_NOTIFICATION;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 7:
|
|
if (strncmp(data, "BDELETE", index) == 0 ||
|
|
strncmp(data, "CONNECT", index) == 0 ||
|
|
strncmp(data, "OPTIONS", index) == 0 ||
|
|
strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 8:
|
|
if (strncmp(data, "PROPFIND", index) == 0 ||
|
|
strncmp(data, "CHECKOUT", index) == 0) { /* RFC 3253 4.3, 9.3 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 9:
|
|
if (strncmp(data, "SUBSCRIBE", index) == 0) {
|
|
*type = HTTP_NOTIFICATION;
|
|
isHttpRequestOrReply = TRUE;
|
|
} else if (strncmp(data, "PROPPATCH", index) == 0 ||
|
|
strncmp(data, "BPROPFIND", index) == 0) {
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 10:
|
|
if (strncmp(data, "BPROPPATCH", index) == 0 ||
|
|
strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */
|
|
strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 11:
|
|
if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
} else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
|
|
*type = HTTP_NOTIFICATION;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 15:
|
|
if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
case 16:
|
|
if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */
|
|
*type = HTTP_REQUEST;
|
|
isHttpRequestOrReply = TRUE;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (isHttpRequestOrReply && req_dissector) {
|
|
*req_dissector = basic_request_dissector;
|
|
*req_strlen = index + prefix_len;
|
|
}
|
|
if (isHttpRequestOrReply && req_dissector) {
|
|
if (!stat_info->request_method)
|
|
stat_info->request_method = g_malloc( index+1 );
|
|
strncpy( stat_info->request_method, data, index);
|
|
stat_info->request_method[index] = '\0';
|
|
}
|
|
}
|
|
|
|
return isHttpRequestOrReply;
|
|
}
|
|
|
|
/*
|
|
* Process headers.
|
|
*/
|
|
typedef struct {
|
|
char *name;
|
|
gint *hf;
|
|
int special;
|
|
} header_info;
|
|
|
|
#define HDR_NO_SPECIAL 0
|
|
#define HDR_AUTHORIZATION 1
|
|
#define HDR_AUTHENTICATE 2
|
|
#define HDR_CONTENT_TYPE 3
|
|
#define HDR_CONTENT_LENGTH 4
|
|
#define HDR_CONTENT_ENCODING 5
|
|
#define HDR_TRANSFER_ENCODING 6
|
|
|
|
static const header_info headers[] = {
|
|
{ "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
|
|
{ "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
|
|
{ "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
|
|
{ "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
|
|
{ "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
|
|
{ "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH },
|
|
{ "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
|
|
{ "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
|
|
};
|
|
|
|
static void
|
|
process_header(tvbuff_t *tvb, int offset, int next_offset,
|
|
const guchar *line, int linelen, int colon_offset,
|
|
packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr)
|
|
{
|
|
int len;
|
|
int line_end_offset;
|
|
int header_len;
|
|
gint hf_index;
|
|
guchar c;
|
|
int value_offset;
|
|
int value_len;
|
|
char *value;
|
|
char *p;
|
|
guchar *up;
|
|
proto_item *hdr_item;
|
|
int i;
|
|
|
|
len = next_offset - offset;
|
|
line_end_offset = offset + linelen;
|
|
header_len = colon_offset - offset;
|
|
hf_index = find_header_hf_value(tvb, offset, header_len);
|
|
|
|
if (hf_index == -1) {
|
|
/*
|
|
* Not a header we know anything about. Just put it into
|
|
* the tree as text.
|
|
*/
|
|
if (tree) {
|
|
proto_tree_add_text(tree, tvb, offset, len,
|
|
"%s", format_text(line, len));
|
|
}
|
|
} else {
|
|
/*
|
|
* Skip whitespace after the colon.
|
|
*/
|
|
value_offset = colon_offset + 1;
|
|
while (value_offset < line_end_offset
|
|
&& ((c = line[value_offset - offset]) == ' ' || c == '\t'))
|
|
value_offset++;
|
|
|
|
/*
|
|
* Fetch the value.
