HTTP2: Send headers to the follow tap after decompression

Field blocks (carried in HEADERS, PUSH_PROMISE, and CONTINUATION frames) are compressed by HPACK. Send them to the follow tap only after decompression. Update the tests to match the new output. Ping #18239 (There's still the case of gzip and brotli compressed DATA frames to handle).
2022-08-03 07:29:29 -04:00 · 2022-08-03 07:29:29 -04:00 · 862803de5c
parent 8097d3e4a3
commit 862803de5c
3 changed files with 34 additions and 4 deletions
--- a/epan/dissectors/packet-http2.c
+++ b/epan/dissectors/packet-http2.c
@ -2106,6 +2106,15 @@ inflate_http2_header_block(tvbuff_t *tvb, packet_info *pinfo, guint offset, prot
    ti = proto_tree_add_uint(tree, hf_http2_header_length, header_tvb, hoffset, 1, header_len);
    proto_item_set_generated(ti);

+    if (have_tap_listener(http2_follow_tap)) {
+        http2_follow_tap_data_t *follow_data = wmem_new0(wmem_packet_scope(), http2_follow_tap_data_t);
+
+        follow_data->tvb = header_tvb;
+        follow_data->stream_id = h2session->current_stream_id;
+
+        tap_queue_packet(http2_follow_tap, pinfo, follow_data);
+    }
+
    if (header_data->header_size_attempted > 0) {
        expert_add_info_format(pinfo, ti, &ei_http2_header_size,
                               "Decompression stopped after %u bytes (%u attempted).",
@ -3688,6 +3697,7 @@ dissect_http2_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* dat
    GHashTable* entry;
    struct tcp_analysis* tcpd;
    conversation_t* conversation = find_or_create_conversation(pinfo);
+    gboolean use_follow_tap = TRUE;

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "HTTP2");

@ -3798,6 +3808,9 @@ dissect_http2_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* dat

        case HTTP2_HEADERS: /* Headers (1) */
            dissect_http2_headers(tvb, pinfo, http2_session, http2_tree, offset, flags);
+#ifdef HAVE_NGHTTP2
+            use_follow_tap = FALSE;
+#endif
        break;

        case HTTP2_PRIORITY: /* Priority (2) */
@ -3814,6 +3827,9 @@ dissect_http2_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* dat

        case HTTP2_PUSH_PROMISE: /* PUSH Promise (5) */
            dissect_http2_push_promise(tvb, pinfo, http2_session, http2_tree, offset, flags);
+#ifdef HAVE_NGHTTP2
+            use_follow_tap = FALSE;
+#endif
        break;

        case HTTP2_PING: /* Ping (6) */
@ -3830,6 +3846,9 @@ dissect_http2_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* dat

        case HTTP2_CONTINUATION: /* Continuation (9) */
            dissect_http2_continuation(tvb, pinfo, http2_session, http2_tree, offset, flags);
+#ifdef HAVE_NGHTTP2
+            use_follow_tap = FALSE;
+#endif
        break;

        case HTTP2_ALTSVC: /* ALTSVC (10) */
@ -3854,7 +3873,10 @@ dissect_http2_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* dat
    }
    tap_queue_packet(http2_tap, pinfo, http2_stats);

-    if (have_tap_listener(http2_follow_tap)) {
+    /* HEADERS, CONTINUATION, and PUSH_PROMISE frames are compressed,
+     * and sent to the follow tap inside inflate_http2_header_block.
+     */
+    if (have_tap_listener(http2_follow_tap) && use_follow_tap) {
        http2_follow_tap_data_t *follow_data = wmem_new0(wmem_packet_scope(), http2_follow_tap_data_t);

        follow_data->tvb = tvb;
--- a/test/suite_dissection.py
+++ b/test/suite_dissection.py
@ -408,8 +408,12 @@ class case_dissect_http2(subprocesstest.SubprocessTestCase):
                '-o', 'tls.keylog_file: {}'.format(key_file),
                '-z', 'follow,http2,hex,0,0'
            ))
+        # Stream ID 0 bytes
        self.assertTrue(self.grepOutput('00000000  00 00 12 04 00 00 00 00'))
+        # Stream ID 1 bytes, decrypted but compressed by HPACK
        self.assertFalse(self.grepOutput('00000000  00 00 2c 01 05 00 00 00'))
+        # Stream ID 1 bytes, decrypted and uncompressed
+        self.assertFalse(self.grepOutput('00000000  00 00 00 07 3a 6d 65 74'))

