| blob | ce5c5d3c744afabe466b45f0f19acfec001f59c7 |
1 /* packet-tcp.c
2 * Routines for TCP packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
13 #include <epan/packet.h>
14 #include <epan/capture_dissectors.h>
15 #include <epan/exceptions.h>
16 #include <epan/addr_resolv.h>
17 #include <epan/ipproto.h>
18 #include <epan/expert.h>
19 #include <epan/ip_opts.h>
20 #include <epan/follow.h>
21 #include <epan/prefs.h>
22 #include <epan/show_exception.h>
23 #include <epan/conversation_table.h>
24 #include <epan/conversation_filter.h>
25 #include <epan/sequence_analysis.h>
26 #include <epan/reassemble.h>
27 #include <epan/decode_as.h>
28 #include <epan/exported_pdu.h>
29 #include <epan/in_cksum.h>
30 #include <epan/proto_data.h>
31 #include <epan/tfs.h>
32 #include <epan/unit_strings.h>
34 #include <wsutil/array.h>
35 #include <wsutil/utf8_entities.h>
36 #include <wsutil/str_util.h>
37 #include <wsutil/wsgcrypt.h>
38 #include <wsutil/pint.h>
39 #include <wsutil/ws_assert.h>
52 /* Place TCP summary in proto tree */
57 }
59 #define MPTCP_DSS_FLAG_DATA_ACK_PRESENT 0x01
60 #define MPTCP_DSS_FLAG_DATA_ACK_8BYTES 0x02
61 #define MPTCP_DSS_FLAG_MAPPING_PRESENT 0x04
62 #define MPTCP_DSS_FLAG_DSN_8BYTES 0x08
63 #define MPTCP_DSS_FLAG_DATA_FIN_PRESENT 0x10
65 /*
66 * Flag to control whether to check the TCP checksum.
67 *
68 * In at least some Solaris network traces, there are packets with bad
69 * TCP checksums, but the traffic appears to indicate that the packets
70 * *were* received; the packets were probably sent by the host on which
71 * the capture was being done, on a network interface to which
72 * checksumming was offloaded, so that DLPI supplied an un-checksummed
73 * packet to the capture program but a checksummed packet got put onto
74 * the wire.
75 */
78 /*
79 * Window scaling values to be used when not known (set as a preference) */
83 WindowScaling_1,
84 WindowScaling_2,
85 WindowScaling_3,
86 WindowScaling_4,
87 WindowScaling_5,
88 WindowScaling_6,
89 WindowScaling_7,
90 WindowScaling_8,
91 WindowScaling_9,
92 WindowScaling_10,
93 WindowScaling_11,
94 WindowScaling_12,
95 WindowScaling_13,
96 WindowScaling_14
97 };
99 /*
100 * Analysis overriding values to be used when not satisfied by the automatic
101 * result. (Accessed through preferences but not stored as a preference)
102 */
105 OverrideAnalysis_1,
106 OverrideAnalysis_2,
107 OverrideAnalysis_3,
108 OverrideAnalysis_4
109 };
111 /*
112 * Using enum instead of boolean make API easier
113 */
115 DSN_CONV_64_TO_32,
116 DSN_CONV_32_TO_64,
117 DSN_CONV_NONE
118 } ;
120 #define MPTCP_TCPRST_FLAG_T_PRESENT 0x1
121 #define MPTCP_TCPRST_FLAG_W_PRESENT 0x2
122 #define MPTCP_TCPRST_FLAG_V_PRESENT 0x4
123 #define MPTCP_TCPRST_FLAG_U_PRESENT 0x8
134 };
487 /* static expert_field ei_mptcp_analysis_unexpected_idsn; */
493 /* static expert_field ei_mptcp_stream_incomplete; */
494 /* static expert_field ei_mptcp_analysis_dsn_out_of_order; */
496 /* Some protocols such as encrypted DCE/RPCoverHTTP have dependencies
497 * from one PDU to the next PDU and require that they are called in sequence.
498 * These protocols would not be able to handle PDUs coming out of order
499 * or for example when a PDU is seen twice, like for retransmissions.
500 * This preference can be set for such protocols to make sure that we don't
501 * invoke the subdissectors for retransmitted or out-of-order segments.
502 */
505 /* Enable buffering of out-of-order TCP segments before passing it to a
506 * subdissector (depends on "tcp_desegment"). */
509 /*
510 * FF: https://www.rfc-editor.org/rfc/rfc6994.html
511 * With this flag set we assume the option structure for experimental
512 * codepoints (253, 254) has an Experiment Identifier (ExID), which is
513 * the first 16-bit field after the Kind and Length.
514 * The ExID is used to differentiate different experiments and thus will
515 * be used in data dissection.
516 */
519 /*
520 * This flag indicates which of Fast Retransmission or Out-of-Order
521 * interpretation should supersede when analyzing an ambiguous packet as
522 * things are not always clear. The user is authorized to change this
523 * behavior.
524 * When set, we keep the historical interpretation (Fast RT > OOO)
525 */
528 /* Process info, currently discovered via IPFIX */
531 /* Read the sequence number as syn cookie */
534 /*
535 * TCP option
536 */
543 #define TCPOPT_ECHO 6
544 #define TCPOPT_ECHOREPLY 7
546 #define TCPOPT_CC 11
547 #define TCPOPT_CCNEW 12
548 #define TCPOPT_CCECHO 13
563 /* Non IANA registered option numbers */
567 /*
568 * TCP option lengths
569 */
570 #define TCPOLEN_MSS 4
571 #define TCPOLEN_WINDOW 3
572 #define TCPOLEN_SACK_PERM 2
573 #define TCPOLEN_SACK_MIN 2
574 #define TCPOLEN_ECHO 6
575 #define TCPOLEN_ECHOREPLY 6
576 #define TCPOLEN_TIMESTAMP 10
577 #define TCPOLEN_CC 6
578 #define TCPOLEN_CCNEW 6
579 #define TCPOLEN_CCECHO 6
580 #define TCPOLEN_MD5 18
581 #define TCPOLEN_SCPS 4
582 #define TCPOLEN_SNACK 6
583 #define TCPOLEN_RECBOUND 2
584 #define TCPOLEN_CORREXP 2
585 #define TCPOLEN_QS 8
586 #define TCPOLEN_USER_TO 4
587 #define TCPOLEN_MPTCP_MIN 3
588 #define TCPOLEN_TFO_MIN 2
589 #define TCPOLEN_RVBD_PROBE_MIN 3
590 #define TCPOLEN_RVBD_TRPY_MIN 16
591 #define TCPOLEN_EXP_MIN 4
593 /*
594 * TCP Experimental Option Experiment Identifiers (TCP ExIDs)
595 * See: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-exids
596 * Wireshark only supports 16-bit ExIDs
597 */
599 #define TCPEXID_TARR 0x00ac
600 #define TCPEXID_HOST_ID 0x0348
601 #define TCPEXID_ASC 0x0a0d
602 #define TCPEXID_CAPABILITY 0x0ca0
603 #define TCPEXID_EDO 0x0ed0
604 #define TCPEXID_ENO 0x454e
605 #define TCPEXID_SNO 0x5323
607 #define TCPEXID_ACC_ECN_0 0xacc0
608 #define TCPEXID_ACC_ECN_1 0xacc1
609 #define TCPEXID_ACC_ECN 0xacce
611 #define TCPEXID_FO 0xf989
612 #define TCPEXID_LOW_LATENCY 0xf990
614 /*
615 * Multipath TCP subtypes
616 */
627 /*
628 * Conversation Completeness values
629 */
639 };
681 };
700 };
702 /* not all of the hf_fields below make sense for TCP but we have to provide
703 them anyways to comply with the API (which was aimed for IP fragment
704 reassembly) */
719 "Segments"
720 };
734 };
736 /* Source https://support.citrix.com/article/CTX200852/citrix-adc-netscaler-reset-codes-reference
737 Dates of source: Created: 31 Mar 2015 | Modified: 21 Jan 2023
738 Date of last dictionary update: 2024/07/11
739 NOTE: When updating don't just overwrite the dictionary, the definitions below are more polished than the ones in the CTX. */
742 { 8201, "NSDBG_RST_SSTRAY: This reset code is triggered when packets are received on a socket that has already been closed. For example, if a client computer continues transmitting after receiving a RST code for other reasons, then it receives this RST code for the subsequent packets." },
743 { 8202, "NSDBG_RST_CSTRAY: This code is triggered when the NetScaler appliance receives data through a connection, which does not have a PCB, and its SYN cookie has expired." },
746 { 8206, "Received a bad packet in TCPS_SYN_SENT state (non RST packet). Usually happens if the 4 tuples are reused and you receive packet from the old connection." },
747 { 8207, "Received SYN on established connection which is within the window. Protects from spoofing attacks." },
748 { 8208, "Resets the connection when you receive more than the configured value of duplicate retransmissions." },
751 { 8211, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
752 { 8212, "Stray packet (no listening service or listening service is present but SYN cookie does not match or there is no corresponding connection information). 8212 is specifically for SYN stray packets." },
755 { 9100, "NSDBG_RST_ORP: This code refers to an orphan HTTP connection. Probably, a connection where data is initially seen either from the server or client, but stopped because of some reason, without closing the TCP session. It indicates that the client request was not properly terminated. Therefore, the NetScaler appliance waits for the request to be completed. After a timeout, the NetScaler appliance resets the connection with the code 9100." },
756 { 9201, "HTTP connection multiplexing error. Server sent response packets belonging to previous transaction." },
757 { 9202, "NSDBG_RST_LERRCDM: CDM refers to Check Data Mixing. This reset code is set when there is a TCP sequence mismatch in the first data packet, arriving from a recently reused server connection." },
758 { 9203, "NSDBG_RST_CLT_CHK_MIX: This code refers to the server sending a FIN for a previous client over a reused connection." },
759 { 9205, "NSDBG_RST_CHUNK_FAIL: This code indicates that the NetScaler appliance experienced issues with the chunked encoding in the HTTP response from the server." },
773 { 9222, "This is sent when the response is RFC non-compliant. The issue is caused by both Content-Length and Transfer-Encoding in response being invalid, which may lead to a variety of attacks and leads to the reset." },
774 { 9300, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
775 { 9301, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
776 { 9302, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
777 { 9303, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
778 { 9304, "NSDBG_RST_LINK_GIVEUPS: This reset code might be part of a backend-persistence mechanism, which is used to free resources on the NetScaler. By default, the NetScaler uses a zero window probe 7 times before giving up and resetting the connection. By disabling this mechanism, the appliance holds the sessions without this limit. The following is the command to disable the persistence probe limit: root@ns# nsapimgr -ys limited_persistprobe=0 The default value is 1, which limits to 7 probes, which is around 2 minutes. Setting the value to zero disables it and keeps the session open as long as the server sends an ACK signal in response to the probes." },
786 { 9400, "Reset server connection which are in reusepool and are not reusable because of TCP or Session level properties. Usually this is done when we need to open new connections but there is limit on connection we can open to the server and there are some already built up connections which are not reusable." },
787 { 9401, "When you reach maximum system capacity flushing existing connections based time order to accommodate new connections. Or when we remove an configured entity which as associated connections those connection will be reset." },
800 { 9601, "Reset when Number of data packets with Sequence ACK mismatch > nscfg_max_orphan_pkts." },
802 { 9700, "NSDBG_RST_PASS: This code indicates that the NetScaler appliance receives a TCP RST code from either the client or the server, and is transferring it. For example, the back end server sends a RST code, and the NetScaler appliance forwards it to the client with this code." },
803 { 9701, "NSDBG_RST_NEST / NSDBG_RST_ACK_PASS: The NetScaler software release 9.1 and the later versions, this code indicates #define NSBE_DBG_RST_ACK_PASS. It indicates that a RST code was forwarded as in the preceding RST code 9700, and the ACK flag was also set." },
806 { 9800, "NSDBG_RST_PROBE: This connections used for monitoring the service are reset due to timeout." },
808 { 9811, "NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet." },
811 { 9814, "NSDBG_RST_PETRIGGER: This reset code is used when a request or response matches a Policy Engine policy, whose action is RESET." },
813 { 9817, "SSL connection received at the time of bound certificate changing (configuration change)." },
819 { 9823, "Reset when the NSC_AAAC cookie is malformed in a request or /vpn/apilogin.html request does not have a query part, memory allocation failures in certificate processing." },
821 { 9825, "DBG_WRONG_GSLBRECDLEN: This code is a GSLB MEP error reset code, typically between mixed versions." },
833 { 9838, "NSBE_DBG_RST_SSL_BAD_RECORD: This code refers to error looking up SSL record when handling a request or a response." },
854 { 9860, "The pcb->link of this connection was cleaned for some reason, so resetting this PCB." },
857 { 9863, "Reset to old connection when new connection is established and old one is still not freed." },
886 { 9903, "GSLB feature is disabled. Donot accept any connections and close any existing ones." },
915 { 9973, "Reset on rest of SF after fallback to infinite map as only one SF should be present." },
957 };
973 /*
974 * Maps an MPTCP token to a mptcp_analysis structure
975 * Collisions are not handled
976 */
984 NULL
985 };
993 NULL
994 };
998 NULL
999 };
1007 NULL
1008 };
1015 NULL
1016 };
1020 static uint8_t
1022 {
1028 }
1031 }
1034 }
1036 }
1040 {
1041 static const char flags[][4] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "AE" };
1043 const int maxlength = 64; /* upper bounds, max 53B: 8 * 3 + 2 + strlen("Reserved") + 9 * 2 + 1 */
1058 }
1059 }
1064 }
1070 }
1076 }
1080 {
1087 /* upper three bytes are marked as reserved ('R'). */
1094 }
1100 }
1101 }
1102 }
1105 }
1107 /*
1108 * Print the first letter of each flag set, or the dot character otherwise
1109 */
1112 {
1117 else
1122 else
1127 else
1132 else
1137 else
1142 else
1146 }
1148 static void
1150 {
1151 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));
1154 }
1158 {
1160 }
1162 static void
1164 {
1165 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1168 }
1172 {
1174 }
1176 static void
1178 {
1179 uint32_t srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num)),
1180 destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1181 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
1182 }
1185 {
1198 }
1205 }
1212 }
1219 }
1222 }
1226 /*
1227 * callback function for conversation stats
1228 */
1230 {
1235 else
1237 }
1239 static tap_packet_status
1240 tcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1241 {
1247 add_conversation_table_data_extended(hash, &tcphdr->ip_src, &tcphdr->ip_dst, tcphdr->th_sport, tcphdr->th_dport, (conv_id_t) tcphdr->th_stream, 1, pinfo->fd->pkt_len,
1248 &pinfo->rel_ts, &pinfo->abs_ts, &tcp_ct_dissector_info, CONVERSATION_TCP, (uint32_t)pinfo->num, tcp_conv_cb_update);
1252 }
1254 static tap_packet_status
1255 mptcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1256 {
1268 }
1270 static const char* tcp_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter)
1271 {
1283 }
1290 }
1297 }
1304 }
1307 }
1311 static tap_packet_status
1312 tcpip_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1313 {
1319 /* Take two "add" passes per packet, adding for each direction, ensures that all
1320 packets are counted properly (even if address is sending to itself)
1321 XXX - this could probably be done more efficiently inside endpoint_table */
1322 add_endpoint_table_data(hash, &tcphdr->ip_src, tcphdr->th_sport, true, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1323 add_endpoint_table_data(hash, &tcphdr->ip_dst, tcphdr->th_dport, false, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1326 }
1328 static bool
1330 {
1332 }
1336 {
1338 }
1341 /****************************************************************************/
1342 /* whenever a TCP packet is seen by the tap listener */
1343 /* Add a new tcp frame into the graph */
1344 static tap_packet_status
1345 tcp_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *tcp_info, tap_flags_t tapflags _U_)
1346 {
1364 }
1367 }
1373 else
1383 }
1386 char *tcp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, unsigned *stream, unsigned *sub_stream _U_)
1387 {
1391 /* XXX: Since TCP doesn't use the endpoint API, we can only look
1392 * up using the current pinfo addresses and ports. We don't want
1393 * to create a new conversation or new TCP stream.
1394 * Eventually the endpoint API should support storing multiple
1395 * endpoints and TCP should be changed to use the endpoint API.
1396 */
1402 {
1403 /* TCP over IPv4/6 */
1410 }
1413 }
1416 {
1418 }
1420 char *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
1421 {
1430 "(ip%s.dst eq %s and tcp.dstport eq %d))"
1431 " or "
1432 "((ip%s.src eq %s and tcp.srcport eq %d) and "
1439 }
1442 {
1449 /*
1450 * Tries to apply segments from fragments list to the reconstructed payload.
1451 * Fragments that can be appended to the end of the payload will be applied (and
1452 * removed from the list). Fragments that should have been received (according
1453 * to the ack number) will also be appended to the payload (preceded by some
1454 * dummy data to mark packet loss if any).
1455 *
1456 * Returns true if one fragment has been applied or false if no more fragments
1457 * can be added to the payload (there might still be unacked fragments with
1458 * missing segments before them).
1459 */
1460 static bool
1461 check_follow_fragments(follow_info_t *follow_info, bool is_server, uint32_t acknowledged, uint32_t packet_num, bool use_ack)
1462 {
1476 {
1481 }
1485 /* this sequence number seems dated, but
1486 check the end to make sure it has no more
1487 info than we have already seen */
1492 /* this one has more than we have seen. let's get the
1493 payload that we have not seen. This happens when
1494 part of this frame has been retransmitted */
1510 new_frag_size);
1513 }
1516 }
1518 /* Remove the fragment from the list as the "new" part of it
1519 * has been processed or its data has been seen already in
1520 * another packet. */
1523 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1525 }
1528 /* this fragment fits the stream */
1531 }
1534 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1536 }
1537 }
1540 /* There are frames missing in the capture file that were seen
1541 * by the receiving host. Add dummy stream chunk with the data
1542 * "[xxx bytes missing in capture file]".
1543 */
1546 // XXX the dummy replacement could be larger than the actual missing bytes.
1561 }
1564 }
1566 static tap_packet_status
1569 {
1582 sequence++;
1583 }
1590 }
1592 is_server = !(addresses_equal(&follow_info->client_ip, &pinfo->src) && follow_info->client_port == pinfo->srcport);
1594 /* Check whether this frame ACKs fragments in flow from the other direction.
1595 * This happens when frames are not in the capture file, but were actually
1596 * seen by the receiving host (Fixes bug 592).
1597 */
1599 while (check_follow_fragments(follow_info, !is_server, follow_data->tcph->th_ack, pinfo->fd->num, true));
1600 }
1602 /*
1603 * If this is the first segment of this stream, initialize the next expected
1604 * sequence number. If there is any data, it will be added below.
1605 */
1608 }
1610 /* We have already seen this src (and received some segments), let's figure
1611 * out whether this segment extends the stream or overlaps a previous gap. */
1613 /* This sequence number seems dated, but check the end in case it was a
1614 * retransmission with more data. */
1617 /* The begin of the segment was already seen, try to add the
1618 * remaining data that we have not seen to the payload. */
1624 }
1628 }
1629 }
1630 /*
1631 * Ignore segments that have no new data (either because it was empty, or
1632 * because it was fully overlapping with previously received data).
1633 */
1636 }
1645 data_length);
1648 /* The segment overlaps or extends the previous end of stream. */
1653 /* done with the packet, see if it caused a fragment to fit */
1656 /* Out of order packet (more preceding segments are expected). */
1657 follow_info->fragments[is_server] = g_list_append(follow_info->fragments[is_server], follow_record);
1658 }
1660 }
1662 #define EXP_PDU_TCP_INFO_DATA_LEN 20
1663 #define EXP_PDU_TCP_INFO_VERSION 1
1664 #define EXP_PDU_TAG_TCP_STREAM_ID_LEN 4
1667 {
1669 }
1671 static int exp_pdu_tcp_dissector_data_populate_data(packet_info *pinfo _U_, void* data, uint8_t *tlv_buffer, uint32_t buffer_size _U_)
1672 {
1686 }
1690 {
1691 /* Check to see if the tvb we're planning on exporting PDUs from was
1692 * dissected fully, or whether it requested further desegmentation.
