1998-09-17 03:12:28 +00:00
|
|
|
/* follow.c
|
|
|
|
*
|
2004-07-18 00:24:25 +00:00
|
|
|
* $Id$
|
1998-09-17 03:12:28 +00:00
|
|
|
*
|
|
|
|
* Copyright 1998 Mike Hall <mlh@io.com>
|
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
1998-09-17 03:12:28 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-17 03:12:28 +00:00
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-17 03:12:28 +00:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-17 03:12:28 +00:00
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
1998-10-10 03:32:20 +00:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
1998-12-17 05:42:33 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
#include <stdio.h>
|
1998-09-17 03:12:28 +00:00
|
|
|
#include <string.h>
|
1999-07-13 02:53:26 +00:00
|
|
|
#ifdef HAVE_UNISTD_H
|
1998-09-17 03:12:28 +00:00
|
|
|
#include <unistd.h>
|
1999-07-13 02:53:26 +00:00
|
|
|
#endif
|
1998-09-17 03:12:28 +00:00
|
|
|
|
1999-07-07 22:52:57 +00:00
|
|
|
#include <glib.h>
|
2002-01-21 07:37:49 +00:00
|
|
|
#include <epan/packet.h>
|
2007-11-03 04:45:35 +00:00
|
|
|
#include <epan/ipproto.h>
|
1998-09-17 03:12:28 +00:00
|
|
|
#include "follow.h"
|
2008-09-30 13:29:15 +00:00
|
|
|
#include <epan/conversation.h>
|
1998-09-17 03:12:28 +00:00
|
|
|
|
2004-01-23 01:42:45 +00:00
|
|
|
#define MAX_IPADDR_LEN 16
|
|
|
|
|
|
|
|
typedef struct _tcp_frag {
|
|
|
|
gulong seq;
|
|
|
|
gulong len;
|
|
|
|
gulong data_len;
|
|
|
|
gchar *data;
|
|
|
|
struct _tcp_frag *next;
|
|
|
|
} tcp_frag;
|
|
|
|
|
2002-02-28 19:35:09 +00:00
|
|
|
FILE* data_out_file = NULL;
|
1998-09-17 03:12:28 +00:00
|
|
|
|
2007-05-22 00:00:09 +00:00
|
|
|
gboolean empty_tcp_stream;
|
|
|
|
gboolean incomplete_tcp_stream;
|
1999-03-23 20:25:50 +00:00
|
|
|
|
2000-08-11 22:18:22 +00:00
|
|
|
static guint8 ip_address[2][MAX_IPADDR_LEN];
|
2007-11-03 04:45:35 +00:00
|
|
|
static guint port[2];
|
2002-08-02 23:36:07 +00:00
|
|
|
static guint bytes_written[2];
|
2000-08-11 22:18:22 +00:00
|
|
|
static gboolean is_ipv6 = FALSE;
|
1999-07-31 13:55:16 +00:00
|
|
|
|
2007-12-15 23:25:05 +00:00
|
|
|
static int check_fragments( int, tcp_stream_chunk *, gulong );
|
2000-08-09 05:18:45 +00:00
|
|
|
static void write_packet_data( int, tcp_stream_chunk *, const char * );
|
|
|
|
|
|
|
|
void
|
2007-11-03 04:45:35 +00:00
|
|
|
follow_stats(follow_stats_t* stats)
|
2000-08-09 05:18:45 +00:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < 2 ; i++) {
|
2000-08-11 22:18:22 +00:00
|
|
|
memcpy(stats->ip_address[i], ip_address[i], MAX_IPADDR_LEN);
|
2007-11-03 04:45:35 +00:00
|
|
|
stats->port[i] = port[i];
|
2000-08-09 05:18:45 +00:00
|
|
|
stats->bytes_written[i] = bytes_written[i];
|
2000-08-11 22:18:22 +00:00
|
|
|
stats->is_ipv6 = is_ipv6;
|
2000-08-09 05:18:45 +00:00
|
|
|
}
|
|
|
|
}
|
1999-07-07 01:41:15 +00:00
|
|
|
|
