osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
wireshark/epan/dissectors/packet-bt-utp.c

1270 lines
42 KiB
C
Raw Blame History

/* packet-bt-utp.c
* Routines for BT-UTP dissection
* Copyright 2011, Xiao Xiangquan <xiaoxiangquan@gmail.com>
* Copyright 2021, John Thacker <johnthacker@gmail.com>
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1999 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <epan/packet.h>
#include <epan/conversation.h>
#include <epan/exceptions.h>
#include <epan/show_exception.h>
#include <epan/prefs.h>
#include <epan/proto_data.h>
#include <epan/reassemble.h>
#include "packet-udp.h"
#include "packet-bt-utp.h"
void proto_register_bt_utp(void);
void proto_reg_handoff_bt_utp(void);
enum {
ST_DATA = 0,
ST_FIN = 1,
ST_STATE = 2,
ST_RESET = 3,
ST_SYN = 4,
ST_NUM_STATES
};
/* V0 hdr: "flags"; V1 hdr: "type" */
static const value_string bt_utp_type_vals[] = {
{ ST_DATA, "Data" },
{ ST_FIN, "Fin" },
{ ST_STATE, "State" },
{ ST_RESET, "Reset" },
{ ST_SYN, "Syn" },
{ 0, NULL }
};
enum {
EXT_NO_EXTENSION = 0,
EXT_SELECTIVE_ACKS = 1,
EXT_EXTENSION_BITS = 2,
EXT_NUM_EXT
};
static const value_string bt_utp_extension_type_vals[] = {
{ EXT_NO_EXTENSION, "No Extension" },
{ EXT_SELECTIVE_ACKS, "Selective ACKs" },
{ EXT_EXTENSION_BITS, "Extension bits" },
{ 0, NULL }
};
static int proto_bt_utp = -1;
/* --- "Original" uTP Header ("version 0" ?) --------------
See utp.cpp source code @ https://github.com/bittorrent/libutp
-- Fixed Header --
0 4 8 16 24 32
+-------+-------+---------------+---------------+---------------+
| connection_id |
+-------+-------+---------------+---------------+---------------+
| timestamp_seconds |
+---------------+---------------+---------------+---------------+
| timestamp_microseconds |
+---------------+---------------+---------------+---------------+
| timestamp_difference_microseconds |
+---------------+---------------+---------------+---------------+
| wnd_size | ext | flags | seq_nr [ho] |
+---------------+---------------+---------------+---------------+
| seq_nr [lo] | ack_nr |
+---------------+---------------+---------------+
-- Extension Field(s) --
0 8 16
+---------------+---------------+---------------+---------------+
| extension | len | bitmask
+---------------+---------------+---------------+---------------+
|
+---------------+---------------+....
*/
/* --- Version 1 Header ----------------
Specifications: BEP-0029
http://www.bittorrent.org/beps/bep_0029.html
-- Fixed Header --
Fields Types
0 4 8 16 24 32
+-------+-------+---------------+---------------+---------------+
| type | ver | extension | connection_id |
+-------+-------+---------------+---------------+---------------+
| timestamp_microseconds |
+---------------+---------------+---------------+---------------+
| timestamp_difference_microseconds |
+---------------+---------------+---------------+---------------+
| wnd_size |
+---------------+---------------+---------------+---------------+
| seq_nr | ack_nr |
+---------------+---------------+---------------+---------------+
-- Extension Field(s) --
0 8 16
+---------------+---------------+---------------+---------------+
| extension | len | bitmask
+---------------+---------------+---------------+---------------+
|
+---------------+---------------+....
*/
#define V0_FIXED_HDR_SIZE 23
#define V1_FIXED_HDR_SIZE 20
/* Very early versions of libutp (still used by Transmission) set the max
* recv window size to 0x00380000, versions from 2013 and later set it to
* 0x00100000, and some other clients use 0x00040000. This is one of the
* few possible sources of heuristics.
