search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
regen pidl all: rm epan/dissectors/pidl/*-stamp; pushd epan/dissectors/pidl/ && make...
[wireshark-sm.git] / plugins / epan / transum / decoders.c
bloba67db053f08eaecc869ca4ed9bd137d29aa5de8b
1 /* decoders.c
2 * Routines for the TRANSUM response time analyzer post-dissector
3 * By Paul Offord <paul.offord@advance7.com>
4 * Copyright 2016 Advance Seven Limited
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14
15 #include <stdio.h>
16 #include <epan/packet.h>
17 #include <epan/prefs.h>
18 #include <epan/dissectors/packet-tcp.h>
19 #include "packet-transum.h"
20 #include "preferences.h"
21 #include "extractors.h"
22 #include "decoders.h"
23
24 extern TSUM_PREFERENCES preferences;
25
26
27 /* Returns the number of sub-packets of interest */
28 int decode_syn(packet_info *pinfo _U_, proto_tree *tree _U_, PKT_INFO* pkt_info)
29 {
30 if (pkt_info->tcp_flags_ack)
31 pkt_info->rrpd.c2s = false;
32 else
33 {
34 pkt_info->rrpd.c2s = true;
35 add_detected_tcp_svc(pkt_info->dstport);
36 }
37
38 pkt_info->rrpd.session_id = 1; /* Fake session ID */
39 pkt_info->rrpd.msg_id = 1; /* Fake message ID */
40 pkt_info->rrpd.decode_based = true;
41 pkt_info->rrpd.calculation = RTE_CALC_SYN;
42 pkt_info->pkt_of_interest = true;
43
44 return 1;
45 }
46
47 /*
48 This function sets basic information in the sub_packet entry.
49 Because we don't expect multiple DCE-RPC messages in a single packet
50 we only use single PKT_INFO
51
52 Returns the number of sub-packets of interest, which in this case is always 1.
53 */
54 int decode_dcerpc(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info)
55 {
56 uint32_t field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
57 size_t field_value_count; /* How many entries are there in the extracted field array */
58 uint32_t dcerpc_cn_ctx_id = 0;
59
60 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_VER].hf, field_uint, &field_value_count))
61 {
62 if (field_value_count)
63 pkt_info->dcerpc_ver = field_uint[0];
64 }
65
66 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_PKT_TYPE].hf, field_uint, &field_value_count))
67 {
68 if (field_value_count)
69 pkt_info->dcerpc_pkt_type = field_uint[0];
70 }
71
72 if (field_value_count)
73 {
74 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_CN_CTX_ID].hf, field_uint, &field_value_count))
75 {
76 if (field_value_count)
77 dcerpc_cn_ctx_id = field_uint[0];
78 }
79
80 if (is_dcerpc_context_zero(pkt_info->dcerpc_pkt_type))
81 { /* This is needed to overcome an apparent Wireshark bug
82 found in the Lua code - is this still true in C? */
83 pkt_info->rrpd.session_id = 1;
84 }
85 else
86 {
87 if (dcerpc_cn_ctx_id)
88 pkt_info->rrpd.session_id = dcerpc_cn_ctx_id;
89 else
90 pkt_info->rrpd.session_id = 1;
91 }
92 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_CN_CALL_ID].hf, field_uint, &field_value_count))
93 {
94 if (field_value_count)
95 pkt_info->rrpd.msg_id = field_uint[0];
96 }
97 }
98 else
99 {
100 /*
101 we don't have header information and so by setting the session_id and msg_id to zero
102 the rrpd functions will either create a new rrpd_list (or temp_rsp_rrpd_list) entry
103 or update the last entry for this ip_proto:stream_no.
