8d17d1fe7a
line 949, column 5 Value stored to 'offset' is never read
1893 lines
73 KiB
C
1893 lines
73 KiB
C
/* packet-ftp.c
|
|
* Routines for ftp packet dissection
|
|
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
|
|
* Copyright 2001, Juan Toledo <toledo@users.sourceforge.net> (Passive FTP)
|
|
*
|
|
* Wireshark - Network traffic analyzer
|
|
* By Gerald Combs <gerald@wireshark.org>
|
|
* Copyright 1998 Gerald Combs
|
|
*
|
|
* Copied from packet-pop.c
|
|
*
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include <stdio.h> /* for sscanf() */
|
|
#include <wsutil/strtoi.h>
|
|
|
|
#include <epan/packet.h>
|
|
#include <epan/strutil.h>
|
|
#include <epan/conversation.h>
|
|
#include <epan/expert.h>
|
|
#include <epan/addr_resolv.h>
|
|
#include <epan/proto_data.h>
|
|
#include "packet-acdr.h"
|
|
|
|
#include <tap.h>
|
|
#include <epan/export_object.h>
|
|
#include <ui/tap-credentials.h>
|
|
|
|
#include "packet-tls.h"
|
|
#include "packet-tls-utils.h"
|
|
|
|
void proto_register_ftp(void);
|
|
void proto_reg_handoff_ftp(void);
|
|
|
|
static int credentials_tap = -1;
|
|
|
|
static int proto_ftp = -1;
|
|
static int proto_ftp_data = -1;
|
|
static int hf_ftp_current_working_directory = -1;
|
|
static int hf_ftp_response = -1;
|
|
static int hf_ftp_request = -1;
|
|
static int hf_ftp_request_command = -1;
|
|
static int hf_ftp_request_arg = -1;
|
|
static int hf_ftp_response_code = -1;
|
|
static int hf_ftp_response_arg = -1;
|
|
static int hf_ftp_pasv_ip = -1 ;
|
|
static int hf_ftp_pasv_port = -1;
|
|
static int hf_ftp_pasv_nat = -1;
|
|
static int hf_ftp_active_ip = -1;
|
|
static int hf_ftp_active_port = -1;
|
|
static int hf_ftp_active_nat = -1;
|
|
static int hf_ftp_eprt_af = -1;
|
|
static int hf_ftp_eprt_ip = -1;
|
|
static int hf_ftp_eprt_ipv6 = -1;
|
|
static int hf_ftp_eprt_port = -1;
|
|
static int hf_ftp_epsv_ip = -1;
|
|
static int hf_ftp_epsv_ipv6 = -1;
|
|
static int hf_ftp_epsv_port = -1;
|
|
static int hf_ftp_command_response_frames = -1;
|
|
static int hf_ftp_command_response_bytes = -1;
|
|
static int hf_ftp_command_response_first_frame_num = -1;
|
|
static int hf_ftp_command_response_last_frame_num = -1;
|
|
static int hf_ftp_command_response_duration = -1;
|
|
static int hf_ftp_command_response_kbps = -1;
|
|
static int hf_ftp_command_setup_frame = -1;
|
|
static int hf_ftp_command_command_frame = -1;
|
|
static int hf_ftp_command_command = -1;
|
|
|
|
static int hf_ftp_data_setup_frame = -1;
|
|
static int hf_ftp_data_setup_method = -1;
|
|
static int hf_ftp_data_command = -1;
|
|
static int hf_ftp_data_command_frame = -1;
|
|
static int hf_ftp_data_current_working_directory = -1;
|
|
|
|
static gint ett_ftp = -1;
|
|
static gint ett_ftp_reqresp = -1;
|
|
|
|
static expert_field ei_ftp_eprt_args_invalid = EI_INIT;
|
|
static expert_field ei_ftp_epsv_args_invalid = EI_INIT;
|
|
static expert_field ei_ftp_response_code_invalid = EI_INIT;
|
|
static expert_field ei_ftp_pwd_response_invalid = EI_INIT;
|
|
|
|
static int ftp_eo_tap = -1;
|
|
|
|
static dissector_handle_t ftpdata_handle;
|
|
static dissector_handle_t ftp_handle;
|
|
static dissector_handle_t data_text_lines_handle;
|
|
static dissector_handle_t tls_handle;
|
|
|
|
#define TCP_PORT_FTPDATA 20
|
|
#define TCP_PORT_FTP 21
|
|
|
|
static const value_string response_table[] = {
|
|
{ 110, "Restart marker reply" },
|
|
{ 120, "Service ready in nnn minutes" },
|
|
{ 125, "Data connection already open; transfer starting" },
|
|
{ 150, "File status okay; about to open data connection" },
|
|
{ 200, "Command okay" },
|
|
{ 202, "Command not implemented, superfluous at this site" },
|
|
{ 211, "System status, or system help reply" },
|
|
{ 212, "Directory status" },
|
|
{ 213, "File status" },
|
|
{ 214, "Help message" },
|
|
{ 215, "NAME system type" },
|
|
{ 220, "Service ready for new user" },
|
|
{ 221, "Service closing control connection" },
|
|
{ 225, "Data connection open; no transfer in progress" },
|
|
{ 226, "Closing data connection" },
|
|
{ 227, "Entering Passive Mode" },
|
|
{ 229, "Entering Extended Passive Mode" },
|
|
{ 230, "User logged in, proceed" },
|
|
{ 232, "User logged in, authorized by security data exchange" },
|
|
{ 234, "Security data exchange complete" },
|
|
{ 235, "Security data exchange completed successfully" },
|
|
{ 250, "Requested file action okay, completed" },
|
|
{ 257, "PATHNAME created" },
|
|
{ 331, "User name okay, need password" },
|
|
{ 332, "Need account for login" },
|
|
{ 334, "Requested security mechanism is ok" },
|
|
{ 335, "Security data is acceptable, more is required" },
|
|
{ 336, "Username okay, need password. Challenge is ..." },
|
|
{ 350, "Requested file action pending further information" },
|
|
{ 421, "Service not available, closing control connection" },
|
|
{ 425, "Can't open data connection" },
|
|
{ 426, "Connection closed; transfer aborted" },
|
|
{ 431, "Need some unavailable resource to process security" },
|
|
{ 450, "Requested file action not taken" },
|
|
{ 451, "Requested action aborted: local error in processing" },
|
|
{ 452, "Requested action not taken. Insufficient storage space in system" },
|
|
{ 500, "Syntax error, command unrecognized" },
|
|
{ 501, "Syntax error in parameters or arguments" },
|
|
{ 502, "Command not implemented" },
|
|
{ 503, "Bad sequence of commands" },
|
|
{ 504, "Command not implemented for that parameter" },
|
|
{ 522, "Network protocol not supported" },
|
|
{ 530, "Not logged in" },
|
|
{ 532, "Need account for storing files" },
|
|
{ 533, "Command protection level denied for policy reasons" },
|
|
{ 534, "Request denied for policy reasons" },
|
|
{ 535, "Failed security check (hash, sequence, etc)" },
|
|
{ 536, "Requested PROT level not supported by mechanism" },
|
|
{ 537, "Command protection level not supported by security mechanism" },
|
|
{ 550, "Requested action not taken: File unavailable" },
|
|
{ 551, "Requested action aborted: page type unknown" },
|
|
{ 552, "Requested file action aborted: Exceeded storage allocation" },
|
|
{ 553, "Requested action not taken: File name not allowed" },
|
|
{ 631, "Integrity protected reply" },
|
|
{ 632, "Confidentiality and integrity protected reply" },
|
|
{ 633, "Confidentiality protected reply" },
|
|
{ 0, NULL }
|
|
};
|
|
static value_string_ext response_table_ext = VALUE_STRING_EXT_INIT(response_table);
|
|
|
|
#define EPRT_AF_IPv4 1
|
|
#define EPRT_AF_IPv6 2
|
|
static const value_string eprt_af_vals[] = {
|
|
{ EPRT_AF_IPv4, "IPv4" },
|
|
{ EPRT_AF_IPv6, "IPv6" },
|
|
{ 0, NULL }
|
|
};
|
|
|
|
/* Used for FTP-DATA's Export Object feature
|
|
This will be controlled by the preferences setting "export.maxsize".
|
|
It will be used to set the maximum file size for FTP's export
|
|
objects (in megabytes). Use 0 for no limit.
|
|
*/
|
|
static guint pref_export_maxsize = 0;
|
|
|
|
typedef struct _ftp_eo_t {
|
|
gchar *command; /* Command this data stream answers (e.g., RETR foo.txt) */
|
|
guint32 command_frame; /* Where command for this data was seen */
|
|
guint32 payload_len; /* Length of packet's data */
|
|
gchar *payload_data; /* Packet's data */
|
|
} ftp_eo_t;
|
|
|
|
/* Stores mappings of the command packet number to the export object
|
|
table's row number, so we can append data from later FTP packets
|
|
to the entries.
|
|
*/
|
|
GHashTable *command_packet_to_eo_row = NULL;
|
|
|
|
/* Track which row number in the export object table we're up to */
|
|
guint32 eo_row_count = 0;
|
|
|
|
/**
|
|
* This is the callback passed to register_export_object()
|
|
* as the tap processing function. It will be called each time
|
|
* tap_queue_packet() sends a packet to the export objects tap.
|
|
*
|
|
* The general approach is that when a file transfer begins,
|
|
* besides storing the standard export object data, like
|
|
* the source system, filename, data, and length,
|
|
* an entry is added to the command_packet_to_eo_row hashtable,
|
|
* mapping the FTP command packet's number to the
|
|
* export object list's row number.
|
|
*
|
|
* When a later packet has a command packet number
|
|
* that's already present in the command_packet_to_eo_row hashtable,
|
|
* we detect that's it's a continuation of a previous
|
|
* file transfer, so we look up the associated entry in the export
|
|
* object list and append the data to there.
|
|
*
|
|
* FTP is complex in that there's no guarantee that the file transmission
|
|
* was completely captured. It might be possible to infer a successful
|
|
* transfer with either the "SIZE" command or with a 226 response code
|
|
* (indicating that the STOR or RETR command was succesful), but there
|
|
* is no guarantee that either of these are present. As such, this
|
|
* implementation takes a best-effort approach of simply appending
|
|
* all associated ftp-data packets to the export objects entry.