1693 * This should only matter on the first pass (so in one-pass tshark.)
1694 */
1696 /* Desegmentation was requested. How much did we desegment here?
1697 * The rest, presumably, will be handled in another frame.
1698 */
1700 /* We couldn't, in fact, dissect any of it. */
1702 }
1704 }
1706 }
1708 static void
1709 handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, uint32_t port, struct tcpinfo *tcpinfo)
1710 {
1715 }
1716 exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
1717 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1728 NULL
1729 };
1736 exp_pdu_data = export_pdu_create_tags(pinfo, "tcp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, tcp_exp_pdu_items);
1741 /* match uint is restored after calling dissector, so in order to have the right value in exported PDU
1742 * we need to set it here.
1743 */
1745 }
1746 }
1748 static void
1749 handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry, struct tcpinfo *tcpinfo)
1750 {
1757 }
1762 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1771 NULL
1772 };
1776 exp_pdu_data = export_pdu_create_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_DISSECTOR_NAME, tcp_exp_pdu_items);
1777 }
1785 }
1786 }
1787 }
1789 static void
1790 handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int src_port, int dst_port, struct tcpinfo *tcpinfo)
1791 {
1796 }
1797 conversation_t *conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_TCP, src_port, dst_port, 0);
1799 {
1800 dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
1802 {
1803 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1812 NULL
1813 };
1819 exp_pdu_data = export_pdu_create_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_DISSECTOR_NAME, tcp_exp_pdu_items);
1825 }
1826 }
1827 }
1828 }
1830 /*
1831 * display the TCP Conversation Completeness
1832 * we of course pay much attention on complete conversations but also incomplete ones which
1833 * have a regular start, as in practice we are often looking for such thing
1834 */
1836 {
1842 TCP_COMPLETENESS_SYNACK):
1846 TCP_COMPLETENESS_SYNACK|
1847 TCP_COMPLETENESS_ACK):
1851 TCP_COMPLETENESS_SYNACK|
1852 TCP_COMPLETENESS_ACK|
1853 TCP_COMPLETENESS_DATA):
1857 TCP_COMPLETENESS_SYNACK|
1858 TCP_COMPLETENESS_ACK|
1859 TCP_COMPLETENESS_DATA|
1860 TCP_COMPLETENESS_FIN):
1862 TCP_COMPLETENESS_SYNACK|
1863 TCP_COMPLETENESS_ACK|
1864 TCP_COMPLETENESS_DATA|
1865 TCP_COMPLETENESS_RST):
1867 TCP_COMPLETENESS_SYNACK|
1868 TCP_COMPLETENESS_ACK|
1869 TCP_COMPLETENESS_DATA|
1870 TCP_COMPLETENESS_FIN|
1871 TCP_COMPLETENESS_RST):
1875 TCP_COMPLETENESS_SYNACK|
1876 TCP_COMPLETENESS_ACK|
1877 TCP_COMPLETENESS_FIN):
1879 TCP_COMPLETENESS_SYNACK|
1880 TCP_COMPLETENESS_ACK|
1881 TCP_COMPLETENESS_RST):
1883 TCP_COMPLETENESS_SYNACK|
1884 TCP_COMPLETENESS_ACK|
1885 TCP_COMPLETENESS_FIN|
1886 TCP_COMPLETENESS_RST):
1892 }
1893 }
1895 /* TCP structs and definitions */
1897 /* **************************************************************************
1898 * RTT, relative sequence numbers, window scaling & etc.
1899 * **************************************************************************/
1912 #define TCP_A_RETRANSMISSION 0x0001
1913 #define TCP_A_LOST_PACKET 0x0002
1914 #define TCP_A_ACK_LOST_PACKET 0x0004
1915 #define TCP_A_KEEP_ALIVE 0x0008
1916 #define TCP_A_DUPLICATE_ACK 0x0010
1917 #define TCP_A_ZERO_WINDOW 0x0020
1918 #define TCP_A_ZERO_WINDOW_PROBE 0x0040
1919 #define TCP_A_ZERO_WINDOW_PROBE_ACK 0x0080
1920 #define TCP_A_KEEP_ALIVE_ACK 0x0100
1921 #define TCP_A_OUT_OF_ORDER 0x0200
1922 #define TCP_A_FAST_RETRANSMISSION 0x0400
1923 #define TCP_A_WINDOW_UPDATE 0x0800
1924 #define TCP_A_WINDOW_FULL 0x1000
1925 #define TCP_A_REUSED_PORTS 0x2000
1926 #define TCP_A_SPURIOUS_RETRANSMISSION 0x4000
1928 /* This flag for desegment_tcp to exclude segments with previously
1929 * seen sequence numbers.
1930 * It is from the perspective of Wireshark's reassembler, whereas
1931 * the other flags above are from the perspective of the sender.
1932 * (E.g., TCP_A_RETRANSMISSION or TCP_A_SPURIOUS_RETRANSMISSION
1933 * can be set even when first appearance in the capture file.)
1934 */
1935 #define TCP_A_OLD_DATA 0x8000
1937 /* Static TCP flags. Set in tcp_flow_t:static_flags */
1938 #define TCP_S_BASE_SEQ_SET 0x01
1939 #define TCP_S_SAW_SYN 0x03
1940 #define TCP_S_SAW_SYNACK 0x05
1943 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1944 #define MPTCP_META_HAS_BASE_DSN_MSB 0x01
1945 #define MPTCP_META_HAS_KEY 0x03
1946 #define MPTCP_META_HAS_TOKEN 0x04
1947 #define MPTCP_META_HAS_ADDRESSES 0x08
1949 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1950 #define MPTCP_SUBFLOW_HAS_NONCE 0x01
1951 #define MPTCP_SUBFLOW_HAS_ADDRESS_ID 0x02
1953 /* MPTCP meta analysis related */
1954 #define MPTCP_META_CHECKSUM_REQUIRED 0x0002
1956 /* if we have no key for this connection, some conversion become impossible,
1957 * thus return false
1958 */
1959 static
1960 bool
1961 mptcp_convert_dsn(uint64_t dsn, mptcp_meta_flow_t *meta, enum mptcp_dsn_conversion conv, bool relative, uint64_t *result ) {
1965 /* if relative is set then we need the 64 bits version anyway
1966 * we assume no wrapping was done on the 32 lsb so this may be wrong for elephant flows
1967 */
1971 /* can't do those without the expected_idsn based on the key */
1973 }
1974 }
1978 }
1982 }
1986 }
1989 }
1992 static void
2001 {
2004 /* Initialize the tcp protocol data structure to add to the tcp conversation */
2017 }
2019 /* Only allocate the data if its actually going to be analyzed */
2021 {
2022 tcpd->flow1.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2023 tcpd->flow2.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2024 }
2025 /* Only allocate the data if its actually going to be displayed */
2027 {
2030 }
2055 }
2057 /* setup meta as well */
2058 static void
2060 {
2067 }
2070 /* add a new subflow to an mptcp connection */
2071 static void
2076 }
2078 /* in case we merge 2 mptcp connections */
2080 }
2084 {
2087 /* Get the data for this conversation */
2091 }
2095 {
2100 /* Did the caller supply the conversation pointer? */
2102 /* If the caller didn't supply a conversation, don't
2103 * clear the analysis, it may be needed */
2106 }
2108 /* Get the data for this conversation */
2112 /* if the addresses are equal, match the ports instead */
2115 }
2116 /* If the conversation was just created or it matched a
2117 * conversation with template options, tcpd will not
2118 * have been initialized. So, initialize
2119 * a new tcpd structure for the conversation.
2120 */
2124 }
2128 }
2130 /* check direction and get ua lists */
2137 }
2141 }
2143 }
2145 /* Attach process info to a flow */
2146 /* XXX - We depend on the TCP dissector finding the conversation first */
2147 void
2148 add_tcp_process_info(uint32_t frame_num, address *local_addr, address *remote_addr, uint16_t local_port, uint16_t remote_port, uint32_t uid, uint32_t pid, char *username, char *command) {
2156 conv = find_conversation(frame_num, local_addr, remote_addr, CONVERSATION_TCP, local_port, remote_port, 0);
2159 }
2164 }
2166 if (cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0 && local_port == conversation_key_port1(conv->key_ptr)) {
2168 } else if (cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0 && remote_port == conversation_key_port1(conv->key_ptr)) {
2170 }
2173 }
2182 }
2184 /* Return the current stream count */
2186 {
2188 }
2190 /* Return the mptcp current stream count */
2192 {
2194 }
2196 /* Calculate the timestamps relative to this conversation */
2197 static void
2200 {
2204 }
2209 /* pre-increment so packet numbers start at 1 */
2217 }
2219 /* Add a subtree with the timestamps relative to this conversation */
2220 static void
2221 tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2222 {
2225 nstime_t ts;
2238 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
2244 }
2245 }
2247 static void
2248 print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
2249 {
2256 }
2258 /* if we know that a PDU starts inside this segment, return the adjusted
2259 offset to where that PDU starts or just return offset back
2260 and let TCP try to find out what it can about this segment
2261 */
2262 static int
2263 scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, uint32_t seq, uint32_t nxtseq, wmem_tree_t *multisegment_pdus)
2264 {
2270 /* If this is a continuation of a PDU started in a
2271 * previous segment we need to update the last_frame
2272 * variables.
2273 */
2278 }
2280 /* If this segment is completely within a previous PDU
2281 * then we just skip this packet
2282 */
2285 }
2289 }
2291 }
2293 /* First we try to find the start and transfer time for a PDU.
2294 * We only print this for the very first segment of a PDU
2295 * and only for PDUs spanning multiple segments.
2296 * Se we look for if there was any multisegment PDU started
2297 * just BEFORE the end of this segment. I.e. either inside this
2298 * segment or in a previous segment.
2299 * Since this might also match PDUs that are completely within
2300 * this segment we also verify that the found PDU does span
2301 * beyond the end of this segment.
2302 */
2307 nstime_t ns;
2316 }
2317 }
2319 /* Second we check if this segment is part of a PDU started
2320 * prior to the segment (seq-1)
2321 */
2324 /* If this segment is completely within a previous PDU
2325 * then we just skip this packet
2326 */
2330 }
2335 }
2336 }
2338 }
2340 }
2342 /* if we saw a PDU that extended beyond the end of the segment,
2343 use this function to remember where the next pdu starts
2344 */
2346 pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, uint32_t seq, uint32_t nxtpdu, wmem_tree_t *multisegment_pdus)
2347 {
2359 /*ws_warning("pdu_store_sequencenumber_of_next_pdu: seq %u", seq);*/
2361 }
2363 /* This is called for SYN and SYN+ACK packets and the purpose is to verify
2364 * that we have seen window scaling in both directions.
2365 * If we can't find window scaling being set in both directions
2366 * that means it was present in the SYN but not in the SYN+ACK
2367 * (or the SYN was missing) and then we disable the window scaling
2368 * for this tcp session.
2369 */
2370 static void
2372 {
2374 /* We know window scaling will not be used as:
2375 * a) this is the SYN and it does not have the WS option
2376 * (we set the reverse win_scale also in case we miss
2377 * the SYN/ACK)
2378 * b) this is the SYN/ACK and either the SYN packet has not
2379 * been seen or it did have the WS option. As the SYN/ACK
2380 * does not have the WS option, window scaling will not be used.
2381 *
2382 * Setting win_scale to -2 to indicate that we can
2383 * trust the window_size value in the TCP header.
2384 */
2389 /* The SYN/ACK has the WS option, while the SYN did not,
2390 * this should not happen, but the endpoints will not
2391 * have used window scaling, so we will neither
2392 */
2394 }
2395 }
2397 /* given a tcpd, returns the mptcp_subflow that sides with meta */
2400 {
2401 /* select the tcp_flow with appropriate direction */
2404 }
2407 }
2408 }
2410 /* if we saw a window scaling option, store it for future reference
2411 */
2412 static void
2414 {
2417 }
2419 /* when this function returns, it will (if createflag) populate the ta pointer.
2420 */
2421 static void
2422 tcp_analyze_get_acked_struct(uint32_t frame, uint32_t seq, uint32_t ack, bool createflag, struct tcp_analysis *tcpd)
2423 {
2441 }
2447 }
2448 }
2452 /* fwd contains a list of all segments processed but not yet ACKed in the
2453 * same direction as the current segment.
2454 * rev contains a list of all segments received but not yet ACKed in the
2455 * opposite direction to the current segment.
2456 *
2457 * New segments are always added to the head of the fwd/rev lists.
2458 *
2459 * Changes below should be synced with ChAdvTCPAnalysis in the User's
2460 * Guide: doc/wsug_src/WSUG_chapter_advanced.adoc
2461 */
2462 static void
2463 tcp_analyze_sequence_number(packet_info *pinfo, uint32_t seq, uint32_t ack, uint32_t seglen, uint16_t flags, uint32_t window, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2464 {
2469 #if 0
2471 printf("FWD list lastflags:0x%04x base_seq:%u: nextseq:%u lastack:%u\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq,tcpd->fwd->tcp_analyze_seq_info->nextseq,tcpd->rev->tcp_analyze_seq_info->lastack);
2474 printf("REV list lastflags:0x%04x base_seq:%u nextseq:%u lastack:%u\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq,tcpd->rev->tcp_analyze_seq_info->nextseq,tcpd->fwd->tcp_analyze_seq_info->lastack);
2477 #endif
2481 }
2485 }
2487 /* ZERO WINDOW PROBE
2488 * it is a zero window probe if
2489 * the sequence number is the next expected one
2490 * the window in the other direction is 0
2491 * the segment is exactly 1 byte
2492 */
2498 }
2501 }
2504 /* ZERO WINDOW
2505 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
2506 */
2511 }
2513 }
2516 /* LOST PACKET
2517 * If this segment is beyond the last seen nextseq we must
2518 * have missed some previous segment
2519 *
2520 * We only check for this if we have actually seen segments prior to this
2521 * one.
2522 * RST packets are not checked for this.
2523 */
2529 }
2532 /* Disable BiF until an ACK is seen in the other direction */
2534 }
2537 /* KEEP ALIVE
2538 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
2539 * to what should be the next sequence number.
2540 * SYN/FIN/RST segments are never keepalives
2541 */
2547 }
2549 }
2551 /* WINDOW UPDATE
2552 * A window update is a 0 byte segment with the same SEQ/ACK numbers as
2553 * the previous seen segment and with a new window value
2554 */
2556 && window
2563 }
2565 }
2568 /* WINDOW FULL
2569 * If we know the window scaling
2570 * and if this segment contains data and goes all the way to the
2571 * edge of the advertised window
2572 * then we mark it as WINDOW FULL
2573 * SYN/RST/FIN packets are never WINDOW FULL
2574 */
2577 && (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
2581 }
2583 }
2586 /* KEEP ALIVE ACK
2587 * It is a keepalive ack if it repeats the previous ACK and if
2588 * the last segment in the reverse direction was a keepalive
2589 */
2591 && window
2599 }
2602 }
2605 /* ZERO WINDOW PROBE ACK
2606 * It is a zerowindowprobe ack if it repeats the previous ACK and if
2607 * the last segment in the reverse direction was a zerowindowprobe
2608 * It also repeats the previous zero window indication
2609 */
2614 && (ack==tcpd->fwd->tcp_analyze_seq_info->lastack || EQ_SEQ(ack,tcpd->fwd->tcp_analyze_seq_info->lastack+1))
2619 }
2622 /* Some receivers consume that extra byte brought in the PROBE,
2623 * but it was too early to know that during the WINDOW PROBE analysis.
2624 * Do it now by moving the rev nextseq & maxseqtobeacked.
2625 * See issue 10745.
2626 */
2630 }
2632 }
2635 /* DUPLICATE ACK
2636 * It is a duplicate ack if window/seq/ack is the same as the previous
2637 * segment and if the segment length is 0
2638 */
2640 && window
2646 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
2648 /* just ignore this DUPLICATE ACK */
2654 }
2658 }
2659 }
2663 finished_fwd:
2664 /* If the ack number changed we must reset the dupack counters */
2668 }
2671 /* ACKED LOST PACKET
2672 * If this segment acks beyond the 'max seq to be acked' in the other direction
2673 * then that means we have missed packets going in the
2674 * other direction.
2675 * It might also indicate we are resuming from a Zero Window,
2676 * where a Probe is just followed by an ACK opening again the window.
2677 * See issue 8404.
2678 *
2679 * We only check this if we have actually seen some seq numbers
2680 * in the other direction.
2681 */
2687 }
2689 /* resuming from a Zero Window Probe which re-opens the window,
2690 * mark it as a Window Update
2691 */
2698 }
2699 /* real ACKED LOST PACKET */
2701 /* We ensure there is no matching packet waiting in the unacked list,
2702 * and take this opportunity to push the tail further than this single packet
2703 */
2711 }
2713 /* Only look at what happens above the current ACK value,
2714 * as what happened before is definetely ACKed here and can be
2715 * safely ignored. */
2718 /* if the left edge is contiguous, move the tail leftward */
2721 }
2723 /* otherwise, we have isolated segments above what is being ACKed here,
2724 * and we reinit the tails with the current values */
2728 }
2729 }
2730 }
2732 /* a tail was found and we can push the maxseqtobeacked further */
2735 }
2737 /* otherwise, just take into account the value being ACKed now */
2740 }
2743 }
2744 }
2747 /* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
2748 * If the segment contains data (or is a SYN or a FIN) and
2749 * if it does not advance the sequence number, it must be one
2750 * of these three.
2751 * Only test for this if we know what the seq number should be
2752 * (tcpd->fwd->nextseq)
2753 *
2754 * Note that a simple KeepAlive is not a retransmission
2755 */
2766 }
2768 /* This segment is *not* considered a retransmission/out-of-order if
2769 * the segment length is larger than one (it really adds new data)
2770 * the sequence number is one less than the previous nextseq and
2771 * (the previous segment is possibly a zero window probe)
2772 *
2773 * We should still try to flag Spurious Retransmissions though.
2774 */
2777 }
2779 /* Check for spurious retransmission. If the current seq + segment length
2780 * is less than or equal to the current lastack, the packet contains
2781 * duplicate data and may be considered spurious.
2782 */
2788 }
2791 }
2798 /* Some OOO vs Retrans interpretations can be wrong when the capture needs a reorder.
2799 * Avoid such cases by enforcing the delta to 0 when the order seems bad, instead of
2800 * calculating an absurd value.
2801 */
2803 /* regular case */
2806 }
2810 }
2813 }
2818 /* If there were >=2 duplicate ACKs in the reverse direction
2819 * (there might be duplicate acks missing from the trace)
2820 * and if this sequence number matches those ACKs
2821 * and if the packet occurs within 20ms of the last
2822 * duplicate ack
2823 * then this is a fast retransmission
2824 */
2830 }
2833 }
2835 /* Look for this segment in reported SACK ranges,
2836 * if not present this might very well be a FAST Retrans,
2837 * when the conditions above (timing, number of retrans) are still true */
2847 i++;
2848 }
2850 /* fine, it's probably a Fast Retrans triggered by the SACK sender algo */
2856 }
2857 }
2861 /* If the segment came relatively close since the segment with the highest
2862 * seen sequence number and it doesn't look like a retransmission
2863 * then it is an OUT-OF-ORDER segment.
2864 */
2869 }
2871 /* If the segment is already seen and waiting to be acknowledged, ignore the
2872 * Fast-Retrans/OOO debate and go ahead, as it only can be an ordinary Retrans.