104 */
105 pkt_info->rrpd.session_id = 0;
106 pkt_info->rrpd.msg_id = 0;
107 }
108
109
110 if (is_dcerpc_req_pkt_type(pkt_info->dcerpc_pkt_type))
111 {
112 pkt_info->rrpd.c2s = true;
113 wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport), GUINT_TO_POINTER(RTE_CALC_DCERPC)); /* make sure we have this DCE-RPC service port set */
114 }
115 else
116 {
117 pkt_info->rrpd.c2s = false;
118 wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport), GUINT_TO_POINTER(RTE_CALC_DCERPC)); /* make sure we have this DCE-RPC service port set */
119 }
120
121 pkt_info->rrpd.decode_based = true;
122 pkt_info->rrpd.calculation = RTE_CALC_DCERPC;
123 pkt_info->pkt_of_interest = true;
124
125 return 1;
126 }
127
128 /* Returns the number of sub-packets of interest */
129 int decode_smb(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info, PKT_INFO* subpackets)
130 {
131 uint32_t field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
132 size_t field_value_count; /* How many entries are there in the extracted field array */
133
134 uint64_t ses_id[MAX_RETURNED_ELEMENTS];
135 size_t ses_id_count;
136 uint64_t msg_id[MAX_RETURNED_ELEMENTS];
137 size_t msg_id_count;
138
139 /* set the direction information */
140 if (pkt_info->dstport == 445)
141 pkt_info->rrpd.c2s = true;
142 else
143 pkt_info->rrpd.c2s = false;
144
145 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_SMB_MID].hf, field_uint, &field_value_count))
146 {
147 if (field_value_count)
148 {
149 pkt_info->rrpd.calculation = RTE_CALC_SMB1;
150 pkt_info->pkt_of_interest = false; /* can't process SMB1 at the moment */
151 return 0;
152 }
153 }
154 /* Default in case we don't have header information */
155 pkt_info->rrpd.session_id = 0;
156 pkt_info->rrpd.msg_id = 0;
157 pkt_info->rrpd.decode_based = true;
158 pkt_info->rrpd.calculation = RTE_CALC_SMB2;
159 pkt_info->pkt_of_interest = true;
160
161 extract_ui64(tree, hf_of_interest[HF_INTEREST_SMB2_MSG_ID].hf, msg_id, &msg_id_count);
162 if (msg_id_count) /* test for header information */
163 {
164 extract_ui64(tree, hf_of_interest[HF_INTEREST_SMB2_SES_ID].hf, ses_id, &ses_id_count);
165
166 for (size_t i = 0; (i < msg_id_count) && (i < MAX_SUBPKTS_PER_PACKET); i++)
167 {
168 subpackets[i].rrpd.c2s = pkt_info->rrpd.c2s;
169 subpackets[i].rrpd.ip_proto = pkt_info->rrpd.ip_proto;
170 subpackets[i].rrpd.stream_no = pkt_info->rrpd.stream_no;
171
172 subpackets[i].rrpd.session_id = ses_id[i];
173 subpackets[i].rrpd.msg_id = msg_id[i];
174
175 subpackets[i].rrpd.decode_based = true;
176 subpackets[i].rrpd.calculation = RTE_CALC_SMB2;
177 subpackets[i].pkt_of_interest = true;
178 }
179 return (int)msg_id_count;
180 }
181
182 return 1;
183 }
184
185 /* Returns the number of sub-packets of interest */
186 int decode_gtcp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info)
187 {
188 uint32_t field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
189 bool field_bool[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
190 size_t field_value_count; /* How many entries are there in the extracted field array */
191
192 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_TCP_STREAM].hf, field_uint, &field_value_count)) {
193 if (field_value_count)
194 pkt_info->rrpd.stream_no = field_uint[0];
195 }
196
197 pkt_info->srcport = pinfo->srcport;
198 pkt_info->dstport = pinfo->destport;
199
200 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_TCP_LEN].hf, field_uint, &field_value_count)) {
201 if (field_value_count)
202 pkt_info->len = field_uint[0];
203 }
204
205 if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_SYN].hf, field_bool, &field_value_count)) {
206 if (field_value_count)
207 pkt_info->tcp_flags_syn = field_bool[0];
208 }
209
210 if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_ACK].hf, field_bool, &field_value_count)) {
211 if (field_value_count)
212 pkt_info->tcp_flags_ack = field_bool[0];
213 }
214
215 if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_RESET].hf, field_bool, &field_value_count)) {
216 if (field_value_count)
217 pkt_info->tcp_flags_reset = field_bool[0];
218 }
219
220 /*
221 * This is an expert info, not a field with a value, so it's either
222 * present or not; if present, it's a retransmission.
