osmith/wireshark
1
0
Fork 0
forked from osmocom/wireshark
Code Pull requests Releases Wiki Activity
wireshark/packet-msproxy.c
Guy Harris 43ccfd8054 Add an additional "protocol index" argument to "{old_}dissector_add()", 
"{old_}heur_dissector_add()", "{old_}conv_dissector_add()", and
"register_dissector()", so that an entry in those tables has associated
with it the protocol index of the protocol the dissector handles (or -1,
if there is no protocol index for it).

This is for future use in a number of places.

(Arguably, "proto_register_protocol()" should take a dissector pointer
as an argument, but

	1) it'd have to handle both regular and heuristic dissectors;

	2) making it take either a "dissector_t" or a union of that and
	   a "heur_dissector_t" introduces some painful header-file
	   interdependencies

so I'm punting on that for now.  As with other Ethereal internal APIs,
these APIs are subject to change in the future, at least until Ethereal
1.0 comes out....)

svn path=/trunk/; revision=2849
2001-01-09 06:32:10 +00:00

1360 lines
33 KiB
C
Raw Blame History

/* packet-msproxy.c
* Routines for Microsoft Proxy packet dissection
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
*
* $Id: packet-msproxy.c,v 1.16 2001/01/09 06:31:38 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
* Copyright 1998 Gerald Combs
*
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*
* This was derived from the dante socks implimentation source code.
* Most of the information came from common.h and msproxy_clientprotocol.c
*
* See http://www.inet.no/dante for more information
*
*/
/************************************************************************
* *
* Notes: These are possible command values. User input is welcome *
* *
* Command = 0x040a - Remote host closed connection (maybe ?? ) *
* Command = 0x0411 - Remote host closed connection *
* Command = 0x0413 - Local host closed connection or SYN worked *
* *
************************************************************************/
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif
#include <stdio.h>
#include <string.h>
#include <glib.h>
#ifdef NEED_SNPRINTF_H
# include "snprintf.h"
#endif
#include "packet.h"
#include "resolv.h"
#include "globals.h"
#include "alignment.h"
#include "conversation.h"
#include "packet-tcp.h"
#include "packet-udp.h"
#define CHECK_PACKET_LENGTH(X) if (!BYTES_ARE_IN_FRAME(offset, X)){ \
proto_tree_add_text(tree, NullTVB, offset, 0, "****FRAME TOO SHORT***"); return;}
extern void udp_hash_add(guint16 proto,
void (*dissect)(const u_char *, int, frame_data *, proto_tree *));
static int proto_msproxy = -1;
static int ett_msproxy = -1;
static int ett_msproxy_name = -1;
static int hf_msproxy_cmd = -1;
static int hf_msproxy_clntport = -1;
static int hf_msproxy_dstaddr = -1;
static int hf_msproxy_srcport = -1;
static int hf_msproxy_dstport = -1;
static int hf_msproxy_serverport = -1;
static int hf_msproxy_serveraddr = -1;
static int hf_msproxy_bindport = -1;
static int hf_msproxy_bindaddr = -1;
static int hf_msproxy_boundport = -1;
static int hf_msproxy_bind_id = -1;
static int hf_msproxy_resolvaddr = -1;
static int hf_msproxy_server_int_addr = -1;
static int hf_msproxy_server_int_port = -1;
static int hf_msproxy_server_ext_addr = -1;
static int hf_msproxy_server_ext_port = -1;
#define UDP_PORT_MSPROXY 1745
#define N_MSPROXY_HELLO 0x05 /* packet 1 from client */
#define N_MSPROXY_ACK 0x10 /* packet 1 from server */
#define N_MSPROXY_USERINFO_ACK 0x04 /* packet 2 from server */
#define N_MSPROXY_AUTH 0x47 /* packet 3 from client */
#define N_MSPROXY_RESOLVE 0x07 /* Resolve request */