    def test_http2_follow_1(self, cmd_tshark, features, dirs, capture_file):
        '''Follow HTTP/2 Stream ID 1 test'''
@ -421,8 +425,12 @@ class case_dissect_http2(subprocesstest.SubprocessTestCase):
                '-o', 'tls.keylog_file: {}'.format(key_file),
                '-z', 'follow,http2,hex,0,1'
            ))
+        # Stream ID 0 bytes
        self.assertFalse(self.grepOutput('00000000  00 00 12 04 00 00 00 00'))
-        self.assertTrue(self.grepOutput('00000000  00 00 2c 01 05 00 00 00'))
+        # Stream ID 1 bytes, decrypted but compressed by HPACK
+        self.assertFalse(self.grepOutput('00000000  00 00 2c 01 05 00 00 00'))
+        # Stream ID 1 bytes, decrypted and uncompressed
+        self.assertTrue(self.grepOutput('00000000  00 00 00 07 3a 6d 65 74'))

@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
--- a/test/suite_follow_multistream.py
+++ b/test/suite_follow_multistream.py
@ -28,9 +28,9 @@ Follow: http2,raw
 Filter: tcp.stream eq 0 and http2.streamid eq 25
 Node 0: 10.9.0.2:59246
 Node 1: 104.16.40.2:443
-00003301250000001900000005018205a46292c861b1d10c4a6b0b29fcc529ac426cb6a5a3b6a9282aed484759780db6f0e35fa23fc687c5c0c3c2bf
+000000073a6d6574686f6400000003474554000000053a70617468000000312f6d656469612f6a732f66697265666f785f666972737472756e2d62756e646c652e3464633733383035353861622e6a730000000a3a617574686f726974790000000f7777772e6d6f7a696c6c612e6f7267000000073a736368656d650000000568747470730000000a757365722d6167656e74000000444d6f7a696c6c612f352e3020285831313b204c696e7578207838365f36343b2072763a35322e3029204765636b6f2f32303130303130312046697265666f782f35322e3000000006616363657074000000032a2f2a0000000f6163636570742d6c616e67756167650000000e656e2d55532c656e3b713d302e350000000f6163636570742d656e636f64696e6700000011677a69702c206465666c6174652c20627200000007726566657265720000003668747470733a2f2f7777772e6d6f7a696c6c612e6f72672f656e2d55532f66697265666f782f35322e302e312f666972737472756e2f
 00000408000000001900be0000
-	0003ac01040000001988e0cfcecddd009021ea496a4ac8292db0c9f4b567a0c4f5ffbd05412c35695916114ff482d12ffa53e57a4fecd45035ea2a54f95e93fb35140d73d9329f2bd27f66a281ae43d2a7fab6a40e52ac6aa83545ff4a7fab6a40e52ac5ee3a3fd29f2b9eb49a937b2d1e9721e950f5a4d49bd968f4ba195c748fd9ea1f842e43d2a78f1e1798e79a82a473523a87316c5c87a54f1e3c2f31cf350558750e8f493110b90f4a891cd48ea1cc5b1798e79a82ae43d2a78f1e17f47b536c655c87a5442fe926a665c87a7ed435332c8b08a7fa416897fd29f2bd27f66a281af5152a7caf49fd9a8a06b9ec994f95e93fb35140d721e95241a47714f95cf5a4d49bd968f4b90f4a9e3c785e639e6a0a91cd48ea1cc5b1721e953c78f0bcc73cd41561d43a3d24c442e43d2a7cae9350542f48eb8cfe5721e95075997a475c67f2b90f4a84b0a349bb9487a693d485cf64ca0e45e43db1d0525062755ea2a7ed490b28eda12b22c229fe905a25ff4a7caf49fd9a8a06bd454a9f2bd27f66a281ae7b2653e57a4fecd45035c87a7ed496c1d255916114f95cf5a4d49bd968f4b90f4a9e3c785e639e6a0a91cd48ea1cc5b1721e953c78f0bcc73cd41561d43a3d24c442e43d2a78f1e17f47b536c655aa390e7ea62ae43d2a26c193a96c495095cf64ca78f1e1745b6772fa98dee93ae43d2a0c843db5250bca6b0b29fcae43d2a0c843db5250bca6b0b29fcae43d2b92a53c78f0bfa3da9b632ae43d3f6a213ea82ac8b08a7fa416897fd29f2bd27f66a281af5152a7caf49fd9a8a06b9ec994f95e93fb35140d721e953fd5b5207295635541aa2ffafb5087aaa2912b22c229fe905a25ff4a7caf49fd9a8a06bd454a9f2bd27f66a281ae