*/
#define V1_MAX_WINDOW_SIZE 0x380000U
static dissector_handle_t bt_utp_handle;
static dissector_handle_t bittorrent_handle;
static int hf_bt_utp_ver = -1;
static int hf_bt_utp_type = -1;
static int hf_bt_utp_flags = -1;
static int hf_bt_utp_extension = -1;
static int hf_bt_utp_next_extension_type = -1;
static int hf_bt_utp_extension_len = -1;
static int hf_bt_utp_extension_bitmask = -1;
static int hf_bt_utp_extension_unknown = -1;
static int hf_bt_utp_connection_id_v0 = -1;
static int hf_bt_utp_connection_id_v1 = -1;
static int hf_bt_utp_stream = -1;
static int hf_bt_utp_timestamp_sec = -1;
static int hf_bt_utp_timestamp_us = -1;
static int hf_bt_utp_timestamp_diff_us = -1;
static int hf_bt_utp_wnd_size_v0 = -1;
static int hf_bt_utp_wnd_size_v1 = -1;
static int hf_bt_utp_seq_nr = -1;
static int hf_bt_utp_ack_nr = -1;
static int hf_bt_utp_len = -1;
static int hf_bt_utp_data = -1;
static int hf_bt_utp_pdu_size = -1;
static int hf_bt_utp_continuation_to = -1;
static gint ett_bt_utp = -1;
static gint ett_bt_utp_extension = -1;
static gboolean enable_version0 = FALSE;
static guint max_window_size = V1_MAX_WINDOW_SIZE;
/* XXX: Desegementation and OOO-reassembly are not supported yet */
static gboolean utp_desegment = FALSE;
/*static gboolean utp_reassemble_out_of_order = FALSE;*/
static gboolean utp_analyze_seq = TRUE;
static guint32 bt_utp_stream_count = 0;
typedef struct _utp_multisegment_pdu {
guint16 first_seq;
guint16 last_seq;
guint first_seq_start_offset;
guint last_seq_end_offset;
/*gint length;
guint32 reassembly_id;*/
guint32 first_frame;
} utp_multisegment_pdu;
typedef struct _utp_flow_t {
#if 0
/* XXX: Some other things to add in later. */
gboolean base_seq_set;
guint16 base_seq;
guint32 fin;
guint32 window;
guint32 maxnextseq;
#endif
wmem_tree_t *multisegment_pdus;
} utp_flow_t;
typedef struct {
guint32 stream;
utp_flow_t flow[2];
utp_flow_t *fwd;
utp_flow_t *rev;
#if 0
/* XXX: Some other things to add in later. */
nstime_t ts_first;
nstime_t ts_prev;
guint8 conversation_completeness;
#endif
} utp_stream_info_t;
/* Per-packet header information. */
typedef struct {
guint8 type;
gboolean v0;
guint32 connection; /* The prelease "V0" version is 32 bit */
guint32 stream;
guint16 seq;
guint16 ack;
guint32 seglen; /* reported length remaining */
gboolean have_seglen;
proto_tree *tree; /* For the bittorrent subdissector to access */
} utp_info_t;
static utp_stream_info_t*
get_utp_stream_info(packet_info *pinfo, utp_info_t *utp_info)
{
conversation_t* conv;
utp_stream_info_t *stream_info;
guint32 id_up, id_down;
int direction;
/* Handle connection ID wrapping correctly. (Mainline libutp source
* does not appear to do this, probably fails to connect if the random
* connection ID is GMAX_UINT16 and tries again.)
*/
if (utp_info->v0) {
id_up = utp_info->connection+1;
id_down = utp_info->connection-1;
} else {
id_up = (guint16)(utp_info->connection+1);
id_down = (guint16)(utp_info->connection-1);
}
if (utp_info->type == ST_SYN) {
/* SYN packets are special, they have the connection ID for the other
* side, and allow us to know both.
*/
conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP,
id_up, utp_info->connection, 0);
if (!conv) {
/* XXX: A SYN for between the same pair of hosts with a duplicate
* connection ID in the same direction is almost surely a retransmission
* (unless there's a client that doesn't actually generate random IDs.)
* We could check to see if we've gotten a FIN or RST on that same
* connection, and also could do like TCP and see if the initial sequence
* number matches. (The latter still doesn't help if the client also
* doesn't start with random sequence numbers.)
*/
conv = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP, id_up, utp_info->connection, 0);
}
} else {
/* For non-SYN packets, we know our connection ID, but we don't know if
* the other side has our ID+1 (src initiated the connection) or our ID-1
* (dst initiated). We also don't want find_conversation() to accidentally
* call conversation_set_port2() with the wrong ID. So first we see if
* we have a wildcarded conversation around (if we've seen previous
* non-SYN packets from our current direction but none in the other.)
*/
conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP, utp_info->connection, 0, NO_PORT_B);
if (!conv) {
/* Do we have a complete conversation originated by our src, or
* possibly a wildcarded conversation originated in this direction
* (but we saw a non-SYN for the non-initiating side first)? */
conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP, utp_info->connection, id_up, 0);
if (!conv) {
/* As above, but dst initiated? */
conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP, utp_info->connection, id_down, 0);
if (!conv) {
/* Didn't find it, so create a new wildcarded conversation. When we
* get a packet for the other direction, find_conversation() above
* will set port2 with the other connection ID.
*/
conv = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_BT_UTP, utp_info->connection, 0, NO_PORT2);
}
}
}
}
stream_info = (utp_stream_info_t *)conversation_get_proto_data(conv, proto_bt_utp);
if (!stream_info) {
stream_info = wmem_new0(wmem_file_scope(), utp_stream_info_t);
stream_info->stream = bt_utp_stream_count++;
stream_info->flow[0].multisegment_pdus=wmem_tree_new(wmem_file_scope());
stream_info->flow[1].multisegment_pdus=wmem_tree_new(wmem_file_scope());
conversation_add_proto_data(conv, proto_bt_utp, stream_info);
}
/* check direction */
direction=cmp_address(&pinfo->src, &pinfo->dst);
/* if the addresses are equal, match the ports instead. Use
* the UDP ports instead of the uTP connection IDs because
* we don't know which ID is smaller if we don't have both. */
if(direction==0) {
direction= (pinfo->srcport > pinfo->destport) ? 1 : -1;
}
if(direction>=0) {
stream_info->fwd=&(stream_info->flow[0]);
stream_info->rev=&(stream_info->flow[1]);
} else {
stream_info->fwd=&(stream_info->flow[1]);
stream_info->rev=&(stream_info->flow[0]);
}
return stream_info;
}
static void
print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *utp_tree, utp_multisegment_pdu *msp)
{
proto_item *item;
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "[Continuation to #%u] ", msp->first_frame);
item=proto_tree_add_uint(utp_tree, hf_bt_utp_continuation_to,
tvb, 0, 0, msp->first_frame);
proto_item_set_generated(item);
}
static int
scan_for_next_pdu(tvbuff_t *tvb, proto_tree *utp_tree, packet_info *pinfo, wmem_tree_t *multisegment_pdus)
{
utp_multisegment_pdu *msp;
utp_info_t *p_utp_info;
guint16 seq, prev_seq;
p_utp_info = (utp_info_t *)p_get_proto_data(pinfo->pool, pinfo, proto_bt_utp, pinfo->curr_layer_num);
/* XXX: Wraparound is possible, as is cycling through all 16 bit
* sequence numbers in a connection. We only do this path if
* "seq analysis" is on; that ought to do something (relative
* sequence numbers definitely, maybe extend the width?) to help,
* but doesn't yet.