2002-08-28 21:04:11 +00:00
|
|
|
/* this will build libpcap filter text that will only
|
|
|
|
pass the packets related to the stream. There is a
|
|
|
|
chance that two streams could intersect, but not a
|
1998-09-17 03:12:28 +00:00
|
|
|
very good one */
|
2002-08-28 21:04:11 +00:00
|
|
|
char*
|
1998-09-17 03:12:28 +00:00
|
|
|
build_follow_filter( packet_info *pi ) {
|
2005-08-08 18:50:39 +00:00
|
|
|
char* buf;
|
2000-08-11 22:18:22 +00:00
|
|
|
int len;
|
2008-09-30 13:29:15 +00:00
|
|
|
conversation_t *conv=NULL;
|
|
|
|
|
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
1999-10-22 07:18:23 +00:00
|
|
|
if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4
|
2008-09-30 13:29:15 +00:00
|
|
|
&& pi->ipproto == IP_PROTO_TCP
|
|
|
|
&& (conv=find_conversation(pi->fd->num, &pi->src, &pi->dst, pi->ptype,
|
|
|
|
pi->srcport, pi->destport, 0)) != NULL ) {
|
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
1999-10-22 07:18:23 +00:00
|
|
|
/* TCP over IPv4 */
|
2008-09-30 13:29:15 +00:00
|
|
|
buf = g_strdup_printf("tcp.stream eq %d", conv->index);
|
2000-08-11 22:18:22 +00:00
|
|
|
len = 4;
|
|
|
|
is_ipv6 = FALSE;
|
|
|
|
}
|
2007-11-03 04:45:35 +00:00
|
|
|
else if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4
|
|
|
|
&& pi->ipproto == IP_PROTO_UDP ) {
|
|
|
|
/* UDP over IPv4 */
|
|
|
|
buf = g_strdup_printf(
|
|
|
|
"(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
|
|
|
|
ip_to_str( pi->net_src.data),
|
|
|
|
ip_to_str( pi->net_dst.data),
|
|
|
|
pi->srcport, pi->destport );
|
|
|
|
len = 4;
|
|
|
|
is_ipv6 = FALSE;
|
|
|
|
}
|
2000-08-11 22:18:22 +00:00
|
|
|
else if( pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6
|
2008-09-30 13:29:15 +00:00
|
|
|
&& pi->ipproto == IP_PROTO_TCP
|
|
|
|
&& (conv=find_conversation(pi->fd->num, &pi->src, &pi->dst, pi->ptype,
|
|
|
|
pi->srcport, pi->destport, 0)) != NULL ) {
|
2000-08-11 22:18:22 +00:00
|
|
|
/* TCP over IPv6 */
|
2008-09-30 13:29:15 +00:00
|
|
|
buf = g_strdup_printf("tcp.stream eq %d", conv->index);
|
2000-08-11 22:18:22 +00:00
|
|
|
len = 16;
|
|
|
|
is_ipv6 = TRUE;
|
1998-09-17 03:12:28 +00:00
|
|
|
}
|
2007-11-03 04:45:35 +00:00
|
|
|
else if( pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6
|
|
|
|
&& pi->ipproto == IP_PROTO_UDP ) {
|
|
|
|
/* UDP over IPv6 */
|
|
|
|
buf = g_strdup_printf(
|
|
|
|
"(ipv6.addr eq %s and ipv6.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
|
|
|
|
ip6_to_str((const struct e_in6_addr *)pi->net_src.data),
|
|
|
|
ip6_to_str((const struct e_in6_addr *)pi->net_dst.data),
|
|
|
|
pi->srcport, pi->destport );
|
|
|
|
len = 16;
|
|
|
|
is_ipv6 = TRUE;
|
|
|
|
}
|
2002-08-28 21:04:11 +00:00
|
|
|
else {
|
1998-09-17 03:12:28 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
2000-08-11 22:18:22 +00:00
|
|
|
memcpy(ip_address[0], pi->net_src.data, len);
|
|
|
|