|
|
*/
|
|
value_len = line_end_offset - value_offset;
|
|
value = g_malloc(value_len + 1);
|
|
memcpy(value, &line[value_offset - offset], value_len);
|
|
value[value_len] = '\0';
|
|
CLEANUP_PUSH(g_free, value);
|
|
|
|
/*
|
|
* Add it to the protocol tree as a particular field,
|
|
* but display the line as is.
|
|
*/
|
|
if (tree) {
|
|
hdr_item = proto_tree_add_string_format(tree,
|
|
*headers[hf_index].hf, tvb, offset, len,
|
|
value, "%s", format_text(line, len));
|
|
} else
|
|
hdr_item = NULL;
|
|
|
|
/*
|
|
* Do any special processing that particular headers
|
|
* require.
|
|
*/
|
|
switch (headers[hf_index].special) {
|
|
|
|
case HDR_AUTHORIZATION:
|
|
if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
|
|
break; /* dissected NTLMSSP */
|
|
check_auth_basic(hdr_item, tvb, value);
|
|
break;
|
|
|
|
case HDR_AUTHENTICATE:
|
|
check_auth_ntlmssp(hdr_item, tvb, pinfo, value);
|
|
break;
|
|
|
|
case HDR_CONTENT_TYPE:
|
|
if (eh_ptr->content_type != NULL)
|
|
g_free(eh_ptr->content_type);
|
|
eh_ptr->content_type = g_malloc(value_len + 1);
|
|
for (i = 0; i < value_len; i++) {
|
|
c = value[i];
|
|
if (c == ';' || isspace(c)) {
|
|
/*
|
|
* End of subtype - either
|
|
* white space or a ";"
|
|
* separating the subtype from
|
|
* a parameter.
|
|
*/
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Map the character to lower case;
|
|
* content types are case-insensitive.
|
|
*/
|
|
eh_ptr->content_type[i] = tolower(c);
|
|
}
|
|
eh_ptr->content_type[i] = '\0';
|
|
/*
|
|
* Now find the start of the optional parameters;
|
|
* skip the optional white space and the semicolon
|
|
* if this has not been done before.
|
|
*/
|
|
i++;
|
|
while (i < value_len) {
|
|
c = value[i];
|
|
if (c == ';' || isspace(c))
|
|
/* Skip till start of parameters */
|
|
i++;
|
|
else
|
|
break;
|
|
}
|
|
if (i < value_len)
|
|
eh_ptr->content_type_parameters = value + i;
|
|
else
|
|
eh_ptr->content_type_parameters = NULL;
|
|
break;
|
|
|
|
case HDR_CONTENT_LENGTH:
|
|
eh_ptr->content_length = strtol(value, &p, 10);
|
|
up = (guchar *)p;
|
|
if (eh_ptr->content_length < 0 || p == value ||
|
|
(*up != '\0' && !isspace(*up)))
|
|
eh_ptr->content_length = -1; /* not valid */
|
|
break;
|
|
|
|
case HDR_CONTENT_ENCODING:
|
|
if (eh_ptr->content_encoding != NULL)
|
|
g_free(eh_ptr->content_encoding);
|
|
eh_ptr->content_encoding = g_malloc(value_len + 1);
|
|
memcpy(eh_ptr->content_encoding, value, value_len);
|
|
eh_ptr->content_encoding[value_len] = '\0';
|
|
break;
|
|
|
|
case HDR_TRANSFER_ENCODING:
|
|
if (eh_ptr->transfer_encoding != NULL)
|
|
g_free(eh_ptr->transfer_encoding);
|
|
eh_ptr->transfer_encoding = g_malloc(value_len + 1);
|
|
memcpy(eh_ptr->transfer_encoding, value, value_len);
|
|
eh_ptr->transfer_encoding[value_len] = '\0';
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Free the value, by calling and popping the cleanup
|
|
* handler for it.