|
|
*/
|
|
static tap_packet_status
|
|
ftp_eo_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *data, tap_flags_t flags _U_)
|
|
{
|
|
export_object_list_t *object_list = (export_object_list_t *)tapdata;
|
|
const ftp_eo_t *eo_info = (const ftp_eo_t *)data;
|
|
|
|
if(eo_info) { /* We have data waiting for us */
|
|
/* Only export files transferred with STOR or RETR*/
|
|
if (strncmp(eo_info->command, "STOR", 4) != 0 && strncmp(eo_info->command, "RETR", 4) != 0) {
|
|
return TAP_PACKET_DONT_REDRAW; /* State unchanged - no window updates needed */
|
|
}
|
|
/* Create the command_packet_to_eo_row hashtable for mapping the FTP
|
|
command packet's number to the export object list's row number */
|
|
if(command_packet_to_eo_row == NULL) {
|
|
command_packet_to_eo_row = g_hash_table_new(g_direct_hash, g_direct_equal);
|
|
}
|
|
if (!g_hash_table_contains(command_packet_to_eo_row, GUINT_TO_POINTER(eo_info->command_frame))) {
|
|
/* Command packet not previously seen. Create the new entry in the hashtable. */
|
|
export_object_entry_t *entry = g_new(export_object_entry_t, 1);
|
|
entry->pkt_num = pinfo->num;
|
|
/* If the command is STOR, the transfer is from the client to the server
|
|
If the command is RETR, the transfer is from the server to the client
|
|
However, ftp-data will always have the file's origin as pinfo->src */
|
|
entry->hostname = g_strdup(address_to_str(pinfo->pool, &pinfo->src));
|
|
entry->content_type = g_strdup("FTP file");
|
|
|
|
/* Remove the "STOR " or "RETR " to extract the filename */
|
|
if (strlen(eo_info->command) > 5){
|
|
entry->filename = g_strdup(eo_info->command + 5);
|
|
} else {
|
|
entry->filename = g_strdup("(MISSING)");
|
|
}
|
|
|
|
gsize bytes_to_copy;
|
|
if (pref_export_maxsize != 0 && (eo_info->payload_len > pref_export_maxsize*1024*1024)) {
|
|
bytes_to_copy = pref_export_maxsize*1024*1024;
|
|
}
|
|
else {
|
|
bytes_to_copy = eo_info->payload_len;
|
|
}
|
|
entry->payload_len = bytes_to_copy;
|
|
entry->payload_data = (guint8 *)g_memdup2(eo_info->payload_data, bytes_to_copy);
|
|
|
|
/* Add the mapping of the command frame and the export object
|
|
list's row number to the hash table */
|
|
g_hash_table_insert(command_packet_to_eo_row, GUINT_TO_POINTER(eo_info->command_frame), GUINT_TO_POINTER(eo_row_count));
|
|
eo_row_count += 1;
|
|
object_list->add_entry(object_list->gui_data, entry);
|
|
} else {
|
|
/* This command packet number is already present in the
|
|
command_packet_to_eo_row hashtable, so it's a continuation of
|
|
a previous. Let's look up the entry in the export
|
|
object list and append the data to there */
|
|
guint32 row_num = GPOINTER_TO_UINT(g_hash_table_lookup(command_packet_to_eo_row, GUINT_TO_POINTER(eo_info->command_frame)));
|
|
export_object_entry_t *entry = object_list->get_entry(object_list->gui_data, row_num);
|
|
|
|
gsize bytes_to_copy;
|
|
if (pref_export_maxsize != 0 && (entry->payload_len + eo_info->payload_len) > pref_export_maxsize*1024*1024) {
|
|
bytes_to_copy = pref_export_maxsize*1024*1024 - entry->payload_len;
|
|
}
|
|
else {
|
|
bytes_to_copy = eo_info->payload_len;
|
|
}
|
|
|
|
entry->payload_data = (guint8 *) g_realloc(entry->payload_data, entry->payload_len + bytes_to_copy);
|
|
memcpy(entry->payload_data + entry->payload_len, eo_info->payload_data, bytes_to_copy);
|
|
entry->payload_len = entry->payload_len + bytes_to_copy;
|
|
}
|
|
/* payload_data will be freed when the Export Object window is closed. */
|
|
return TAP_PACKET_REDRAW; /* State changed - window should be redrawn */
|
|
} else {
|
|
return TAP_PACKET_DONT_REDRAW; /* State unchanged - no window updates needed */
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This is the callback passed to register_export_object()
|
|
* as the reset_cb. This will be used in the export_object module
|
|
* to cleanup any previous private data of the export object functionality
|
|
* before performing the eo_reset function or when the window closes */
|
|
static void
|
|
ftp_eo_cleanup(void)
|
|
{
|
|
if(command_packet_to_eo_row != NULL) {
|
|
g_hash_table_destroy(command_packet_to_eo_row);
|
|
command_packet_to_eo_row = NULL;
|
|
}
|
|
eo_row_count = 0;
|
|
}
|
|
|
|
|
|
|
|
/********************************************************************/
|
|
/* Storing session state and linking between control (ftp) and data */
|
|
/* data (ftp-data) conversations */
|
|
|
|
typedef struct ftp_data_conversation_t
|
|
{
|
|
const gchar *command; /* Command that this data answers */
|
|
guint32 command_frame; /* Frame command was seen */
|
|
const gchar *setup_method; /* Type of command used to set up data conversation */
|
|
guint32 setup_frame; /* Frame where this happened */
|
|
wmem_strbuf_t *current_working_directory;
|
|
|
|
/* Summary details of stream to show in command frame. */
|
|
guint first_frame_num;
|
|
nstime_t first_frame_time;
|
|
guint last_frame_num;
|
|
nstime_t last_frame_time;
|
|
guint frames_seen;
|
|
guint bytes_seen;
|
|
} ftp_data_conversation_t;
|
|
|
|
/* Data to associate with individual FTP frame */
|
|
typedef struct ftp_packet_data_t
|
|
{
|
|
wmem_strbuf_t *current_working_directory;
|
|
} ftp_packet_data_t;
|
|
|
|
/* State of FTP conversation */
|
|
typedef struct ftp_conversation_t
|
|
{
|
|
const gchar *last_command; /* Most recent request command seen (on first pass) */
|
|
guint32 last_command_frame; /* When request was seen */
|
|
wmem_strbuf_t *current_working_directory;
|
|
ftp_data_conversation_t *current_data_conv; /* Current data conversation (during first pass) */
|
|
guint32 current_data_setup_frame;
|
|
gchar *username;
|
|
guint username_pkt_num;
|
|
gboolean tls_requested;
|
|
} ftp_conversation_t;
|
|
|
|
/* For a given packet, retrieve or initialise a new conversation, and return it */
|
|
static ftp_conversation_t *find_or_create_ftp_conversation(packet_info *pinfo)
|
|
{
|
|
/* Create control conversation if necessary */
|
|
conversation_t *conv = find_or_create_conversation(pinfo);
|
|
ftp_conversation_t *p_ftp_conv;
|
|
|
|
/* Control conversation data */
|
|
p_ftp_conv = (ftp_conversation_t *)conversation_get_proto_data(conv, proto_ftp);
|
|
if (!p_ftp_conv) {
|
|
p_ftp_conv = wmem_new0(wmem_file_scope(), ftp_conversation_t);
|
|
/* Start with an empty string - assume relative path unless/until find out differently. */
|
|
p_ftp_conv->current_working_directory = wmem_strbuf_new(wmem_file_scope(), "");
|
|
conversation_add_proto_data(conv, proto_ftp, p_ftp_conv);
|
|
}
|
|
|
|
return p_ftp_conv;
|
|
}
|
|
|
|
/* Keep track of ftp_data_conversation_t*, keyed by the ftp command frame */
|
|
static GHashTable *ftp_command_to_data_hash = NULL;
|
|
|
|
|
|
/* When new data conversation is being created, should:
|
|
* - create data conversation
|
|
* - create control conversation, and have it point at control conversation
|
|
*/
|
|
static void create_and_link_data_conversation(packet_info *pinfo,
|
|
address *addr_a,
|
|
guint16 port_a,
|
|
address *addr_b,
|
|
guint16 port_b,
|
|
const char *method)
|
|
{
|
|
/* Only to do on first pass */
|
|
if (pinfo->fd->visited) {
|
|
return;
|
|
}
|
|
|
|
ftp_conversation_t *p_ftp_conv = find_or_create_ftp_conversation(pinfo);
|
|
|
|
/* Create data conversation and set dissector */
|
|
ftp_data_conversation_t *p_ftp_data_conv;
|
|
conversation_t *data_conversation = conversation_new(pinfo->num,
|
|
addr_a, addr_b,
|
|
CONVERSATION_TCP,
|
|
port_a, port_b,
|
|
NO_PORT2);
|
|
conversation_set_dissector(data_conversation, ftpdata_handle);
|
|
|
|
/* Allocate data for data conversation. Note that control conversation will update it with commands. */
|
|
p_ftp_data_conv = wmem_new0(wmem_file_scope(), ftp_data_conversation_t);
|
|
/* Set method */
|
|
p_ftp_data_conv->setup_method = method;
|
|
/* Copy snapshot of what cwd is at this point */
|
|
p_ftp_data_conv->current_working_directory = p_ftp_conv->current_working_directory;
|
|
|
|
/* Point control conversation at current data conversation */
|
|
conversation_add_proto_data(data_conversation, proto_ftp_data,
|
|
p_ftp_data_conv);
|
|
p_ftp_conv->current_data_conv = p_ftp_data_conv;
|
|
p_ftp_conv->current_data_setup_frame = pinfo->num;
|
|
}
|
|
|
|
/********************************************************************/
|
|
|
|
|
|
/*
|
|
* Parse the address and port information in a PORT command or in the
|
|
* response to a PASV command. Return TRUE if we found an address and
|
|
* port, and supply the address and port; return FALSE if we didn't find
|
|
* them.
|
|
*
|
|
* We ignore the IP address in the reply, and use the address from which
|
|
* the request came.
|
|
*
|
|
* XXX - are there cases where they differ? What if the FTP server is
|
|
* behind a NAT box, so that the address it puts into the reply isn't
|
|
* the address at which you should contact it? Do all NAT boxes detect
|
|
* FTP PASV replies and rewrite the address? (I suspect not.)
|
|
*
|
|
* RFC 959 doesn't say much about the syntax of the 227 reply.
|
|
*
|
|
* A proposal from Dan Bernstein at
|
|
*
|
|
* http://cr.yp.to/ftp/retr.html
|
|
*
|
|
* "recommend[s] that clients use the following strategy to parse the
|
|
* response line: look for the first digit after the initial space; look
|
|
* for the fourth comma after that digit; read two (possibly negative)
|
|
* integers, separated by a comma; the TCP port number is p1*256+p2, where
|
|
* p1 is the first integer modulo 256 and p2 is the second integer modulo
|
|
* 256."