memcpy(ip_address[1], pi->net_dst.data, len);
|
2007-11-03 04:45:35 +00:00
|
|
|
port[0] = pi->srcport;
|
|
|
|
port[1] = pi->destport;
|
1998-09-17 03:12:28 +00:00
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* here we are going to try and reconstruct the data portion of a TCP
|
2002-08-28 21:04:11 +00:00
|
|
|
session. We will try and handle duplicates, TCP fragments, and out
|
1998-09-17 03:12:28 +00:00
|
|
|
of order packets in a smart way. */
|
|
|
|
|
2000-03-12 04:26:35 +00:00
|
|
|
static tcp_frag *frags[2] = { 0, 0 };
|
2002-08-02 23:36:07 +00:00
|
|
|
static gulong seq[2];
|
2000-08-11 22:18:22 +00:00
|
|
|
static guint8 src_addr[2][MAX_IPADDR_LEN];
|
2002-08-02 23:36:07 +00:00
|
|
|
static guint src_port[2] = { 0, 0 };
|
1998-09-17 03:12:28 +00:00
|
|
|
|
2002-08-28 21:04:11 +00:00
|
|
|
void
|
2007-12-15 23:25:05 +00:00
|
|
|
reassemble_tcp( gulong sequence, gulong acknowledgement, gulong length,
|
|
|
|
const char* data, gulong data_length, int synflag,
|
|
|
|
address *net_src, address *net_dst,
|
|
|
|
guint srcport, guint dstport) {
|
2000-08-11 22:18:22 +00:00
|
|
|
guint8 srcx[MAX_IPADDR_LEN], dstx[MAX_IPADDR_LEN];
|
|
|
|
int src_index, j, first = 0, len;
|
2002-08-02 23:36:07 +00:00
|
|
|
gulong newseq;
|
1998-09-17 03:12:28 +00:00
|
|
|
tcp_frag *tmp_frag;
|
1999-11-28 03:35:20 +00:00
|
|
|
tcp_stream_chunk sc;
|
2002-08-28 21:04:11 +00:00
|
|
|
|
1998-09-17 03:12:28 +00:00
|
|
|
src_index = -1;
|
2002-08-28 21:04:11 +00:00
|
|
|
|
2000-03-12 04:26:35 +00:00
|
|
|
/* First, check if this packet should be processed. */
|
|
|
|
|
2000-08-11 22:18:22 +00:00
|
|
|
if ((net_src->type != AT_IPv4 && net_src->type != AT_IPv6) ||
|
|
|
|
(net_dst->type != AT_IPv4 && net_dst->type != AT_IPv6))
|
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
1999-10-22 07:18:23 +00:00
|
|
|
return;
|
2000-03-12 04:26:35 +00:00
|
|
|
|
2000-08-11 22:18:22 +00:00
|
|
|
if (net_src->type == AT_IPv4)
|
|
|
|
len = 4;
|
|
|
|
else
|
|
|
|
len = 16;
|
|
|
|
|
2000-03-12 04:26:35 +00:00
|
|
|
/* Now check if the packet is for this connection. */
|
2000-08-11 22:18:22 +00:00
|
|
|
memcpy(srcx, net_src->data, len);
|
|
|
|
memcpy(dstx, net_dst->data, len);
|
2003-07-06 00:30:40 +00:00
|
|
|
if (
|
|
|
|
! (
|
|
|
|
memcmp(srcx, ip_address[0], len) == 0 &&
|
|
|
|
memcmp(dstx, ip_address[1], len) == 0 &&
|
2007-11-03 04:45:35 +00:00
|
|
|
srcport == port[0] &&
|
|
|
|
dstport == port[1]
|
2003-07-06 00:30:40 +00:00
|
|
|
) &&
|
|
|
|
! (
|
|
|
|
memcmp(srcx, ip_address[1], len) == 0 &&
|
|
|
|
memcmp(dstx, ip_address[0], len) == 0 &&
|
2007-11-03 04:45:35 +00:00
|
|
|
srcport == port[1] &&
|
|
|
|
dstport == port[0]
|
2003-07-06 00:30:40 +00:00
|
|
|
)
|
|
|
|
)
|
1999-07-31 13:55:16 +00:00
|
|
|
return;
|
|
|
|
|
2000-03-12 04:26:35 +00:00
|
|
|
/* Check to see if we have seen this source IP and port before.