2873 * Fast-Retrans/Retrans are never ambiguous in the context of packets seen but
2874 * this code could be moved above.
2875 * See Issues 13284, 13843
2876 * XXX: if compared packets have different sizes, it's not handled yet
2877 */
2884 }
2886 }
2889 /* ordinary OOO with SEQ numbers and lengths clearly stating the situation */
2890 if( tcpd->fwd->tcp_analyze_seq_info->nextseq != (seq + seglen + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
2893 }
2897 }
2899 /* facing an OOO closing a series of disordered packets,
2900 all preceded by a pure ACK. See issue 17214 */
2904 }
2908 }
2909 }
2910 }
2912 }
2915 /* Then it has to be a generic retransmission */
2918 }
2921 /*
2922 * worst case scenario: if we don't have better than a recent packet,
2923 * use it as the reference for RTO
2924 */
2925 nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &tcpd->fwd->tcp_analyze_seq_info->nextseqtime);
2928 /*
2929 * better case scenario: if we have a list of the previous unacked packets,
2930 * go back to the eldest one, which in theory is likely to be the one retransmitted here.
2931 * It's not always the perfect match, particularly when original captured packet used LSO
2932 * We may parse this list and try to find an obvious matching packet present in the
2933 * capture. If such packet is actually missing, we'll reach the list first entry.
2934 * See : issue #12259
2935 * See : issue #17714
2936 */
2942 }
2944 }
2945 }
2947 finished_checking_retransmission_type:
2949 /* Override the TCP sequence analysis with the value given
2950 * manually by the user. This only applies to flagged packets.
2951 */
2959 /* clean flags set during the automatic analysis */
2961 TCP_A_OUT_OF_ORDER|
2962 TCP_A_FAST_RETRANSMISSION|
2963 TCP_A_SPURIOUS_RETRANSMISSION);
2965 /* set the corresponding flag chosen by the user */
2968 /* the user asked for an empty overriding, which
2969 * means removing any previous value, thus restoring
2970 * the automatic analysis.
2971 */
2991 /* there is no expected default case */
2993 }
2994 }
2997 if ((seglen || flags&(TH_SYN|TH_FIN)) && tcpd->fwd->tcp_analyze_seq_info->segment_count < TCP_MAX_UNACKED_SEGMENTS) {
2998 /* Add this new sequence number to the fwd list. But only if there
2999 * aren't "too many" unacked segments (e.g., we're not seeing the ACKs).
3000 */
3009 /* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
3012 }
3014 }
3016 /* Every time we are moving the highest number seen,
3017 * we are also tracking the segment length then we will know for sure,
3018 * later, if this was a pure ACK or an ordinary data packet. */
3020 || GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
3022 }
3024 /* Store the highest number seen so far for nextseq so we can detect
3025 * when we receive segments that arrive with a "hole"
3026 * If we don't have anything since before, just store what we got.
3027 * ZeroWindowProbes are special and don't really advance the nextseq
3028 */
3029 if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
3036 /* Count the flows turns by checking all packets carrying real data
3037 * Packets not ordered are ignored.
3038 */
3046 /* check direction */
3050 /* if the addresses are equal, match the ports instead */
3053 }
3055 /* invert the direction and increment the counter */
3059 }
3060 /* if the direction was not reversed, maybe are we
3061 * facing the first flow ? Yes, if the counter still equals 0.
3062 */
3066 }
3067 }
3068 }
3069 }
3070 }
3071 }
3073 /* Store the highest continuous seq number seen so far for 'max seq to be acked',
3074 * so we can detect TCP_A_ACK_LOST_PACKET condition.
3075 * If this ever happens, this boundary value can "jump" further in order to
3076 * avoid duplicating multiple messages for the very same lost packet. See later
3077 * how ACKED LOST PACKET are handled.
3078 * Zero Window Probes are logically left out at this moment, but if their data
3079 * really were to be ack'ed, then it will be done later when analyzing their
3080 * Probe ACK (be it a real Probe ACK, or an ordinary ACK moving the RCV Window).
3081 */
3082 if(EQ_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) || !tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) {
3085 }
3086 }
3089 /* remember what the ack/window is so we can track window updates and retransmissions */
3095 /* remember the MPTCP operations if any */
3098 }
3100 /* if there were any flags set for this segment we need to remember them
3101 * we only remember the flags for the very last segment though.
3102 */
3107 }
3110 /* remove all segments this ACKs and we don't need to keep around any more
3111 */
3117 /* If this ack matches the segment, process accordingly */
3122 /* mark it as a full segment ACK */
3124 }
3125 /* If this acknowledges part of the segment, adjust the segment info for the acked part.
3126 * This typically happens in the context of GSO/GRO or Retransmissions with
3127 * segment repackaging (elsewhere called repacketization). For the user, looking at the
3128 * previous packets for any Retransmission or at the SYN MSS Option presence would
3129 * answer what case is precisely encountered.
3130 */
3137 /* mark it as a partial segment ACK
3138 *
3139 * XXX - This mark is used later to create an Expert Note,
3140 * but other ways of tracking these packets are possible:
3141 * for example a similar indication to ta->frame_acked
3142 * would help differentiating the SEQ/ACK analysis messages.
3143 * Also, a TCP Analysis Flag could be added, but doesn't seem
3144 * essential yet, as matching packets can be selected with
3145 * 'tcp.analysis.partial_ack'.
3146 */
3149 }
3150 /* If this acknowledges a segment prior to this one, leave this segment alone and move on */
3155 }
3157 /* This segment is old, or an exact match. Delete the segment from the list */
3161 /* Track largest segment successfully sent for SNACK analysis*/
3164 }
3165 }
3169 }
3172 }
3176 }
3178 /* how many bytes of data are there in flight after this frame
3179 * was sent
3180 * The historical evaluation is done from the payload seen in the
3181 * segments captured. Another method deduced from the SEQ numbers
3182 * is introduced with issue 7703, but not used by default now. The
3183 * method is chosen by the user preference tcp_bif_seq_based.
3184 */
3187 /*
3188 * "don't repeat yourself" boolean, for the shared part
3189 * between both methods
3190 */
3193 /*
3194 * historical calculation method based on payloads, which is
3195 * by now still the default.
3196 */
3210 }
3213 }
3215 }
3217 }
3225 }
3226 }
3228 /* subtract any SACK block */
3234 }
3236 }
3241 }
3243 /* Decrement in_flight bytes by one when we have a SYN or FIN bit
3244 * flag set as it is only virtual.
3245 */
3248 }
3249 }
3262 }
3265 }
3267 }
3268 }
3270 }
3272 /*
3273 * Prints results of the sequence number analysis concerning tcp segments
3274 * retransmitted or out-of-order
3275 */
3276 static void
3281 )
3282 {
3283 /* TCP Retransmission */
3296 }
3297 }
3298 /* TCP Fast Retransmission */
3304 }
3305 /* TCP Spurious Retransmission */
3311 }
3313 /* TCP Out-Of-Order */
3317 }
3318 }
3320 /* Prints results of the sequence number analysis concerning reused ports */
3321 static void
3325 )
3326 {
3327 /* TCP Ports Reused */
3332 }
3333 }
3335 /* Prints results of the sequence number analysis concerning lost tcp segments */
3336 static void
3340 )
3341 {
3342 /* TCP Lost Segment */
3347 }
3348 /* TCP Ack lost segment */
3353 }
3354 }
3356 /* Prints results of the sequence number analysis concerning tcp window */
3357 static void
3361 )
3362 {
3363 /* TCP Window Update */
3367 }
3368 /* TCP Full Window */
3372 }
3373 }
3375 /* Prints results of the sequence number analysis concerning tcp keepalive */
3376 static void
3380 )
3381 {
3382 /*TCP Keep Alive */
3386 }
3387 /* TCP Ack Keep Alive */
3391 }
3392 }
3394 /* Prints results of the sequence number analysis concerning tcp duplicate ack */
3395 static void
3400 proto_tree * tree
3401 )
3402 {
3405 /* TCP Duplicate ACK */
3409 hf_tcp_analysis_duplicate_ack,
3411 "This is a TCP duplicate ack"
3412 );
3417 ta->dupack_num
3418 );
3420 }
3427 expert_add_info_format(pinfo, flags_item, &ei_tcp_analysis_duplicate_ack, "Duplicate ACK (#%u)", ta->dupack_num);
3428 }
3429 }
3431 /* Prints results of the sequence number analysis concerning tcp zero window */
3432 static void
3436 )
3437 {
3438 /* TCP Zero Window Probe */
3442 }
3443 /* TCP Zero Window */
3447 }
3448 /* TCP Zero Window Probe Ack */
3453 }
3454 }
3457 /* Prints results of the sequence number analysis concerning how many bytes of data are in flight */
3458 static void
3463 )
3464 {
3469 hf_tcp_analysis_bytes_in_flight,
3473 }
3474 }
3476 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3477 static void
3479 {
3487 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3492 }
3494 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3495 static void
3497 {
3505 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3510 }
3513 /* Print formatted list of tcp stream ids that are part of the connection */
3514 static void
3517 {
3523 /* for the analysis, we set each subflow tcp stream id */
3527 }
3529 item = proto_tree_add_string(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, wmem_strbuf_get_str(val));
3531 }
3533 /* Compute raw dsn if relative tcp seq covered by DSS mapping */
3534 static bool
3536 {
3539 }
3543 }
3546 /* Add duplicated data */
3548 mptcp_add_duplicated_dsn(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, struct mptcp_subflow *subflow,
3550 )
3551 {
3559 rawdsn64low,
3560 rawdsn64high
3561 );
3566 {
3573 }
3576 }
3578 }
3581 }
3584 /* Lookup mappings that describe the packet and then converts the tcp seq number
3585 * into the MPTCP Data Sequence Number (DSN)
3586 */
3587 static void
3589 proto_tree *parent_tree, struct tcp_analysis* tcpd, struct tcpheader * tcph, mptcp_per_packet_data_t *mptcppd)
3590 {
3599 {
3600 /* abort analysis */
3602 }
3604 /* for this to work, we need to know the original seq number from the SYN, not from a subsequent packet
3605 * hence, we abort if we didn't capture the SYN
3606 */
3609 }
3611 /* if seq not relative yet, we compute it */
3617 /* in case of a SYN, there is no mapping covering the DSN */
3622 }
3623 /* if it's a non-syn packet without data (just used to convey TCP options)
3624 * then there would be no mappings */
3628 }
3638 ssn_low,
3640 );
3644 }
3648 }
3651 }
3655 /* Finds mappings that cover the sent data and adds them to the dissection tree */
3659 {
3665 }
3666 }
3670 }
3672 /* Make sure we have the 64bit raw DSN */
3676 /* always display the rawdsn64 (helpful for debug) */
3677 item = proto_tree_add_uint64(parent_tree, hf_mptcp_rawdsn64, tvb, 0, 0, tcph->th_mptcp->mh_rawdsn64);
3679 /* converts to relative if required */
3681 && mptcp_convert_dsn(tcph->th_mptcp->mh_rawdsn64, tcpd->fwd->mptcp_subflow->meta, DSN_CONV_NONE, true, &tcph->th_mptcp->mh_dsn)) {
3684 }
3686 /* register dsn->packet mapping */
3690 ) {
3699 packet
3700 );
3701 }
3704 /* We can do this only if rawdsn64 is valid !
3705 if enabled, look for overlapping mappings on other subflows */
3712 /* results should be some kind of list in case 2 DSS are needed to cover this packet */
3713 for(subflow_it = wmem_list_head(mptcpd->subflows); subflow_it != NULL; subflow_it = wmem_list_frame_next(subflow_it)) {
3715 struct mptcp_subflow *sf = mptcp_select_subflow_from_meta(sf_tcpd, tcpd->fwd->mptcp_subflow->meta);
3717 /* for current subflow */
3719 /* skip, this is the current subflow */
3720 }
3721 /* in case there were retransmissions on other subflows */
3726 }
3727 }
3728 }
3729 }
3731 /* could not get the rawdsn64, ignore and continue */
3732 }
3734 }
3737 /* Print subflow list */
3738 static void
3741 {
3749 }
3756 /* set field with mptcp stream */
3762 );
3764 }
3768 }
3773 /* store the TCP Options related to MPTCP then we will avoid false DUP ACKs later */
3777 nbOptionsChanged++;
3778 }
3781 nbOptionsChanged++;
3782 }
3785 nbOptionsChanged++;
3786 }
3789 nbOptionsChanged++;
3790 }
3793 nbOptionsChanged++;
3794 }
3797 nbOptionsChanged++;
3798 }
3801 nbOptionsChanged++;
3802 }
3805 nbOptionsChanged++;
3806 }
3807 /* we could track MPTCP option changes here, with nbOptionsChanged */
3808 #endif
3813 /* retrieve saved analysis of packets, else create it */
3814 mptcppd = (mptcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num);
3818 }
3820 /* Print formatted list of tcp stream ids that are part of the connection */
3823 /* Converts TCP seq number into its MPTCP DSN */
3826 }
3829 static void
3834 )
3835 {
3840 hf_tcp_analysis_push_bytes_sent,
3844 }
3845 }
3847 static void
3850 {
3858 }
3861 }
3865 }
3871 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
3872 data we actually have */
3880 }
3882 /* only display RTT if we actually have something we are acking */
3887 }
3888 }
3893 }
3896 /* print results for amount of data in flight */
3899 }
3906 /* print results for reused tcp ports */
3909 /* print results for retransmission and out-of-order segments */
3912 /* print results for lost tcp segments */
3915 /* print results for tcp window information */
3918 /* print results for tcp keep alive information */
3921 /* print results for tcp duplicate acks */
3924 /* print results for tcp zero window */
3927 }
3929 }
3931 static void
3932 print_tcp_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tcp_tree, packet_info *pinfo, tvbuff_t *next_tvb)
3933 {
3936 /*
3937 * The subdissector thought it was completely
3938 * desegmented (although the stuff at the
3939 * end may, in turn, require desegmentation),
3940 * so we show a tree with all segments.
3941 */
3944 /*
3945 * The toplevel fragment subtree is now
3946 * behind all desegmented data; move it
3947 * right behind the TCP tree.
3948 */
3952 }
3953 }
3955 /* **************************************************************************
3956 * End of tcp sequence number analysis
3957 * **************************************************************************/
3960 /* Minimum TCP header length. */
3961 #define TCPH_MIN_LEN 20
3963 /* Desegmentation of TCP streams */
3965 /* The primary ID is the first frame of a multisegment PDU, which is
3966 * most likely unique in the capture (unlike sequence numbers which
3967 * can be re-used, especially when relative sequence numbers are enabled).
3968 * However, frames can have multiple PDUs with certain encapsulations like
3969 * GSE or MPE over DVB BaseBand Frames.
3970 */
3974 address src_addr;
3975 address dst_addr;
3976 port_type ptype;
3981 static void
3983 {
3989 }
3991 static void
3993 {
3999 }
4002 address src_addr;
4003 address dst_addr;
4010 static unsigned
4012 {
4018 /* In most captures there is only one fragment per id / first_frame,
4019 so we only use it in the hash as an optimization.
4021 int i;
4022 for (i = 0; i < key->src.len; i++)
4023 hash_val += key->src_addr.data[i];
4024 for (i = 0; i < key->dst.len; i++)
4025 hash_val += key->dst_addr.data[i];
4026 hash_val += key->src_port;
4027 hash_val += key->dst_port;
4028 hash_val += key->seq;
4029 */
4032 }
4034 static int
4036 {
4040 /*
4041 * key.id is the first item to compare since it's the item most
4042 * likely to differ between sessions, thus short-circuiting
4043 * the comparison of addresses and ports.
4044 */
4051 }
4053 /*
4054 * Create a fragment key for temporary use; it can point to non-
4055 * persistent data, and so must only be used to look up and
4056 * delete entries, not to add them.
4057 */
4061 {
4066 /*
4067 * Do a shallow copy of the addresses.
4068 */
4077 }
4079 /*
4080 * Create a fragment key for permanent use; it must point to persistent
4081 * data, so that it can be used to add entries.
4082 */
4086 {
4091 /*
4092 * Do a deep copy of the addresses.
4093 */
4102 }
4104 static void
4106 {
4109 }
4111 static void
4113 {
4117 /*
4118 * Free up the copies of the addresses from the old key.
4119 */
4124 }
4125 }
4127 const reassembly_table_functions
4128 tcp_reassembly_table_functions = {
4129 tcp_segment_hash,
4130 tcp_segment_equal,
4131 tcp_segment_temporary_key,
4132 tcp_segment_persistent_key,
4133 tcp_segment_free_temporary_key,
4134 tcp_segment_free_persistent_key
4135 };
4139 /* functions to trace tcp segments */
4140 /* Enable desegmenting of TCP streams */
4143 /* Returns the maximum contiguous sequence number of the reassembly associated
4144 * with the msp *if* a new fragment were added ending in the given maxnextseq.
4145 * The new fragment is from the current frame and may not have been added yet.
4146 */
4147 static uint32_t
4149 {
4155 /* msp implies existence of fragments, this should never be NULL. */
4158 /* Find length of contiguous fragments.
4159 * Start with the first gap, but the new fragment is allowed to
4160 * fill that gap. */
4165 }
4168 }
4172 {
4179 /* This is for splitting defragmented MSPs, so fd_head should exist
4180 * and be defragmented. This also ensures that fd_i->tvb_data exists.
4181 */
4186 /* The fragment list is sorted in offset order, but not nec. frame order
4187 * or end offset order due to out of order reassembly and possible overlap.
4188 * fd_i->offset < split_offset - some bytes are before the split
4189 * fd_i->offset + fd_i->len >= split_offset - some bytes are after split
4190 * Look through all the fragments that have some data before the split point.
4191 */
4195 }
4202 }
4203 }
4204 };
4206 /* Now look through all the remaining fragments that only have bytes after
4207 * the split.
4208 */
4213 }
4214 }
4216 /* We only call this when the frame the fragments were reassembled in
4217 * (which is the current frame) includes some data before the split
4218 * point, so that it won't change and we can be consistent dissecting
4219 * between passes. We also should have at least some data after the
4220 * split point (because the subdissector claimed there was undissected
4221 * data.)
4222 */
4233 /* XXX: Could do the adding the new fragments in fragment_truncate */
4237 /* Check for some unusual out of order overlapping segment situations. */
4242 }
4246 }
4247 }
4252 /* The newmsp nxtpdu will be adjusted after leaving this function. */
4254 }
4263 static int
4265 {
4269 /* We only insert segments into this list that satisfy
4270 * LT_SEQ(tcpd->fwd->maxnextseq, seq), for the current value
4271 * of maxnextseq (removing segments when maxnextseq is advanced)
4272 * so these rollover-aware comparisons are transitive over the
4273 * domain (never greater than 2^31).
4274 */
4288 }
4290 /* Search through our list of out of order segments and add the ones that are
4291 * now contiguous onto a MSP until we use them all or reach another gap.
4292 *
4293 * If the MSP parameter is a incomplete, returns it with any OOO segments added.
4294 * If the MSP parameter is NULL or complete, returns a newly created MSP with
4295 * OOO segments added, or NULL if there were no segments to add.
4296 */
4298 msp_add_out_of_order(packet_info *pinfo, struct tcp_multisegment_pdu *msp, struct tcp_analysis *tcpd, uint32_t seq)
4299 {
4301 /* Whether a previous MSP exists with missing segments. */
4309 }
4311 }
4319 /* There might be segments already added to the msp that now extend
4320 * the maximum contiguous sequence number. Check for them. */
4324 }
4327 }
4328 }
4329 /* We have filled in the gap, so this out of order
4330 * segment is now contiguous and can be processed along
4331 * with the segment we just received.