|
|
*
|
|
* wget 1.5.3 looks for a digit, although it doesn't handle negative
|
|
* integers.
|
|
*
|
|
* The FTP code in the source of the cURL library, at
|
|
*
|
|
* https://github.com/curl/curl/blob/master/lib/ftp.c
|
|
*
|
|
* says that cURL "now scans for a sequence of six comma-separated numbers
|
|
* and will take them as IP+port indicators"; it loops, doing "sscanf"s
|
|
* looking for six numbers separated by commas, stepping the start pointer
|
|
* in the scanf one character at a time - i.e., it tries rather exhaustively.
|
|
*
|
|
* An optimization would be to scan for a digit, and start there, and if
|
|
* the scanf doesn't find six values, scan for the next digit and try
|
|
* again; this will probably succeed on the first try.
|
|
*
|
|
* The cURL code also says that "found reply-strings include":
|
|
*
|
|
* "227 Entering Passive Mode (127,0,0,1,4,51)"
|
|
* "227 Data transfer will passively listen to 127,0,0,1,4,51"
|
|
* "227 Entering passive mode. 127,0,0,1,4,51"
|
|
*
|
|
* so it appears that you can't assume there are parentheses around
|
|
* the address and port number.
|
|
*/
|
|
static gboolean
|
|
parse_port_pasv(tvbuff_t *tvb, int offset, int linelen, guint32 *ftp_ip,
|
|
guint16 *ftp_port, guint32 *pasv_offset, guint *ftp_ip_len,
|
|
guint *ftp_port_len)
|
|
{
|
|
char *args;
|
|
char *p;
|
|
guchar c;
|
|
int i;
|
|
int ip_address[4], port[2];
|
|
gboolean ret = FALSE;
|
|
|
|
/*
|
|
* Copy the rest of the line into a null-terminated buffer.
|
|
*/
|
|
args = wmem_alloc(wmem_packet_scope(), linelen + 1);
|
|
tvb_get_raw_bytes_as_string(tvb, offset, args, linelen + 1);
|
|
p = args;
|
|
|
|
for (;;) {
|
|
/*
|
|
* Look for a digit.
|
|
*/
|
|
while ((c = *p) != '\0' && !g_ascii_isdigit(c))
|
|
p++;
|
|
|
|
if (*p == '\0') {
|
|
/*
|
|
* We ran out of text without finding anything.
|
|
*/
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* See if we have six numbers.
|
|
*/
|
|
i = sscanf(p, "%d,%d,%d,%d,%d,%d",
|
|
&ip_address[0], &ip_address[1], &ip_address[2], &ip_address[3],
|
|
&port[0], &port[1]);
|
|
if (i == 6) {
|
|
/*
|
|
* We have a winner!
|
|
*/
|
|
*ftp_port = ((port[0] & 0xFF)<<8) | (port[1] & 0xFF);
|
|
*ftp_ip = g_htonl((ip_address[0] << 24) | (ip_address[1] <<16) | (ip_address[2] <<8) | ip_address[3]);
|
|
*pasv_offset = (guint32)(p - args);
|
|
*ftp_port_len = (port[0] < 10 ? 1 : (port[0] < 100 ? 2 : 3 )) + 1 +
|
|
(port[1] < 10 ? 1 : (port[1] < 100 ? 2 : 3 ));
|
|
*ftp_ip_len = (ip_address[0] < 10 ? 1 : (ip_address[0] < 100 ? 2 : 3)) + 1 +
|
|
(ip_address[1] < 10 ? 1 : (ip_address[1] < 100 ? 2 : 3)) + 1 +
|
|
(ip_address[2] < 10 ? 1 : (ip_address[2] < 100 ? 2 : 3)) + 1 +
|
|
(ip_address[3] < 10 ? 1 : (ip_address[3] < 100 ? 2 : 3));
|
|
ret = TRUE;
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Well, that didn't work. Skip the first number we found,
|
|
* and keep trying.
|
|
*/
|
|
while ((c = *p) != '\0' && g_ascii_isdigit(c))
|
|
p++;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static gboolean
|
|
isvalid_rfc2428_delimiter(const guchar c)
|
|
{
|
|
/* RFC2428 sect. 2 states rules for a valid delimiter */
|
|
const gchar *forbidden = "0123456789abcdef.:";
|
|
if (!g_ascii_isgraph(c))
|
|
return FALSE;
|
|
if (strchr(forbidden, g_ascii_tolower(c)))
|
|
return FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
/*
|
|
* RFC2428 states...
|
|
*
|
|
* AF Number Protocol
|
|
* --------- --------
|
|
* 1 Internet Protocol, Version 4
|
|
* 2 Internet Protocol, Version 6
|
|
*
|
|
* AF Number Address Format Example
|
|
* --------- -------------- -------
|
|
* 1 dotted decimal 132.235.1.2
|
|
* 2 IPv6 string 1080::8:800:200C:417A
|
|
* representations
|
|
* defined in
|
|
*
|
|
* The following are sample EPRT commands:
|
|
* EPRT |1|132.235.1.2|6275|
|
|
* EPRT |2|1080::8:800:200C:417A|5282|
|
|
*
|
|
* The first command specifies that the server should use IPv4 to open a
|
|
* data connection to the host "132.235.1.2" on TCP port 6275. The
|
|
* second command specifies that the server should use the IPv6 network
|
|
* protocol and the network address "1080::8:800:200C:417A" to open a
|
|
* TCP data connection on port 5282.
|
|
*
|
|
* ... which means in fact that RFC2428 is capable to handle both,
|
|
* IPv4 and IPv6 so we have to care about the address family and properly
|
|
* act depending on it.
|
|
*
|
|
*/
|
|
static gboolean
|
|
parse_eprt_request(tvbuff_t *tvb, int offset, gint linelen, guint32 *eprt_af,
|
|
guint32 *eprt_ip, guint16 *eprt_ipv6, guint16 *ftp_port,
|
|
guint32 *eprt_ip_len, guint32 *ftp_port_len)
|
|
{
|
|
gint delimiters_seen = 0;
|
|
gchar delimiter;
|
|
gint fieldlen;
|
|
gchar *field;
|
|
gint n;
|
|
gint lastn;
|
|
char *args, *p;
|
|
gboolean ret = TRUE;
|
|
|
|
|
|
/* line contains the EPRT parameters, we need at least the 4 delimiters */
|
|
if (linelen<4)
|
|
return FALSE;
|
|
|
|
/* Copy the rest of the line into a null-terminated buffer. */
|
|
args = wmem_alloc(wmem_packet_scope(), linelen + 1);
|
|
tvb_get_raw_bytes_as_string(tvb, offset, args, linelen + 1);
|
|
p = args;
|
|
/*
|
|
* Handle a NUL being in the line; if there's a NUL in the line,
|
|
* strlen(args) will terminate at the NUL and will thus return
|
|
* a value less than linelen.
|
|
*/
|
|
if ((gint)strlen(args) < linelen)
|
|
linelen = (gint)strlen(args);
|
|
|
|
/*
|
|
* RFC2428 sect. 2 states ...
|
|
*
|
|
* The EPRT command keyword MUST be followed by a single space (ASCII
|
|
* 32). Following the space, a delimiter character (<d>) MUST be
|
|
* specified.
|
|
*
|
|
* ... the preceding <space> is already stripped so we know that the first
|
|
* character must be the delimiter and has just to be checked to be valid.
|
|
*/
|
|
if (!isvalid_rfc2428_delimiter(*p))
|
|
return FALSE; /* EPRT command does not follow a vaild delimiter;
|
|
* malformed EPRT command - immediate escape */
|
|
|
|
delimiter = *p;
|
|
/* Validate that the delimiter occurs 4 times in the string */
|
|
for (n = 0; n < linelen; n++) {
|
|
if (*(p+n) == delimiter)
|
|
delimiters_seen++;
|
|
}
|
|
if (delimiters_seen != 4)
|
|
return FALSE; /* delimiter doesn't occur 4 times
|
|
* probably no EPRT request - immediate escape */
|
|
|
|
/* we know that the first character is a delimiter... */
|
|
delimiters_seen = 1;
|
|
lastn = 0;
|
|
/* ... so we can start searching from the 2nd onwards */
|
|
for (n=1; n < linelen; n++) {
|
|
|
|
if (*(p+n) != delimiter)
|
|
continue;
|
|
|
|
/* we found a delimiter */
|
|
delimiters_seen++;
|
|
|
|
fieldlen = n - lastn - 1;
|
|
if (fieldlen<=0)
|
|
return FALSE; /* all fields must have data in them */
|
|
field = p + lastn + 1;
|
|
|
|
if (delimiters_seen == 2) { /* end of address family field */
|
|
gchar *af_str;
|
|
af_str = wmem_strndup(wmem_packet_scope(), field, fieldlen);
|
|
if (!ws_strtou32(af_str, NULL, eprt_af))
|
|
return FALSE;
|
|
}
|
|
else if (delimiters_seen == 3) {/* end of IP address field */
|
|
gchar *ip_str;
|
|
ip_str = wmem_strndup(wmem_packet_scope(), field, fieldlen);
|
|
|
|
if (*eprt_af == EPRT_AF_IPv4) {
|
|
if (str_to_ip(ip_str, eprt_ip))
|
|
ret = TRUE;
|
|
else
|
|
ret = FALSE;
|
|
}
|
|
else if (*eprt_af == EPRT_AF_IPv6) {
|
|
if (str_to_ip6(ip_str, eprt_ipv6))
|
|
ret = TRUE;
|
|
else
|
|
ret = FALSE;
|
|
}
|
|
else
|
|
return FALSE; /* invalid/unknown address family */
|
|
|
|
*eprt_ip_len = fieldlen;
|
|
}
|
|
else if (delimiters_seen == 4) {/* end of port field */
|
|
gchar *pt_str;
|
|
pt_str = wmem_strndup(wmem_packet_scope(), field, fieldlen);
|
|
|
|
if (!ws_strtou16(pt_str, NULL, ftp_port))
|
|
return FALSE;
|
|
*ftp_port_len = fieldlen;
|
|
}
|
|
|
|
lastn = n;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* RFC2428 states ....
|
|
*
|
|
* The first two fields contained in the parenthesis MUST be blank. The
|
|
* third field MUST be the string representation of the TCP port number
|
|
* on which the server is listening for a data connection.