/*$$$ 0x0500 was dante value, I see 0x05ff and 0x0500 */
#define MSPROXY_HELLO 0x0500
#define MSPROXY_HELLO_2 0x05ff
#define MSPROXY_HELLO_ACK 0x1000
#define MSPROXY_USERINFO 0x1000
#define MSPROXY_USERINFO_ACK 0x0400
#define MSPROXY_AUTH 0x4700
#define MSPROXY_AUTH_1_ACK 0x4714
#define MSPROXY_AUTH_2 0x4701
#define MSPROXY_AUTH_2_ACK 0x4715
#define MSPROXY_AUTH_2_ACK2 0x4716
#define MSPROXY_RESOLVE 0x070d
#define MSPROXY_RESOLVE_ACK 0x070f
#define MSPROXY_BIND 0x0704
#define MSPROXY_BIND_ACK 0x0706
#define MSPROXY_TCP_BIND 0x0707
#define MSPROXY_TCP_BIND_ACK 0x0708
#define MSPROXY_LISTEN 0x0406
#define MSPROXY_BINDINFO 0x0709
#define MSPROXY_BINDINFO_ACK 0x070a
#define MSPROXY_CONNECT 0x071e
#define MSPROXY_CONNECT_ACK 0x0703
#define MSPROXY_UDPASSOCIATE 0x0705
#define MSPROXY_UDPASSOCIATE_ACK 0x0706
#define MSPROXY_UDP_BIND_REQ 0x070b
#define MSPROXY_CONNECTED 0x042c
#define MSPROXY_SESSIONEND 0x251e
#define MSPROXY_BIND_AUTHFAILED 0x0804
#define MSPROXY_CONNECT_AUTHFAILED 0x081e
#define MSPROXY_CONNREFUSED 0x4 /* low 12 bits seem to vary. */
#define FROM_SERVER 1 /* direction of packet data for get_msproxy_cmd_name */
#define FROM_CLIENT 0
/*$$$ should this be the same as redirect_entry_t ?? */
/* then the add_conversation could just copy the structure */
/* using the same allocation (instance for you object guys) */
/* wouldn't work because there may be multiple child conversations */
/* from the same MSProxy conversation */
typedef struct {
guint32 dst_addr;
guint32 clnt_port;
guint32 dst_port;
guint32 server_int_port;
int proto;
}hash_entry_t;
/************** conversation hash stuff ***************/
#define hash_init_count 20
#define hash_val_length (sizeof(hash_entry_t))
static GMemChunk *vals = NULL;
typedef struct {
guint32 remote_addr;
guint32 clnt_port;
guint32 server_int_port;
guint32 remote_port;
int proto;
}redirect_entry_t;
/************** negotiated conversation hash stuff ***************/
#define redirect_init_count 20
#define redirect_val_length (sizeof(redirect_entry_t))
static GMemChunk *redirect_vals = NULL;
static guint32 last_row= 0; /* used to see if packet is new */
static void msproxy_sub_dissector( const u_char *pd, int offset, frame_data *fd,
proto_tree *tree) {
/* Conversation dissector called from TCP or UDP dissector. Decode and */
/* display the socks header, the pass the rest of the data to the tcp */
/* or udp port decode routine to handle the payload. */
guint32 *ptr;
redirect_entry_t *redirect_info;
conversation_t *conversation;
proto_tree *msp_tree;
proto_item *ti;
tvbuff_t *tvb;
conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
pi.srcport, pi.destport, 0);
g_assert( conversation); /* should always find a conversation */
redirect_info = (redirect_entry_t*)conversation->data;
if (check_col(fd, COL_PROTOCOL))
col_set_str(fd, COL_PROTOCOL, "MS Proxy");
if (check_col(fd, COL_INFO))
col_add_fstr(fd, COL_INFO, "%s",
(( redirect_info->proto == PT_TCP) ? "TCP stream" :
"UDP packets"));
if ( tree) {
ti = proto_tree_add_item( tree, proto_msproxy, NullTVB, offset, 0,
FALSE );
msp_tree = proto_item_add_subtree(ti, ett_msproxy);
proto_tree_add_uint( msp_tree, hf_msproxy_dstport, NullTVB,
offset, 0, redirect_info->remote_port);
proto_tree_add_ipv4( msp_tree, hf_msproxy_dstaddr, NullTVB, offset, 0,
redirect_info->remote_addr);
}
/* set pi src/dst port and call the udp sub-dissector lookup */
if ( pi.srcport == redirect_info->clnt_port)
ptr = &pi.destport;
else
ptr = &pi.srcport;
*ptr = redirect_info->remote_port;
tvb = tvb_create_from_top(0);
if ( redirect_info->proto == PT_TCP)
decode_tcp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
else