|
|
*/
|
|
CLEANUP_CALL_AND_POP;
|
|
}
|
|
}
|
|
|
|
/* Returns index of header tag in headers */
|
|
static gint
|
|
find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
|
|
{
|
|
guint i;
|
|
|
|
for (i = 0; i < array_length(headers); i++) {
|
|
if (header_len == strlen(headers[i].name) &&
|
|
tvb_strncaseeql(tvb, offset,
|
|
headers[i].name, header_len) == 0)
|
|
return i;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
* Dissect Microsoft's abomination called NTLMSSP over HTTP.
|
|
*/
|
|
static gboolean
|
|
check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
|
|
gchar *value)
|
|
{
|
|
static const char *ntlm_headers[] = {
|
|
"NTLM ",
|
|
"Negotiate ",
|
|
NULL
|
|
};
|
|
const char **header;
|
|
size_t hdrlen;
|
|
proto_tree *hdr_tree;
|
|
|
|
/*
|
|
* Check for NTLM credentials and challenge; those can
|
|
* occur with WWW-Authenticate.
|
|
*/
|
|
for (header = &ntlm_headers[0]; *header != NULL; header++) {
|
|
hdrlen = strlen(*header);
|
|
if (strncmp(value, *header, hdrlen) == 0) {
|
|
if (hdr_item != NULL) {
|
|
hdr_tree = proto_item_add_subtree(hdr_item,
|
|
ett_http_ntlmssp);
|
|
} else
|
|
hdr_tree = NULL;
|
|
value += hdrlen;
|
|
dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
|
|
return TRUE;
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Dissect HTTP Basic authorization.
|
|
*/
|
|
static gboolean
|
|
check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
|
|
{
|
|
static const char *basic_headers[] = {
|
|
"Basic ",
|
|
NULL
|
|
};
|
|
const char **header;
|
|
size_t hdrlen;
|
|
proto_tree *hdr_tree;
|
|
size_t len;
|
|
|
|
for (header = &basic_headers[0]; *header != NULL; header++) {
|
|
hdrlen = strlen(*header);
|
|
if (strncmp(value, *header, hdrlen) == 0) {
|
|
if (hdr_item != NULL) {
|
|
hdr_tree = proto_item_add_subtree(hdr_item,
|
|
ett_http_ntlmssp);
|
|
} else
|
|
hdr_tree = NULL;
|
|
value += hdrlen;
|
|
|
|
len = epan_base64_decode(value);
|
|
value[len] = '\0';
|
|
proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
|
|
0, 0, value);
|
|
|
|
return TRUE;
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
static void
|
|
dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
{
|
|
int offset = 0;
|
|
int len;
|
|
|
|
while (tvb_reported_length_remaining(tvb, offset) != 0) {
|
|
len = dissect_http_message(tvb, offset, pinfo, tree);
|
|
if (len == -1)
|
|
break;
|
|
offset += len;
|
|
|
|
/*
|
|
* OK, we've set the Protocol and Info columns for the
|
|
* first HTTP message; make the columns non-writable,
|
|
* so that we don't change it for subsequent HTTP messages.