*/
seq = p_utp_info->seq;
prev_seq = seq - 1;
msp = (utp_multisegment_pdu *)wmem_tree_lookup32_le(multisegment_pdus, prev_seq);
if (msp) {
if(seq>msp->first_seq && seq<=msp->last_seq) {
print_pdu_tracking_data(pinfo, tvb, utp_tree, msp);
}
/* If this segment is completely within a previous PDU
* then we just skip this packet
*/
if(seq>msp->first_seq && seq<msp->last_seq) {
return -1;
}
if(seq>msp->first_seq && seq==msp->last_seq) {
if (!PINFO_FD_VISITED(pinfo) && p_utp_info->have_seglen) {
/* Unlike TCP, the sequence numbers don't measure bytes, so
* we can only really update the end of the MSP when the packets
* are in order, and if we have the real segment length (so not
* an unreassembled IP fragment).
*/
if (p_utp_info->seglen >= msp->last_seq_end_offset) {
return msp->last_seq_end_offset;
} else {
msp->last_seq++;
msp->last_seq_end_offset -= p_utp_info->seglen;
return -1;
}
} else {
/* We can still provide a hint to the offset start in some
* cases even when we can't update the MSP.
*/
if (msp->last_seq_end_offset < tvb_reported_length(tvb)) {
return msp->last_seq_end_offset;
} else {
return -1;
}
}
}
}
return 0;
}
static utp_multisegment_pdu *
pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint16 seq, int offset, guint32 bytes_until_next_pdu, wmem_tree_t *multisegment_pdus)
{
utp_multisegment_pdu *msp;
msp = wmem_new(wmem_file_scope(), utp_multisegment_pdu);
msp->first_seq = seq;
msp->first_seq_start_offset = offset;
msp->last_seq = seq+1;
msp->last_seq_end_offset = bytes_until_next_pdu;
msp->first_frame = pinfo->num;
wmem_tree_insert32(multisegment_pdus, seq, (void *)msp);
return msp;
}
#if 0
static void
desegment_utp(tvbuff_t *tvb, packet_info *pinfo, int offset,
guint32 seq, guint32 nxtseq,
proto_tree *tree, proto_tree *utp_tree,
utp_stream_info_t *stream_info)
{
}
#endif
void
utp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
gboolean proto_desegment, guint fixed_len,
guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
dissector_t dissect_pdu, void* dissector_data)
{
volatile int offset = 0;
int offset_before;
guint captured_length_remaining;
volatile guint plen;
guint length;
tvbuff_t *next_tvb;
proto_item *item=NULL;
const char *saved_proto;
guint8 curr_layer_num;
wmem_list_frame_t *frame;
while (tvb_reported_length_remaining(tvb, offset) > 0) {
/*
* We use "tvb_ensure_captured_length_remaining()" to make
* sure there actually *is* data remaining. The protocol
* we're handling could conceivably consists of a sequence of
* fixed-length PDUs, and therefore the "get_pdu_len" routine
* might not actually fetch anything from the tvbuff, and thus
* might not cause an exception to be thrown if we've run past
* the end of the tvbuff.
*
* This means we're guaranteed that "captured_length_remaining" is positive.
*/
captured_length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
/*
* Can we do reassembly?
*/
if (proto_desegment && pinfo->can_desegment) {
/*
* Yes - is the fixed-length part of the PDU split across segment
* boundaries?
*/
if (captured_length_remaining < fixed_len) {
/*
* Yes. Tell the uTP dissector where the data for this message
* starts in the data it handed us and that we need "some more
* data." Don't tell it exactly how many bytes we need because
* if/when we ask for even more (after the header) that will
* break reassembly.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
}
}
/*
* Get the length of the PDU.
*/
plen = (*get_pdu_len)(pinfo, tvb, offset, dissector_data);
if (plen == 0) {
/*
* Support protocols which have a variable length which cannot
* always be determined within the given fixed_len.
*/
DISSECTOR_ASSERT(proto_desegment && pinfo->can_desegment);
pinfo->desegment_offset = offset;
pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
return;
}
if (plen < fixed_len) {
/*
* Either:
*
* 1) the length value extracted from the fixed-length portion
* doesn't include the fixed-length portion's length, and
* was so large that, when the fixed-length portion's
* length was added to it, the total length overflowed;
*
* 2) the length value extracted from the fixed-length portion
* includes the fixed-length portion's length, and the value
* was less than the fixed-length portion's length, i.e. it
* was bogus.