7b2653e57a4fecd45035c87a54f95cf5a4d49bd968f4b90f4a9e3c785e639e6a0a91cd48ea1cc5b1721e953c78f0bcc73cd41561d43a3d24c442e43d2a7cae9350542f48eb8cfe5721e95075997a475c67f2b90f4fda849cd448b22c229f2b9eb49a937b2d1e9721e953c78f0bcc73cd415239a91d4398b62e43d2a78f1e1798e79a82ac3a8747a498885c87a54f1e3c2fe8f6a6d8cab54721cfd4c55c87a544d832752d892a12b9ec994f1e3c2e8b6cee5f531bdd275c87a5419087b6a4a1794d61653f95c87a5419087b6a4a1794d61653f95c87a57254a78f1e17f47b536c655c87a76c96df3dbf4a004a681d8a0801754082e32e5c644a62d1bfdbda7f1a9f91a75965d2004e05b5e32c961c9d56aec3c8bda85bc15095e93fb5fc1ecea8d9d8d7d6d5d4d37f138f65a74437e479c2be07596995a1d1bb
+	000000073a7374617475730000000332303000000004646174650000001d5765642c203239204d617220323031372031313a35393a333020474d540000000c636f6e74656e742d74797065000000276170706c69636174696f6e2f6a6176617363726970743b20636861727365743d227574662d38220000001b6163636573732d636f6e74726f6c2d616c6c6f772d6f726967696e000000012a0000000d63616368652d636f6e74726f6c000000246d61782d6167653d3331353336303030302c207075626c69632c20696d6d757461626c6500000010636f6e74656e742d656e636f64696e6700000004677a697000000017636f6e74656e742d73656375726974792d706f6c696379000004737363726970742d737263202773656c6627202a2e6d6f7a696c6c612e6e6574202a2e6d6f7a696c6c612e6f7267202a2e6d6f7a696c6c612e636f6d2027756e736166652d696e6c696e65272027756e736166652d6576616c27202a2e6f7074696d697a656c792e636f6d206f7074696d697a656c792e73332e616d617a6f6e6177732e636f6d207777772e676f6f676c657461676d616e616765722e636f6d207777772e676f6f676c652d616e616c79746963732e636f6d207461676d616e616765722e676f6f676c652e636f6d207777772e796f75747562652e636f6d20732e7974696d672e636f6d3b20696d672d737263202773656c6627202a2e6d6f7a696c6c612e6e6574202a2e6d6f7a696c6c612e6f7267202a2e6d6f7a696c6c612e636f6d20646174613a202a2e6f7074696d697a656c792e636f6d207777772e676f6f676c657461676d616e616765722e636f6d207777772e676f6f676c652d616e616c79746963732e636f6d202a2e74696c65732e6d6170626f782e636f6d206170692e6d6170626f782e636f6d206372656174697665636f6d6d6f6e732e6f72672061642e646f75626c65636c69636b2e6e65743b2064656661756c742d737263202773656c6627202a2e6d6f7a696c6c612e6e6574202a2e6d6f7a696c6c612e6f7267202a2e6d6f7a696c6c612e636f6d3b206672616d652d737263202a2e6f7074696d697a656c792e636f6d207777772e676f6f676c657461676d616e616765722e636f6d207777772e676f6f676c652d616e616c79746963732e636f6d207777772e796f75747562652d6e6f636f6f6b69652e636f6d20747261636b6572746573742e6f7267207777772e73757276657967697a6d6f2e636f6d206163636f756e74732e66697265666f782e636f6d206163636f756e74732e66697265666f782e636f6d2e636e207777772e796f75747562652e636f6d3b207374796c652d737263202773656c6627202a2e6d6f7a696c6c612e6e6574202a2e6d6f7a696c6c612e6f7267202a2e6d6f7a696c6c612e636f6d2027756e736166652d696e6c696e65273b20636f6e6e6563742d737263202773656c6627202a2e6d6f7a696c6c612e6e6574202a2e6d6f7a696c6c612e6f7267202a2e6d6f7a696c6c612e636f6d202a2e6f7074696d697a656c792e636f6d207777772e676f6f676c657461676d616e616765722e636f6d207777772e676f6f676c652d616e616c79746963732e636f6d202a2e74696c65732e6d6170626f782e636f6d206170692e6d6170626f782e636f6d3b206368696c642d737263202a2e6f7074696d697a656c792e636f6d207777772e676f6f676c657461676d616e616765722e636f6d207777772e676f6f676c652d616e616c79746963732e636f6d207777772e796f75747562652d6e6f636f6f6b69652e