|
|
*
|
|
* The network protocol used by the data connection will be the same network
|
|
* protocol used by the control connection. In addition, the network
|
|
* address used to establish the data connection will be the same
|
|
* network address used for the control connection.
|
|
*
|
|
* An example response string follows:
|
|
*
|
|
* Entering Extended Passive Mode (|||6446|)
|
|
*
|
|
* ... which in fact means that again both address families IPv4 and IPv6
|
|
* are supported. But gladly it's not necessary to parse because it doesn't
|
|
* occur in EPSV responses. We can leverage ftp_ip_address which is
|
|
* protocol independent and already set.
|
|
*
|
|
*/
|
|
static gboolean
|
|
parse_extended_pasv_response(tvbuff_t *tvb, int offset, gint linelen,
|
|
guint16 *ftp_port, guint *pasv_offset, guint *ftp_port_len)
|
|
{
|
|
gint n;
|
|
gchar *args;
|
|
gchar *p;
|
|
gchar *e;
|
|
guchar c;
|
|
gboolean ret = FALSE;
|
|
gboolean delimiters_seen = FALSE;
|
|
|
|
/*
|
|
* Copy the rest of the line into a null-terminated buffer.
|
|
*/
|
|
args = wmem_alloc(wmem_packet_scope(), linelen + 1);
|
|
tvb_get_raw_bytes_as_string(tvb, offset, args, linelen + 1);
|
|
p = args;
|
|
|
|
/*
|
|
* Look for ( <d> <d> <d>
|
|
(Try to cope with '(' in description)
|
|
*/
|
|
for (; !delimiters_seen;) {
|
|
guchar delimiter = '\0';
|
|
while ((c = *p) != '\0' && (c != '('))
|
|
p++;
|
|
|
|
if (*p == '\0') {
|
|
return FALSE;
|
|
}
|
|
|
|
/* Skip '(' */
|
|
p++;
|
|
|
|
/* Make sure same delimiter is used 3 times */
|
|
for (n=0; n<3; n++) {
|
|
if ((c = *p) != '\0') {
|
|
if (delimiter == '\0' && isvalid_rfc2428_delimiter(c)) {
|
|
delimiter = c;
|
|
}
|
|
if (c != delimiter) {
|
|
break;
|
|
}
|
|
p++;
|
|
}
|
|
else {
|
|
break;
|
|
}
|
|
}
|
|
delimiters_seen = TRUE;
|
|
}
|
|
|
|
/*
|
|
* Should now be at digits.
|
|
*/
|
|
if (*p != '\0') {
|
|
const gchar* endptr;
|
|
gboolean port_valid;
|
|
/*
|
|
* We didn't run out of text without finding anything.
|
|
*/
|
|
port_valid = ws_strtou16(p, &endptr, ftp_port);
|
|
/* the conversion returned false, but the converted value could
|
|
be valid instead, check it out */
|
|
if (!port_valid && *endptr == '|')
|
|
port_valid = TRUE;
|
|
if (port_valid) {
|
|
*pasv_offset = (guint32)(p - args);
|
|
|
|
ret = TRUE;
|
|
|
|
/* get port string length */
|
|
if ((e=strchr(p,')')) == NULL) {
|
|
ret = FALSE;
|
|
}
|
|
else {
|
|
*ftp_port_len = (guint)(--e - p);
|
|
}
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* Get the last character out of a string */
|
|
static gchar wmem_strbuf_get_last_char(wmem_strbuf_t *string)
|
|
{
|
|
gsize len = wmem_strbuf_get_len(string);
|
|
if (len > 0) {
|
|
const gchar *buf = wmem_strbuf_get_str(string);
|
|
return buf[len-1];
|
|
}
|
|
else {
|
|
/* Error */
|
|
return '\0';
|
|
}
|
|
}
|
|
|
|
/* Get the nth character out of string */
|
|
static gchar wmem_strbuf_get_char_n(wmem_strbuf_t *string, size_t n)
|
|
{
|
|
if (n > wmem_strbuf_get_len(string)-1) {
|
|
return '\0';
|
|
}
|
|
else {
|
|
return wmem_strbuf_get_str(string)[n];
|
|
}
|
|
}
|
|
|
|
/* Does the path end with the separator character? */
|
|
static gboolean ends_with_separator(wmem_strbuf_t *path)
|
|
{
|
|
if (wmem_strbuf_get_len(path) == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
gchar last = wmem_strbuf_get_last_char(path);
|
|
return last == '/';
|
|
}
|
|
|
|
/* Does the path begin with the separator character? */
|
|
static gboolean begins_with_separator(wmem_strbuf_t *path)
|
|
{
|
|
if (wmem_strbuf_get_len(path) == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
gchar first = wmem_strbuf_get_char_n(path, 0);
|
|
return first == '/';
|
|
}
|
|
|
|
|
|
/* Add new_path to the current working directory of the conversation, then normalise. */
|
|
/* N.B. could use e.g. g_build_path() here, but doesn't really buy us anything */
|
|
static void add_directory_to_conv(ftp_conversation_t *conv, const char *new_path)
|
|
{
|
|
wmem_strbuf_t *appended_path = wmem_strbuf_new(wmem_packet_scope(), NULL);
|
|
|
|
if (!wmem_strbuf_get_len(conv->current_working_directory)) {
|
|
/* Currently empty so just assign to new */
|
|
wmem_strbuf_append(conv->current_working_directory, new_path);
|
|
return;
|
|
}
|
|
if (ends_with_separator(conv->current_working_directory)) {
|
|
/* Ends in separator, so don't need to write one */
|
|
wmem_strbuf_append_printf(appended_path, "%s%s", wmem_strbuf_get_str(conv->current_working_directory), new_path);
|
|
}
|
|
else {
|
|
/* Separator needed */
|
|
wmem_strbuf_append_printf(appended_path, "%s/%s", wmem_strbuf_get_str(conv->current_working_directory), new_path);
|
|
}
|
|
|
|
/* Now normalise, by going through the string one directory at a time. If see "..",
|
|
remove it and the previous folder. If see ".", ignore it. */
|
|
guint offset;
|
|
|
|
/* Initialise with empty path */
|
|
wmem_strbuf_t *normalised_directory = wmem_strbuf_new(wmem_file_scope(), NULL);
|
|
wmem_strbuf_t *this_folder = wmem_strbuf_new(wmem_packet_scope(), NULL);
|
|
|
|
offset = 0;
|
|
/* If absolute, add root to this one too */
|
|
if (begins_with_separator(conv->current_working_directory)) {
|
|
wmem_strbuf_append_c(normalised_directory, '/');
|
|
offset++;
|
|
}
|
|
|
|
/* Now go through the appended path, one directory at a time, and
|
|
copy to normalised_directory */
|
|
for (; offset <= wmem_strbuf_get_len(appended_path); offset++) {
|
|
gchar ch = wmem_strbuf_get_char_n(appended_path, offset);
|
|
if ((offset == wmem_strbuf_get_len(appended_path)) || ch == '/' || ch == '\0') {
|
|
/* Folder name is complete */
|
|
if (offset>0 && wmem_strbuf_get_len(this_folder) > 0) {
|
|
|
|
/* Up a level. Rewind to before last directory - don't output this one */
|
|
if (strcmp(wmem_strbuf_get_str(this_folder), "..") == 0) {
|
|
while (wmem_strbuf_get_len(normalised_directory) && !ends_with_separator(normalised_directory)) {
|
|
wmem_strbuf_truncate(normalised_directory, wmem_strbuf_get_len(normalised_directory)-1);
|
|
}
|
|
/* Potentially skip left-over trailing '/' too */
|
|
if ((wmem_strbuf_get_len(normalised_directory) > 1) &&
|
|
(wmem_strbuf_get_last_char(normalised_directory) == '/')) {
|
|
|
|
wmem_strbuf_truncate(normalised_directory, wmem_strbuf_get_len(normalised_directory)-1);
|
|
}
|
|
}
|
|
/* Current directory - ignore */
|
|
else if (strcmp(wmem_strbuf_get_str(this_folder), ".") == 0) {
|
|
/* Don't copy to normalised_directory */
|
|
}
|
|
else {
|
|
/* Regular directory name - copy this one out */
|
|
if (wmem_strbuf_get_len(normalised_directory) > 0 && !ends_with_separator(normalised_directory)) {
|
|
wmem_strbuf_append_c(normalised_directory, '/');
|
|
}
|
|
wmem_strbuf_append(normalised_directory, wmem_strbuf_get_str(this_folder));
|
|
}
|
|
|
|
/* Reset folder name for next time */
|
|
this_folder = wmem_strbuf_new(wmem_packet_scope(), NULL);
|
|
}
|
|
}
|
|
else {
|
|
/* Keep copying this folder name */
|
|
wmem_strbuf_append_c(this_folder, ch);
|
|
}
|
|
if (ch == '\0') {
|
|
/* Reached end - get out of loop */
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Copy normalised path into conversation */
|
|
conv->current_working_directory = normalised_directory;
|
|
}
|
|
|
|
/* In response to the arg to a CWD command succeeding, update the conversation's current working directory */
|
|
static void process_cwd_success(ftp_conversation_t *conv, const char *new_path)
|
|
{
|
|
if (g_path_is_absolute(new_path)) {
|
|
/* Just adopt new_path */
|
|
conv->current_working_directory = wmem_strbuf_new(wmem_file_scope(), new_path);
|
|
}
|
|
else {
|
|
/* Add new_path to what we already have */
|
|
add_directory_to_conv(conv, new_path);
|
|
}
|
|
}
|
|
|
|
/* When get a PWD command response, extract directory and set it in conversation. */
|
|
static void process_pwd_success(ftp_conversation_t *conv, tvbuff_t *tvb,
|
|
int offset, int linelen, packet_info *pinfo,
|
|
proto_item *pi)
|
|
{
|
|
wmem_strbuf_t *output;
|
|
const char *line = tvb_get_ptr(tvb, offset, linelen);
|
|
gboolean outputStarted = FALSE;
|
|
|
|
/* Line must start with quotes */
|
|
if ((linelen < 2) || (line[0] != '"')) {
|
|
expert_add_info(pinfo, pi, &ei_ftp_pwd_response_invalid);
|
|
return;
|
|
}
|
|
|
|
output = wmem_strbuf_new(wmem_file_scope(), NULL);
|
|
|
|