decode_udp_ports( tvb, offset, &pi, tree, pi.srcport, pi.destport);
*ptr = redirect_info->server_int_port;
}
static void add_msproxy_conversation( hash_entry_t *hash_info){
/* check to see if a conversation already exists, if it does assume */
/* it's our conversation and quit. Otherwise create a new conversation. */
/* Load the conversation dissector to our dissector and load the */
/* conversation data structure with the info needed to call the TCP or */
/* UDP port decoder. */
/* NOTE: Currently this assume that the conversation will be created */
/* during a packet from the server. If that changes, the pi.src */
/* and pi.dst will not be correct and this routine will have to */
/* change. */
redirect_entry_t *new_conv_info;
conversation_t *conversation = find_conversation( &pi.src, &pi.dst,
hash_info->proto, hash_info->server_int_port,
hash_info->clnt_port, 0);
if ( conversation)
return;
new_conv_info = g_mem_chunk_alloc(redirect_vals);
conversation = conversation_new( &pi.src, &pi.dst, hash_info->proto,
hash_info->server_int_port, hash_info->clnt_port,
new_conv_info, 0);
g_assert( new_conv_info);
g_assert( conversation);
new_conv_info->remote_addr = hash_info->dst_addr;
new_conv_info->clnt_port = hash_info->clnt_port;
new_conv_info->remote_port = hash_info->dst_port;
new_conv_info->server_int_port = hash_info->server_int_port;
new_conv_info->proto = hash_info->proto;
old_conversation_set_dissector(conversation, msproxy_sub_dissector);
}
static int display_application_name(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
/* display the application name in the proto tree. */
/* NOTE: this routine assumes that the tree pointer is valid (not NULL) */
char temp[255];
if (!IS_DATA_IN_FRAME(offset)){
proto_tree_add_text(tree, NullTVB, offset, 0, "****FRAME TOO SHORT***");
return 0;
}
strncpy( temp, &pd[ offset], MIN( 255, END_OF_FRAME));
temp[ MIN( 255, END_OF_FRAME)] = 0;
proto_tree_add_text( tree, NullTVB, offset, strlen(temp), "Application: %s", temp);
return strlen(temp);
}
static char *get_msproxy_cmd_name( int cmd, int direction) {
/* return the command name string for cmd */
switch (cmd){
case MSPROXY_HELLO_2:
case MSPROXY_HELLO: return "Hello";
/* MSPROXY_HELLO_ACK & MSPROXY_USERINFO have the same value (0x1000). */
/* So use the direction flag to determine which to use. */
case MSPROXY_USERINFO:
if ( direction == FROM_SERVER)
return "Hello Acknowledge";
else
return "User Info";
case MSPROXY_USERINFO_ACK: return "User Info Acknowledge";
case MSPROXY_AUTH: return "Authentication";
case MSPROXY_AUTH_1_ACK: return "Authentication Acknowledge";
case MSPROXY_AUTH_2: return "Authentication 2";
case MSPROXY_AUTH_2_ACK: return "Authentication 2 Acknowledge";
case MSPROXY_RESOLVE: return "Resolve";
case MSPROXY_RESOLVE_ACK: return "Resolve Acknowledge";
case MSPROXY_BIND: return "Bind";
case MSPROXY_TCP_BIND: return "TCP Bind";
case MSPROXY_TCP_BIND_ACK: return "TCP Bind Acknowledge";
case MSPROXY_LISTEN: return "Listen";
case MSPROXY_BINDINFO: return "Bind Info";
case MSPROXY_BINDINFO_ACK: return "Bind Info Acknowledge";
case MSPROXY_CONNECT: return "Connect";
case MSPROXY_CONNECT_ACK: return "Connect Acknowledge";
case MSPROXY_UDPASSOCIATE: return "UDP Associate";
case MSPROXY_UDP_BIND_REQ: return "UDP Bind";
case MSPROXY_UDPASSOCIATE_ACK: return "Bind or Associate Acknowledge";
case MSPROXY_CONNECTED: return "Connected";
case MSPROXY_SESSIONEND: return "Session End";
default: return "Unknown";
}
}
static void dissect_user_info_2(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
/* decode the user, application, computer name */
char str[ 255];
if ( tree) {
strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
str[ MIN( 255, END_OF_FRAME)] = 0;
proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
"User name: %s", str);
offset += strlen( str) + 2;
strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
str[ MIN( 255, END_OF_FRAME)] = 0;
proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
"Application name: %s", str);
offset += strlen( str) + 1;
strncpy( str, &pd[ offset], MIN( 255, END_OF_FRAME));
str[ MIN( 255, END_OF_FRAME)] = 0;
proto_tree_add_text( tree, NullTVB, offset, strlen( str) + 1,
"Client computer name: %s", str);
}
}
static void dissect_msproxy_request_1(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
/* decode the request _1 structure */
offset += 180;
dissect_user_info_2( pd, 262, fd, tree);
}
static void dissect_bind(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the bind request */
offset += 18;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_ipv4( tree, hf_msproxy_bindaddr, NullTVB, offset, 4,
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_bindport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 6;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 2;
conv_info->clnt_port = pntohs( &pd[ offset]);
offset += 6;
if ( tree){
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_boundport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 82;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_auth(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
/* decode the authorization request */
char temp[255];
if ( tree) {
offset += 134;
strncpy( temp, &pd[ offset], 7);
temp[ 7] = 0;
proto_tree_add_text( tree, NullTVB, offset, 7, "NTLMSSP signature: %s",
temp);
offset += 7;
}
}
static void dissect_tcp_bind(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
/* decode the bind packet. Set the protocol type in the conversation */
/* information so the bind_info can use it to create the payload */
/* dissector. */
conv_info->proto = PT_TCP;
if ( tree) {
offset += 6;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 16;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_boundport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 96;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_request_connect(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the connect request, display */
conv_info->proto = PT_TCP;
offset += 20;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
conv_info->dst_port = pntohs( &pd[ offset]);
offset += 2;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
GWORD( pd, offset));
memcpy( &conv_info->dst_addr, &pd[ offset], sizeof( guint32));
offset += 12;
CHECK_PACKET_LENGTH( 2);
conv_info->clnt_port = pntohs( &pd[ offset]);
if ( tree){
proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 84;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_bind_info_ack(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the client bind info ack */
if ( tree){
offset += 6;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 14;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
GWORD( pd, offset));
offset += 12;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
offset += 4;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
4, GWORD( pd, offset));
offset += 78;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_request_resolve(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
/* dissect the request resolve structure */
/* display a string with a length, characters encoding */
/* they are displayed under a tree with the name in Label variable */
/* return the length of the string and the length byte */
proto_tree *name_tree;
proto_item *ti;
char temp[ 256];