|
|
|
|
(Yes, we have to check both source IP and port; the connection
|
|
|
|
might be between two different ports on the same machine.) */
|
1998-09-17 03:12:28 +00:00
|
|
|
for( j=0; j<2; j++ ) {
|
2000-08-11 22:18:22 +00:00
|
|
|
if (memcmp(src_addr[j], srcx, len) == 0 && src_port[j] == srcport ) {
|
1998-09-17 03:12:28 +00:00
|
|
|
src_index = j;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* we didn't find it if src_index == -1 */
|
|
|
|
if( src_index < 0 ) {
|
|
|
|
/* assign it to a src_index and get going */
|
|
|
|
for( j=0; j<2; j++ ) {
|
2000-08-11 22:18:22 +00:00
|
|
|
if( src_port[j] == 0 ) {
|
|
|
|
memcpy(src_addr[j], srcx, len);
|
2000-03-12 04:26:35 +00:00
|
|
|
src_port[j] = srcport;
|
1998-09-17 03:12:28 +00:00
|
|
|
src_index = j;
|
|
|
|
first = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if( src_index < 0 ) {
|
|
|
|
fprintf( stderr, "ERROR in reassemble_tcp: Too many addresses!\n");
|
|
|
|
return;
|
|
|
|
}
|
1999-03-23 20:25:50 +00:00
|
|
|
|
|
|
|
if( data_length < length ) {
|
|
|
|
incomplete_tcp_stream = TRUE;
|
|
|
|
}
|
|
|
|
|
2007-12-15 23:25:05 +00:00
|
|
|
/* Before adding data for this flow to the data_out_file, check whether
|
|
|
|
* this frame acks fragments that were already seen. This happens when
|
|
|
|
* frames are not in the capture file, but were actually seen by the
|
|
|
|
* receiving host (Fixes bug 592).
|
|
|
|
*/
|
|
|
|
if( frags[1-src_index] ) {
|
|
|
|
memcpy(sc.src_addr, dstx, len);
|
|
|
|
sc.src_port = dstport;
|
|
|
|
sc.dlen = 0; /* Will be filled in in check_fragments */
|
|
|
|
while ( check_fragments( 1-src_index, &sc, acknowledgement ) )
|
|
|
|
;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Initialize our stream chunk. This data gets written to disk. */
|
|
|
|
memcpy(sc.src_addr, srcx, len);
|
|
|
|
sc.src_port = srcport;
|
|
|
|
sc.dlen = data_length;
|
|
|
|
|
2002-08-28 21:04:11 +00:00
|
|
|
/* now that we have filed away the srcs, lets get the sequence number stuff
|
1998-09-17 03:12:28 +00:00
|
|
|
figured out */
|
|
|
|
if( first ) {
|
|
|
|
/* this is the first time we have seen this src's sequence number */
|
|
|
|
seq[src_index] = sequence + length;
|
|
|
|
if( synflag ) {
|
|
|
|
seq[src_index]++;
|
|
|
|
}
|
|
|
|
/* write out the packet data */
|
2000-08-09 05:18:45 +00:00
|
|
|
write_packet_data( src_index, &sc, data );
|
1998-09-17 03:12:28 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* if we are here, we have already seen this src, let's
|
|
|
|
try and figure out if this packet is in the right place */
|
|
|
|
if( sequence < seq[src_index] ) {
|
2002-08-28 21:04:11 +00:00
|
|
|
/* this sequence number seems dated, but
|
1998-09-17 03:12:28 +00:00
|
|
|
check the end to make sure it has no more
|
|
|
|
info than we have already seen */
|
|
|
|
newseq = sequence + length;
|
|
|
|
if( newseq > seq[src_index] ) {
|
2002-08-02 23:36:07 +00:00
|
|
|
gulong new_len;
|
1999-03-23 20:25:50 +00:00
|
|
|
|
2002-08-28 21:04:11 +00:00
|
|
|
/* this one has more than we have seen. let's get the
|
1998-09-17 03:12:28 +00:00
|
|
|
payload that we have not seen. */
|
1999-03-23 20:25:50 +00:00
|
|
|
|
|
|
|
new_len = seq[src_index] - sequence;
|
|
|
|
|
|
|
|
if ( data_length <= new_len ) {
|
|
|
|
data = NULL;
|
|
|
|
data_length = 0;
|
|
|
|
incomplete_tcp_stream = TRUE;
|
|
|
|
} else {
|
|
|
|
data += new_len;
|
|
|
|
data_length -= new_len;
|
|
|
|
}
|
2001-05-24 23:07:41 +00:00
|
|
|
sc.dlen = data_length;
|
1998-09-17 03:12:28 +00:00
|
|
|
sequence = seq[src_index];
|
|
|
|
length = newseq - seq[src_index];
|
2002-08-28 21:04:11 +00:00
|
|
|
|
1998-09-17 03:12:28 +00:00
|
|
|
/* this will now appear to be right on time :) */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ( sequence == seq[src_index] ) {
|
|
|
|
/* right on time */
|
|
|
|
seq[src_index] += length;
|
|
|
|
if( synflag ) seq[src_index]++;