/* For each character */
|
|
for (offset=0;
|
|
(offset < linelen) && (line[offset] != '\r') && (line[offset] != '\n');
|
|
offset++) {
|
|
|
|
if (line[offset] == '"') {
|
|
if ((offset+1 < linelen) && (line[offset+1] == '"')) {
|
|
/* Double, so output one */
|
|
wmem_strbuf_append_c(output, '"');
|
|
offset++;
|
|
}
|
|
else {
|
|
if (outputStarted) {
|
|
/* End of path */
|
|
break;
|
|
}
|
|
outputStarted = TRUE;
|
|
}
|
|
}
|
|
else {
|
|
/* Part of path - append */
|
|
wmem_strbuf_append_c(output, line[offset]);
|
|
}
|
|
}
|
|
|
|
/* Make sure output ends in " */
|
|
if (offset >= linelen || line[offset] != '"') {
|
|
expert_add_info(pinfo, pi, &ei_ftp_pwd_response_invalid);
|
|
wmem_strbuf_destroy(output);
|
|
return;
|
|
}
|
|
|
|
/* Save result - assume it's UTF-8 */
|
|
wmem_strbuf_utf8_make_valid(output);
|
|
conv->current_working_directory = output;
|
|
}
|
|
|
|
|
|
/* Associate the conversation's current working directory with the given packet */
|
|
static void store_directory_in_packet(packet_info *pinfo, ftp_conversation_t *p_ftp_conv)
|
|
{
|
|
ftp_packet_data_t *p_packet_data = wmem_new0(wmem_file_scope(), ftp_packet_data_t);
|
|
/* Take deep copy of current path, and associate with this packet */
|
|
p_packet_data->current_working_directory = wmem_strbuf_new(wmem_file_scope(),
|
|
wmem_strbuf_get_str(p_ftp_conv->current_working_directory));
|
|
p_add_proto_data(wmem_file_scope(), pinfo, proto_ftp, 0, p_packet_data);
|
|
}
|
|
|
|
|
|
static int
|
|
dissect_ftp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
|
{
|
|
gboolean is_request;
|
|
proto_tree *ftp_tree;
|
|
proto_tree *reqresp_tree;
|
|
proto_item *ti, *hidden_item;
|
|
gint offset = 0;
|
|
guint32 code;
|
|
gchar code_str[4];
|
|
gboolean is_port_request = FALSE;
|
|
gboolean is_eprt_request = FALSE;
|
|
gboolean is_pasv_response = FALSE;
|
|
gboolean is_epasv_response = FALSE;
|
|
gint next_offset;
|
|
gint next_token;
|
|
int linelen;
|
|
int tokenlen = 0;
|
|
guint32 pasv_ip;
|
|
guint32 pasv_offset;
|
|
guint32 ftp_ip;
|
|
guint32 ftp_ip_len;
|
|
guint32 eprt_offset;
|
|
guint32 eprt_af = 0;
|
|
guint32 eprt_ip;
|
|
guint16 eprt_ipv6[8];
|
|
guint32 eprt_ip_len = 0;
|
|
guint16 ftp_port;
|
|
guint32 ftp_port_len;
|
|
address ftp_ip_address;
|
|
gboolean ftp_nat;
|
|
|
|
copy_address_shallow(&ftp_ip_address, &pinfo->src);
|
|
|
|
if (pinfo->match_uint == pinfo->destport)
|
|
is_request = TRUE;
|
|
else
|
|
is_request = FALSE;
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP");
|
|
|
|
/* Get the conversation */
|
|
ftp_conversation_t *p_ftp_conv = find_or_create_ftp_conversation(pinfo);
|
|
|
|
/* Store the current working directory */
|
|
if (!pinfo->fd->visited) {
|
|
store_directory_in_packet(pinfo, p_ftp_conv);
|
|
}
|
|
|
|
/*
|
|
* Find the end of the first line.
|
|
*
|
|
* Note that "tvb_find_line_end()" will return a value that is
|
|
* not longer than what's in the buffer, so the "tvb_get_ptr()"
|
|
* call won't throw an exception.
|
|
*/
|
|
/*
|
|
* Both request and reply arguments can be pathnames, which according
|
|
* to RFC 2640 MUST be assumed to be UTF-8 if they are valid UTF-8,
|
|
* unless explicitly configured to use another character set (and there
|
|
* is no official way to do so.) We don't have a preference for character
|
|
* set, so we'll display strings as UTF-8 (backwards compatible to ASCII).
|
|
*
|
|
* XXX: Non valid UTF-8 sequences SHOULD be treated as raw bytes,
|
|
* which means that the various extracted strings should be copied
|
|
* as raw bytes, and added as FT_BYTES with BASE_SHOW_UTF_8_PRINTABLE.
|
|
* That would work better for pathnames that are in a different character
|
|
* set, but worse for those intended to be in ASCII/UTF-8 but with errors.
|
|
* Pathnames would still need to be converted to a valid string for Export
|
|
* Objects, though.
|
|
*
|
|
* XXX: RFC 2640 allows embedded <CR> and <LF> in pathnames by enforcing
|
|
* that ftp commands end with \r\n and requiring that <CR> be padded
|
|
* with a <NUL> that is then stripped away upon receipt, similar to Telnet.
|
|
*/
|
|
linelen = tvb_find_line_end(tvb, 0, -1, &next_offset, FALSE);
|
|
|
|
/*
|
|
* Put the first line from the buffer into the summary
|
|
* (but leave out the line terminator).
|
|
*/
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s",
|
|
is_request ? "Request" : "Response",
|
|
tvb_format_text(pinfo->pool, tvb, 0, linelen));
|
|
|
|
ti = proto_tree_add_item(tree, proto_ftp, tvb, 0, -1, ENC_NA);
|
|
ftp_tree = proto_item_add_subtree(ti, ett_ftp);
|
|
|
|
hidden_item = proto_tree_add_boolean(ftp_tree,
|
|
hf_ftp_request, tvb, 0, 0, is_request);
|
|
proto_item_set_hidden(hidden_item);
|
|
hidden_item = proto_tree_add_boolean(ftp_tree,
|
|
hf_ftp_response, tvb, 0, 0, is_request == FALSE);
|
|
proto_item_set_hidden(hidden_item);
|
|
|
|
/* Put the line into the protocol tree. */
|
|
ti = proto_tree_add_format_text(ftp_tree, tvb, 0, next_offset);
|
|
reqresp_tree = proto_item_add_subtree(ti, ett_ftp_reqresp);
|
|
|
|
if (is_request) {
|
|
/*
|
|
* Extract the first token, and, if there is a first
|
|
* token, add it as the request.
|
|
*/
|
|
/* RFC 2640 s3.1: "There MUST be only one <SP> between a ftp command
|
|
* and the pathname. Implementations MUST assume <SP> characters
|
|
* following the initial <SP> as part of the pathname."
|
|
*
|
|
* tvb_get_token_len() does not skip trailing spaces, which is
|
|
* what we want. (get_token_len() _does_ skip extra spaces.)
|
|
*/
|
|
tokenlen = tvb_get_token_len(tvb, 0, linelen, &next_token, FALSE);
|
|
if (tokenlen != 0) {
|
|
proto_tree_add_item(reqresp_tree, hf_ftp_request_command,
|
|
tvb, 0, tokenlen, ENC_UTF_8);
|
|
if (tvb_strneql(tvb, 0, "PORT", tokenlen) == 0)
|
|
is_port_request = TRUE;
|
|
/*
|
|
* EPRT request command, as per RFC 2428
|
|
*/
|
|
else if (tvb_strneql(tvb, 0, "EPRT", tokenlen) == 0)
|
|
is_eprt_request = TRUE;
|
|
else if (tvb_strneql(tvb, 0, "USER", tokenlen) == 0) {
|
|
if (p_ftp_conv && !p_ftp_conv->username && linelen - tokenlen > 1) {
|
|
p_ftp_conv->username = tvb_get_string_enc(wmem_file_scope(), tvb, tokenlen + 1, linelen - tokenlen - 1, ENC_UTF_8);
|
|
p_ftp_conv->username_pkt_num = pinfo->num;
|
|
}
|
|
} else if (tvb_strneql(tvb, 0, "PASS", tokenlen) == 0) {
|
|
if (p_ftp_conv && p_ftp_conv->username) {
|
|
tap_credential_t* auth = wmem_new0(wmem_packet_scope(), tap_credential_t);
|
|
auth->num = pinfo->num;
|
|
auth->proto = "FTP";
|
|
auth->password_hf_id = hf_ftp_request_arg;
|
|
auth->username = p_ftp_conv->username;
|
|
auth->username_num = p_ftp_conv->username_pkt_num;
|
|
auth->info = wmem_strdup_printf(wmem_packet_scope(), "Username in packet: %u", p_ftp_conv->username_pkt_num);
|
|
tap_queue_packet(credentials_tap, pinfo, auth);
|
|
}
|
|
}
|
|
}
|
|
|
|
/* If there is an ftp data conversation that doesn't have a
|
|
command yet, attempt to update here */
|
|
if (p_ftp_conv) {
|
|
p_ftp_conv->last_command = tvb_get_string_enc(wmem_file_scope(), tvb, 0, linelen, ENC_UTF_8);
|
|
p_ftp_conv->last_command_frame = pinfo->num;
|
|
|
|
if ( (linelen == 8) && ! tvb_strneql(tvb, 0, "AUTH TLS", 8) )
|
|
p_ftp_conv->tls_requested = TRUE;
|
|
}
|
|
/* And make sure set for FTP data conversation */
|
|
if (p_ftp_conv && p_ftp_conv->current_data_conv && !p_ftp_conv->current_data_conv->command) {
|
|
/* Store command and frame where it happened */
|
|
p_ftp_conv->current_data_conv->command = tvb_get_string_enc(wmem_file_scope(), tvb, 0, linelen, ENC_UTF_8);
|
|
p_ftp_conv->current_data_conv->command_frame = pinfo->num;
|
|
|
|
/* Add to table to ftp-data response can be shown with this frame on later passes */
|
|
g_hash_table_insert(ftp_command_to_data_hash, GUINT_TO_POINTER(pinfo->num),
|
|
p_ftp_conv->current_data_conv);
|
|
g_hash_table_insert(ftp_command_to_data_hash, GUINT_TO_POINTER(p_ftp_conv->current_data_setup_frame),
|
|
p_ftp_conv->current_data_conv);
|
|
}
|
|
} else {
|
|
/*
|
|
* This is a response; the response code is 3 digits,
|
|
* followed by a space or hyphen, possibly followed by
|
|
* text.
|
|
*
|
|
* If the line doesn't start with 3 digits, it's part of
|
|
* a continuation.
|
|
*
|
|
* XXX - keep track of state in the first pass, and
|
|
* treat non-continuation lines not beginning with digits
|
|
* as errors?