636f6d20747261636b6572746573742e6f7267207777772e73757276657967697a6d6f2e636f6d206163636f756e74732e66697265666f782e636f6d206163636f756e74732e66697265666f782e636f6d2e636e207777772e796f75747562652e636f6d0000000d6c6173742d6d6f6469666965640000001d5468752c203032204d617220323031372031303a33363a333220474d54000000197374726963742d7472616e73706f72742d7365637572697479000000106d61782d6167653d333135333630303000000004766172790000000f4163636570742d456e636f64696e6700000010782d6261636b656e642d7365727665720000002b6434373333376330323631352e626564726f636b2d70726f642e75732d776573742e6d6f7a2e776f726b7300000011782d636c61636b732d6f7665726865616400000013474e552054657272792050726174636865747400000016782d636f6e74656e742d747970652d6f7074696f6e73000000076e6f736e6966660000000f782d6672616d652d6f7074696f6e730000000444454e590000000c782d726f626f74732d746167000000056e6f6f647000000010782d7873732d70726f74656374696f6e0000000d313b206d6f64653d626c6f636b0000000f63662d63616368652d737461747573000000034849540000000673657276657200000010636c6f7564666c6172652d6e67696e780000000663662d72617900000014333437326139643836653930373334332d414d53
 	0003f80000000000191f8b08000000000000037c55db6ee336107def5724ecc220615ac906db3ec850b740364153e4d266bb794917062d8d646e255220295f56d6bf77a84b6ca5415f649373869c3967662853ea7625e8f4e44e7f97792ea288542a81542a48085b0bf362a89b79ff37b8de8a9bd48802a2b452b1935a515693cac2897546c68eccbd2370c75574fa9e1b2eb9e59a570738b0da80ab8c3a8167087250995bcdde7f8df0fa33f211025b2df1287ace0f461642c3c5e108c16a880437d13b4a7e4cb76226db9066b156a9cc080b12e104252b6d1d61dc0e30fcaf23db1bad8971bd912ad19b4024c9d51a94bb95d68102434901d68a0c085ff1d37386b1608ae6aa10329f4cce683065bffacfdf81ffd617bc390b1c58478f706c32a13ad2533201bf8cc81454ac13f8f27873a98b522bbc6f84679850450de303d797b9444c702d0da47a7b27be69f304c62203bf441f7eee8e0f0c94b98881124cdec1d6451d1784bf6ca4db452a0d725aa9c5fa82e03d7a1a9189363293eaedb07a5a721d0b4f78d061197711049968a9bac74bf67be269457612e9e55f561e3d998cd7a7a82c9695a872473068f9ffaa8d7d03a76ff506cca5b040d994fcd6492adb732a2abda2070eb0da3c891253b481705845adcc5ce31adc5fb2005d397a54b86abf4fe987f373d6f08b9fda9f7454a83688adc5420299ad1ce63925e51603c572b9cc85b7e45a24be5b1a9e1f3972c56adf0626ea89f499dd8a1d98fdfef92b97510d9ec2d071891219d1ba618dcf91bb77016a062aa1124fe126282bbbc23c1b1e1f2e70fe82be79e1d961ef90c1860cfb1daad06335ca45a6c86d27242a6258d7846dbbbae8f7cf0ff741290cb20c6db46c6e37d2c52bea825817855009ab631461c8382ca963f3a501f1cfbcdd3760e5772061f26a3fd5a6588012cbdc7baddfb2a2e0bdb9786556622d33e1bc297b65b2325355b9282aeb166b3032dd9170f70ad3eecbae861798469983c31097af60b9464e48b8c1eda6e1e588359c62e73ca7bece6783d83ca644abdb6ec501994e463e69cf61d0d54d8f7fec086af1eb11be355f2313573d4d2da6781bf36920ab0565ff05ddbf70d6227623c41098b00f1bf587d12518b7a3a49d500fa5bb5104c756de6f9ce8d2cd90195ee7620979d83b1fc00d1ba8e9d418a8f9dcaeee509aa74e993692e52892deb193e8c0ead39164978362adfbe6a8fe5fdcfdbd18214ea6a11b5a65bc9ea3aef8d84be60ddcb17018b15f9cccf145d08f90e0948d1d35537286b3c24995596ceb79d725b554d285c7e1e3a0daefeb060ba619a6e5b73f2b30bbe149e96f60fcd86bf450c230e03370fd8cff040eb9b5f4385338bcb9810f83d6c7033274a379c98fa6734886b13ff3531a63652fb10ed1cd7ff8170000ffff030036351cd507080000
 	000000000100000019
 ===================================================================