int length = GBYTE( pd, offset);
if ( tree){
strncpy( temp, &pd[ offset + 18], length);
temp[ length ] = 0;
ti = proto_tree_add_text(tree, NullTVB, offset, length + 1,
"Host Name: %s", temp);
name_tree = proto_item_add_subtree(ti, ett_msproxy_name);
proto_tree_add_text( name_tree, NullTVB, offset, 1, "Length: %d", length);
++offset;
offset += 17;
proto_tree_add_text( name_tree, NullTVB, offset, length, "String: %s",
temp);
}
}
static void dissect_udp_bind(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
/* Dissect the udp bind request. Load the protocol id (PT_UDP) and the */
/* remote address so bind_info can use it to create conversation */
/* dissector. */
conv_info->proto = PT_UDP;
offset += 8;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 12;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
GWORD( pd, offset));
offset += 96;
if ( tree)
display_application_name( pd, offset, fd, tree);
}
static void dissect_udp_assoc(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
/* dissect the udp associate request. And load client port into */
/* conversation data structure for later. */
offset += 28;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_clntport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
conv_info->clnt_port = pntohs( &pd[ offset]);
offset += 90;
if ( tree)
display_application_name( pd, offset, fd, tree);
}
static void dissect_msproxy_request(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
int cmd;
char temp[ 255];
if ( tree) {
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Client id: 0x%0x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Version: 0x%04x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Server id: 0x%0x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_text( tree, NullTVB, offset, 1, "Server ack: %u",
GBYTE( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 1);
proto_tree_add_text( tree, NullTVB, offset, 1, "Sequence Number: %u",
GBYTE( pd, offset));
offset += 8;
CHECK_PACKET_LENGTH( 4);
strncpy( temp, &pd[ offset], 4);
temp[ 4] = 0;
proto_tree_add_text( tree, NullTVB, offset, 4, "RWSP signature: %s", temp);
offset += 12;
}
else /* no tree */
offset += 36;
CHECK_PACKET_LENGTH( 1);
cmd = pntohs( &pd[offset]);
if ( tree)
proto_tree_add_uint_format( tree, hf_msproxy_cmd, NullTVB, offset, 2,
cmd, "Command: 0x%02x (%s)", cmd,
get_msproxy_cmd_name( cmd, FROM_CLIENT));
offset += 2;
switch (cmd){
case MSPROXY_AUTH:
dissect_auth( pd, offset, fd, tree);
break;
case MSPROXY_BIND:
dissect_bind( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_UDP_BIND_REQ:
dissect_udp_bind( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_AUTH_2: /*$$ this is probably wrong place for this */
case MSPROXY_TCP_BIND:
dissect_tcp_bind( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_RESOLVE:
dissect_request_resolve( pd, offset, fd, tree);
break;
case MSPROXY_CONNECT:
case MSPROXY_LISTEN:
dissect_request_connect( pd, offset, fd, tree,
conv_info);
break;
case MSPROXY_BINDINFO_ACK:
dissect_bind_info_ack( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_HELLO:
case MSPROXY_HELLO_2:
dissect_msproxy_request_1( pd, offset, fd, tree);
break;
case MSPROXY_UDPASSOCIATE:
dissect_udp_assoc( pd, offset, fd, tree, conv_info);
break;
default:
if ( tree)
proto_tree_add_text( tree, NullTVB, offset, 0,
"Unhandled request command (report this, please)");
}
}
static void dissect_hello_ack(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the hello acknowledge packet */
offset += 60;
if ( tree) {
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_serverport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_serveraddr, NullTVB, offset, 4,