|
|
*/
|
|
if (linelen >= 3 && tvb_ascii_isdigit(tvb, 0, 3)) {
|
|
gboolean code_valid;
|
|
proto_item* pi;
|
|
/*
|
|
* One-line reply, or first or last line
|
|
* of a multi-line reply.
|
|
*/
|
|
tvb_get_raw_bytes_as_string(tvb, 0, code_str, sizeof code_str);
|
|
code_valid = ws_strtou32(code_str, NULL, &code);
|
|
|
|
pi = proto_tree_add_uint(reqresp_tree,
|
|
hf_ftp_response_code, tvb, 0, 3, code);
|
|
|
|
if (!code_valid)
|
|
expert_add_info(pinfo, pi, &ei_ftp_response_code_invalid);
|
|
|
|
/*
|
|
* See if it's a passive-mode response.
|
|
*
|
|
* XXX - does anybody do FOOBAR, as per RFC
|
|
* 1639, or has that been supplanted by RFC 2428?
|
|
*/
|
|
if (code == 227)
|
|
is_pasv_response = TRUE;
|
|
|
|
/*
|
|
* Responses to EPSV command, as per RFC 2428
|
|
*/
|
|
if (code == 229)
|
|
is_epasv_response = TRUE;
|
|
|
|
/*
|
|
* Response to AUTH TLS command as per RFC 4217
|
|
*/
|
|
if (code == 234) {
|
|
if ( p_ftp_conv->tls_requested ) {
|
|
/* AUTH TLS accepted, next reply will be TLS */
|
|
ssl_starttls_ack( tls_handle, pinfo, ftp_handle);
|
|
|
|
p_ftp_conv->tls_requested = FALSE ;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Responses to CWD command.
|
|
*/
|
|
if (code == 250) {
|
|
if (!pinfo->fd->visited) {
|
|
if (p_ftp_conv && p_ftp_conv->last_command) {
|
|
/* Explicit Change Working Directory command */
|
|
if (strncmp(p_ftp_conv->last_command, "CWD ", 4) == 0) {
|
|
process_cwd_success(p_ftp_conv, p_ftp_conv->last_command+4);
|
|
/* Update path in packet */
|
|
store_directory_in_packet(pinfo, p_ftp_conv);
|
|
}
|
|
/* Change Directory Up command (i.e. "CWD ..") */
|
|
else if (strncmp(p_ftp_conv->last_command, "CDUP", 4) == 0) {
|
|
process_cwd_success(p_ftp_conv, "..");
|
|
/* Update path in packet */
|
|
store_directory_in_packet(pinfo, p_ftp_conv);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Responses to PWD command. Overwrite whatever is stored - this is the truth!
|
|
*/
|
|
if (code == 257) {
|
|
if (!pinfo->fd->visited) {
|
|
if (p_ftp_conv && linelen >= 4) {
|
|
/* Want directory name, which will be between " " */
|
|
process_pwd_success(p_ftp_conv, tvb, 4, linelen-4, pinfo, pi);
|
|
|
|
/* Update path in packet */
|
|
if (!pinfo->fd->visited) {
|
|
store_directory_in_packet(pinfo, p_ftp_conv);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
* Skip the 3 digits and, if present, the
|
|
* space or hyphen.
|
|
*/
|
|
if (linelen >= 4)
|
|
next_token = 4;
|
|
else
|
|
next_token = linelen;
|
|
} else {
|
|
/*
|
|
* Line doesn't start with 3 digits; assume it's
|
|
* a line in the middle of a multi-line reply.
|
|
*/
|
|
next_token = 0;
|
|
}
|
|
}
|
|
|
|
offset = next_token;
|
|
linelen -= next_token;
|
|
|
|
/*
|
|
* Add the rest of the first line as request or
|
|
* reply data.
|
|
*/
|
|
if (linelen != 0) {
|
|
if (is_request) {
|
|
proto_tree_add_item(reqresp_tree,
|
|
hf_ftp_request_arg, tvb, offset,
|
|
linelen, ENC_UTF_8);
|
|
} else {
|
|
proto_tree_add_item(reqresp_tree,
|
|
hf_ftp_response_arg, tvb, offset,
|
|
linelen, ENC_UTF_8);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If this is a PORT request or a PASV response, handle it.
|
|
*/
|
|
if (is_port_request) {
|
|
if (parse_port_pasv(tvb, offset, linelen, &ftp_ip, &ftp_port, &pasv_offset, &ftp_ip_len, &ftp_port_len)) {
|
|
proto_tree_add_ipv4(reqresp_tree, hf_ftp_active_ip,
|
|
tvb, pasv_offset + (tokenlen+1) , ftp_ip_len, ftp_ip);
|
|
proto_tree_add_uint(reqresp_tree, hf_ftp_active_port,
|
|
tvb, pasv_offset + 1 + (tokenlen+1) + ftp_ip_len, ftp_port_len, ftp_port);
|
|
set_address(&ftp_ip_address, AT_IPv4, 4, (const guint8 *)&ftp_ip);
|
|
ftp_nat = !addresses_equal(&pinfo->src, &ftp_ip_address);
|
|
if (ftp_nat) {
|
|
proto_tree_add_boolean(reqresp_tree, hf_ftp_active_nat,
|
|
tvb, 0, 0, ftp_nat);
|
|
}
|
|
|
|
/* Set up data conversation */
|
|
create_and_link_data_conversation(pinfo,
|
|
&pinfo->dst, 20,
|
|
&ftp_ip_address, ftp_port,
|
|
"PORT");
|
|
}
|
|
}
|
|
|
|
if (is_pasv_response) {
|
|
if (linelen != 0) {
|
|
/*
|
|
* This frame contains a PASV response; set up a
|
|
* conversation for the data.
|
|
*/
|
|
if (parse_port_pasv(tvb, offset, linelen, &pasv_ip, &ftp_port, &pasv_offset, &ftp_ip_len, &ftp_port_len)) {
|
|
proto_tree_add_ipv4(reqresp_tree, hf_ftp_pasv_ip,
|
|
tvb, pasv_offset + 4, ftp_ip_len, pasv_ip);
|
|
proto_tree_add_uint(reqresp_tree, hf_ftp_pasv_port,
|
|
tvb, pasv_offset + 4 + 1 + ftp_ip_len, ftp_port_len, ftp_port);
|
|
set_address(&ftp_ip_address, AT_IPv4, 4,
|
|
(const guint8 *)&pasv_ip);
|
|
ftp_nat = !addresses_equal(&pinfo->src, &ftp_ip_address);
|
|
if (ftp_nat) {
|
|
proto_tree_add_boolean(reqresp_tree, hf_ftp_pasv_nat,
|
|
tvb, 0, 0, ftp_nat);
|
|
}
|
|
|
|
create_and_link_data_conversation(pinfo, &ftp_ip_address, ftp_port, &pinfo->dst, pinfo->destport, "PASV");
|
|
}
|
|
}
|
|
}
|
|
|
|
if (is_eprt_request) {
|
|
/*
|
|
* RFC2428 - sect. 2
|
|
* This frame contains a EPRT request; let's dissect it and set up a
|
|
* conversation for the data connection.
|
|
*/
|
|
if (parse_eprt_request(tvb, offset, linelen,
|
|
&eprt_af, &eprt_ip, eprt_ipv6, &ftp_port,
|
|
&eprt_ip_len, &ftp_port_len)) {
|
|
|
|
/* since parse_eprt_request() returned TRUE,
|
|
we know that we have a valid address family */
|
|
eprt_offset = tokenlen + 1 + 1; /* token, space, 1st delimiter */
|
|
proto_tree_add_uint(reqresp_tree, hf_ftp_eprt_af, tvb,
|
|
eprt_offset, 1, eprt_af);
|
|
eprt_offset += 1 + 1; /* addr family, 2nd delimiter */
|
|
|
|
if (eprt_af == EPRT_AF_IPv4) {
|
|
proto_tree_add_ipv4(reqresp_tree, hf_ftp_eprt_ip,
|
|
tvb, eprt_offset, eprt_ip_len, eprt_ip);
|
|
set_address(&ftp_ip_address, AT_IPv4, 4,
|
|
(const guint8 *)&eprt_ip);
|
|
}
|
|
else if (eprt_af == EPRT_AF_IPv6) {
|
|
proto_tree_add_ipv6(reqresp_tree, hf_ftp_eprt_ipv6,
|
|
tvb, eprt_offset, eprt_ip_len, (const ws_in6_addr *)eprt_ipv6);
|
|
set_address(&ftp_ip_address, AT_IPv6, 16, eprt_ipv6);
|
|
}
|
|
eprt_offset += eprt_ip_len + 1; /* addr, 3rd delimiter */
|
|
|
|
proto_tree_add_uint(reqresp_tree, hf_ftp_eprt_port,
|
|
tvb, eprt_offset, ftp_port_len, ftp_port);
|
|
|
|
/* Set up data conversation */
|
|
create_and_link_data_conversation(pinfo,
|
|
&pinfo->src, ftp_port,
|
|
&ftp_ip_address, 0,
|
|
"EPRT");
|
|
}
|
|
else {
|
|
proto_tree_add_expert(reqresp_tree, pinfo, &ei_ftp_eprt_args_invalid,
|
|
tvb, offset - linelen - 1, linelen);
|
|
}
|
|
}
|
|
|
|
if (is_epasv_response) {
|
|
if (linelen != 0) {
|
|
proto_item *addr_it;
|
|
/*
|
|
* RFC2428 - sect. 3
|
|
* This frame contains an EPSV response; set up a
|
|
* conversation for the data.
|
|
*/
|
|
if (parse_extended_pasv_response(tvb, offset, linelen,
|
|
&ftp_port, &pasv_offset, &ftp_port_len)) {
|
|
/* Add IP address and port number to tree */
|
|
|
|
if (ftp_ip_address.type == AT_IPv4) {
|
|
guint32 addr;
|
|
memcpy(&addr, ftp_ip_address.data, 4);
|
|
addr_it = proto_tree_add_ipv4(reqresp_tree,
|
|
hf_ftp_epsv_ip, tvb, 0, 0, addr);
|
|
proto_item_set_generated(addr_it);
|
|
}
|
|
else if (ftp_ip_address.type == AT_IPv6) {
|
|
addr_it = proto_tree_add_ipv6(reqresp_tree,
|
|
hf_ftp_epsv_ipv6, tvb, 0, 0,
|
|
(const ws_in6_addr *)ftp_ip_address.data);
|
|
proto_item_set_generated(addr_it);
|
|
}
|
|
|
|
proto_tree_add_uint(reqresp_tree,
|
|
hf_ftp_epsv_port, tvb, pasv_offset + 4,
|
|
ftp_port_len, ftp_port);
|
|
|
|
/* Set up data conversation */
|
|
create_and_link_data_conversation(pinfo,
|
|
&ftp_ip_address, ftp_port,
|
|
&pinfo->dst, 0, "EPASV"); }
|
|
else {
|
|
proto_tree_add_expert(reqresp_tree, pinfo, &ei_ftp_epsv_args_invalid,
|
|
tvb, offset - linelen - 1, linelen);
|
|
}
|
|
}
|
|
}
|
|
|
|
offset = next_offset;
|
|
|
|
/*
|
|
* Show the rest of the request or response as text,
|
|
* a line at a time.