|
1999-03-23 20:25:50 +00:00
|
|
|
if( data ) {
|
2000-08-09 05:18:45 +00:00
|
|
|
write_packet_data( src_index, &sc, data );
|
1999-03-23 20:25:50 +00:00
|
|
|
}
|
1998-09-17 03:12:28 +00:00
|
|
|
/* done with the packet, see if it caused a fragment to fit */
|
2007-12-15 23:25:05 +00:00
|
|
|
while( check_fragments( src_index, &sc, 0 ) )
|
1998-09-17 03:12:28 +00:00
|
|
|
;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
/* out of order packet */
|
2000-08-24 21:05:16 +00:00
|
|
|
if(data_length > 0 && sequence > seq[src_index] ) {
|
2005-08-05 23:58:58 +00:00
|
|
|
tmp_frag = (tcp_frag *)g_malloc( sizeof( tcp_frag ) );
|
2007-03-26 06:10:52 +00:00
|
|
|
tmp_frag->data = (gchar *)g_malloc( data_length );
|
1998-09-17 03:12:28 +00:00
|
|
|
tmp_frag->seq = sequence;
|
|
|
|
tmp_frag->len = length;
|
1999-03-23 20:25:50 +00:00
|
|
|
tmp_frag->data_len = data_length;
|
|
|
|
memcpy( tmp_frag->data, data, data_length );
|
1998-09-17 03:12:28 +00:00
|
|
|
if( frags[src_index] ) {
|
|
|
|
tmp_frag->next = frags[src_index];
|
|
|
|
} else {
|
|
|
|
tmp_frag->next = NULL;
|
|
|
|
}
|
|
|
|
frags[src_index] = tmp_frag;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} /* end reassemble_tcp */
|
|
|
|
|
|
|
|
/* here we search through all the frag we have collected to see if
|
|
|
|
one fits */
|
2002-08-28 21:04:11 +00:00
|
|
|
static int
|
2007-12-15 23:25:05 +00:00
|
|
|
check_fragments( int index, tcp_stream_chunk *sc, gulong acknowledged ) {
|
1998-09-17 03:12:28 +00:00
|
|
|
tcp_frag *prev = NULL;
|
|
|
|
tcp_frag *current;
|
2007-12-15 23:25:05 +00:00
|
|
|
gulong lowest_seq;
|
|
|
|
gchar *dummy_str;
|
|
|
|
|
1998-09-17 03:12:28 +00:00
|
|
|
current = frags[index];
|
2007-12-15 23:25:05 +00:00
|
|
|
if( current ) {
|
|
|
|
lowest_seq = current->seq;
|
|
|
|
while( current ) {
|
2008-05-13 22:45:04 +00:00
|
|
|
if( (glong)(lowest_seq - current->seq) > 0 ) {
|
|
|
|
lowest_seq = current->seq;
|
|
|
|
}
|
|
|
|
|
|
|
|
if( current->seq < seq[index] ) {
|
|
|
|
gulong newseq;
|
|
|
|
/* this sequence number seems dated, but
|
|
|
|
check the end to make sure it has no more
|
|
|
|
info than we have already seen */
|
|
|
|
newseq = current->seq + current->len;
|
|
|
|
if( newseq > seq[index] ) {
|
|
|
|
gulong new_pos;
|
|
|
|
|
|
|
|
/* this one has more than we have seen. let's get the
|
|
|
|
payload that we have not seen. This happens when
|
|
|
|
part of this frame has been retransmitted */
|
|
|
|
|
|
|
|
new_pos = seq[index] - current->seq;
|
|
|
|
|
|
|
|
if ( current->data_len > new_pos ) {
|
|
|
|
sc->dlen = current->data_len - new_pos;
|
|
|
|
write_packet_data( index, sc, current->data + new_pos );
|
|
|
|
}
|
|
|
|
|
|
|
|
seq[index] += (current->len - new_pos);
|
|
|
|
if( prev ) {
|
|
|
|
prev->next = current->next;
|
|
|
|
} else {
|
|
|
|
frags[index] = current->next;
|
|
|
|
}
|
|
|
|
g_free( current->data );
|
|
|
|
g_free( current );
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-12-15 23:25:05 +00:00
|
|
|
if( current->seq == seq[index] ) {
|
|
|
|
/* this fragment fits the stream */
|
|
|
|
if( current->data ) {
|
|
|
|
sc->dlen = current->data_len;
|
|
|
|
write_packet_data( index, sc, current->data );
|
|
|
|
}
|
|
|
|
seq[index] += current->len;
|
|
|
|
if( prev ) {
|
|
|
|
prev->next = current->next;
|
|
|
|
} else {
|
|
|
|
frags[index] = current->next;
|
|
|
|
}
|
|
|
|
g_free( current->data );
|
|
|
|
g_free( current );
|
|
|
|
return 1;
|
1998-09-17 03:12:28 +00:00
|
|
|
}
|
2007-12-15 23:25:05 +00:00
|
|
|
prev = current;
|
|
|
|
current = current->next;
|
|
|
|
}
|
2008-05-13 22:45:04 +00:00
|
|
|
if( (glong)(acknowledged - lowest_seq) > 0 ) {
|
2007-12-15 23:25:05 +00:00
|
|
|
/* There are frames missing in the capture file that were seen
|
|
|
|
* by the receiving host. Add dummy stream chunk with the data
|
|
|
|
* "[xxx bytes missing in capture file]".