4332 */
4337 /* Increase the expected MSP size if necessary. Yes, the
4338 * subdissector may have told us that a PDU ended here, but we
4339 * might have enough newly contiguous data to dissect another
4340 * PDU past that, and we should send that to the subdissector
4341 * too. */
4344 }
4345 /* Add this OOO segment to the unfinished MSP */
4352 /* No MSP in progress, so create one starting
4353 * at the sequence number of segment received
4354 * in this frame. Note that we will be adding
4355 * the first segment below, and this is the frame
4356 * of the first segment, so first_frame_with_seq
4357 * is already correct (and unnecessary) and
4358 * we don't need MSP_FLAGS_MISSING_FIRST_SEGMENT. */
4367 }
4373 }
4374 /* There might be segments already added to the msp that now extend
4375 * the maximum contiguous sequence number. Check for them. */
4378 }
4380 }
4382 static void
4388 {
4402 const bool reassemble_ooo = tcp_analyze_seq && tcp_desegment && tcp_reassemble_out_of_order && tcpd && tcpd->fwd->ooo_segments;
4409 again:
4418 /*
4419 * Initialize these to assume no desegmentation.
4420 * If that's not the case, these will be set appropriately
4421 * by the subdissector.
4422 */
4426 /*
4427 * Initialize this to assume that this segment will just be
4428 * added to the middle of a desegmented chunk of data, so
4429 * that we should show it all as data.
4430 * If that's not the case, it will be set appropriately.
4431 */
4434 /*
4435 * TODO: Some notes on current limitations with TCP desegmentation:
4436 *
4437 * This function can be called with either relative or absolute sequence
4438 * numbers; the ??_SEQ macros are called for comparisons to deal with
4439 * with sequence number rollover. (With relative sequence numbers, if
4440 * early TCP segments are received out of order before the SYN it can be
4441 * possible for rollover to occur at the very beginning of a connection.)
4442 *
4443 * However, multi-segment PDU lookup does not work for MSPs that span
4444 * TCP sequence number rollover, and desegmentation fails.
4445 *
4446 * When there is a single TCP connection that is longer than 4 GiB and
4447 * thus sequence numbers are reused, multi-segment PDU lookup and
4448 * retransmission identification does not work. (Bug 10503).
4449 *
4450 * Distinguishing between sequence number reuse on a very long connection
4451 * and sequence number reuse due to retransmission is difficult. Right
4452 * now very long connections are just not handled as the rarer case.
4453 * Perhaps retransmission identification could be entirely left up to TCP
4454 * analysis (if enabled, not done at all if disabled), instead of TCP
4455 * analysis results only used to supplement work here?
4456 *
4457 * TCP sequence analysis can set TCP_A_RETRANSMISSION in cases where
4458 * we still need to process the segment anyway because something other
4459 * than the sequence number is different from the prior segment. That
4460 * includes "retransmitted but with additional data" (Bug 13523) and
4461 * "retransmitted due to bad checksum" (especially if checksum verification
4462 * is enabled.)
4463 *
4464 * "Reassemble out-of-order segments" uses its own method of detecting
4465 * retranmission, but uses more memory and CPU, and when used, a TCP stream
4466 * that has missing segments that are never retransmitted stop processing
4467 * after the missing segment.
4468 *
4469 * If multiple TCP/IP packets are encapsulated in the same frame (such
4470 * as with GSE, which has very long Baseband Frames) this causes issues:
4471 *
4472 * If a subdissector reports that it can handle a payload, but needs
4473 * more data (pinfo->desegment_len > 0) and did not actually dissect
4474 * any of it (pinfo->desegment_offset == 0), on the first pass it
4475 * still adds layers to the frame. On subsequent passes, the MSP created
4476 * (or extended) in the first pass means that the subdissector won't be
4477 * called at all. If there are other protocols contained in the frame
4478 * that are dissected on the second pass they will have different
4479 * layer numbers than in the first pass, which can disturb proto_data
4480 * lookup, reassembly, etc. (Bug 16109 describes this for TLS.)
4481 */
4486 /* If we are reassembling out of order, we can do this retransmission
4487 * check. Anything before the latest consecutive sequence number we've
4488 * already processed is a retransmission (from the perspective of has
4489 * been passed to subdissectors; the judgment of TCP Sequence Analysis
4490 * may be different, because it considers RTO and ACKs and so forth).
4491 *
4492 * XXX: If these segments are part of incomplete MSPs, we pass them
4493 * to the reassembly code which tests for overlap conflicts.
4494 * For those which are part of completed reassemblies or not part
4495 * of MSPs, we just don't process them. The former would throw a
4496 * ReassemblyError, which is likely acceptable in the case of
4497 * retransmission of the same segment but not if retransmitted with
4498 * additional data, where we'd need to catch the exception to
4499 * process the extra data. For ones that were not added to MSPs at
4500 * all, we can't do much. (Bug #13061)
4501 *
4502 * Retransmissions of out of order segments after our latest
4503 * consecutive sequence number will all be stored and then eventually
4504 * put on multisegment PDUs and go to the reassembler, which should
4505 * be able to handle retransmission, as those are still incomplete.
4506 */
4511 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4513 }
4519 }
4525 }
4526 }
4527 }
4544 }
4545 }
4548 /* Have we seen this PDU before (and is it the start of a multi-
4549 * segment PDU)?
4550 *
4551 * If the sequence number was seen before, it is part of a
4552 * retransmission if the whole segment fits within the MSP.
4553 * (But if this is this frame was already visited and the first frame of
4554 * the MSP matches the current frame, then it is not a retransmission,
4555 * but the start of a new MSP.)
4556 *
4557 * If only part of the segment fits in the MSP, then either:
4558 * - The previous segment included with the MSP was a Zero Window Probe
4559 * with one byte of data and the subdissector just asked for one more
4560 * byte. Do not mark it as retransmission (Bug 15427).
4561 * - Data was actually being retransmitted, but with additional data
4562 * (Bug 13523). Do not mark it as retransmission to handle the extra
4563 * bytes. (NOTE Due to the TCP_A_RETRANSMISSION check below, such
4564 * extra data will still be ignored.)
4565 * - The MSP contains multiple segments, but the subdissector finished
4566 * reassembly using a subset of the final segment (thus "msp->nxtpdu"
4567 * is smaller than the nxtseq of the previous segment). If that final
4568 * segment was retransmitted, then "nxtseq > msp->nxtpdu".
4569 * Unfortunately that will *not* be marked as retransmission here.
4570 * The next TCP_A_RETRANSMISSION hopefully takes care of it though.
4571 *
4572 * Only shortcircuit here when the first segment of the MSP is known,
4573 * and when this first segment is not one to complete the MSP.
4574 */
4575 if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, seq)) &&
4581 /* Yes. This could be because we've dissected this frame before
4582 * or because this is a retransmission of a previously-seen
4583 * segment. Either way, we don't need to hand it off to the
4584 * subdissector and we certainly don't want to re-add it to the
4585 * multisegment_pdus list: if we did, subsequent lookups would
4586 * find this retransmission instead of the original transmission
4587 * (breaking desegmentation if we'd already linked other segments
4588 * to the original transmission's entry).
4589 *
4590 * Cases to handle here:
4591 * - In-order stream, pinfo->num matches begin of MSP.
4592 * - In-order stream, but pinfo->num does not match the begin of the
4593 * MSP. Must be a retransmission.
4594 * - OoO stream where this segment fills the gap in the begin of the
4595 * MSP. msp->first_frame is the start where the gap was detected
4596 * (and does NOT match pinfo->num).
4597 */
4604 /* TCP analysis already flags this (in COL_INFO) as a retransmission--if it's enabled */
4605 }
4607 /* Fix for bug 3264: look up ipfd for this (first) segment,
4608 so can add tcp.reassembled_in generated field on this code path. */
4620 }
4621 }
4622 }
4623 }
4631 }
4633 /* Else, find the most previous PDU starting before this sequence number */
4635 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
4636 }
4639 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4641 }
4643 /* The above code only finds retransmission if the PDU boundaries and the seq coincide
4644 * If we have sequence analysis active use the TCP_A_RETRANSMISSION flag.
4645 * XXXX Could the above code be improved?
4646 */
4648 /* If we have an unfinished MSP that this segment belongs to
4649 * or if the sequence number is newer than anything we've seen,
4650 * then this is Out of Order from the reassembly perspective
4651 * and we want to process it anyway.
4652 */
4653 if (!PINFO_FD_VISITED(pinfo) && tcpd->fwd->maxnextseq && LE_SEQ(seq, tcpd->fwd->maxnextseq) && !has_unfinished_msp) {
4654 /* Otherwise, if TCP Analysis calls the segment a
4655 * Spurious Retransmission or Retransmission, ignore it
4656 * here and on future passes.
4657 * See issue 10289
4658 * XXX: There are still some cases where TCP Analysis
4659 * marks segments as Retransmissions when they are
4660 * Out of Order from this perspective (#10725, #13843)
4661 */
4666 }
4667 }
4675 }
4676 }
4677 }
4678 }
4682 /* If there is a gap between this segment and any previous ones
4683 * (that is, seqno is larger than the maximum expected seqno), then
4684 * it is possibly an out-of-order segment. The very first segment
4685 * is expected to be in-order though (otherwise captures starting
4686 * in midst of a connection would never be reassembled).
4687 * (maxnextseq is 0 if we have not seen a SYN packet, even with
4688 * absolute sequence numbers.)
4689 *
4690 * Do not bother checking for OoO segments for streams that are
4691 * reassembled at FIN, the order of segments before FIN does not
4692 * matter as reordering and reassembly occurs at FIN.
4693 */
4696 /* Segments may be missing due to packet loss (assume later
4697 * retransmission) or out-of-order (assume it appears later).
4698 *
4699 * XXX: It would be nice to handle captures that have both
4700 * out-of-order packets and some lost packets that are
4701 * never retransmitted. But using the reverse flow ACK
4702 * (like follow_tcp_tap_listener) or using a known end of
4703 * a MSP (that we haven't fully received yet) to process a
4704 * segment that starts right afterwards would both break the
4705 * promise of in-order delivery, if a missing packet did arrive
4706 * later, which is a problem for any state-based dissector
4707 * (including TLS.)
4708 */
4710 /* Whether the new segment has a gap from our latest contiguous
4711 * sequence number. */
4713 }
4716 /* Update the maximum expected seqno if no SYN packet was seen
4717 * before, or if the new segment succeeds previous segments. */
4720 /* If there is no gap, look for any OOO packets that are now
4721 * contiguous. */
4723 }
4725 /* If we have visited this frame before, look for the frame in the
4726 * list of unused out of order segments. Since we know the gap will
4727 * never be filled, we could pass it to the subdissector, but
4728 * we want to be consistent between passes.
4729 */
4737 }
4738 }
4739 }
4741 /* If we are not processing out of order, update the max nextseq value if
4742 * is later than our current value (or our first value.)
4743 */
4748 }
4749 }
4750 }
4758 }
4760 /* OK, this PDU was found, which means the segment continues
4761 * a higher-level PDU and that we must desegment it.
4762 */
4764 /* The dissector asked for the entire segment */
4767 /* Wraparound is possible, so subtraction does not
4768 * distribute across MIN(x, y)
4769 */
4771 }
4776 /*
4777 * If the previous segment requested more data (setting
4778 * FD_PARTIAL_REASSEMBLY as the next segment length is unknown), but
4779 * subsequently an OoO segment was received (for an earlier hole),
4780 * then "fragment_add" would truncate the reassembled PDU to the end
4781 * of this OoO segment. To prevent that, explicitly specify the MSP
4782 * length before calling "fragment_add".
4783 *
4784 * When a subdissector requests reassembly at the end of the
4785 * connection (DESEGMENT_UNTIL_FIN), then it is not
4786 * possible for an earlier segment to complete reassembly
4787 * (more_frags for fragment_add is always true). Thus we do not
4788 * have to worry about increasing the fragment length here.
4789 */
4793 }
4804 /* If we consumed the entire segment there is no
4805 * other pdu starting anywhere inside this segment.
4806 * So update nxtpdu to point at least to the start
4807 * of the next segment.
4808 * (If the subdissector asks for even more data we
4809 * will advance nxtpdu even further later down in
4810 * the code.)
4811 */
4814 }
4815 }
4818 /* Remember when all segments are ready to avoid subsequent
4819 * out-of-order packets from extending this MSP. If a subsdissector
4820 * needs more segments, the flag will be cleared below. */
4823 }
4824 }
4830 }
4832 /* This is an OOO segment with a gap and past the known end of
4833 * the current MSP, if any. We don't know for certain which MSP
4834 * it belongs to, and the reassembly functions don't let us remove
4835 * fragment items added by mistake. Keep it around in a separate
4836 * structure, and add it later.
4837 *
4838 * On the second and later passes, we know that this gap will
4839 * never be filled in, so we could hand the segment to the
4840 * subdissector anyway. However, we want dissection to be
4841 * consistent between passes.
4842 */
4849 /* We only enter here if dissect_tcp set can_desegment,
4850 * which means that these bytes exist. */
4853 }
4856 /* This segment was not found in our table, so it doesn't
4857 * contain a continuation of a higher-level PDU.
4858 * Call the normal subdissector.
4859 */
4861 /*
4862 * Supply the sequence number of this segment. We set this here
4863 * because this segment could be after another in the same packet,
4864 * in which case seq was incremented at the end of the loop.
4865 */
4871 /* Unless it failed to dissect any data at all, the subdissector
4872 * might have changed the addresses and/or ports. Save them, and
4873 * set them back to the original values temporarily so that the
4874 * fragment functions work correctly (including in any later PDU.)
4875 *
4876 * (If we didn't dissect any data, the subdissector *shouldn't*
4877 * have changed the addresses or ports, so don't save them, but
4878 * restore them just in case.)
4879 */
4882 }
4886 /* Did the subdissector ask us to desegment some more data
4887 * before it could handle the packet?
4888 * If so we'll have to handle that later.
4889 */
4893 /*
4894 * Set "deseg_offset" to the offset in "tvb"
4895 * of the first byte of data that the
4896 * subdissector didn't process.
4897 */
4899 }
4901 /* Either no desegmentation is necessary, or this is
4902 * segment contains the beginning but not the end of
4903 * a higher-level PDU and thus isn't completely
4904 * desegmented.
4905 */
4907 }
4910 /* is it completely desegmented? */
4912 /*
4913 * Yes, we think it is.
4914 * We only call subdissector for the last segment.
4915 * Note that the last segment may include more than what
4916 * we needed.
4917 */
4918 if (ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
4919 /*
4920 * OK, this is the last segment.
4921 * Let's call the subdissector with the desegmented
4922 * data.
4923 */
4926 /* create a new TVB structure for desegmented data */
4929 /* add desegmented data to the data source list */
4932 /*
4933 * Supply the sequence number of the first of the
4934 * reassembled bytes.
4935 */
4938 /* indicate that this is reassembled data */
4941 /* call subdissector */
4945 /* Unless it failed to dissect any data at all, the subdissector
4946 * might have changed the addresses and/or ports. Save them, and
4947 * set them back to the original values temporarily so that the
4948 * fragment functions work correctly (including in any later PDU.)
4949 *
4950 * (If we didn't dissect any data, the subdissector *shouldn't*
4951 * have changed the addresses or ports, so don't save them, but
4952 * restore them just in case.)
4953 */
4956 }
4960 /*
4961 * OK, did the subdissector think it was completely
4962 * desegmented, or does it think we need even more
4963 * data?
4964 */
4966 /*
4967 * "desegment_len" isn't 0, so it needs more data
4968 * to fully dissect the current MSP. msp->nxtpdu was
4969 * not accurate and needs to be updated.
4970 *
4971 * This can happen if a dissector asked for one
4972 * more segment (but didn't know exactly how much data)
4973 * or if segments were added out of order.
4974 *
4975 * This is opposed to the current MSP being completely
4976 * desegmented, but the stuff at the end of the
4977 * current frame past last_fragment_len starting a new
4978 * higher-level PDU that may also need desegmentation.
4979 * That case is handled on the next loop.
4980 *
4981 * We want to keep the same dissection and protocol layer
4982 * numbers on subsequent passes.
4983 *
4984 * If "desegment_offset" is 0, then nothing in the reassembled
4985 * TCP segments was dissected, so remove the data source.
4986 */
4990 }
4994 msp);
4996 /* If "desegment_offset" is not 0, then a PDU in the
4997 * reassembled segments was dissected, but some stuff
4998 * that was added previously is part of a later PDU.
4999 */
5001 /* If we don't use anything from the current frame's
5002 * segment, then we can't split the msp. The frames of
5003 * the earlier PDU weren't reassembled until now, so
5004 * they need to point to a reassembled_in frame here
5005 * or later.
5006 *
5007 * Since this segment is the first of newly contiguous
5008 * segments, this means the subdissector is asking for
5009 * fewer bytes than it did before.
5010 * XXX: Report this as a dissector bug?
5011 */
5014 }
5017 msp);
5019 /* If we did use bytes from the current segment, then
5020 * we want to split the MSP; the earlier part is
5021 * dissected in this frame on the first pass, so for
5022 * consistency we want to do so on future passes, but
5023 * the latter part we cannot dissect until later.
5024 * We only need to do this on the first pass; split_msp
5025 * truncates the msp so we don't get here a second
5026 * time.
5027 */
5028 /* nxtpdu adjustment for the new msp is the same. */
5030 /* We don't need to clear MSP_FLAGS_GOT_ALL_SEGMENTS
5031 * since we are spliting the MSP.
5032 */
5034 }
5036 }
5037 }
5040 /* Update msp->nxtpdu to point to the new next
5041 * pdu boundary.
5042 * We only do this on the first pass, though we shouldn't
5043 * get here on a second pass (since we truncated the msp.)
5044 */
5046 /* We want reassembly of at least one
5047 * more segment so set the nxtpdu
5048 * boundary to one byte into the next
5049 * segment.
5050 * This means that the next segment
5051 * will complete reassembly even if it
5052 * is only one single byte in length.
5053 * If this is an OoO segment, then increment
5054 * the MSP end.
5055 */
5060 /* This is not the first segment, and we thought the
5061 * reassembly would be done now, but now know we must
5062 * desgment until FIN. (E.g., HTTP Response with headers
5063 * split across segments, and no Content-Length or
5064 * Transfer-Encoding (RFC 7230, Section 3.3.3, case 7.)
5065 * For the same reasons as below when we encounter
5066 * DESEGMENT_UNTIL_FIN on the first segment, give
5067 * msp->nxtpdu a big (but not too big) offset so
5068 * reassembly will pick up the segments later.
5069 */
5073 /* This is the segment (overlapping) the end of
5074 * the MSP.
5075 */
5078 /* This is a segment before the end of the MSP, so
5079 * it must be an out-of-order segment that completed
5080 * the MSP. The requested additional data is
5081 * relative to that end.
5082 */
5084 }
5085 }
5086 }
5088 /* Since we need at least some more data
5089 * there can be no pdu following in the
5090 * tail of this segment.
5091 */
5098 /*
5099 * Show the stuff in this TCP segment as
5100 * just raw TCP segment data.
5101 */
5103 ? another_pdu_follows
5110 }
5111 }
5112 }
5115 /*
5116 * The sequence number at which the stuff to be desegmented
5117 * starts is the sequence number of the byte at an offset
5118 * of "deseg_offset" into "tvb".
5119 *
5120 * The sequence number of the byte at an offset of "offset"
5121 * is "seq", i.e. the starting sequence number of this
5122 * segment, so the sequence number of the byte at
5123 * "deseg_offset" is "seq + (deseg_offset - offset)".
5124 */
5127 /* We have to create some structures in our table but
5128 * this is something we only do the first time we see this
5129 * packet. */
5131 /* If the dissector requested "reassemble until FIN"
5132 * just set this flag for the flow and let reassembly
5133 * proceed at normal. We will check/pick up these
5134 * reassembled PDUs later down in dissect_tcp() when checking
5135 * for the FIN flag.