*
* Report this as a bounds error.
*/
show_reported_bounds_error(tvb, pinfo, tree);
return;
}
/* give a hint to uTP where the next PDU starts
* so that it can attempt to find it in case it starts
* somewhere in the middle of a segment.
*/
if(!pinfo->fd->visited && utp_analyze_seq) {
guint remaining_bytes;
remaining_bytes = tvb_reported_length_remaining(tvb, offset);
if(plen>remaining_bytes) {
pinfo->want_pdu_tracking=2;
pinfo->bytes_until_next_pdu=plen-remaining_bytes;
}
}
/*
* Can we do reassembly?
*/
if (proto_desegment && pinfo->can_desegment) {
/*
* Yes - is the PDU split across segment boundaries?
*/
if (captured_length_remaining < plen) {
/*
* Yes. Tell the TCP dissector where the data for this message
* starts in the data it handed us, and how many more bytes we
* need, and return.
*/
pinfo->desegment_offset = offset;
pinfo->desegment_len = plen - captured_length_remaining;
return;
}
}
curr_layer_num = pinfo->curr_layer_num-1;
frame = wmem_list_frame_prev(wmem_list_tail(pinfo->layers));
while (frame && (proto_bt_utp != (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame)))) {
frame = wmem_list_frame_prev(frame);
curr_layer_num--;
}
#if 0
if (captured_length_remaining >= plen || there are more packets)
{
#endif
/*
* Display the PDU length as a field
*/
item=proto_tree_add_uint(((utp_info_t *)p_get_proto_data(pinfo->pool, pinfo, proto_bt_utp, curr_layer_num))->tree,
hf_bt_utp_pdu_size,
tvb, offset, plen, plen);
proto_item_set_generated(item);
#if 0
} else {
item = proto_tree_add_expert_format((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_bt_utp, curr_layer_num),
tvb, offset, -1,
"PDU Size: %u cut short at %u",plen,captured_length_remaining);
proto_item_set_generated(item);
}
#endif
/*
* Construct a tvbuff containing the amount of the payload we have
* available. Make its reported length the amount of data in the PDU.
*/
length = captured_length_remaining;
if (length > plen) {
length = plen;
}
next_tvb = tvb_new_subset_length_caplen(tvb, offset, length, plen);
if (!(proto_desegment && pinfo->can_desegment)) {
/* If we can't do reassembly, give a hint that bounds errors
* are probably fragment errors. */
tvb_set_fragment(next_tvb);
}
/*
* Dissect the PDU.
*
* If it gets an error that means there's no point in
* dissecting any more PDUs, rethrow the exception in
* question.
*
* If it gets any other error, report it and continue, as that
* means that PDU got an error, but that doesn't mean we should
* stop dissecting PDUs within this frame or chunk of reassembled
* data.
*/
saved_proto = pinfo->current_proto;
TRY {
(*dissect_pdu)(next_tvb, pinfo, tree, dissector_data);
}
CATCH_NONFATAL_ERRORS {
show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
/*
* Restore the saved protocol as well; we do this after
* show_exception(), so that the "Malformed packet" indication
* shows the protocol for which dissection failed.
*/
pinfo->current_proto = saved_proto;
}
ENDTRY;
/*
* Step to the next PDU.
* Make sure we don't overflow.
*/
offset_before = offset;
offset += plen;
if (offset <= offset_before)
break;
}
}
static gint
get_utp_version(tvbuff_t *tvb) {
guint8 v0_flags;
guint8 v1_ver_type, ext, ext_len;
guint32 window;
guint len, offset = 0;
gint ver = -1;
/* Simple heuristics inspired by code from utp.cpp */
len = tvb_captured_length(tvb);
/* Version 1? */
if (len < V1_FIXED_HDR_SIZE) {
return -1;
}
v1_ver_type = tvb_get_guint8(tvb, 0);
ext = tvb_get_guint8(tvb, 1);
if (((v1_ver_type & 0x0f) == 1) && ((v1_ver_type>>4) < ST_NUM_STATES) &&
(ext < EXT_NUM_EXT)) {
window = tvb_get_guint32(tvb, 12, ENC_BIG_ENDIAN);
if (window > max_window_size) {
return -1;
}
ver = 1;
offset = V1_FIXED_HDR_SIZE;
} else if (enable_version0) {
/* Version 0? */
if (len < V0_FIXED_HDR_SIZE) {
return -1;
}
v0_flags = tvb_get_guint8(tvb, 18);
ext = tvb_get_guint8(tvb, 17);
if ((v0_flags < ST_NUM_STATES) && (ext < EXT_NUM_EXT)) {
ver = 0;
offset = V0_FIXED_HDR_SIZE;
}
}
if (ver < 0) {
return ver;
}
/* In V0 we could use the microseconds value as a heuristic, because
* it was tv_usec, but in the modern V1 we cannot, because it is
* computed by converting a time_t into a 64 bit quantity of microseconds
* and then taking the lower 32 bits, so all possible values are likely.