|
|
|
|
*/
|
|
|
|
dummy_str = g_strdup_printf("[%d bytes missing in capture file]",
|
|
|
|
(int)(lowest_seq - seq[index]) );
|
2009-04-07 16:36:52 +00:00
|
|
|
sc->dlen = (guint32) strlen(dummy_str);
|
2007-12-15 23:25:05 +00:00
|
|
|
write_packet_data( index, sc, dummy_str );
|
|
|
|
g_free(dummy_str);
|
|
|
|
seq[index] = lowest_seq;
|
1998-09-17 03:12:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2007-12-15 23:25:05 +00:00
|
|
|
}
|
1998-09-17 03:12:28 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* this should always be called before we start to reassemble a stream */
|
2002-08-28 21:04:11 +00:00
|
|
|
void
|
2007-05-22 00:00:09 +00:00
|
|
|
reset_tcp_reassembly(void)
|
|
|
|
{
|
1998-09-17 03:12:28 +00:00
|
|
|
tcp_frag *current, *next;
|
|
|
|
int i;
|
2007-05-22 00:00:09 +00:00
|
|
|
|
|
|
|
empty_tcp_stream = TRUE;
|
1999-03-23 20:25:50 +00:00
|
|
|
incomplete_tcp_stream = FALSE;
|
1998-09-17 03:12:28 +00:00
|
|
|
for( i=0; i<2; i++ ) {
|
|
|
|
seq[i] = 0;
|
2000-08-11 22:18:22 +00:00
|
|
|
memset(src_addr[i], '\0', MAX_IPADDR_LEN);
|
2000-03-12 04:26:35 +00:00
|
|
|
src_port[i] = 0;
|
2000-08-11 22:18:22 +00:00
|
|
|
memset(ip_address[i], '\0', MAX_IPADDR_LEN);
|
2007-11-03 04:45:35 +00:00
|
|
|
port[i] = 0;
|
2000-08-09 05:18:45 +00:00
|
|
|
bytes_written[i] = 0;
|
1998-09-17 03:12:28 +00:00
|
|
|
current = frags[i];
|
|
|
|
while( current ) {
|
|
|
|
next = current->next;
|
2005-08-05 23:58:58 +00:00
|
|
|
g_free( current->data );
|
|
|
|
g_free( current );
|
1998-09-17 03:12:28 +00:00
|
|
|
current = next;
|
|
|
|
}
|
|
|
|
frags[i] = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2002-08-28 21:04:11 +00:00
|
|
|
static void
|
2000-08-09 05:18:45 +00:00
|
|
|
write_packet_data( int index, tcp_stream_chunk *sc, const char *data )
|
|
|
|
{
|
2008-12-23 14:50:28 +00:00
|
|
|
size_t ret;
|
|
|
|
|
|
|
|
ret = fwrite( sc, 1, sizeof(tcp_stream_chunk), data_out_file );
|
|
|
|
DISSECTOR_ASSERT(sizeof(tcp_stream_chunk) == ret);
|
|
|
|
|
|
|
|
ret = fwrite( data, 1, sc->dlen, data_out_file );
|
|
|
|
DISSECTOR_ASSERT(sc->dlen == ret);
|
|
|
|
|
2000-08-09 05:18:45 +00:00
|
|
|
bytes_written[index] += sc->dlen;
|
2007-05-22 00:00:09 +00:00
|
|
|
empty_tcp_stream = FALSE;
|
1998-09-17 03:12:28 +00:00
|
|
|
}
|