5136 */
5139 }
5142 /* The subdissector asked to reassemble using the
5143 * entire next segment.
5144 * Just ask reassembly for one more byte
5145 * but set this msp flag so we can pick it up
5146 * above.
5147 */
5152 /*
5153 * The subdissector asked to reassemble at the end of the
5154 * connection. That will be done in dissect_tcp, but here we
5155 * have to ask reassembly to collect all future segments.
5156 * Note that TCP_FLOW_REASSEMBLE_UNTIL_FIN was set before,
5157 * this ensures that OoO detection is skipped.
5158 * The exact nxtpdu offset does not matter, but it should be
5159 * smaller than half of the maximum 32-bit unsigned integer
5160 * to allow detection of sequence number wraparound, and
5161 * larger than the largest possible stream size. Hopefully
5162 * 1GiB (0x40000000 bytes) should be enough.
5163 */
5169 }
5171 /* add this segment as the first one for this new pdu */
5176 }
5178 /* If this is not the first time we have seen the packet, then
5179 * the MSP should already be created. Retrieve it to see if we
5180 * know what later frame the PDU is reassembled in.
5181 */
5182 if (tcpd && (msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, deseg_seq))) {
5184 }
5185 }
5186 }
5192 /*
5193 * We know what other frame this PDU is reassembled in;
5194 * let the user know.
5195 */
5199 }
5201 /*
5202 * Either we didn't call the subdissector at all (i.e.,
5203 * this is a segment that contains the middle of a
5204 * higher-level PDU, but contains neither the beginning
5205 * nor the end), or the subdissector couldn't dissect it
5206 * all, as some data was missing (i.e., it set
5207 * "pinfo->desegment_len" to the amount of additional
5208 * data it needs).
5209 */
5211 /*
5212 * It couldn't, in fact, dissect any of it (the
5213 * first byte it couldn't dissect is at an offset
5214 * of "pinfo->desegment_offset" from the beginning
5215 * of the payload, and that's 0).
5216 * Just mark this as TCP.
5217 */
5221 }
5222 }
5224 /*
5225 * Show what's left in the packet as just raw TCP segment
5226 * data. (It's possible that another PDU follows in the case
5227 * of an out of order frame that is part of two MSPs.)
5228 * XXX - remember what protocol the last subdissector
5229 * was, and report it as a continuation of that, instead?
5230 */
5231 nbytes = another_pdu_follows ? another_pdu_follows : tvb_reported_length_remaining(tvb, deseg_offset);
5236 }
5242 /* there was another pdu following this one. */
5244 /* we also have to prevent the dissector from changing the
5245 * PROTOCOL and INFO columns since what follows may be an
5246 * incomplete PDU and we don't want it be changed back from
5247 * <Protocol> to <TCP>
5248 */
5257 /* remove any blocking set above otherwise the
5258 * proto,colinfo tap will break
5259 */
5262 }
5263 }
5265 clean_exit:
5266 /* Restore the addresses and ports to whatever they were after
5267 * the last segment that successfully dissected some data, if any.
5268 */
5270 }
5272 void
5277 {
5289 tcp_endpoint_t orig_endpoint;
5294 /*
5295 * We use "tvb_ensure_captured_length_remaining()" to make
5296 * sure there actually *is* data remaining. The protocol
5297 * we're handling could conceivably consists of a sequence of
5298 * fixed-length PDUs, and therefore the "get_pdu_len" routine
5299 * might not actually fetch anything from the tvbuff, and thus
5300 * might not cause an exception to be thrown if we've run past
5301 * the end of the tvbuff.
5302 *
5303 * This means we're guaranteed that "captured_length_remaining" is positive.
5304 */
5307 /*
5308 * Can we do reassembly?
5309 */
5311 /*
5312 * Yes - is the fixed-length part of the PDU split across segment
5313 * boundaries?
5314 */
5316 /*
5317 * Yes. Tell the TCP dissector where the data for this message
5318 * starts in the data it handed us and that we need "some more
5319 * data." Don't tell it exactly how many bytes we need because
5320 * if/when we ask for even more (after the header) that will
5321 * break reassembly.
5322 */
5326 }
5327 }
5329 /*
5330 * Get the length of the PDU.
5331 */
5334 /*
5335 * Support protocols which have a variable length which cannot
5336 * always be determined within the given fixed_len.
5337 */
5338 /*
5339 * If another segment was requested but we can't do reassembly,
5340 * abort and warn about the unreassembled packet.
5341 */
5343 /*
5344 * Tell the TCP dissector where the data for this message
5345 * starts in the data it handed us, and that we need one
5346 * more segment, and return.
5347 */
5351 }
5353 /*
5354 * Either:
5355 *
5356 * 1) the length value extracted from the fixed-length portion
5357 * doesn't include the fixed-length portion's length, and
5358 * was so large that, when the fixed-length portion's
5359 * length was added to it, the total length overflowed;
5360 *
5361 * 2) the length value extracted from the fixed-length portion
5362 * includes the fixed-length portion's length, and the value
5363 * was less than the fixed-length portion's length, i.e. it
5364 * was bogus.
5365 *
5366 * Report this as a bounds error.
5367 */
5370 }
5372 /* give a hint to TCP where the next PDU starts
5373 * so that it can attempt to find it in case it starts
5374 * somewhere in the middle of a segment.
5375 */
5382 }
5383 }
5385 /*
5386 * Can we do reassembly?
5387 */
5389 /*
5390 * Yes - is the PDU split across segment boundaries?
5391 */
5393 /*
5394 * Yes. Tell the TCP dissector where the data for this message
5395 * starts in the data it handed us, and how many more bytes we
5396 * need, and return.
5397 */
5401 }
5402 }
5408 curr_layer_num--;
5409 }
5410 #if 0
5412 {
5413 #endif
5414 /*
5415 * Display the PDU length as a field
5416 */
5417 item=proto_tree_add_uint((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5418 hf_tcp_pdu_size,
5421 #if 0
5423 item = proto_tree_add_expert_format((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5427 }
5428 #endif
5430 /*
5431 * Construct a tvbuff containing the amount of the payload we have
5432 * available. Make its reported length the amount of data in the PDU.
5433 */
5440 /* If we can't do reassembly but the PDU is split across
5441 * segment boundaries, mark the tvbuff as a fragment so
5442 * we throw FragmentBoundsError instead of malformed
5443 * errors.
5444 */
5446 }
5447 }
5450 /*
5451 * Dissect the PDU.
5452 *
5453 * If it gets an error that means there's no point in
5454 * dissecting any more PDUs, rethrow the exception in
5455 * question.
5456 *
5457 * If it gets any other error, report it and continue, as that
5458 * means that PDU got an error, but that doesn't mean we should
5459 * stop dissecting PDUs within this frame or chunk of reassembled
5460 * data.
5461 */
5464 TRY {
5466 }
5467 CATCH_NONFATAL_ERRORS {
5470 /*
5471 * Restore the saved protocol as well; we do this after
5472 * show_exception(), so that the "Malformed packet" indication
5473 * shows the protocol for which dissection failed.
5474 */
5476 }
5477 ENDTRY;
5479 /*
5480 * Step to the next PDU.
5481 * Make sure we don't overflow.
5482 */
5487 }
5488 }
5490 static void
5492 {
5493 /* fstr(" %s=%u", abbrev, val) */
5495 }
5497 static void
5499 {
5501 }
5503 static bool
5504 tcp_option_len_check(proto_item* length_item, packet_info *pinfo, unsigned len, unsigned optlen)
5505 {
5507 /* Bogus - option length isn't what it's supposed to be for this option. */
5511 }
5514 }
5516 static int
5517 dissect_tcpopt_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
5518 {
5529 proto_tree_add_item(exp_tree, hf_tcp_option_unknown_payload, tvb, offset + 2, optlen - 2, ENC_NA);
5532 }
5534 static int
5535 dissect_tcpopt_default_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, int ett)
5536 {
5546 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5552 }
5554 static int
5556 {
5557 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpsrec, ett_tcp_opt_recbound);
5558 }
5560 static int
5562 {
5563 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpscor, ett_tcp_opt_scpscor);
5564 }
5566 static void
5569 {
5575 /* Fast Open Cookie Request */
5580 /* Fast Open Cookie */
5587 /* Is this a SYN with data and the cookie? */
5592 }
5593 }
5594 }
5595 }
5596 }
5598 static int
5600 {
5612 }
5614 /*
5615 * TCP ACK Rate Request option is based on
5616 * https://datatracker.ietf.org/doc/html/draft-gomez-tcpm-ack-rate-request-06
5617 */
5619 #define TCPOPT_TARR_RATE_MASK 0xfe
5620 #define TCPOPT_TARR_RESERVED_MASK 0x01
5621 #define TCPOPT_TARR_RATE_SHIFT 1
5623 static void
5626 {
5640 }
5641 }
5643 static void
5646 {
5665 }
5676 }
5678 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5684 }
5695 }
5697 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5701 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee1b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5706 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee0b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5709 }
5711 }
5715 }
5716 }
5718 static int
5720 {
5733 length_item = proto_tree_add_item(acc_ecn_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
5739 dissect_tcpopt_acc_ecn_data(tvb, offset, length - 2, kind == TCPOPT_ACC_ECN_0, pinfo, acc_ecn_tree, item, data);
5740 }
5742 }
5744 static int
5746 {
5757 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5769 optlen);
5773 }
5780 optlen);
5786 }
5796 }
5799 }
5803 }
5808 }
5810 }
5812 static int
5814 {
5825 {
5827 }
5830 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5838 }
5840 static int
5842 {
5854 {
5856 }
5859 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5864 proto_tree_add_item_ret_uint(exp_tree, hf_tcp_option_mss_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN, &mss);
5869 }
5871 /* The window scale extension is defined in RFC 1323 */
5872 static int
5874 {
5883 /* find the conversation for this TCP session and its stored data */
5893 length_item = proto_tree_add_item(wscale_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
5899 shift_pi = proto_tree_add_item_ret_uint(wscale_tree, hf_tcp_option_wscale_shift, tvb, offset, 1, ENC_BIG_ENDIAN, &shift);
5901 /* RFC 1323: "If a Window Scale option is received with a shift.cnt
5902 * value exceeding 14, the TCP should log the error but use 14 instead
5903 * of the specified value." */
5906 }
5919 }
5922 }
5924 static int
5926 {
5938 /*
5939 * SEQ analysis is the condition for both relative analysis obviously,
5940 * and SACK handling for the in-flight update
5941 */
5943 /* find the conversation for this TCP session and its stored data */
5950 }
5952 /*
5953 * initialize the number of SACK blocks to 0, it will be
5954 * updated some lines later
5955 */
5958 }
5959 }
5960 }
5962 /* Late discovery of a 'false' Window Update in presence of SACK option,
5963 * which means we are dealing with a Dup ACK rather than a Window Update.
5964 * Classify accordingly by removing the UPDATE and adding the DUP flags.
5965 * Mostly a copy/paste from tcp_analyze_sequence_number(), ensure consistency
5966 * whenever the latter changes.
5967 * see Issue #14937
5968 */
5971 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
5973 /* just ignore this DUPLICATE ACK */
5975 /* no initialization required of the tcpd->ta as this code would
5976 * be unreachable otherwise
5977 */
5986 }
5987 }
5988 }
6006 }
6016 }
6017 /* XXX - check whether it goes past end of packet */
6027 /* Store blocks for BiF analysis */
6028 if (tcp_analyze_seq && tcpd && tcpd->fwd->tcp_analyze_seq_info && tcp_track_bytes_in_flight && num_sack_ranges < MAX_TCP_SACK_RANGES) {
6032 }
6034 /* Update tap info */
6039 }
6043 }
6046 /* Show number of SACK ranges in this option as a generated field */
6051 /* RFC 2883 "An Extension to the Selective Acknowledgement (SACK) Option for TCP" aka "D-SACK"
6052 * Section 4
6053 * Conditions: Either the first sack-block is inside the already acknowledged range or
6054 * the first sack block is inside the second sack block.
6055 *
6056 * Maybe add later:
6057 * (1) A D-SACK block is only used to report a duplicate contiguous sequence of data received by
6058 * the receiver in the most recent packet.
6059 */
6065 )) {
6067 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_le, tvb, sackoffset, 4, leftedge,
6068 "D-SACK Left Edge = %u%s", leftedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6071 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_re, tvb, sackoffset+4, 4, rightedge,
6072 "D-SACK Right Edge = %u%s", rightedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6075 }
6078 }
6080 static int
6082 {
6107 }
6109 /* If set, do not put the TCP timestamp information on the summary line */
6112 static int
6114 {
6144 }
6150 proto_tree_add_uint_bits_format_value(syncookie_ti, hf_tcp_syncookie_option_timestamp, tvb, offset * 8,
6151 26, timestamp, ENC_TIME_SECS, "%s", abs_time_secs_to_str(pinfo->pool, timestamp, ABSOLUTE_TIME_LOCAL, true));
6152 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_ecn, tvb, offset * 8 + 26, 1, ENC_NA);
6153 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_sack, tvb, offset * 8 + 27, 1, ENC_NA);
6154 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_wscale, tvb, offset * 8 + 28, 4, ENC_NA);
6155 }
6158 }
6175 /* arbitrary assignment. Callers may override this */
6180 }
6183 /* will create necessary structure if fails to find a match on the token */
6195 /* if token already set for this meta */
6196 if( tcp_flow->mptcp_subflow->meta && (tcp_flow->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_TOKEN)) {
6198 }
6200 /* else look for a registered meta with this token */
6203 /* if token already registered than just share it across TCP connections */
6207 }
6209 /* we create it if this connection */
6211 /* don't care which meta to choose assign each meta to a direction */
6214 }
6217 /* already exists, thus some meta may already have been configured */
6220 }
6223 }
6226 }
6228 }
6235 }
6240 /* compute the meta id assigned to tcp_flow */
6243 /* computes the metaId tcpd->fwd should be assigned to */
6250 }
6252 /* setup from_key */
6253 static
6255 get_or_create_mptcpd_from_key(struct tcp_analysis* tcpd, tcp_flow_t *fwd, uint8_t version, uint64_t key, uint8_t hmac_algo _U_) {
6261 if(fwd->mptcp_subflow->meta && (fwd->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_KEY)) {
6263 }
6265 /* MPTCP v0 only standardizes SHA1, and v1 SHA256. */
6280 }
6282 /* record this mapping */
6283 static
6284 void analyze_mapping(struct tcp_analysis *tcpd, packet_info *pinfo, uint16_t len, uint64_t dsn, bool extended, uint32_t ssn) {
6286 /* store mapping only if analysis is enabled and mapping is not unlimited */
6289 }
6293 }
6295 /* register SSN range described by the mapping into a subflow interval_tree */
6308 mapping
6309 );
6310 }
6312 /*
6313 * The TCP Extensions for Multipath Operation with Multiple Addresses
6314 * are defined in RFC 6824
6315 *
6316 * https://tools.ietf.org/html/rfc6824
6317 *
6318 * Author: Andrei Maruseac <andrei.maruseac@intel.com>
6319 * Matthieu Coudron <matthieu.coudron@lip6.fr>
6320 *
6321 * This function just generates the mptcpheader, i.e. the generation of
6322 * datastructures is delayed/delegated to mptcp_analyze
6323 */
6324 static int
6326 {
6340 /* There may be several MPTCP options per packet, don't duplicate the structure */
6346 }
6351 /* seeing an MPTCP packet on the subflow automatically qualifies it as an mptcp subflow */
6354 }
6357 }
6373 proto_item_append_text(main_item, ": %s", val_to_str(subtype, mptcp_subtype_vs, "Unknown (%d)"));
6375 /** preemptively allocate mptcpd when subtype won't allow to find a meta */
6378 }
6389 ett_tcp_option_mptcp,
6391 ENC_BIG_ENDIAN);
6395 }
6398 }
6401 /* optlen == 12 => SYN or SYN/ACK; optlen == 20 => ACK;
6402 * optlen == 22 => ACK + data (v1 only);
6403 * optlen == 24 => ACK + data + csum (v1 only)
6404 */
6408 proto_tree_add_uint64(mptcp_tree, hf_tcp_option_mptcp_sender_key, tvb, offset, 8, mph->mh_key);
6411 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->fwd, version, mph->mh_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6422 /* last ACK of 3WHS, repeats both keys */
6431 /* compare the echoed key with the server key */
6434 }
6435 }
6437 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->rev, version, recv_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6438 }
6439 }
6441 /* MPTCP v1 ACK + data, contains data_len and optional checksum */
6443 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6449 }
6451 /* when data len is present, this MP_CAPABLE also carries an implicit mapping ... */
6452 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, tcpd->fwd->mptcp_subflow->meta->base_dsn + 1, true, tcph->th_seq);
6454 /* ... with optional checksum */
6456 {
6457 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6458 }
6459 }
6460 }
6467 }
6469 /* Syn */
6471 {
6474 ENC_BIG_ENDIAN);
6489 /* if the negotiated version is v1 the first key was exchanged on SYN/ACK packet: we must swap the meta */
6492 }
6497 }
6504 ENC_BIG_ENDIAN);
6530 }
6533 /* display only *raw* values since it is harder to guess a correct value than for TCP.
6534 One needs to enable mptcp_analysis to get more interesting data
6535 */
6544 ENC_BIG_ENDIAN);
6547 /* displays "raw" DataAck , ie does not convert it to its 64 bits form
6548 to do so you need to enable
6549 */
6554 /* 64bits ack */
6558 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 8, mph->mh_dss_rawack, "%" PRIu64 " (64bits)", mph->mh_dss_rawack);
6560 }
6561 /* 32bits ack */
6564 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 4, ENC_BIG_ENDIAN);
6566 }
6569 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dack64)) {
6573 }
6576 }
6578 /* ignore and continue */
6579 }
6581 }
6583 /* Mapping present */
6591 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 8, dsn, "%" PRIu64 " (64bits version)", dsn);
6593 /* if we have the opportunity to complete the 32 Most Significant Bits of the
6594 *
6595 */
6599 }
6603 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 4, dsn, "%" PRIu64 " (32bits version)", dsn);
6605 }
6608 proto_tree_add_item_ret_uint(mptcp_tree, hf_tcp_option_mptcp_subflow_seq_no, tvb, offset, 4, ENC_BIG_ENDIAN, &mph->mh_dss_ssn);
6611 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6617 }
6619 /* print head & tail dsn */
6621 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dsn)) {
6625 }
6628 }
6630 /* ignore and continue */
6631 }
6633 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, mph->mh_dss_rawdsn, mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES, mph->mh_dss_ssn);
6636 {
6637 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6638 }
6639 }
6648 else
6661 }
6667 }
6673 }
6678 }
6683 item = proto_tree_add_uint(mptcp_tree, hf_mptcp_number_of_removed_addresses, tvb, start_offset+2,
6691 }
6698 ENC_BIG_ENDIAN);
6704 }
6732 ENC_BIG_ENDIAN);
6735 ENC_BIG_ENDIAN);
6740 }
6744 /* if mptcpd just got allocated, remember the initial addresses
6745 * which will serve as identifiers for the conversation filter
6746 */
6752 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_src, &tcpd->fwd->mptcp_subflow->meta->ip_dst);
6753 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_dst, &tcpd->fwd->mptcp_subflow->meta->ip_src);
6757 }
6760 }
6763 }
6765 static int
6767 {
6790 }
6792 static int
6794 {
6816 }
6818 static int
6820 {
6839 }
6852 }
6854 static int
6856 {
6877 COL_ADD_LSTR_TERMINATOR);
6884 }
6886 static int
6888 {
6902 /* check direction and get ua lists */
6905 /* if the addresses are equal, match the ports instead */
6908 }
6912 else
6924 /* If the option length == 4, this is a real SCPS capability option
6925 * See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS Transport Protocol
6926 * (SCPS-TP)" Section 3.2.3 for definition.