*/
/* If we have an extension, then check the next two bytes,
* the first of which is another extension type (likely NO_EXTENSION)
* and the second of which is a length, which must be at least 4.
*/
if (ext != EXT_NO_EXTENSION) {
if (len < offset + 2) {
return -1;
}
ext = tvb_get_guint8(tvb, offset);
ext_len = tvb_get_guint8(tvb, offset+1);
if (ext >= EXT_NUM_EXT || ext_len < 4) {
return -1;
}
}
return ver;
}
static int
dissect_utp_header_v0(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint8 *extension_type)
{
/* "Original" (V0) */
utp_info_t *p_utp_info = NULL;
utp_stream_info_t *stream_info = NULL;
proto_item *ti;
guint32 type, connection, win, seq, ack;
p_utp_info = wmem_new(pinfo->pool, utp_info_t);
p_utp_info->v0 = TRUE;
p_add_proto_data(pinfo->pool, pinfo, proto_bt_utp, pinfo->curr_layer_num, p_utp_info);
proto_tree_add_item_ret_uint(tree, hf_bt_utp_connection_id_v0, tvb, offset, 4, ENC_BIG_ENDIAN, &connection);
offset += 4;
proto_tree_add_item(tree, hf_bt_utp_timestamp_sec, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_bt_utp_timestamp_us, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_bt_utp_timestamp_diff_us, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_wnd_size_v0, tvb, offset, 1, ENC_BIG_ENDIAN, &win);
offset += 1;
proto_tree_add_item(tree, hf_bt_utp_next_extension_type, tvb, offset, 1, ENC_BIG_ENDIAN);
*extension_type = tvb_get_guint8(tvb, offset);
offset += 1;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_flags, tvb, offset, 1, ENC_BIG_ENDIAN, &type);
offset += 1;
col_append_fstr(pinfo->cinfo, COL_INFO, "Connection ID:%d [%s]", connection, val_to_str(type, bt_utp_type_vals, "Unknown %d"));
p_utp_info->type = type;
p_utp_info->connection = connection;
proto_tree_add_item(tree, hf_bt_utp_seq_nr, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_bt_utp_ack_nr, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_seq_nr, tvb, offset, 2, ENC_BIG_ENDIAN, &seq);
col_append_str_uint(pinfo->cinfo, COL_INFO, "Seq", seq, " ");
p_utp_info->seq = seq;
offset += 2;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_ack_nr, tvb, offset, 2, ENC_BIG_ENDIAN, &ack);
col_append_str_uint(pinfo->cinfo, COL_INFO, "Ack", ack, " ");
p_utp_info->ack = ack;
offset += 2;
col_append_str_uint(pinfo->cinfo, COL_INFO, "Win", win, " ");
stream_info = get_utp_stream_info(pinfo, p_utp_info);
ti = proto_tree_add_uint(tree, hf_bt_utp_stream, tvb, offset, 0, stream_info->stream);
p_utp_info->stream = stream_info->stream;
proto_item_set_generated(ti);
return offset;
}
static int
dissect_utp_header_v1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint8 *extension_type)
{
/* V1 */
utp_info_t *p_utp_info = NULL;
utp_stream_info_t *stream_info = NULL;
proto_item *ti;
guint32 type, connection, win, seq, ack;
p_utp_info = wmem_new(pinfo->pool, utp_info_t);
p_utp_info->v0 = FALSE;
p_add_proto_data(pinfo->pool, pinfo, proto_bt_utp, pinfo->curr_layer_num, p_utp_info);
proto_tree_add_item(tree, hf_bt_utp_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item_ret_uint(tree, hf_bt_utp_type, tvb, offset, 1, ENC_BIG_ENDIAN, &type);
offset += 1;
proto_tree_add_item(tree, hf_bt_utp_next_extension_type, tvb, offset, 1, ENC_BIG_ENDIAN);
*extension_type = tvb_get_guint8(tvb, offset);
offset += 1;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_connection_id_v1, tvb, offset, 2, ENC_BIG_ENDIAN, &connection);
offset += 2;
col_append_fstr(pinfo->cinfo, COL_INFO, "Connection ID:%d [%s]", connection, val_to_str(type, bt_utp_type_vals, "Unknown %d"));
p_utp_info->type = type;
p_utp_info->connection = connection;
proto_tree_add_item(tree, hf_bt_utp_timestamp_us, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_bt_utp_timestamp_diff_us, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_wnd_size_v1, tvb, offset, 4, ENC_BIG_ENDIAN, &win);
offset += 4;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_seq_nr, tvb, offset, 2, ENC_BIG_ENDIAN, &seq);
col_append_str_uint(pinfo->cinfo, COL_INFO, "Seq", seq, " ");
p_utp_info->seq = seq;
offset += 2;
proto_tree_add_item_ret_uint(tree, hf_bt_utp_ack_nr, tvb, offset, 2, ENC_BIG_ENDIAN, &ack);
col_append_str_uint(pinfo->cinfo, COL_INFO, "Ack", ack, " ");
p_utp_info->ack = ack;
offset += 2;
col_append_str_uint(pinfo->cinfo, COL_INFO, "Win", win, " ");
stream_info = get_utp_stream_info(pinfo, p_utp_info);
ti = proto_tree_add_uint(tree, hf_bt_utp_stream, tvb, offset, 0, stream_info->stream);
p_utp_info->stream = stream_info->stream;
proto_item_set_generated(ti);
/* XXX: Multisegment PDUs are the top priority to add, but a number of
* other features in the TCP dissector would be useful- relative sequence
* numbers, conversation completeness, maybe even tracking SACKs.