GWORD( pd, offset));
offset += 4;
}
}
static void dissect_user_info_ack(const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
/* decode the response _2 structure */
offset += 18;
offset += 2;
}
static void dissect_udpassociate_ack( const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
offset += 6;
if ( tree) {
CHECK_PACKET_LENGTH( 4);
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 14;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset, 4, GWORD( pd, offset));
offset += 96;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_auth_1_ack(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
char temp[ 255];
offset += 134;
if ( tree) {
CHECK_PACKET_LENGTH( 7);
strncpy( temp, &pd[ offset], 7);
temp[ 7] = 0;
proto_tree_add_text( tree, NullTVB, offset, 7, "NTLMSSP signature: %s", temp);
offset += 48;
strncpy( temp, &pd[ offset], MIN( 255, END_OF_FRAME));
temp[ MIN( 255, END_OF_FRAME)] = 0;
proto_tree_add_text( tree, NullTVB, offset, 255, "NT domain: %s", temp);
offset += 7;
}
}
static void dissect_msproxy_response_4( const u_char *pd, int offset,
frame_data *fd, proto_tree *tree) {
/* decode the response _4 structure */
offset += 134;
}
static void dissect_connect_ack( const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the connect ack packet */
offset += 20;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
conv_info->proto = PT_TCP;
conv_info->server_int_port = pntohs( &pd[ offset]);
offset += 2;
if ( tree){
CHECK_PACKET_LENGTH( 2);
proto_tree_add_ipv4( tree, hf_msproxy_server_int_addr, NullTVB, offset, 2, GWORD( pd, offset));
offset += 14;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset, 2, pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset, 4, GWORD( pd, offset));
offset += 80;
display_application_name( pd, offset, fd, tree);
}
add_msproxy_conversation( conv_info);
}
static void dissect_tcp_bind_ack( const u_char *pd, int offset, frame_data *fd,
proto_tree *tree) {
/* decode the tcp bind */
if ( tree) {
offset += 6;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 16;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
offset += 6;
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
4, GWORD( pd, offset));
offset += 88;
display_application_name( pd, offset, fd, tree);
}
}
static void dissect_bind_info( const u_char *pd, int offset, frame_data *fd,
proto_tree *tree, hash_entry_t *conv_info) {
/* decode the Bind info response from server */
offset += 6;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_bind_id, NullTVB, offset, 4, pntohl( &pd[ offset]));
offset += 14;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_dstport, NullTVB, offset, 2,
pntohs( &pd[ offset]));
conv_info->dst_port = pntohs( &pd[ offset]);
offset += 2;
CHECK_PACKET_LENGTH( 4);
if ( tree)
proto_tree_add_ipv4( tree, hf_msproxy_dstaddr, NullTVB, offset, 4,
GWORD( pd, offset));
memcpy( &conv_info->dst_addr, &pd[ offset], sizeof( guint32));
offset += 12;
CHECK_PACKET_LENGTH( 2);
if ( tree)
proto_tree_add_uint( tree, hf_msproxy_server_int_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
conv_info->server_int_port = pntohs( &pd[ offset]);
offset += 4;
if ( tree) {
CHECK_PACKET_LENGTH( 2);
proto_tree_add_uint( tree, hf_msproxy_server_ext_port, NullTVB, offset,
2, pntohs( &pd[ offset]));
offset += 2;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_server_ext_addr, NullTVB, offset,
4, GWORD( pd, offset));
offset += 78;
display_application_name( pd, offset, fd, tree);
}
add_msproxy_conversation( conv_info);
}
static void dissect_resolve(const u_char *pd, int offset, frame_data *fd,
proto_tree *tree) {
/* dissect the response resolve structure */