|
|
* XXX - only if there's a continuation indicator?
|
|
*/
|
|
while (tvb_offset_exists(tvb, offset)) {
|
|
/*
|
|
* Find the end of the line.
|
|
*/
|
|
tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
|
|
|
|
/*
|
|
* Put this line.
|
|
*/
|
|
proto_tree_add_format_text(ftp_tree, tvb, offset,
|
|
next_offset - offset);
|
|
offset = next_offset;
|
|
}
|
|
|
|
/* Show current working directory */
|
|
ftp_packet_data_t *ftp_packet_data = (ftp_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_ftp, 0);
|
|
if (ftp_packet_data != NULL) {
|
|
/* Should always be set.. */
|
|
if (ftp_packet_data->current_working_directory) {
|
|
proto_item *cwd_ti = proto_tree_add_string(tree, hf_ftp_current_working_directory,
|
|
tvb, 0, 0, wmem_strbuf_get_str(ftp_packet_data->current_working_directory));
|
|
proto_item_set_generated(cwd_ti);
|
|
}
|
|
}
|
|
|
|
/* If this is a command resulting in an ftp-data stream, show details */
|
|
if (pinfo->fd->visited) {
|
|
/* Look up what has been stored for this frame */
|
|
ftp_data_conversation_t *ftp_data =
|
|
(ftp_data_conversation_t *)g_hash_table_lookup(ftp_command_to_data_hash, GUINT_TO_POINTER(pinfo->num));
|
|
if (ftp_data) {
|
|
/* Show these for the command frame only */
|
|
if (pinfo->num == ftp_data->command_frame) {
|
|
/* Number of frames */
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_frames,
|
|
tvb, 0, 0, ftp_data->frames_seen);
|
|
proto_item_set_generated(ti);
|
|
|
|
/* Number of bytes */
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_bytes,
|
|
tvb, 0, 0, ftp_data->bytes_seen);
|
|
proto_item_set_generated(ti);
|
|
|
|
/* First frame */
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_first_frame_num,
|
|
tvb, 0, 0, ftp_data->first_frame_num);
|
|
proto_item_set_generated(ti);
|
|
|
|
/* Last frame */
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_last_frame_num,
|
|
tvb, 0, 0, ftp_data->last_frame_num);
|
|
proto_item_set_generated(ti);
|
|
|
|
/* Length of stream */
|
|
if (ftp_data->frames_seen > 1) {
|
|
/* Work out gap between frames */
|
|
gint seconds = (gint)
|
|
(ftp_data->last_frame_time.secs - ftp_data->first_frame_time.secs);
|
|
gint nseconds =
|
|
ftp_data->last_frame_time.nsecs - ftp_data->first_frame_time.nsecs;
|
|
|
|
/* Round gap to nearest ms. */
|
|
gint gap_ms = (seconds*1000) + ((nseconds+500000) / 1000000);
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_duration,
|
|
tvb, 0, 0, gap_ms);
|
|
proto_item_set_generated(ti);
|
|
|
|
/* Bitrate (kbps)*/
|
|
guint bitrate = (guint)(((ftp_data->bytes_seen*8.0)/(gap_ms/1000.0))/1000);
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_response_kbps,
|
|
tvb, offset, 0, bitrate);
|
|
proto_item_set_generated(ti);
|
|
}
|
|
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_setup_frame,
|
|
tvb, 0, 0, ftp_data->setup_frame);
|
|
proto_item_set_generated(ti);
|
|
}
|
|
|
|
/* Show this only under the setup frame */
|
|
if (pinfo->num == ftp_data->setup_frame) {
|
|
ti = proto_tree_add_string(tree, hf_ftp_command_command,
|
|
tvb, 0, 0, ftp_data->command);
|
|
proto_item_set_generated(ti);
|
|
|
|
ti = proto_tree_add_uint(tree, hf_ftp_command_command_frame,
|
|
tvb, 0, 0, ftp_data->command_frame);
|
|
proto_item_set_generated(ti);
|
|
}
|
|
}
|
|
}
|
|
|
|
return tvb_captured_length(tvb);
|
|
}
|
|
|
|
static int
|
|
dissect_ftpdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
|
{
|
|
proto_item *data_ti, *ti;
|
|
int data_length = tvb_captured_length(tvb);
|
|
gboolean is_text = TRUE;
|
|
gint check_chars, i;
|
|
conversation_t *p_conv;
|
|
ftp_data_conversation_t *p_ftp_data_conv;
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "FTP-DATA");
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "FTP Data: %u bytes",
|
|
tvb_reported_length(tvb));
|
|
|
|
data_ti = proto_tree_add_item(tree, proto_ftp_data, tvb, 0, -1, ENC_NA);
|
|
|
|
/* Link back to setup of this stream */
|
|
p_conv = find_conversation_pinfo(pinfo, 0);
|
|
|
|
if (p_conv) {
|
|
/* Link back to FTP frame where this conversation was created */
|
|
ti = proto_tree_add_uint(tree, hf_ftp_data_setup_frame,
|
|
tvb, 0, 0, p_conv->setup_frame);
|
|
proto_item_set_generated(ti);
|
|
|
|
p_ftp_data_conv = (ftp_data_conversation_t*)conversation_get_proto_data(p_conv, proto_ftp_data);
|
|
|
|
if (p_ftp_data_conv) {
|
|
/* First time around, update info. */
|
|
if (!pinfo->fd->visited) {
|
|
if (!p_ftp_data_conv->first_frame_num) {
|
|
p_ftp_data_conv->first_frame_num = pinfo->num;
|
|
p_ftp_data_conv->first_frame_time = pinfo->abs_ts;
|
|
}
|
|
if (pinfo->num > p_ftp_data_conv->last_frame_num) {
|
|
p_ftp_data_conv->last_frame_num = pinfo->num;
|
|
p_ftp_data_conv->last_frame_time = pinfo->abs_ts;
|
|
}
|
|
p_ftp_data_conv->frames_seen++;
|
|
p_ftp_data_conv->bytes_seen += tvb_reported_length(tvb);
|
|
|
|
/* Also store setup_frame here for benefit of ftp (control) */
|
|
p_ftp_data_conv->setup_frame = p_conv->setup_frame;
|
|
}
|
|
|
|
/* Show setup method as field and in info column */
|
|
if (p_ftp_data_conv->setup_method) {
|
|
ti = proto_tree_add_string(tree, hf_ftp_data_setup_method,
|
|
tvb, 0, 0, p_ftp_data_conv->setup_method);
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", p_ftp_data_conv->setup_method);
|
|
proto_item_set_generated(ti);
|
|
}
|
|
|
|
/* Show command in info column */
|
|
if (p_ftp_data_conv->command) {
|
|
ti = proto_tree_add_string(tree, hf_ftp_data_command,
|
|
tvb, 0, 0, p_ftp_data_conv->command);
|
|
proto_item_set_generated(ti);
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", p_ftp_data_conv->command);
|
|
|
|
proto_tree_add_uint(tree, hf_ftp_data_command_frame,
|
|
tvb, 0, 0, p_ftp_data_conv->command_frame);
|
|
proto_item_set_generated(ti);
|
|
}
|
|
|
|
/* Show current working directory */
|
|
if (p_ftp_data_conv->current_working_directory) {
|
|
ti = proto_tree_add_string(tree, hf_ftp_data_current_working_directory,
|
|
tvb, 0, 0, wmem_strbuf_get_str(p_ftp_data_conv->current_working_directory));
|
|
proto_item_set_generated(ti);
|
|
}
|
|
if (have_tap_listener(ftp_eo_tap)) {
|
|
if (p_ftp_data_conv->command_frame) {
|
|
ftp_eo_t *eo_info = wmem_new0(wmem_packet_scope(), ftp_eo_t);
|
|
eo_info->command = wmem_strdup(wmem_packet_scope(), p_ftp_data_conv->command);
|
|
eo_info->command_frame = p_ftp_data_conv->command_frame;
|
|
eo_info->payload_len = tvb_reported_length(tvb);
|
|
eo_info->payload_data = (gchar *) tvb_memdup(wmem_packet_scope(), tvb, 0, tvb_reported_length(tvb));
|
|
tap_queue_packet(ftp_eo_tap, pinfo, eo_info);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Check the first few chars to see whether it looks like a text file or output */
|
|
check_chars = MIN(20, data_length);
|
|
for (i=0; i < check_chars; i++) {
|
|
guint8 c = tvb_get_guint8(tvb, i);
|
|
if (c!='\r' && c!='\n' && !g_ascii_isprint(c)) {
|
|
is_text = FALSE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Show the number of bytes */
|
|
proto_item_append_text(data_ti, " (%u bytes data)", data_length);
|
|
|
|
/* Show line-by-line if text */
|
|
if (is_text) {
|
|
call_dissector(data_text_lines_handle, tvb, pinfo, tree);
|
|
}
|
|
|
|
return data_length;
|
|
}
|
|
|
|
static void ftp_init_protocol(void)
|
|
{
|
|
ftp_command_to_data_hash = g_hash_table_new(g_direct_hash, g_direct_equal);
|
|
}
|
|
|
|
static void ftp_cleanup_protocol(void)
|
|
{
|
|
g_hash_table_destroy(ftp_command_to_data_hash);
|
|
}
|
|
|
|
void
|
|
proto_register_ftp(void)
|
|
{
|
|
static hf_register_info hf[] = {
|
|
{ &hf_ftp_current_working_directory,
|
|
{ "Current working directory", "ftp.current-working-directory",
|
|
FT_STRING, BASE_NONE, NULL, 0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_response,
|
|
{ "Response", "ftp.response",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"TRUE if FTP response", HFILL }},
|
|
|
|
{ &hf_ftp_request,
|
|
{ "Request", "ftp.request",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"TRUE if FTP request", HFILL }},
|
|
|
|
{ &hf_ftp_request_command,
|
|
{ "Request command", "ftp.request.command",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_request_arg,