*/
return offset;
}
static int
dissect_utp_extension(tvbuff_t *tvb, packet_info _U_*pinfo, proto_tree *tree, int offset, guint8 *extension_type)
{
proto_item *ti;
proto_tree *ext_tree;
guint8 extension_length;
/* display the extension tree */
while(*extension_type != EXT_NO_EXTENSION && offset < (int)tvb_reported_length(tvb))
{
switch(*extension_type){
case EXT_SELECTIVE_ACKS: /* 1 */
{
ti = proto_tree_add_item(tree, hf_bt_utp_extension, tvb, offset, -1, ENC_NA);
ext_tree = proto_item_add_subtree(ti, ett_bt_utp_extension);
proto_tree_add_item(ext_tree, hf_bt_utp_next_extension_type, tvb, offset, 1, ENC_BIG_ENDIAN);
*extension_type = tvb_get_guint8(tvb, offset);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_len, tvb, offset, 1, ENC_BIG_ENDIAN);
extension_length = tvb_get_guint8(tvb, offset);
proto_item_append_text(ti, " Selective ACKs, Len=%d", extension_length);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_bitmask, tvb, offset, extension_length, ENC_NA);
offset += extension_length;
proto_item_set_len(ti, 1 + 1 + extension_length);
break;
}
case EXT_EXTENSION_BITS: /* 2 */
{
ti = proto_tree_add_item(tree, hf_bt_utp_extension, tvb, offset, -1, ENC_NA);
ext_tree = proto_item_add_subtree(ti, ett_bt_utp_extension);
proto_tree_add_item(ext_tree, hf_bt_utp_next_extension_type, tvb, offset, 1, ENC_BIG_ENDIAN);
*extension_type = tvb_get_guint8(tvb, offset);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_len, tvb, offset, 1, ENC_BIG_ENDIAN);
extension_length = tvb_get_guint8(tvb, offset);
proto_item_append_text(ti, " Extension Bits, Len=%d", extension_length);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_bitmask, tvb, offset, extension_length, ENC_NA);
offset += extension_length;
proto_item_set_len(ti, 1 + 1 + extension_length);
break;
}
default:
ti = proto_tree_add_item(tree, hf_bt_utp_extension, tvb, offset, -1, ENC_NA);
ext_tree = proto_item_add_subtree(ti, ett_bt_utp_extension);
proto_tree_add_item(ext_tree, hf_bt_utp_next_extension_type, tvb, offset, 1, ENC_BIG_ENDIAN);
*extension_type = tvb_get_guint8(tvb, offset);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_len, tvb, offset, 1, ENC_BIG_ENDIAN);
extension_length = tvb_get_guint8(tvb, offset);
proto_item_append_text(ti, " Unknown, Len=%d", extension_length);
offset += 1;
proto_tree_add_item(ext_tree, hf_bt_utp_extension_unknown, tvb, offset, extension_length, ENC_NA);
offset += extension_length;
proto_item_set_len(ti, 1 + 1 + extension_length);
break;
}
}
return offset;
}
static gboolean
decode_utp(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree)
{
proto_tree *parent_tree;
tvbuff_t *next_tvb;
int save_desegment_offset;
guint32 save_desegment_len;
/* XXX: Check for retransmission? */
next_tvb = tvb_new_subset_remaining(tvb, offset);
save_desegment_offset = pinfo->desegment_offset;
save_desegment_len = pinfo->desegment_len;
/* The only possible payload is bittorrent */
parent_tree = proto_tree_get_parent_tree(tree);
if (call_dissector_with_data(bittorrent_handle, next_tvb, pinfo, parent_tree, NULL)) {
pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
return TRUE;
}
DISSECTOR_ASSERT(save_desegment_offset == pinfo->desegment_offset &&
save_desegment_len == pinfo->desegment_len);
call_data_dissector(tvb, pinfo, parent_tree);
pinfo->want_pdu_tracking -= !!(pinfo->want_pdu_tracking);
return FALSE;
}
static void
process_utp_payload(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree, guint16 seq, gboolean is_utp_segment,
utp_stream_info_t *stream_info)
{
volatile int offset = 0;
pinfo->want_pdu_tracking = 0;
TRY {
if (is_utp_segment) {
/* See if an unaligned PDU */
if (stream_info && utp_analyze_seq && (!utp_desegment)) {
offset = scan_for_next_pdu(tvb, tree, pinfo,
stream_info->fwd->multisegment_pdus);
}
}
if ((offset != -1) && decode_utp(tvb, offset, pinfo, tree)) {
/*
* We succeeded in handing off to bittorent.
*
* Is this a segment (so we're not desegmenting for whatever
* reason)? Then at least do rudimentary PDU tracking.