/* display a string with a length, characters encoding */
/* they are displayed under a tree with the name in Label variable */
/* return the length of the string and the length byte */
if ( tree) {
int addr_offset = GBYTE( pd, offset);
proto_tree_add_text( tree, NullTVB, offset, 1, "Address offset: %d",
addr_offset);
++offset;
offset += 13;
offset += addr_offset;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_ipv4( tree, hf_msproxy_resolvaddr, NullTVB, offset, 4,
GWORD( pd, offset));
}
}
static void dissect_msproxy_response(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, hash_entry_t *conv_info) {
char temp[ 255];
int cmd;
if ( tree) {
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Client id: 0x%0x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Version: 0x%04x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 4);
proto_tree_add_text( tree, NullTVB, offset, 4, "Server id: 0x%04x",
GWORD( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 1);
proto_tree_add_text( tree, NullTVB, offset, 1, "Client ack: 0x%02x",
GBYTE( pd, offset));
offset += 4;
CHECK_PACKET_LENGTH( 1);
proto_tree_add_text( tree, NullTVB, offset, 1, "Sequence Number: 0x%02x",
GBYTE( pd, offset));
offset += 8;
CHECK_PACKET_LENGTH( 4);
strncpy( temp, &pd[ offset], 4);
temp[ 4] = 0;
proto_tree_add_text( tree, NullTVB, offset, 4, "RWSP signature: %s", temp);
offset += 12;
}
else
offset += 36;
CHECK_PACKET_LENGTH( 2);
cmd = pntohs( &pd[offset]);
if ( tree)
proto_tree_add_uint_format( tree, hf_msproxy_cmd, NullTVB, offset, 2,
cmd, "Command: 0x%02x (%s)", cmd,
get_msproxy_cmd_name( cmd, FROM_SERVER));
offset += 2;
switch (cmd) {
case MSPROXY_HELLO_ACK:
dissect_hello_ack( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_USERINFO_ACK:
dissect_user_info_ack( pd, offset, fd, tree);
break;
case MSPROXY_AUTH_1_ACK:
dissect_auth_1_ack( pd, offset, fd, tree);
break;
/* this also handle the MSPROXY_BIND_ACK ??? check this */
case MSPROXY_UDPASSOCIATE_ACK:
dissect_udpassociate_ack( pd, offset, fd, tree);
break;
case MSPROXY_AUTH_2_ACK:
case MSPROXY_AUTH_2_ACK2:
dissect_msproxy_response_4( pd, offset, fd, tree);
break;
case MSPROXY_TCP_BIND_ACK:
dissect_tcp_bind_ack( pd, offset, fd, tree);
break;
case MSPROXY_CONNECT_ACK:
dissect_connect_ack( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_BINDINFO:
dissect_bind_info( pd, offset, fd, tree, conv_info);
break;
case MSPROXY_RESOLVE_ACK:
dissect_resolve( pd, offset, fd, tree);
break;
case MSPROXY_CONNECT_AUTHFAILED:
case MSPROXY_BIND_AUTHFAILED:
proto_tree_add_text( tree, NullTVB, offset, 0, "No know information (help wanted)");
break;
default:
if (tree &&
(((cmd >> 8) == MSPROXY_CONNREFUSED) ||
((cmd >> 12) == MSPROXY_CONNREFUSED)))
proto_tree_add_text( tree, NullTVB, offset, 0,
"No know information (help wanted)");
else if ( tree)
proto_tree_add_text( tree, NullTVB, offset, 0,
"Unhandled response command (report this, please)");
}
}
static void dissect_msproxy(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
proto_tree *msproxy_tree = NULL;
proto_item *ti;
unsigned int cmd;
hash_entry_t *hash_info;
conversation_t *conversation;
OLD_CHECK_DISPLAY_AS_DATA(proto_msproxy, pd, offset, fd, tree);
conversation = find_conversation( &pi.src, &pi.dst, pi.ptype,
pi.srcport, pi.destport, 0);
if ( conversation) /* conversation found */
hash_info = conversation->data;
/* new conversation create local data structure */
else {
hash_info = g_mem_chunk_alloc(vals);
conversation_new( &pi.src, &pi.dst, pi.ptype,
pi.srcport, pi.destport, hash_info, 0);
}
if (check_col(fd, COL_PROTOCOL))
col_set_str(fd, COL_PROTOCOL, "MSproxy");
/* display packet info */