223 */
224 if (!extract_instance_count(tree, hf_of_interest[HF_INTEREST_TCP_RETRAN].hf, &field_value_count)) {
225 if (field_value_count)
226 pkt_info->tcp_retran = true;
227 else
228 pkt_info->tcp_retran = false;
229 }
230
231 /*
232 * Another expert info.
233 */
234 if (!extract_instance_count(tree, hf_of_interest[HF_INTEREST_TCP_KEEP_ALIVE].hf, &field_value_count)) {
235 if (field_value_count)
236 pkt_info->tcp_retran = true;
237 else
238 pkt_info->tcp_retran = false;
239 }
240
241 /* we use the SSL Content Type to detect SSL Alerts */
242 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_SSL_CONTENT_TYPE].hf, field_uint, &field_value_count))
243 {
244 if (field_value_count)
245 pkt_info->ssl_content_type = field_uint[0];
246 else
247 pkt_info->ssl_content_type = 0;
248 }
249
250 if (wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL ||
251 wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport)) != NULL)
252 {
253 if (wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL)
254 pkt_info->rrpd.c2s = true;
255
256 pkt_info->rrpd.is_retrans = pkt_info->tcp_retran;
257 pkt_info->rrpd.session_id = 0;
258 pkt_info->rrpd.msg_id = 0;
259 pkt_info->rrpd.calculation = RTE_CALC_GTCP;
260 pkt_info->rrpd.decode_based = false;
261 if (pkt_info->len > 0)
262 pkt_info->pkt_of_interest = true;
263
264 return 1;
265 }
266
267 return 0;
268 }
269
270 /* Returns the number of sub-packets of interest */
271 int decode_dns(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info)
272 {
273 uint32_t field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
274 size_t field_value_count; /* How many entries are there in the extracted field array */
275
276 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DNS_ID].hf, field_uint, &field_value_count)) {
277 if (field_value_count)
278 pkt_info->rrpd.msg_id = field_uint[0];
279 }
280
281 pkt_info->rrpd.session_id = 1;
282 pkt_info->rrpd.decode_based = true;
283 pkt_info->rrpd.calculation = RTE_CALC_DNS;
284 pkt_info->pkt_of_interest = true;
285
286 return 1;
287 }
288
289 /* Returns the number of sub-packets of interest */
290 int decode_gudp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info)
291 {
292 uint32_t field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
293 size_t field_value_count; /* How many entries are there in the extracted field array */
294
295 pkt_info->srcport = pinfo->srcport;
296 pkt_info->dstport = pinfo->destport;
297
298 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_UDP_STREAM].hf, field_uint, &field_value_count)) {
299 if (field_value_count)
300 pkt_info->rrpd.stream_no = field_uint[0];
301 }
302
303 if (!extract_uint(tree, hf_of_interest[HF_INTEREST_UDP_LENGTH].hf, field_uint, &field_value_count)) {
304 if (field_value_count)
305 pkt_info->len = field_uint[0];
306 }
307
308 if ((wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL) ||
309 (wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport)) != NULL))
310 {
311 if (wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL)
312 pkt_info->rrpd.c2s = true;
313
314 pkt_info->rrpd.session_id = 0;
315 pkt_info->rrpd.msg_id = 0;
316 pkt_info->rrpd.decode_based = false;
317 pkt_info->rrpd.calculation = RTE_CALC_GUDP;
318 pkt_info->pkt_of_interest = true;
319 }
320
321 return 1;
322 }
323
324 /*
325 * Editor modelines - https://www.wireshark.org/tools/modelines.html
326 *
327 * Local variables:
328 * c-basic-offset: 4
329 * tab-width: 8
330 * indent-tabs-mode: nil
331 * End:
332 *
333 * vi: set shiftwidth=4 tabstop=8 expandtab:
334 * :indentSize=4:tabSize=8:noTabs=true:
335 */
Metzes wireshark repo