6927 */
6947 struct capvec
6948 {
6958 };
6970 COL_ADD_LSTR_TERMINATOR);
6972 }
6973 }
6976 }
6986 /* The option length != 4, so this is an infamous "extended capabilities
6987 * option. See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
6988 * Transport Protocol (SCPS-TP)" Section 3.2.5 for definition.
6989 *
6990 * As the format of this option is only partially defined (it is
6991 * a community (or more likely vendor) defined format beyond that, so
6992 * at least for now, we only parse the standardized portion of the option.
6993 */
6999 /* There was no SCPS capabilities option preceding this */
7002 optlen);
7006 optlen);
7008 /* There may be multiple binding spaces included in a single option,
7009 * so we will semi-parse each of the stacked binding spaces - skipping
7010 * over the octets following the binding space identifier and length.
7011 */
7014 /* 1st octet is Extended Capability Binding Space */
7017 /* 2nd octet (upper 4-bits) has binding space length in 16-bit words.
7018 * As defined by the specification, this length is exclusive of the
7019 * octets containing the extended capability type and length
7020 */
7021 extended_cap_length =
7024 /* Convert the extended capabilities length into bytes for display */
7027 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding, tvb, offset + local_offset, 1, ENC_BIG_ENDIAN);
7028 proto_tree_add_uint(field_tree, hf_tcp_option_scps_binding_len, tvb, offset + local_offset + 1, 1, extended_cap_length);
7030 /* Step past the binding space and length octets */
7033 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding_data, tvb, offset + local_offset, extended_cap_length, ENC_NA);
7037 /* Step past the Extended capability data
7038 * Treat the extended capability data area as opaque;
7039 * If one desires to parse the extended capability data
7040 * (say, in a vendor aware build of wireshark), it would
7041 * be triggered here.
7042 */
7044 }
7045 }
7046 }
7049 }
7051 static int
7053 {
7071 proto_tree_add_item(field_tree, hf_tcp_option_user_to_granularity, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7073 proto_tree_add_item(field_tree, hf_tcp_option_user_to_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7077 }
7079 /* This is called for SYN+ACK packets and the purpose is to verify that
7080 * the SCPS capabilities option has been successfully negotiated for the flow.
7081 * If the SCPS capabilities option was offered by only one party, the
7082 * proactively set scps_capable attribute of the flow (set upon seeing
7083 * the first instance of the SCPS option) is revoked.
7084 */
7085 static void
7087 {
7096 }
7097 }
7098 }
7100 /* See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
7101 * Transport Protocol (SCPS-TP)" Section 3.5 for definition of the SNACK option
7102 */
7103 static int
7105 {
7132 /* The SNACK option reports missing data with a granularity of segments. */
7143 }
7145 /* To aid analysis, we can use a simple but generally effective heuristic
7146 * to report the most likely boundaries of the missing data. If the
7147 * flow is scps_capable, we track the maximum sized segment that was
7148 * acknowledged by the receiver and use that as the reporting granularity.
7149 * This may be different from the negotiated MTU due to PMTUD or flows
7150 * that do not send max-sized segments.
7151 */
7155 /* Scale the reported offset and hole size by the largest segment acked */
7167 proto_tree_add_expert_format(field_tree, pinfo, &ei_tcp_option_snack_sequence, tvb, offset+2, 4,
7168 "SNACK Sequence %u - %u%s", hole_start, hole_end, ((tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : ""));
7172 }
7175 }
7177 enum
7178 {
7182 PROBE_VERSION_MAX
7183 };
7185 /* Probe type definition. */
7186 enum
7187 {
7199 PROBE_TYPE_MAX
7200 };
7215 };
7217 #define PROBE_OPTLEN_OFFSET 1
7219 #define PROBE_VERSION_TYPE_OFFSET 2
7220 #define PROBE_V1_RESERVED_OFFSET 3
7221 #define PROBE_V1_PROBER_OFFSET 4
7222 #define PROBE_V1_APPLI_VERSION_OFFSET 8
7223 #define PROBE_V1_PROXY_ADDR_OFFSET 8
7224 #define PROBE_V1_PROXY_PORT_OFFSET 12
7225 #define PROBE_V1_SH_CLIENT_ADDR_OFFSET 8
7226 #define PROBE_V1_SH_PROXY_ADDR_OFFSET 12
7227 #define PROBE_V1_SH_PROXY_PORT_OFFSET 16
7229 #define PROBE_V2_INFO_OFFSET 3
7231 #define PROBE_V2_INFO_CLIENT_ADDR_OFFSET 4
7232 #define PROBE_V2_INFO_STOREID_OFFSET 4
7234 #define PROBE_VERSION_MASK 0x01
7236 /* Probe Query Extra Info flags */
7237 #define RVBD_FLAGS_PROBE_LAST 0x01
7238 #define RVBD_FLAGS_PROBE_NCFE 0x04
7240 /* Probe Response Extra Info flags */
7241 #define RVBD_FLAGS_PROBE_SERVER 0x01
7242 #define RVBD_FLAGS_PROBE_SSLCERT 0x02
7243 #define RVBD_FLAGS_PROBE 0x10
7246 {
7253 static void
7255 {
7262 }
7263 }
7265 static void
7266 rvbd_probe_resp_add_info(proto_item *pitem, packet_info *pinfo, tvbuff_t *tvb, int ip_offset, uint16_t port)
7267 {
7268 proto_item_append_text(pitem, ", Server Steelhead: %s:%u", tvb_ip_to_str(pinfo->pool, tvb, ip_offset), port);
7271 }
7273 static int
7275 {
7293 /* Bogus - option length is less than what it's supposed to be for
7294 this option. */
7297 TCPOLEN_RVBD_PROBE_MIN);
7299 }
7305 proto_item_append_text(pitem, ": %s", val_to_str_const(type, rvbd_probe_type_vs, "Probe Unknown"));
7321 proto_tree_add_item(field_tree, hf_tcp_option_rvbd_probe_reserved, tvb, offset + PROBE_V1_RESERVED_OFFSET, 1, ENC_BIG_ENDIAN);
7331 {
7335 ENC_BIG_ENDIAN);
7337 proto_item_append_text(pitem, ", CSH IP: %s", tvb_ip_to_str(pinfo->pool, tvb, offset + PROBE_V1_PROBER_OFFSET));
7339 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7341 {
7343 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7344 }
7349 }
7367 ENC_BIG_ENDIAN);
7378 }
7379 }
7392 /* Use version1 for filtering purposes because version2 packet
7393 value is 0, but filtering is usually done for value 2 */
7410 hf_tcp_option_rvbd_probe_flag_not_cfe,
7413 hf_tcp_option_rvbd_probe_flag_last_notify,
7417 {
7419 {
7420 rvbd_option_data* option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7422 {
7424 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7425 }
7428 }
7442 }
7449 }
7460 hf_tcp_option_rvbd_probe_flag_probe_cache,
7463 hf_tcp_option_rvbd_probe_flag_sslcert,
7466 hf_tcp_option_rvbd_probe_flag_server_connected,
7475 }
7476 }
7479 }
7491 };
7493 /* Trpy Flags */
7494 #define RVBD_FLAGS_TRPY_MODE 0x0001
7495 #define RVBD_FLAGS_TRPY_OOB 0x0002
7496 #define RVBD_FLAGS_TRPY_CHKSUM 0x0004
7497 #define RVBD_FLAGS_TRPY_FW_RST 0x0100
7498 #define RVBD_FLAGS_TRPY_FW_RST_INNER 0x0200
7499 #define RVBD_FLAGS_TRPY_FW_RST_PROBE 0x0400
7503 "Full Transparency"
7504 };
7506 static int
7508 {
7522 NULL
7523 };
7539 proto_tree_add_bitmask_with_flags(field_tree, tvb, offset + TRPY_OPTIONS_OFFSET, hf_tcp_option_rvbd_trpy_flags,
7560 /* Client port only set on SYN: optlen == 18 */
7565 /* Despite that we have the right TCP ports for other protocols,
7566 * the data is related to the Riverbed Optimization Protocol and
7567 * not understandable by normal protocol dissectors. If the sport
7568 * protocol is available then use that, otherwise just output it
7569 * as a hex-dump.
7570 */
7576 }
7582 }
7583 }
7586 }
7588 /* Started as a copy of dissect_ip_tcp_options(), but was changed to support
7589 options as a dissector table */
7590 static void
7594 {
7599 dissector_handle_t option_dissector;
7609 proto_tree_add_expert_format(opt_tree, pinfo, &ei_tcp_non_zero_bytes_after_eol, tvb, offset, length,
7612 }
7618 /* We assume that the only options with no length are EOL and
7619 NOP options, so that we can treat unknown options as having
7620 a minimum length of 2, and at least be able to move on to
7621 the next option by using the length in the option. */
7629 /* Count number of NOP in a row within a uint32 */
7630 nop_count++;
7634 }
7637 }
7640 }
7645 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s", proto_get_protocol_short_name(find_protocol_by_id(local_proto)));
7654 }
7656 /* Option has a length. Is it in the packet? */
7658 /* Bogus - packet must at least include option code byte and
7659 length byte! */
7663 }
7669 /* Bogus - option length is too short to include option code and
7670 option length. */
7676 /* Bogus - option goes past the end of the header. */
7681 }
7684 {
7687 {
7689 }
7697 }
7698 }
7701 {
7703 {
7705 }
7707 {
7709 }
7710 }
7711 }
7713 /* Determine if there is a sub-dissector and call it; return true
7714 if there was a sub-dissector, false otherwise.
7716 This has been separated into a stand alone routine to other protocol
7717 dissectors can call to it, e.g., SOCKS. */
7722 /* this function can be called with tcpd==NULL as from the msproxy dissector */
7723 bool
7727 {
7736 /* Don't call subdissectors for keepalives. Even though they do contain
7737 * payload "data", it's just garbage. Display any data the keepalive
7738 * packet might contain though.
7739 */
7745 }
7746 }
7751 /* Don't try to dissect a retransmission high chance that it will mess
7752 * subdissectors for protocols that require in-order delivery of the
7753 * PDUs. (i.e. DCE/RPCoverHTTP and encryption)
7754 * If OoO reassembly is enabled and if this segment was previously lost,
7755 * then this retransmission could have finished reassembly, so continue.
7756 * XXX should this option be removed? "tcp_reassemble_out_of_order"
7757 * should have addressed the above in-order requirement.
7758 */
7760 }
7766 /* determine if this packet is part of a conversation and call dissector */
7767 /* for the conversation if available */
7774 }
7776 /* If the user has manually configured one of the server, low, or high
7777 * ports to a dissector other than the default (via Decode As or the
7778 * preferences associated with Decode As), try those first, in that order.
7779 */
7783 if (dissector_try_uint_new(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7787 }
7789 /* The default; try it later */
7791 }
7792 }
7800 }
7805 if (dissector_try_uint_new(subdissector_table, low_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7809 }
7811 /* The default; try it later */
7813 }
7814 }
7819 if (dissector_try_uint_new(subdissector_table, high_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7823 }
7825 /* The default; try it later */
7827 }
7828 }
7831 /* do lookup with the heuristic subdissector table */
7832 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
7836 }
7837 }
7839 /* Do lookups with the subdissector table.
7840 Try the server port captured on the SYN or SYN|ACK packet. After that
7841 try the port number with the lower value first, followed by the
7842 port number with the higher value. This means that, for packets
7843 where a dissector is registered for *both* port numbers:
7845 1) we pick the same dissector for traffic going in both directions;
7847 2) we prefer the port number that's more likely to be the right
7848 one (as that prefers well-known ports to reserved ports);
7850 although there is, of course, no guarantee that any such strategy
7851 will always pick the right port number.
7853 XXX - we ignore port numbers of 0, as some dissectors use a port
7854 number of 0 to disable the port. */
7857 dissector_try_uint_new(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7861 }
7868 }
7874 }
7877 /* do lookup with the heuristic subdissector table */
7878 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
7882 }
7883 }
7885 /*
7886 * heuristic / conversation / port registered dissectors rejected the packet;
7887 * make sure they didn't also request desegmentation (we could just override
7888 * the request, but rejecting a packet *and* requesting desegmentation is a sign
7889 * of the dissector's code needing clearer thought, so we fail so that the
7890 * problem is made more obvious).
7891 */
7895 /* Oh, well, we don't know this; dissect it as data. */
7906 }
7908 }
7910 static void
7915 {
7918 TRY {
7920 /*qqq see if it is an unaligned PDU */
7925 }
7926 }
7927 }
7928 /* if offset is -1 this means that this segment is known
7929 * to be fully inside a previously detected pdu
7930 * so we don't even need to try to dissect it either.
7931 */
7935 /*
7936 * We succeeded in handing off to a subdissector.
7937 *
7938 * Is this a TCP segment or a reassembled chunk of
7939 * TCP payload?
7940 */
7942 /* if !visited, check want_pdu_tracking and
7943 store it in table */
7948 pinfo,
7949 seq,
7952 }
7953 }
7954 }
7955 }
7956 }
7957 CATCH_ALL {
7958 /* We got an exception. At this point the dissection is
7959 * completely aborted and execution will be transferred back
7960 * to (probably) the frame dissector.
7961 * Here we have to place whatever we want the dissector
7962 * to do before aborting the tcp dissection.
7963 */
7964 /*
7965 * Is this a TCP segment or a reassembled chunk of TCP
7966 * payload?
7967 */
7969 /*
7970 * It's from a TCP segment.
7971 *
7972 * if !visited, check want_pdu_tracking and store it
7973 * in table
7974 */
7978 seq,
7981 }
7982 }
7983 }
7984 RETHROW;
7985 }
7986 ENDTRY;
7987 }
7989 void
7994 {
8003 /* Can we desegment this segment? */
8005 /* Yes. */
8009 /* No - just call the subdissector.
8010 Mark this as fragmented, so if somebody throws an exception,
8011 we don't report it as a malformed frame. */
8018 }
8019 }
8021 static bool
8022 capture_tcp(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header)
8023 {
8040 }
8050 /* We've at least identified one type of packet, so this shouldn't be "other" */
8052 }
8062 {
8066 }
8068 static int
8070 {
8118 }
8129 /* If we're dissecting the headers of a TCP packet in an ICMP packet
8130 * then go ahead and put the sequence numbers in the tree now (because
8131 * they won't be put in later because the ICMP packet only contains up
8132 * to the sequence number).
8133 * We should only need to do this for IPv4 since IPv6 will hopefully
8134 * carry enough TCP payload for this dissector to put the sequence
8135 * numbers in via the regular code path.
8136 */
8137 {
8145 }
8146 }
8147 }
8148 }
8150 /* Set the source and destination port numbers as soon as we get them,
8151 so that they're available to the "Follow TCP Stream" code even if
8152 we throw an exception dissecting the rest of the TCP header. */
8157 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_sport));
8158 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_dport));
8168 /* find(or create if needed) the conversation for this tcp session
8169 * This is a slight deviation from find_or_create_conversation so it's
8170 * done manually. This is done to avoid conversation overlapping when
8171 * reusing ports (see issue 15097), as find_or_create_conversation automatically
8172 * extends the conversation found. This extension is done later.
8173 */
8179 }
8184 /* If this is a SYN packet, then check if its seq-nr is different
8185 * from the base_seq of the retrieved conversation. If this is the
8186 * case, create a new conversation with the same addresses and ports
8187 * and set the TA_PORTS_REUSED flag. (XXX: There is a small chance
8188 * that this is an old duplicate SYN received after the connection
8189 * is ESTABLISHED on both sides, the other side will respond with
8190 * an appropriate ACK, and this SYN ought to be ignored rather than
8191 * create a new conversation.)
8192 *
8193 * If the seq-nr is the same as the base_seq, it might be a simple
8194 * retransmission, reattempting a handshake that was reset (due
8195 * to a half-open connection) with the same sequence number, or
8196 * (unlikely) a new connection that happens to use the same sequence
8197 * number as the previous one (#18333).
8198 *
8199 * If we have received a RST or FIN on the retrieved conversation,
8200 * we can detect that unlikely case, and create a new conversation
8201 * in order to clear out the follow info, sequence analysis,
8202 * desegmentation, etc.
8203 * If not, it's probably a retransmission, and will be marked
8204 * as one later, but restore some flow values to reduce the
8205 * sequence analysis warnings if our capture file is missing a RST
8206 * or FIN segment that was present on the network.
8207 *
8208 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8209 */
8212 if(tcph->th_seq!=tcpd->fwd->base_seq || (tcpd->conversation_completeness & TCP_COMPLETENESS_RST) || (tcpd->conversation_completeness & TCP_COMPLETENESS_FIN)) {
8220 /* As above, a new conversation starting with a SYN implies conversation completeness value 1 */
8223 /*
8224 * Sometimes we need to restore the nextseq value.
8225 * As stated in RFC 793 3.4 a RST packet might be
8226 * sent with SEQ being equal to the ACK received,
8227 * thus breaking our flow monitoring. (issue 17616)
8228 */
8231 }
8235 }
8237 /*
8238 * TCP_S_BASE_SEQ_SET being not set, we are dealing with a new conversation,
8239 * either created ad hoc above (general case), or by a higher protocol such as FTP.
8240 * Track this information, as the Completeness value will be initialized later.
8241 * See issue 19092.
8242 */
8244 }
8245 tcpd->had_acc_ecn_setup_syn = (tcph->th_flags & (TH_AE|TH_CWR|TH_ECE)) == (TH_AE|TH_CWR|TH_ECE);
8246 }
8248 /* Handle cases of a SYN/ACK packet where there's evidence of a new
8249 * conversation but the capture is missing the SYN packet of the
8250 * new conversation.
8251 *
8252 * If this is a SYN/ACK packet, then check if its seq-nr is different
8253 * from the base_seq of the retrieved conversation. If this is the
8254 * case, create a new conversation as above with a SYN packet, and set
8255 * the TA_PORTS_REUSED flag and override the base seq.
8256 * If the seq-nr is the same as the base_seq, then do nothing so it
8257 * will be marked as a retransmission later, unless we have received
8258 * a RST or FIN on the conversation (in which case this is the case
8259 * of a RST followed by the same initial sequence number being picked.)
8260 *
8261 * If this is an unacceptable SYN-ACK and the other side believes that
8262 * the conversation is ESTABLISHED, it will be replied to with an
8263 * empty ACK with the current sequence number (according to the other
8264 * side.) See RFC 9293 3.5.2. This *probably* leads to a situation where
8265 * the side sending this SYN-ACK then issues a RST, because the two
8266 * sides have different ideas about the connection state. It's not clear
8267 * how to handle the annoying edge case where A sends a SYN, B responds
8268 * with a SYN-ACK that A intends to accept, but before A can finish
8269 * the handshake B responds with another SYN-ACK _with a different seq-nr_
8270 * instead of retransmitting, then A responds accepting the first SYN-ACK,
8271 * and then B goes on happily using the sequence number from the first
8272 * SYN-ACK, forgetting all about the second one it sent instead of sending
8273 * a RST. In such a case we'll have changed the seq-nr to the new one
8274 * and/or set up a new conversation instead of just ignoring that SYN-ACK.
8275 *
8276 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8277 */
8283 /* the retrieved conversation might have a different base_seq (issue 16944) */
8292 /* As above, a new conversation */
8294 }
8297 }
8299 /* Do we need to calculate timestamps relative to the tcp-stream? */
8301 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8303 /* Calculate the timestamps relative to this conversation */
8305 }
8306 }
8316 }
8318 /* Display the completeness of this TCP conversation */
8326 NULL};
8335 item = proto_tree_add_string(field_tree, hf_tcp_completeness_str, tvb, 0, 0, flags_str_first_letter);
8338 /* Copy the stream index into the header as well to make it available
8339 * to tap listeners.