|
|
{ "Request arg", "ftp.request.arg",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_response_code,
|
|
{ "Response code", "ftp.response.code",
|
|
FT_UINT32, BASE_DEC|BASE_EXT_STRING, &response_table_ext, 0x0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_response_arg,
|
|
{ "Response arg", "ftp.response.arg",
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_pasv_ip,
|
|
{ "Passive IP address", "ftp.passive.ip",
|
|
FT_IPv4, BASE_NONE, NULL,0x0,
|
|
"Passive IP address (check NAT)", HFILL}},
|
|
|
|
{ &hf_ftp_pasv_port,
|
|
{ "Passive port", "ftp.passive.port",
|
|
FT_UINT16, BASE_DEC, NULL,0x0,
|
|
"Passive FTP server port", HFILL }},
|
|
|
|
{ &hf_ftp_pasv_nat,
|
|
{"Passive IP NAT", "ftp.passive.nat",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"NAT is active SIP and passive IP different", HFILL }},
|
|
|
|
{ &hf_ftp_active_ip,
|
|
{ "Active IP address", "ftp.active.cip",
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
"Active FTP client IP address", HFILL }},
|
|
|
|
{ &hf_ftp_active_port,
|
|
{"Active port", "ftp.active.port",
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
"Active FTP client port", HFILL }},
|
|
|
|
{ &hf_ftp_active_nat,
|
|
{ "Active IP NAT", "ftp.active.nat",
|
|
FT_BOOLEAN, BASE_NONE, NULL, 0x0,
|
|
"NAT is active", HFILL}},
|
|
|
|
{ &hf_ftp_eprt_af,
|
|
{ "Extended active address family", "ftp.eprt.af",
|
|
FT_UINT8, BASE_DEC, VALS(eprt_af_vals), 0,
|
|
NULL, HFILL }},
|
|
|
|
{ &hf_ftp_eprt_ip,
|
|
{ "Extended active IP address", "ftp.eprt.ip",
|
|
FT_IPv4, BASE_NONE, NULL, 0,
|
|
"Extended active FTP client IPv4 address", HFILL }},
|
|
|
|
{ &hf_ftp_eprt_ipv6,
|
|
{ "Extended active IPv6 address", "ftp.eprt.ipv6",
|
|
FT_IPv6, BASE_NONE, NULL, 0,
|
|
"Extended active FTP client IPv6 address", HFILL }},
|
|
|
|
{ &hf_ftp_eprt_port,
|
|
{ "Extended active port", "ftp.eprt.port",
|
|
FT_UINT16, BASE_DEC, NULL, 0,
|
|
"Extended active FTP client listener port", HFILL }},
|
|
|
|
{ &hf_ftp_epsv_ip,
|
|
{ "Extended passive IPv4 address", "ftp.epsv.ip",
|
|
FT_IPv4, BASE_NONE, NULL, 0,
|
|
"Extended passive FTP server IPv4 address", HFILL }},
|
|
|
|
{ &hf_ftp_epsv_ipv6,
|
|
{ "Extended passive IPv6 address", "ftp.epsv.ipv6",
|
|
FT_IPv6, BASE_NONE, NULL, 0,
|
|
"Extended passive FTP server IPv6 address", HFILL }},
|
|
|
|
{ &hf_ftp_epsv_port,
|
|
{ "Extended passive port", "ftp.epsv.port",
|
|
FT_UINT16, BASE_DEC, NULL, 0,
|
|
"Extended passive FTP server port", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_first_frame_num,
|
|
{ "Command response first frame", "ftp.command-response.first-frame-num",
|
|
FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0,
|
|
"First frame seen in resulting ftp-data stream", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_last_frame_num,
|
|
{ "Command response last frame", "ftp.command-response.last-frame-num",
|
|
FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0,
|
|
"Last frame seen in resulting ftp-data stream", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_duration,
|
|
{ "Response duration", "ftp.command-response.duration",
|
|
FT_UINT32, BASE_DEC|BASE_UNIT_STRING, &units_milliseconds, 0,
|
|
"Duration of command response in ms", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_kbps,
|
|
{ "Response bitrate", "ftp.command-response.bitrate",
|
|
FT_UINT32, BASE_DEC|BASE_UNIT_STRING, &units_kbps, 0,
|
|
"Bitrate of command response", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_frames,
|
|
{ "Command response frames", "ftp.command-response.frames",
|
|
FT_UINT32, BASE_DEC, NULL, 0,
|
|
"Number of frames seen in resulting ftp-data stream", HFILL }},
|
|
|
|
{ &hf_ftp_command_response_bytes,
|
|
{ "Command response bytes", "ftp.command-response.bytes",
|
|
FT_UINT32, BASE_DEC, NULL, 0,
|
|
"Number of bytes seen in resulting ftp-data stream", HFILL }},
|
|
|
|
{ &hf_ftp_command_setup_frame,
|
|
{ "Setup frame", "ftp.setup-frame",
|
|
FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0,
|
|
"Where ftp-data conversation for this command was signalled", HFILL }},
|
|
|
|
{ &hf_ftp_command_command_frame,
|
|
{ "Command frame", "ftp.command-frame",
|
|
FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0,
|
|
"Where command for setup was seen", HFILL }},
|
|
|
|
{ &hf_ftp_command_command,
|
|
{ "Command", "ftp.command",
|
|
FT_STRING, BASE_NONE, NULL, 0,
|
|
"Command corresponding to this setup frame", HFILL }},
|
|
};
|
|
static gint *ett[] = {
|
|
&ett_ftp,
|
|
&ett_ftp_reqresp
|
|
};
|
|
|
|
static hf_register_info data_hf[] = {
|
|
{ &hf_ftp_data_setup_frame,
|
|
{ "Setup frame", "ftp-data.setup-frame",
|
|
FT_FRAMENUM, BASE_NONE, NULL, 0,
|
|
"Where ftp-data conversation was signalled", HFILL }},
|
|
|
|
{ &hf_ftp_data_setup_method,
|
|
{ "Setup method", "ftp-data.setup-method",
|
|
FT_STRING, BASE_NONE, NULL, 0,
|
|
"Method used to set up data conversation", HFILL }},
|
|
|
|
{ &hf_ftp_data_command,
|
|
{ "Command", "ftp-data.command",
|
|
FT_STRING, BASE_NONE, NULL, 0,
|
|
"Command that this data stream answers", HFILL }},
|
|
|
|
{ &hf_ftp_data_command_frame,
|
|
{ "Command frame", "ftp-data.command-frame",
|
|
FT_FRAMENUM, BASE_NONE, NULL, 0,
|
|
"Where command for this data was seen", HFILL }},
|
|
|
|
{ &hf_ftp_data_current_working_directory,
|
|
{ "Current working directory", "ftp-data.current-working-directory",
|
|
FT_STRING, BASE_NONE, NULL, 0,
|
|
"Current working directory at time of command", HFILL }}
|
|
};
|
|
|
|
static ei_register_info ei[] = {
|
|
{ &ei_ftp_eprt_args_invalid, { "ftp.eprt.args_invalid", PI_MALFORMED, PI_WARN, "EPRT arguments must have the form: |<family>|<addr>|<port>|", EXPFILL }},
|
|
{ &ei_ftp_epsv_args_invalid, { "ftp.epsv.args_invalid", PI_MALFORMED, PI_WARN, "EPSV arguments must have the form (|||<port>|)", EXPFILL }},
|
|
{ &ei_ftp_response_code_invalid, { "ftp.response.code.invalid", PI_MALFORMED, PI_ERROR, "Invalid response code", EXPFILL }},
|
|
{ &ei_ftp_pwd_response_invalid, { "ftp.response.pwd.invalid", PI_MALFORMED, PI_ERROR, "Invalid PWD response", EXPFILL }}
|
|
};
|
|
|
|
expert_module_t* expert_ftp;
|
|
|
|
proto_ftp = proto_register_protocol("File Transfer Protocol (FTP)", "FTP", "ftp");
|
|
|
|
ftp_handle = register_dissector("ftp", dissect_ftp, proto_ftp);
|
|
proto_ftp_data = proto_register_protocol("FTP Data", "FTP-DATA", "ftp-data");
|
|
ftpdata_handle = register_dissector("ftp-data", dissect_ftpdata, proto_ftp_data);
|
|
proto_register_field_array(proto_ftp, hf, array_length(hf));
|
|
proto_register_field_array(proto_ftp, data_hf, array_length(data_hf));
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
expert_ftp = expert_register_protocol(proto_ftp);
|
|
expert_register_field_array(expert_ftp, ei, array_length(ei));
|
|
|
|
register_init_routine(&ftp_init_protocol);
|
|
register_cleanup_routine(&ftp_cleanup_protocol);
|
|
|
|
credentials_tap = register_tap("credentials");
|
|
|
|
module_t *ftp_prefs_module = prefs_register_protocol(proto_ftp_data, NULL);
|
|
prefs_register_uint_preference(ftp_prefs_module, "export.maxsize",
|
|
"Max file size (in MB) for export objects (use 0 for unlimited)", /* Title */
|
|
"Maximum file size (in megabytes) for export objects (use 0 for unlimited).", /* Description */
|
|
10,
|
|
&pref_export_maxsize);
|
|
ftp_eo_tap = register_export_object(proto_ftp_data, ftp_eo_packet, ftp_eo_cleanup);
|
|
}
|
|
|
|
void
|
|
proto_reg_handoff_ftp(void)
|
|
{
|
|
dissector_add_uint_with_preference("tcp.port", TCP_PORT_FTPDATA, ftpdata_handle);
|
|
dissector_add_uint_with_preference("tcp.port", TCP_PORT_FTP, ftp_handle);
|
|
dissector_add_uint("acdr.tls_application", TLS_APP_FTP, ftp_handle);
|
|
|
|
data_text_lines_handle = find_dissector_add_dependency("data-text-lines", proto_ftp_data);
|
|
|
|
tls_handle = find_dissector( "tls" );
|
|
}
|
|
|
|
/*
|
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
|
*
|
|
* Local variables:
|
|
* c-basic-offset: 4
|
|
* tab-width: 8
|
|
* indent-tabs-mode: nil
|
|
* End:
|
|
*
|
|
* vi: set shiftwidth=4 tabstop=8 expandtab:
|
|
* :indentSize=4:tabSize=8:noTabs=true:
|
|
*/
|