*/
if(is_utp_segment) {
/* if !visited, check want_pdu_tracking and
store it in table */
if(stream_info && (!pinfo->fd->visited) &&
utp_analyze_seq && pinfo->want_pdu_tracking) {
pdu_store_sequencenumber_of_next_pdu(
pinfo,
seq,
offset,
pinfo->bytes_until_next_pdu,
stream_info->fwd->multisegment_pdus);
}
}
}
}
CATCH_ALL {
/* We got an exception. Before dissection is aborted and execution
* is transferred back to (probably) the frame dissector, do PDU
* tracking if we need to because this is a segment.
*/
if (is_utp_segment) {
if(stream_info && (!pinfo->fd->visited) &&
utp_analyze_seq && pinfo->want_pdu_tracking) {
pdu_store_sequencenumber_of_next_pdu(
pinfo,
seq,
offset,
pinfo->bytes_until_next_pdu,
stream_info->fwd->multisegment_pdus);
}
}
RETHROW;
}
ENDTRY;
}
static guint
dissect_utp_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_item *ti;
utp_info_t *p_utp_info;
guint len_tvb;
gboolean save_fragmented;
p_utp_info = (utp_info_t *)p_get_proto_data(pinfo->pool, pinfo, proto_bt_utp, pinfo->curr_layer_num);
p_utp_info->tree = tree;
utp_stream_info_t *stream_info;
stream_info = get_utp_stream_info(pinfo, p_utp_info);
len_tvb = tvb_reported_length(tvb);
/* As with TCP, if we've been handed an IP fragment, we don't really
* know how big the segment is, and we don't really want to do anything
* if this is an error packet from ICMP or similar.
*
* XXX: We don't want to desegment if the UDP checksum is bad either.
* Need to add that to the per-packet info that UDP stores and access
* it.
*/
pinfo->can_desegment = 0;
if (!pinfo->fragmented && !pinfo->flags.in_error_pkt) {
p_utp_info->seglen = len_tvb;
p_utp_info->have_seglen = TRUE;
ti = proto_tree_add_uint(tree, hf_bt_utp_len, tvb, 0, 0, len_tvb);
proto_item_set_generated(ti);
col_append_str_uint(pinfo->cinfo, COL_INFO, "Len", len_tvb, " ");
if (utp_desegment && tvb_bytes_exist(tvb, 0, len_tvb)) {
/* If we actually have the bytes too then we can desegment. */
pinfo->can_desegment = 2;
}
} else {
p_utp_info->have_seglen = FALSE;
}
if(tvb_captured_length(tvb)) {
proto_tree_add_item(tree, hf_bt_utp_data, tvb, 0, len_tvb, ENC_NA);
if (pinfo->can_desegment) {
/* XXX: desegment_utp() is not implemented, but we can't get
* into this code path yet because utp_desegment is FALSE. */
} else {
save_fragmented = pinfo->fragmented;
pinfo->fragmented = TRUE;
process_utp_payload(tvb, pinfo, tree, p_utp_info->seq, TRUE, stream_info);
pinfo->fragmented = save_fragmented;
}
}
return len_tvb;
}
static int
dissect_bt_utp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
gint version;
version = get_utp_version(tvb);
/* try dissecting */
if (version >= 0)
{
proto_tree *sub_tree = NULL;
proto_item *ti;
gint offset = 0;
guint8 extension_type;
/* set the protocol column */
col_set_str(pinfo->cinfo, COL_PROTOCOL, "BT-uTP");
col_clear(pinfo->cinfo, COL_INFO);
/* Determine header version */
if (version == 0) {
ti = proto_tree_add_protocol_format(tree, proto_bt_utp, tvb, 0, -1,
"uTorrent Transport Protocol V0");
sub_tree = proto_item_add_subtree(ti, ett_bt_utp);
offset = dissect_utp_header_v0(tvb, pinfo, sub_tree, offset, &extension_type);
} else {
ti = proto_tree_add_item(tree, proto_bt_utp, tvb, 0, -1, ENC_NA);
sub_tree = proto_item_add_subtree(ti, ett_bt_utp);
offset = dissect_utp_header_v1(tvb, pinfo, sub_tree, offset, &extension_type);
}
offset = dissect_utp_extension(tvb, pinfo, sub_tree, offset, &extension_type);
offset += dissect_utp_payload(tvb_new_subset_remaining(tvb, offset), pinfo, sub_tree);
return offset;
}
return 0;
}
static gboolean
dissect_bt_utp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
gint version;
version = get_utp_version(tvb);
if (version >= 0)
{
conversation_t *conversation;
conversation = find_or_create_conversation(pinfo);
conversation_set_dissector_from_frame_number(conversation, pinfo->num, bt_utp_handle);
dissect_bt_utp(tvb, pinfo, tree, data);
return TRUE;
}
return FALSE;
}
static void
utp_init(void)
{
bt_utp_stream_count = 0;
}
void
proto_register_bt_utp(void)
{
static hf_register_info hf[] = {
{ &hf_bt_utp_ver,
{ "Version", "bt-utp.ver",
FT_UINT8, BASE_DEC, NULL, 0x0F,
NULL, HFILL }
},
{ &hf_bt_utp_flags,
{ "Flags", "bt-utp.flags",
FT_UINT8, BASE_DEC, VALS(bt_utp_type_vals), 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_type,
{ "Type", "bt-utp.type",
FT_UINT8, BASE_DEC, VALS(bt_utp_type_vals), 0xF0,
NULL, HFILL }
},
{ &hf_bt_utp_extension,
{ "Extension", "bt-utp.extension",
FT_NONE, BASE_NONE, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_next_extension_type,
{ "Next Extension Type", "bt-utp.next_extension_type",