8340 */
8343 /* Copy the stream index into pinfo as well to make it available
8344 * to callback functions (essentially conversation following events in GUI)
8345 */
8348 /* initialize the SACK blocks seen to 0 */
8351 }
8352 }
8354 /* is there any manual analysis waiting ? */
8356 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8358 }
8360 /* We have have the absolute sequence numbers (we would have thrown an
8361 * exception if not) and tcpd, so set relative sequence numbers now. */
8363 /* XXX - Why not in an error packet? */
8365 /* initialize base_seq numbers if needed */
8367 /* if this is the first segment for this list we need to store the
8368 * base_seq
8369 * We use TCP_S_SAW_SYN/SYNACK to distinguish between client and server
8370 *
8371 * Start relative seq and ack numbers at 1 if this
8372 * is not a SYN packet. This makes the relative
8373 * seq/ack numbers to be displayed correctly in the
8374 * event that the SYN or SYN/ACK packet is not seen
8375 * (this solves bug 1542)
8376 */
8381 }
8384 }
8386 }
8388 /* Only store reverse sequence if this isn't the SYN
8389 * There's no guarantee that the ACK field of a SYN
8390 * contains zeros; get the ISN from the first segment
8391 * with the ACK bit set instead (usually the SYN/ACK).
8392 *
8393 * If the SYN and SYN/ACK were received out-of-order,
8394 * the ISN is ack-1. If we missed the SYN/ACK, but got
8395 * the last ACK of the 3WHS, the ISN is ack-1. For all
8396 * other packets the ISN is unknown, so ack-1 is
8397 * as good a guess as ack.
8398 */
8402 }
8403 }
8408 }
8409 }
8410 }
8412 /*
8413 * If we've been handed an IP fragment, we don't know how big the TCP
8414 * segment is, so don't do anything that requires that we know that.
8415 *
8416 * The same applies if we're part of an error packet. (XXX - if the
8417 * ICMP and ICMPv6 dissectors could set a "this is how big the IP
8418 * header says it is" length in the tvbuff, we could use that; such
8419 * a length might also be useful for handling packets where the IP
8420 * length is bigger than the actual data available in the frame; the
8421 * dissectors should trust that length, and then throw a
8422 * ReportedBoundsError exception when they go past the end of the frame.)
8423 *
8424 * We also can't determine the segment length if the reported length
8425 * of the TCP packet is less than the TCP header length.
8426 */
8432 "Short segment. Segment/fragment does not contain a full TCP header"
8438 /* Compute the length of data in this segment. */
8445 /* handle TCP seq# analysis parse all new segments we see */
8446 /* We need the window size to perform sequence analysis.
8447 * (Zero is a possible value treated specially. */
8450 /* Get it on every pass so that dissection is the same. */
8454 tcp_analyze_sequence_number(pinfo, tcph->th_rawseq, tcph->th_rawack, tcph->th_seglen, tcph->th_flags, tcph->th_win, tcpd, tcppd);
8455 }
8456 }
8458 /* Compute the sequence number of next octet after this segment. */
8460 }
8464 /*
8465 * Decode the ECN related flags as ACE if it is not a SYN segment,
8466 * and an AccECN-setup SYN and SYN ACK have been observed, or an
8467 * AccECN option was observed (this covers the case where Wireshark
8468 * did not observe the initial handshake).
8469 */
8479 COL_ADD_LSTR_TERMINATOR);
8486 }
8490 proto_tree_add_uint_format_value(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "%u (relative sequence number)", tcph->th_seq);
8496 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_time, tvb, (offset + 4) * 8, 5, ENC_NA);
8497 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_mss, tvb, (offset + 4) * 8 + 5, 3, ENC_NA);
8499 }
8503 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_seq_abs, tvb, offset + 4, 4, tcph->th_rawseq);
8505 }
8506 }
8509 /* Give up at this point; we put the source and destination port in
8510 the tree, before fetching the header length, so that they'll
8511 show up if this is in the failing packet in an ICMP error packet,
8512 but it's now time to give up if the header length is bogus. */
8516 tf = proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8521 }
8523 /* Now we certainly have enough information to be willing to send
8524 * the header information to the tap. The options can add information
8525 * about the SACKs, but the other taps don't really *require* that.
8526 * Add a CLEANUP function so that the tap_queue_packet gets called
8527 * if any exception is thrown.
8528 *
8529 * XXX - We haven't necessarily retrieved the window size yet. We'll
8530 * try to do so before sending it to the tap, but if the header is
8531 * truncated to 14 octets, the taps will receive a window size of 0.
8532 * Can they handle it with minimal problems?
8533 */
8540 /* initialize or move forward the conversation completeness */
8547 }
8548 }
8549 }
8551 /* Explicitly and immediately move forward the conversation last_frame,
8552 * although it would one way or another be changed later
8553 * in the conversation helper functions.
8554 */
8558 }
8559 }
8562 }
8564 /* SYN-ACK */
8567 }
8569 /* ACKs */
8573 }
8576 }
8577 }
8579 /* FIN-ACK */
8582 }
8584 /* RST */
8585 /* XXX: A RST segment should be validated (RFC 9293 3.5.3),
8586 * and if not valid should not change the conversation state.
8587 */
8590 }
8592 /* Store the completeness at the conversation level,
8593 * both as numerical and as Flag First Letters string, to avoid
8594 * computing many times the same thing.
8595 */
8599 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8600 }
8601 }
8604 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8605 }
8606 }
8611 }
8614 }
8619 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq + 1, "%u (relative sequence number)", nxtseq + 1);
8621 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq, "%u (relative sequence number)", nxtseq);
8622 }
8628 }
8629 }
8631 }
8634 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_ack_abs, tvb, offset + 8, 4, tcph->th_rawack);
8640 }
8647 }
8648 }
8650 /* Note if the ACK field is non-zero */
8653 }
8654 }
8657 // This should be consistent with ip.hdr_len.
8658 proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8671 ace);
8676 }
8680 tf_rst = proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
8681 tf_syn = proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
8682 tf_fin = proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
8684 tf = proto_tree_add_string(field_tree, hf_tcp_flags_str, tvb, offset + 12, 2, flags_str_first_letter);
8686 }
8692 /* Save the server port to help determine dissector used */
8694 }
8698 /* Save the server port to help determine dissector used */
8701 }
8702 /* Remember where the next segment will start. */
8706 }
8707 }
8708 /* Initialize the is_first_ack */
8710 }
8712 /* XXX - find a way to know the server port and output only that one */
8715 /* Track closing initiator.
8716 If it was not already closed by the reverse flow, it means we are the first */
8722 }
8723 }
8725 /* XXX - find a way to know the server port and output only that one */
8728 }
8733 /* If all of the following:
8734 * - we care (the pref is set)
8735 * - this is a pure ACK
8736 * - we have a timestamp for the most-recently-transmitted SYN
8737 * - we haven't seen a pure ACK yet (no ts_first_rtt stored)
8738 * then assume it's the last part of the handshake and store the initial
8739 * RTT time
8740 */
8742 }
8744 /*
8745 * Remember if we have already seen at least one ACK,
8746 * then we can neutralize the Window Scale side-effect at the beginning (issue 14690)
8747 */
8752 }
8753 }
8757 /* re-calculate window size based on scaling factor */
8761 }
8763 /* i.e. Unknown, but wasn't signalled with no scaling, so use preference setting instead! */
8766 }
8767 }
8768 }
8773 /* As discussed in bug 5541, it is better to use two separate
8774 * fields for the real and calculated window size.
8775 */
8778 /* Check if the window value of this reset packet is in the NetScaler error code range */
8779 const char *tcp_ns_reset_window_error_descr = try_val_to_str(real_window, netscaler_reset_window_error_code_vals);
8784 }
8785 }
8786 scaled_pi = proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win);
8793 /* Unknown */
8794 {
8798 /* Use preference setting (if set) */
8802 }
8804 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2,
8806 win_scale,
8809 }
8813 /* No window scaling used */
8814 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, tcpd->fwd->win_scale, "%d (no window scaling used)", tcpd->fwd->win_scale);
8819 /* Scaling from signalled value */
8820 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, 1<<tcpd->fwd->win_scale, "%d", 1<<tcpd->fwd->win_scale);
8822 }
8823 }
8824 }
8826 /* Supply the sequence number of the first byte and of the first byte
8827 after the segment. */
8832 /* Assume we'll pass un-reassembled data to subdissectors. */
8835 /*
8836 * Assume, initially, that we can't desegment.
8837 */
8841 /* The packet isn't part of an un-reassembled fragmented datagram
8842 and isn't truncated. This means we have all the data, and thus
8843 can checksum it and, unless it's being returned in an error
8844 packet, are willing to allow subdissectors to request reassembly
8845 on it. */
8848 /* We haven't turned checksum checking off; checksum it. */
8850 /* Set up the fields of the pseudo-header. */
8867 /* TCP runs only atop IPv4 and IPv6.... */
8870 }
8871 /* See discussion in packet-udp.c of partial checksums used in
8872 * checksum offloading in Linux and Windows (and possibly others.)
8873 */
8886 /* XXX - What should this special status be? */
8894 /* Checksum is treated as valid on most systems, so we're willing to desegment it. */
8900 /* Don't use PROTO_CHECKSUM_IN_CKSUM because we expect the value
8901 * to match what we pass in. */
8902 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, g_htons(partial_cksum),
8904 proto_item_append_text(item, " (matches partial checksum, not 0x%04x, likely caused by \"TCP checksum offload\")", shouldbe_cksum);
8907 /* XXX Add a new status, e.g. PROTO_CHECKSUM_E_PARTIAL? */
8909 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, computed_cksum,
8911 }
8917 /* Checksum is valid, so we're willing to desegment it. */
8923 /* Checksum is invalid, so we're not willing to desegment it. */
8927 }
8928 }
8930 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
8933 /* We didn't check the checksum, and don't care if it's valid,
8934 so we're willing to desegment it. */
8936 }
8938 /* We don't have all the packet data, so we can't checksum it... */
8939 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
8942 /* ...and aren't willing to desegment it. */
8944 }
8947 /* We're willing to desegment this. Is desegmentation enabled? */
8949 /* Yes - is this segment being returned in an error packet? */
8951 /* No - indicate that we will desegment.
8952 We do NOT want to desegment segments returned in error
8953 packets, as they're not part of a TCP connection. */
8955 }
8956 }
8957 }
8959 item = proto_tree_add_item_ret_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, ENC_BIG_ENDIAN, &th_urp);
8962 /* Export the urgent pointer, for the benefit of protocols such as
8963 rlogin. */
8968 /* Note if the urgent pointer field is non-zero */
8970 }
8971 }
8976 /* If there's more than just the fixed-length header (20 bytes), create
8977 a protocol tree item for the options. (We already know there's
8978 not less than the fixed-length header - we checked that above.)
8980 We ensure that we don't throw an exception here, so that we can
8981 do some analysis before we dissect the options and possibly
8982 throw an exception. (Trying to avoid throwing an exception when
8983 dissecting options is not something we should do.) */
8995 }
8996 }
9000 /* handle conversation timestamps */
9003 }
9005 /* Now dissect the options. */
9013 /* Do some post evaluation of some Riverbed probe options in the list */
9014 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
9016 {
9018 {
9019 /* Distinguish S+ from S+* */
9023 }
9024 }
9026 }
9028 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
9032 /* May need to recover absolute values here... */
9037 }
9038 }
9040 }
9044 /* Check the validity of the window scale value
9045 */
9047 }
9050 /* If the SYN or the SYN+ACK offered SCPS capabilities,
9051 * validate the flow's bidirectional scps capabilities.
9052 * The or protects against broken implementations offering
9053 * SCPS capabilities on SYN+ACK even if it wasn't offered with the SYN
9054 */
9057 }
9059 }
9060 }
9066 }
9067 }
9069 /* Skip over header + options */
9072 /* Check the packet length to see if there's more data
9073 (it could be an ACK-only packet) */
9085 }
9086 }
9088 /* Nothing more to add to tcph, go ahead and send to the taps. */
9089 CLEANUP_CALL_AND_POP;
9091 /* if it is an MPTCP packet */
9094 }
9096 /* If we're reassembling something whose length isn't known
9097 * beforehand, and that runs all the way to the end of
9098 * the data stream, a FIN indicates the end of the data
9099 * stream and thus the completion of reassembly, so we
9100 * need to explicitly check for that here.
9101 */
9107 /* Is this the FIN that ended the data stream or is it a
9108 * retransmission of that FIN?
9109 */
9111 /* Either we haven't seen a FIN for this flow or we
9112 * have and it's this frame. Note that this is the FIN
9113 * for this flow, terminate reassembly and dissect the
9114 * results. */
9116 msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, tcph->th_seq);
9125 if(ipfd_head && ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
9128 /* create a new TVB structure for desegmented data
9129 * datalen-1 to strip the dummy FIN byte off
9130 */
9133 /* add desegmented data to the data source list */
9136 /* Show details of the reassembly */
9139 /* call the payload dissector
9140 * but make sure we don't offer desegmentation any more
9141 */
9144 process_tcp_payload(next_tvb, 0, pinfo, tree, tcp_tree, tcph->th_sport, tcph->th_dport, tcph->th_seq,
9148 }
9149 }
9151 /* Yes. This is a retransmission of the final FIN (or it's
9152 * the final FIN transmitted via a different path).
9153 * XXX - we need to flag retransmissions a bit better.
9154 */
9156 }
9157 }
9159 if (tcp_display_process_info && tcpd && ((tcpd->fwd && tcpd->fwd->process_info && tcpd->fwd->process_info->command) ||
9161 field_tree = proto_tree_add_subtree(tcp_tree, tvb, offset, 0, ett_tcp_process_info, &ti, "Process Information");
9164 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_uid, tvb, 0, 0, tcpd->fwd->process_info->process_uid);
9165 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_pid, tvb, 0, 0, tcpd->fwd->process_info->process_pid);
9166 proto_tree_add_string(field_tree, hf_tcp_proc_dst_uname, tvb, 0, 0, tcpd->fwd->process_info->username);
9167 proto_tree_add_string(field_tree, hf_tcp_proc_dst_cmd, tvb, 0, 0, tcpd->fwd->process_info->command);
9168 }
9170 proto_tree_add_uint(field_tree, hf_tcp_proc_src_uid, tvb, 0, 0, tcpd->rev->process_info->process_uid);
9171 proto_tree_add_uint(field_tree, hf_tcp_proc_src_pid, tvb, 0, 0, tcpd->rev->process_info->process_pid);
9172 proto_tree_add_string(field_tree, hf_tcp_proc_src_uname, tvb, 0, 0, tcpd->rev->process_info->username);
9173 proto_tree_add_string(field_tree, hf_tcp_proc_src_cmd, tvb, 0, 0, tcpd->rev->process_info->command);
9174 }
9175 }
9177 /*
9178 * XXX - what, if any, of this should we do if this is included in an
9179 * error packet? It might be nice to see the details of the packet
9180 * that caused the ICMP error, but it might not be nice to have the
9181 * dissector update state based on it.
9182 * Also, we probably don't want to run TCP taps on those packets.
9183 */
9186 /*
9187 * RFC1122 says:
9188 *
9189 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
9190 *
9191 * A TCP SHOULD allow a received RST segment to include data.
9192 *
9193 * DISCUSSION
9194 * It has been suggested that a RST segment could contain
9195 * ASCII text that encoded and explained the cause of the
9196 * RST. No standard has yet been established for such
9197 * data.
9198 *
9199 * so for segments with RST we just display the data as text.
9200 */
9201 proto_tree_add_item(tcp_tree, hf_tcp_reset_cause, tvb, offset, captured_length_remaining, ENC_NA|ENC_ASCII);
9203 /* When we have a frame with TCP SYN bit set and segmented TCP payload we need
9204 * to increment seq and nxtseq to detect the overlapping byte(s). This is to fix Bug 9882.