|
|
*/
|
|
col_set_writable(pinfo->cinfo, FALSE);
|
|
}
|
|
}
|
|
|
|
static void
|
|
dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
{
|
|
dissect_http_message(tvb, 0, pinfo, tree);
|
|
}
|
|
|
|
void
|
|
proto_register_http(void)
|
|
{
|
|
static hf_register_info hf[] = {
|
|
{ &hf_http_notification,
|
|
{ "Notification", "http.notification",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"TRUE if HTTP notification", HFILL }},
|
|
{ &hf_http_response,
|
|
{ "Response", "http.response",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"TRUE if HTTP response", HFILL }},
|
|
{ &hf_http_request,
|
|
{ "Request", "http.request",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"TRUE if HTTP request", HFILL }},
|
|
{ &hf_http_basic,
|
|
{ "Credentials", "http.authbasic",
|
|
FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
|
|
{ &hf_http_request_method,
|
|
{ "Request Method", "http.request.method",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Request Method", HFILL }},
|
|
{ &hf_http_response_code,
|
|
{ "Response Code", "http.response.code",
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
"HTTP Response Code", HFILL }},
|
|
{ &hf_http_authorization,
|
|
{ "Authorization", "http.authorization",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Authorization header", HFILL }},
|
|
{ &hf_http_proxy_authenticate,
|
|
{ "Proxy-Authenticate", "http.proxy_authenticate",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Proxy-Authenticate header", HFILL }},
|
|
{ &hf_http_proxy_authorization,
|
|
{ "Proxy-Authorization", "http.proxy_authorization",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Proxy-Authorization header", HFILL }},
|
|
{ &hf_http_www_authenticate,
|
|
{ "WWW-Authenticate", "http.www_authenticate",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP WWW-Authenticate header", HFILL }},
|
|
{ &hf_http_content_type,
|
|
{ "Content-Type", "http.content_type",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Content-Type header", HFILL }},
|
|
{ &hf_http_content_length,
|
|
{ "Content-Length", "http.content_length",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Content-Length header", HFILL }},
|
|
{ &hf_http_content_encoding,
|
|
{ "Content-Encoding", "http.content_encoding",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Content-Encoding header", HFILL }},
|
|
{ &hf_http_transfer_encoding,
|
|
{ "Transfer-Encoding", "http.transfer_encoding",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
"HTTP Transfer-Encoding header", HFILL }},
|
|
};
|
|
static gint *ett[] = {
|
|
&ett_http,
|
|
&ett_http_ntlmssp,
|
|
&ett_http_request,
|
|
&ett_http_chunked_response,
|
|
&ett_http_chunk_data,
|
|
&ett_http_encoded_entity,
|
|
};
|
|
module_t *http_module;
|
|
|
|
proto_http = proto_register_protocol("Hypertext Transfer Protocol",
|
|
"HTTP", "http");
|
|
proto_register_field_array(proto_http, hf, array_length(hf));
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
http_module = prefs_register_protocol(proto_http, NULL);
|
|
prefs_register_bool_preference(http_module, "desegment_headers",
|
|
"Reassemble HTTP headers spanning multiple TCP segments",
|
|
"Whether the HTTP dissector should reassemble headers "
|
|
"of a request spanning multiple TCP segments. "
|
|
"To use this option, you must also enable "
|
|
"\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
|
|
&http_desegment_headers);
|
|
prefs_register_bool_preference(http_module, "desegment_body",
|
|
"Reassemble HTTP bodies spanning multiple TCP segments",
|
|
"Whether the HTTP dissector should use the "
|
|
"\"Content-length:\" value, if present, to reassemble "
|
|
"the body of a request spanning multiple TCP segments, "
|
|
"and reassemble chunked data spanning multiple TCP segments. "
|
|
"To use this option, you must also enable "
|
|
"\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
|
|
&http_desegment_body);
|
|
prefs_register_bool_preference(http_module, "dechunk_body",
|
|
"Reassemble chunked transfer-coded bodies",
|
|
"Whether to reassemble bodies of entities that are transfered "
|
|
"using the \"Transfer-Encoding: chunked\" method",
|
|
&http_dechunk_body);
|
|
#ifdef HAVE_LIBZ
|
|
prefs_register_bool_preference(http_module, "decompress_body",
|
|
"Uncompress entity bodies",
|
|
"Whether to uncompress entity bodies that are compressed "
|
|
"using \"Content-Encoding: \"",
|
|
&http_decompress_body);
|
|
#endif
|
|
|
|
http_handle = create_dissector_handle(dissect_http, proto_http);
|
|
|
|
/*
|
|
* Dissectors shouldn't register themselves in this table;
|
|
* instead, they should call "http_dissector_add()", and
|
|
* we'll register the port number they specify as a port
|
|
* for HTTP, and register them in our subdissector table.
|
|
*
|
|
* This only works for protocols such as IPP that run over
|
|
* HTTP on a specific non-HTTP port.
|
|
*/
|
|
port_subdissector_table = register_dissector_table("http.port",
|
|
"TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
|
|
|
|
/*
|
|
* Dissectors can register themselves in this table.