FT_UINT8, BASE_DEC, VALS(bt_utp_extension_type_vals), 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_extension_len,
{ "Extension Length", "bt-utp.extension_len",
FT_UINT8, BASE_DEC|BASE_UNIT_STRING, &units_byte_bytes, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_extension_bitmask,
{ "Extension Bitmask", "bt-utp.extension_bitmask",
FT_BYTES, BASE_NONE, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_extension_unknown,
{ "Extension Unknown", "bt-utp.extension_unknown",
FT_BYTES, BASE_NONE, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_connection_id_v0,
{ "Connection ID", "bt-utp.connection_id",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_connection_id_v1,
{ "Connection ID", "bt-utp.connection_id",
FT_UINT16, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_stream,
{ "Stream index", "bt-utp.stream",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_timestamp_sec,
{ "Timestamp seconds", "bt-utp.timestamp_sec",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_timestamp_us,
{ "Timestamp Microseconds", "bt-utp.timestamp_us",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_timestamp_diff_us,
{ "Timestamp Difference Microseconds", "bt-utp.timestamp_diff_us",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_wnd_size_v0,
{ "Window Size", "bt-utp.wnd_size",
FT_UINT8, BASE_DEC, NULL, 0x0,
"V0 receive window size, in multiples of 350 bytes", HFILL }
},
{ &hf_bt_utp_wnd_size_v1,
{ "Window Size", "bt-utp.wnd_size",
FT_UINT32, BASE_DEC|BASE_UNIT_STRING, &units_byte_bytes, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_seq_nr,
{ "Sequence number", "bt-utp.seq_nr",
FT_UINT16, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_ack_nr,
{ "ACK number", "bt-utp.ack_nr",
FT_UINT16, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_len,
{ "uTP Segment Len", "bt-utp.len",
FT_UINT32, BASE_DEC, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_data,
{ "Data", "bt-utp.data",
FT_BYTES, BASE_NONE, NULL, 0x0,
NULL, HFILL }
},
{ &hf_bt_utp_pdu_size,
{ "PDU Size", "bt-utp.pdu.size",
FT_UINT32, BASE_DEC, NULL, 0x0,
"The size of this PDU", HFILL }
},
{ &hf_bt_utp_continuation_to,
{ "This is a continuation to the PDU in frame",
"bt-utp.continuation_to", FT_FRAMENUM, BASE_NONE,
NULL, 0x0, "This is a continuation to the PDU in frame #", HFILL }
},
};
/* Setup protocol subtree array */
static gint *ett[] = { &ett_bt_utp, &ett_bt_utp_extension };
module_t *bt_utp_module;
/* Register protocol */
proto_bt_utp = proto_register_protocol ("uTorrent Transport Protocol", "BT-uTP", "bt-utp");
bt_utp_module = prefs_register_protocol(proto_bt_utp, NULL);
prefs_register_obsolete_preference(bt_utp_module, "enable");
prefs_register_bool_preference(bt_utp_module,
"analyze_sequence_numbers",
"Analyze uTP sequence numbers",
"Make the uTP dissector analyze uTP sequence numbers. Currently this "
"just means that it tries to find the correct start offset of a PDU "
"if it detected that previous in-order packets spanned multiple "
"frames.",
&utp_analyze_seq);
prefs_register_bool_preference(bt_utp_module,
"enable_version0",
"Dissect prerelease (version 0) packets",
"Whether the dissector should attempt to dissect packets with the "
"obsolete format (version 0) that predates BEP 29 (22-Jun-2009)",
&enable_version0);
prefs_register_uint_preference(bt_utp_module,
"max_window_size",
"Maximum window size (in hex)",
"Maximum receive window size allowed by the dissector. Early clients "
"(and a few modern ones) set this value to 0x380000 (the default), "
"later ones use smaller values like 0x100000 and 0x40000. A higher "
"value can detect nonstandard packets, but at the cost of false "
"positives.",
16, &max_window_size);
proto_register_field_array(proto_bt_utp, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
register_init_routine(utp_init);
}
void
proto_reg_handoff_bt_utp(void)
{
/* disabled by default since heuristic is weak */
/* XXX: The heuristic is stronger now, but might still get false positives
* on packets with lots of zero bytes. Needs more testing before enabling
* by default.
*/
heur_dissector_add("udp", dissect_bt_utp_heur, "BitTorrent UTP over UDP", "bt_utp_udp", proto_bt_utp, HEURISTIC_DISABLE);
bt_utp_handle = create_dissector_handle(dissect_bt_utp, proto_bt_utp);
dissector_add_for_decode_as_with_preference("udp.port", bt_utp_handle);
bittorrent_handle = find_dissector_add_dependency("bittorrent.utp", proto_bt_utp);
}
/*
* Editor modelines
*
* Local Variables:
* c-basic-offset: 2
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* ex: set shiftwidth=2 tabstop=8 expandtab:
* :indentSize=2:tabSize=8:noTabs=true:
*/
Reference in New Issue View Git Blame Copy Permalink