if (check_col(fd, COL_INFO)){
cmd = pntohs( &pd[offset + 36]);
if ( pi.srcport == UDP_PORT_MSPROXY)
col_add_fstr( fd, COL_INFO, "Server message: %s",
get_msproxy_cmd_name( cmd, FROM_SERVER));
else
col_add_fstr(fd, COL_INFO, "Client message: %s",
get_msproxy_cmd_name( cmd, FROM_CLIENT));
}
if (tree) { /* if proto tree, decode data */
ti = proto_tree_add_item( tree, proto_msproxy, NullTVB, offset,
END_OF_FRAME, FALSE );
msproxy_tree = proto_item_add_subtree(ti, ett_msproxy);
}
if ( pi.srcport == UDP_PORT_MSPROXY)
dissect_msproxy_response( pd, offset, fd, msproxy_tree, hash_info);
else
dissect_msproxy_request( pd, offset, fd, msproxy_tree, hash_info);
}
static void msproxy_reinit( void){
/* Do the cleanup work when a new pass through the packet list is */
/* performed. Reset the highest row seen counter and re-initialize the */
/* conversation memory chunks. */
last_row = 0;
if (vals)
g_mem_chunk_destroy(vals);
vals = g_mem_chunk_new("msproxy_vals", hash_val_length,
hash_init_count * hash_val_length,
G_ALLOC_AND_FREE);
if (redirect_vals)
g_mem_chunk_destroy(redirect_vals);
redirect_vals = g_mem_chunk_new("msproxy_redirect_vals", redirect_val_length,
redirect_init_count * redirect_val_length,
G_ALLOC_AND_FREE);
}
void
proto_register_msproxy( void){
/* Prep the msproxy protocol, for now, just register it */
static gint *ett[] = {
&ett_msproxy,
&ett_msproxy_name
};
static hf_register_info hf[] = {
{ &hf_msproxy_cmd,
{ "Command", "msproxy.command", FT_UINT16, BASE_DEC,
NULL, 0x0, ""
}
},
{ &hf_msproxy_dstaddr,
{ "Destination Address", "msproxy.dstaddr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
},
{ &hf_msproxy_srcport,
{ "Source Port", "msproxy.srcport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_dstport,
{ "Destination Port", "msproxy.dstport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_clntport,
{ "Client Port", "msproxy.clntport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_server_ext_addr,
{ "Server External Address", "msproxy.server_ext_addr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
},
{ &hf_msproxy_server_ext_port,
{ "Server External Port", "msproxy.server_ext_port", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_server_int_addr,
{ "Server Internal Address", "msproxy.server_int_addr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
},
{ &hf_msproxy_server_int_port,
{ "Server Internal Port", "msproxy.server_int_port", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_serverport,
{ "Server Port", "msproxy.serverport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_bindport,
{ "Bind Port", "msproxy.bindport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_boundport,
{ "Bound Port", "msproxy.boundport", FT_UINT16,
BASE_DEC, NULL, 0x0, ""
}
},
{ &hf_msproxy_serveraddr,
{ "Server Address", "msproxy.serveraddr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
},
{ &hf_msproxy_bindaddr,
{ "Destination", "msproxy.bindaddr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
},
{ &hf_msproxy_bind_id,
{ "Bound Port Id", "msproxy.bindid", FT_UINT32,
BASE_HEX, NULL, 0x0, ""
}
},
{ &hf_msproxy_resolvaddr,
{ "Address", "msproxy.resolvaddr", FT_IPv4, BASE_NONE, NULL,
0x0, ""
}
}
};
proto_msproxy = proto_register_protocol( "MS Proxy Protocol",
"MS Proxy", "msproxy");
proto_register_field_array(proto_msproxy, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
register_init_routine( &msproxy_reinit); /* register re-init routine */
}
void
proto_reg_handoff_msproxy(void) {
/* dissector install routine */
old_dissector_add("udp.port", UDP_PORT_MSPROXY, dissect_msproxy,
proto_msproxy);
}
View git blame Copy permalink