|
|
* It's just "media_type", not "http.content_type", because
|
|
* it's an Internet media type, usable by other protocols as well.
|
|
*/
|
|
media_type_subdissector_table =
|
|
register_dissector_table("media_type",
|
|
"Internet media type", FT_STRING, BASE_NONE);
|
|
|
|
/*
|
|
* Heuristic dissectors SHOULD register themselves in
|
|
* this table using the standard heur_dissector_add()
|
|
* function.
|
|
*/
|
|
register_heur_dissector_list("http", &heur_subdissector_list);
|
|
|
|
/*
|
|
* Register for tapping
|
|
*/
|
|
http_tap = register_tap("http");
|
|
}
|
|
|
|
/*
|
|
* Called by dissectors for protocols that run atop HTTP/TCP.
|
|
*/
|
|
void
|
|
http_dissector_add(guint32 port, dissector_handle_t handle)
|
|
{
|
|
/*
|
|
* Register ourselves as the handler for that port number
|
|
* over TCP.
|
|
*/
|
|
dissector_add("tcp.port", port, http_handle);
|
|
|
|
/*
|
|
* And register them in *our* table for that port.
|
|
*/
|
|
dissector_add("http.port", port, handle);
|
|
}
|
|
|
|
void
|
|
proto_reg_handoff_http(void)
|
|
{
|
|
dissector_handle_t http_udp_handle;
|
|
|
|
data_handle = find_dissector("data");
|
|
media_handle = find_dissector("media");
|
|
|
|
dissector_add("tcp.port", TCP_PORT_HTTP, http_handle);
|
|
dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle);
|
|
dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle);
|
|
dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle);
|
|
dissector_add("tcp.port", TCP_PORT_HKP, http_handle);
|
|
|
|
/*
|
|
* XXX - is there anything to dissect in the body of an SSDP
|
|
* request or reply? I.e., should there be an SSDP dissector?
|
|
*/
|
|
dissector_add("tcp.port", TCP_PORT_SSDP, http_handle);
|
|
http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
|
|
dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle);
|
|
|
|
ntlmssp_handle = find_dissector("ntlmssp");
|
|
}
|
|
|
|
/*
|
|
* Content-Type: message/http
|
|
*/
|
|
|
|
static gint proto_message_http = -1;
|
|
static gint ett_message_http = -1;
|
|
static dissector_handle_t message_http_handle;
|
|
|
|
static void
|
|
dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
{
|
|
proto_tree *subtree;
|
|
proto_item *ti;
|
|
gint offset = 0, next_offset;
|
|
gint len;
|
|
|
|
if (check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
|
|
if (tree) {
|
|
ti = proto_tree_add_item(tree, proto_message_http,
|
|
tvb, 0, -1, FALSE);
|
|
subtree = proto_item_add_subtree(ti, ett_message_http);
|
|
while (tvb_reported_length_remaining(tvb, offset) != 0) {
|
|
len = tvb_find_line_end(tvb, offset,
|
|
tvb_ensure_length_remaining(tvb, offset),
|
|
&next_offset, FALSE);
|
|
if (len == -1)
|
|
break;
|
|
proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
|
|
"%s", tvb_format_text(tvb, offset, len));
|
|
offset = next_offset;
|
|
}
|
|
}
|
|
}
|
|
|
|
void
|
|
proto_register_message_http(void)
|
|
{
|
|
static gint *ett[] = {
|
|
&ett_message_http,
|
|
};
|
|
|
|
proto_message_http = proto_register_protocol(
|
|
"Media Type: message/http",
|
|
"message/http",
|
|
"message-http"
|
|
);
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
message_http_handle = create_dissector_handle(dissect_message_http,
|
|
proto_message_http);
|
|
}
|
|
|
|
void
|
|
proto_reg_handoff_message_http(void)
|
|
{
|
|
message_http_handle = create_dissector_handle(dissect_message_http,
|
|
proto_message_http);
|
|
|
|
dissector_add_string("media_type", "message/http", message_http_handle);
|
|
}
|