9205 */
9212 }
9213 }
9214 }
9216 }
9218 static void
9220 {
9223 /* MPTCP init */
9226 }
9228 void
9230 {
9313 // "Data Offset" in https://tools.ietf.org/html/rfc793#section-3.1 and
9314 // "Data offset" in https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
9375 /* 32 bits so we can present some values adjusted to window scaling */
9389 { "Checksum Status", "tcp.checksum.status", FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
9413 { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_DUP_ACK), 0x0,
9417 { "This is a continuation to the PDU in frame", "tcp.continuation_to", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9425 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_ACK), 0x0,
9433 { "Bytes sent since last PSH flag", "tcp.analysis.push_bytes_sent", FT_UINT32, BASE_DEC, NULL, 0x0,
9437 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
9449 { "RTO based on delta from frame", "tcp.analysis.rto_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9461 { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9465 { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9506 BASE_DEC, NULL, 0x0, "Length of this TCP option in bytes (including kind and length fields)", HFILL }},
9597 { "Do not attempt to establish new subflows to this address and port", "tcp.options.mptcp.nomoresubflows.flag", FT_UINT8,
9617 { "Data Sequence Number, Subflow Sequence Number, Data-level Length, Checksum present", "tcp.options.mptcp.dseqnpresent.flag", FT_UINT8,
9936 RVBD_FLAGS_TRPY_FW_RST_PROBE,
9938 HFILL }},
9943 RVBD_FLAGS_TRPY_FW_RST_INNER,
9944 "Reset state created by transparent inner on all firewalls"
9946 HFILL }},
9951 RVBD_FLAGS_TRPY_FW_RST,
9952 "Reset state created by probe on all firewalls before "
9999 { "Time until the last segment of this PDU", "tcp.pdu.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10011 { "Time since first frame in this TCP stream", "tcp.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10015 { "Time since previous frame in this TCP stream", "tcp.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10067 { "Retransmission of FIN from frame", "tcp.fin_retransmission", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
10087 { "SYN Cookie Timestamp", "tcp.options.timestamp.tsval.syncookie.timestamp", FT_UINT32, BASE_DEC, NULL, 0x0,
10091 { "SYN Cookie ECN", "tcp.options.timestamp.tsval.syncookie.ecn", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10095 { "SYN Cookie SACK", "tcp.options.timestamp.tsval.syncookie.sack", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10099 { "SYN Cookie WScale", "tcp.options.timestamp.tsval.syncookie.wscale", FT_UINT8, BASE_DEC, NULL, 0x0,
10103 { "NetScaler TCP Reset Window Error Code", "tcp.nstrace.rst.window_error_code", FT_STRING, BASE_NONE, NULL, 0x0,
10105 };
10146 &ett_tcp_syncookie_option
10147 };
10151 &ett_mptcp_analysis_subflows
10152 };
10172 };
10181 };
10184 { &ei_tcp_opt_len_invalid, { "tcp.option.len.invalid", PI_SEQUENCE, PI_NOTE, "Invalid length for option", EXPFILL }},
10185 { &ei_tcp_analysis_retransmission, { "tcp.analysis.retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) retransmission", EXPFILL }},
10186 { &ei_tcp_analysis_fast_retransmission, { "tcp.analysis.fast_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) fast retransmission", EXPFILL }},
10187 { &ei_tcp_analysis_spurious_retransmission, { "tcp.analysis.spurious_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) spurious retransmission", EXPFILL }},
10188 { &ei_tcp_analysis_out_of_order, { "tcp.analysis.out_of_order", PI_SEQUENCE, PI_WARN, "This frame is a (suspected) out-of-order segment", EXPFILL }},
10189 { &ei_tcp_analysis_reused_ports, { "tcp.analysis.reused_ports", PI_SEQUENCE, PI_NOTE, "A new tcp session is started with the same ports as an earlier session in this trace", EXPFILL }},
10190 { &ei_tcp_analysis_lost_packet, { "tcp.analysis.lost_segment", PI_SEQUENCE, PI_WARN, "Previous segment(s) not captured (common at capture start)", EXPFILL }},
10191 { &ei_tcp_analysis_ack_lost_packet, { "tcp.analysis.ack_lost_segment", PI_SEQUENCE, PI_WARN, "ACKed segment that wasn't captured (common at capture start)", EXPFILL }},
10192 { &ei_tcp_analysis_window_update, { "tcp.analysis.window_update", PI_SEQUENCE, PI_CHAT, "TCP window update", EXPFILL }},
10193 { &ei_tcp_analysis_window_full, { "tcp.analysis.window_full", PI_SEQUENCE, PI_WARN, "TCP window specified by the receiver is now completely full", EXPFILL }},
10194 { &ei_tcp_analysis_keep_alive, { "tcp.analysis.keep_alive", PI_SEQUENCE, PI_NOTE, "TCP keep-alive segment", EXPFILL }},
10195 { &ei_tcp_analysis_keep_alive_ack, { "tcp.analysis.keep_alive_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP keep-alive segment", EXPFILL }},
10196 { &ei_tcp_analysis_duplicate_ack, { "tcp.analysis.duplicate_ack", PI_SEQUENCE, PI_NOTE, "Duplicate ACK", EXPFILL }},
10197 { &ei_tcp_analysis_zero_window_probe, { "tcp.analysis.zero_window_probe", PI_SEQUENCE, PI_NOTE, "TCP Zero Window Probe", EXPFILL }},
10198 { &ei_tcp_analysis_zero_window, { "tcp.analysis.zero_window", PI_SEQUENCE, PI_WARN, "TCP Zero Window segment", EXPFILL }},
10199 { &ei_tcp_analysis_zero_window_probe_ack, { "tcp.analysis.zero_window_probe_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP Zero Window Probe", EXPFILL }},
10200 { &ei_tcp_analysis_tfo_syn, { "tcp.analysis.tfo_syn", PI_SEQUENCE, PI_NOTE, "TCP SYN with TFO Cookie", EXPFILL }},
10201 { &ei_tcp_analysis_tfo_ack, { "tcp.analysis.tfo_ack", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK accepting TFO data", EXPFILL }},
10202 { &ei_tcp_analysis_tfo_ignored, { "tcp.analysis.tfo_ignored", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK ignoring TFO data", EXPFILL }},
10203 { &ei_tcp_analysis_partial_ack, { "tcp.analysis.partial_ack", PI_SEQUENCE, PI_NOTE, "Partial Acknowledgement of a segment", EXPFILL }},
10204 { &ei_tcp_connection_fin_active, { "tcp.connection.fin_active", PI_SEQUENCE, PI_NOTE, "This frame initiates the connection closing", EXPFILL }},
10205 { &ei_tcp_connection_fin_passive, { "tcp.connection.fin_passive", PI_SEQUENCE, PI_NOTE, "This frame undergoes the connection closing", EXPFILL }},
10206 { &ei_tcp_scps_capable, { "tcp.analysis.scps_capable", PI_SEQUENCE, PI_NOTE, "Connection establish request (SYN-ACK): SCPS Capabilities Negotiated", EXPFILL }},
10207 { &ei_tcp_option_sack_dsack, { "tcp.options.sack.dsack", PI_SEQUENCE, PI_WARN, "D-SACK Sequence", EXPFILL }},
10208 { &ei_tcp_option_snack_sequence, { "tcp.options.snack.sequence", PI_SEQUENCE, PI_NOTE, "SNACK Sequence", EXPFILL }},
10209 { &ei_tcp_option_wscale_shift_invalid, { "tcp.options.wscale.shift.invalid", PI_PROTOCOL, PI_WARN, "Window scale shift exceeds 14", EXPFILL }},
10210 { &ei_tcp_option_mss_absent, { "tcp.options.mss.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a MSS option", EXPFILL }},
10211 { &ei_tcp_option_mss_present, { "tcp.options.mss.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a MSS option", EXPFILL }},
10212 { &ei_tcp_option_sack_perm_absent, { "tcp.options.sack_perm.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a SACK PERM option", EXPFILL }},
10213 { &ei_tcp_option_sack_perm_present, { "tcp.options.sack_perm.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a SACK PERM option", EXPFILL }},
10214 { &ei_tcp_short_segment, { "tcp.short_segment", PI_MALFORMED, PI_WARN, "Short segment", EXPFILL }},
10215 { &ei_tcp_ack_nonzero, { "tcp.ack.nonzero", PI_PROTOCOL, PI_NOTE, "The acknowledgment number field is nonzero while the ACK flag is not set", EXPFILL }},
10216 { &ei_tcp_connection_synack, { "tcp.connection.synack", PI_SEQUENCE, PI_CHAT, "Connection establish acknowledge (SYN+ACK)", EXPFILL }},
10217 { &ei_tcp_connection_syn, { "tcp.connection.syn", PI_SEQUENCE, PI_CHAT, "Connection establish request (SYN)", EXPFILL }},
10218 { &ei_tcp_connection_fin, { "tcp.connection.fin", PI_SEQUENCE, PI_CHAT, "Connection finish (FIN)", EXPFILL }},
10219 /* According to RFCs, RST is an indication of an error. Some applications use it
10220 * to terminate a connection as well, which is a misbehavior (see e.g. rfc3360)
10221 */
10222 { &ei_tcp_connection_rst, { "tcp.connection.rst", PI_SEQUENCE, PI_WARN, "Connection reset (RST)", EXPFILL }},
10223 { &ei_tcp_checksum_ffff, { "tcp.checksum.ffff", PI_CHECKSUM, PI_WARN, "TCP Checksum 0xffff instead of 0x0000 (see RFC 1624)", EXPFILL }},
10224 { &ei_tcp_checksum_partial, { "tcp.checksum.partial", PI_CHECKSUM, PI_NOTE, "Partial (pseudo header) checksum (likely caused by \"TCP checksum offload\")", EXPFILL }},
10225 { &ei_tcp_checksum_bad, { "tcp.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
10226 { &ei_tcp_urgent_pointer_non_zero, { "tcp.urgent_pointer.non_zero", PI_PROTOCOL, PI_NOTE, "The urgent pointer field is nonzero while the URG flag is not set", EXPFILL }},
10227 { &ei_tcp_suboption_malformed, { "tcp.suboption_malformed", PI_MALFORMED, PI_ERROR, "suboption would go past end of option", EXPFILL }},
10228 { &ei_tcp_nop, { "tcp.nop", PI_PROTOCOL, PI_WARN, "4 NOP in a row - a router may have removed some options", EXPFILL }},
10229 { &ei_tcp_non_zero_bytes_after_eol, { "tcp.non_zero_bytes_after_eol", PI_PROTOCOL, PI_ERROR, "Non zero bytes in option space after EOL option", EXPFILL }},
10230 { &ei_tcp_bogus_header_length, { "tcp.bogus_header_length", PI_PROTOCOL, PI_ERROR, "Bogus TCP Header length", EXPFILL }},
10231 };
10234 #if 0
10235 { &ei_mptcp_analysis_unexpected_idsn, { "mptcp.connection.unexpected_idsn", PI_PROTOCOL, PI_NOTE, "Unexpected initial sequence number", EXPFILL }},
10236 #endif
10237 { &ei_mptcp_analysis_echoed_key_mismatch, { "mptcp.connection.echoed_key_mismatch", PI_PROTOCOL, PI_WARN, "The echoed key in the ACK of the MPTCP handshake does not match the key of the SYN/ACK", EXPFILL }},
10238 { &ei_mptcp_analysis_missing_algorithm, { "mptcp.connection.missing_algorithm", PI_PROTOCOL, PI_WARN, "No crypto algorithm specified", EXPFILL }},
10239 { &ei_mptcp_analysis_unsupported_algorithm, { "mptcp.connection.unsupported_algorithm", PI_PROTOCOL, PI_WARN, "Unsupported algorithm", EXPFILL }},
10240 { &ei_mptcp_infinite_mapping, { "mptcp.dss.infinite_mapping", PI_PROTOCOL, PI_WARN, "Fallback to infinite mapping", EXPFILL }},
10241 { &ei_mptcp_mapping_missing, { "mptcp.dss.missing_mapping", PI_PROTOCOL, PI_WARN, "No mapping available", EXPFILL }},
10242 #if 0
10243 { &ei_mptcp_stream_incomplete, { "mptcp.incomplete", PI_PROTOCOL, PI_WARN, "Everything was not captured", EXPFILL }},
10244 { &ei_mptcp_analysis_dsn_out_of_order, { "mptcp.analysis.dsn.out_of_order", PI_PROTOCOL, PI_WARN, "Out of order dsn", EXPFILL }},
10245 #endif
10246 };
10305 };
10310 static decode_as_value_t tcp_da_values[3] = {{tcp_src_prompt, 1, tcp_da_src_values}, {tcp_dst_prompt, 1, tcp_da_dst_values}, {tcp_both_prompt, 2, tcp_da_both_values}};
10327 /* subdissector code */
10330 heur_subdissector_list = register_heur_dissector_list_with_description("tcp", "TCP heuristic", proto_tcp);
10334 /* Register TCP options as their own protocols so we can get the name of the option */
10335 proto_tcp_option_nop = proto_register_protocol_in_name_only("TCP Option - No-Operation (NOP)", "No-Operation (NOP)", "tcp.options.nop", proto_tcp, FT_BYTES);
10336 proto_tcp_option_eol = proto_register_protocol_in_name_only("TCP Option - End of Option List (EOL)", "End of Option List (EOL)", "tcp.options.eol", proto_tcp, FT_BYTES);
10337 proto_tcp_option_timestamp = proto_register_protocol_in_name_only("TCP Option - Timestamps", "Timestamps", "tcp.options.timestamp", proto_tcp, FT_BYTES);
10338 proto_tcp_option_mss = proto_register_protocol_in_name_only("TCP Option - Maximum segment size", "Maximum segment size", "tcp.options.mss", proto_tcp, FT_BYTES);
10339 proto_tcp_option_wscale = proto_register_protocol_in_name_only("TCP Option - Window scale", "Window scale", "tcp.options.wscale", proto_tcp, FT_BYTES);
10340 proto_tcp_option_sack_perm = proto_register_protocol_in_name_only("TCP Option - SACK permitted", "SACK permitted", "tcp.options.sack_perm", proto_tcp, FT_BYTES);
10341 proto_tcp_option_sack = proto_register_protocol_in_name_only("TCP Option - SACK", "SACK", "tcp.options.sack", proto_tcp, FT_BYTES);
10342 proto_tcp_option_echo = proto_register_protocol_in_name_only("TCP Option - Echo", "Echo", "tcp.options.echo", proto_tcp, FT_BYTES);
10343 proto_tcp_option_echoreply = proto_register_protocol_in_name_only("TCP Option - Echo reply", "Echo reply", "tcp.options.echoreply", proto_tcp, FT_BYTES);
10344 proto_tcp_option_cc = proto_register_protocol_in_name_only("TCP Option - CC", "CC", "tcp.options.cc", proto_tcp, FT_BYTES);
10345 proto_tcp_option_cc_new = proto_register_protocol_in_name_only("TCP Option - CC.NEW", "CC.NEW", "tcp.options.ccnew", proto_tcp, FT_BYTES);
10346 proto_tcp_option_cc_echo = proto_register_protocol_in_name_only("TCP Option - CC.ECHO", "CC.ECHO", "tcp.options.ccecho", proto_tcp, FT_BYTES);
10347 proto_tcp_option_ao = proto_register_protocol_in_name_only("TCP Option - TCP AO", "TCP AO", "tcp.options.ao", proto_tcp, FT_BYTES);
10348 proto_tcp_option_md5 = proto_register_protocol_in_name_only("TCP Option - TCP MD5 signature", "TCP MD5 signature", "tcp.options.md5", proto_tcp, FT_BYTES);
10349 proto_tcp_option_scps = proto_register_protocol_in_name_only("TCP Option - SCPS capabilities", "SCPS capabilities", "tcp.options.scps", proto_tcp, FT_BYTES);
10350 proto_tcp_option_snack = proto_register_protocol_in_name_only("TCP Option - Selective Negative Acknowledgment", "Selective Negative Acknowledgment", "tcp.options.snack", proto_tcp, FT_BYTES);
10351 proto_tcp_option_scpsrec = proto_register_protocol_in_name_only("TCP Option - SCPS record boundary", "SCPS record boundary", "tcp.options.scpsrec", proto_tcp, FT_BYTES);
10352 proto_tcp_option_scpscor = proto_register_protocol_in_name_only("TCP Option - SCPS corruption experienced", "SCPS corruption experienced", "tcp.options.scpscor", proto_tcp, FT_BYTES);
10353 proto_tcp_option_qs = proto_register_protocol_in_name_only("TCP Option - Quick-Start", "Quick-Start", "tcp.options.qs", proto_tcp, FT_BYTES);
10354 proto_tcp_option_user_to = proto_register_protocol_in_name_only("TCP Option - User Timeout", "User Timeout", "tcp.options.user_to", proto_tcp, FT_BYTES);
10355 proto_tcp_option_tfo = proto_register_protocol_in_name_only("TCP Option - TCP Fast Open", "TCP Fast Open", "tcp.options.tfo", proto_tcp, FT_BYTES);
10356 proto_tcp_option_acc_ecn = proto_register_protocol_in_name_only("TCP Option - Accurate ECN", "Accurate ECN", "tcp.options.acc_ecn", proto_tcp, FT_BYTES);
10357 proto_tcp_option_rvbd_probe = proto_register_protocol_in_name_only("TCP Option - Riverbed Probe", "Riverbed Probe", "tcp.options.rvbd.probe", proto_tcp, FT_BYTES);
10358 proto_tcp_option_rvbd_trpy = proto_register_protocol_in_name_only("TCP Option - Riverbed Transparency", "Riverbed Transparency", "tcp.options.rvbd.trpy", proto_tcp, FT_BYTES);
10359 proto_tcp_option_exp = proto_register_protocol_in_name_only("TCP Option - Experimental", "Experimental", "tcp.options.experimental", proto_tcp, FT_BYTES);
10360 proto_tcp_option_unknown = proto_register_protocol_in_name_only("TCP Option - Unknown", "Unknown", "tcp.options.unknown", proto_tcp, FT_BYTES);
10364 /* Register configuration preferences */
10372 "Whether to validate the TCP checksum or not. "
10381 "Whether out-of-order segments should be buffered and reordered before passing it to a subdissector. "
10386 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
10390 "Make the TCP dissector use relative sequence numbers instead of absolute ones. "
10401 "Make the TCP dissector use this scaling factor for streams where the signalled scaling factor "
10405 /* Presumably a retired, unconditional version of what has been added back with the preference above... */
10410 "Make the TCP dissector track the number on un-ACKed bytes of data are in flight per packet. "
10412 "This takes a lot of memory but allows you to track how much data are in flight at a time and graphing it in io-graphs",
10416 "Evaluate BiF on actual sequence numbers or use the historical method based on payloads (default). "
10421 "Calculate relative packet number and timestamps relative to the first frame and the previous frame in the tcp conversation",
10425 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
10443 "Assume TCP Experimental Options (253, 254) have an Experiment Identifier and use it for dissection",
10462 register_conversation_table(proto_tcp, false, tcpip_conversation_packet, tcpip_endpoint_packet);
10465 register_seq_analysis("tcp", "TCP Flows", proto_tcp, NULL, TL_REQUIRES_NOTHING, tcp_seq_analysis_packet);
10467 /* considers MPTCP as a distinct protocol (even if it's a TCP option) */
10468 proto_mptcp = proto_register_protocol("Multipath Transmission Control Protocol", "MPTCP", "mptcp");
10473 /* Register configuration preferences */
10490 "Scales logarithmically with the number of packets"
10491 "You need to capture the handshake for this to work."
10497 "(Greedy algorithm: Scales linearly with number of subflows and"
10498 " logarithmic scaling with number of packets)"
10502 register_conversation_table(proto_mptcp, false, mptcpip_conversation_packet, tcpip_endpoint_packet);
10503 register_follow_stream(proto_tcp, "tcp_follow", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
10509 }
10511 void
10513 {
10521 /* Create dissection function handles for all TCP options */
10522 dissector_add_uint("tcp.option", TCPOPT_TIMESTAMP, create_dissector_handle( dissect_tcpopt_timestamp, proto_tcp_option_timestamp ));
10523 dissector_add_uint("tcp.option", TCPOPT_MSS, create_dissector_handle( dissect_tcpopt_mss, proto_tcp_option_mss ));
10524 dissector_add_uint("tcp.option", TCPOPT_WINDOW, create_dissector_handle( dissect_tcpopt_wscale, proto_tcp_option_wscale ));
10525 dissector_add_uint("tcp.option", TCPOPT_SACK_PERM, create_dissector_handle( dissect_tcpopt_sack_perm, proto_tcp_option_sack_perm ));
10526 dissector_add_uint("tcp.option", TCPOPT_SACK, create_dissector_handle( dissect_tcpopt_sack, proto_tcp_option_sack ));
10527 dissector_add_uint("tcp.option", TCPOPT_ECHO, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echo ));
10528 dissector_add_uint("tcp.option", TCPOPT_ECHOREPLY, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echoreply ));
10529 dissector_add_uint("tcp.option", TCPOPT_CC, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc ));
10530 dissector_add_uint("tcp.option", TCPOPT_CCNEW, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_new ));
10531 dissector_add_uint("tcp.option", TCPOPT_CCECHO, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_echo ));
10532 dissector_add_uint("tcp.option", TCPOPT_MD5, create_dissector_handle( dissect_tcpopt_md5, proto_tcp_option_md5 ));
10533 dissector_add_uint("tcp.option", TCPOPT_AO, create_dissector_handle( dissect_tcpopt_ao, proto_tcp_option_ao ));
10534 dissector_add_uint("tcp.option", TCPOPT_SCPS, create_dissector_handle( dissect_tcpopt_scps, proto_tcp_option_scps ));
10535 dissector_add_uint("tcp.option", TCPOPT_SNACK, create_dissector_handle( dissect_tcpopt_snack, proto_tcp_option_snack ));
10536 dissector_add_uint("tcp.option", TCPOPT_RECBOUND, create_dissector_handle( dissect_tcpopt_recbound, proto_tcp_option_scpsrec ));
10537 dissector_add_uint("tcp.option", TCPOPT_CORREXP, create_dissector_handle( dissect_tcpopt_correxp, proto_tcp_option_scpscor ));
10538 dissector_add_uint("tcp.option", TCPOPT_QS, create_dissector_handle( dissect_tcpopt_qs, proto_tcp_option_qs ));
10539 dissector_add_uint("tcp.option", TCPOPT_USER_TO, create_dissector_handle( dissect_tcpopt_user_to, proto_tcp_option_user_to ));
10540 dissector_add_uint("tcp.option", TCPOPT_TFO, create_dissector_handle( dissect_tcpopt_tfo, proto_tcp_option_tfo ));
10541 dissector_add_uint("tcp.option", TCPOPT_RVBD_PROBE, create_dissector_handle( dissect_tcpopt_rvbd_probe, proto_tcp_option_rvbd_probe ));
10542 dissector_add_uint("tcp.option", TCPOPT_RVBD_TRPY, create_dissector_handle( dissect_tcpopt_rvbd_trpy, proto_tcp_option_rvbd_trpy ));
10543 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_0, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10544 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_1, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10545 dissector_add_uint("tcp.option", TCPOPT_EXP_FD, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10546 dissector_add_uint("tcp.option", TCPOPT_EXP_FE, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10547 dissector_add_uint("tcp.option", TCPOPT_MPTCP, create_dissector_handle( dissect_tcpopt_mptcp, proto_mptcp ));
10548 /* Common handle for all the unknown/unsupported TCP options */
10549 tcp_opt_unknown_handle = create_dissector_handle( dissect_tcpopt_unknown, proto_tcp_option_unknown );
10555 }
10557 /*
10558 * Editor modelines
10559 *
10560 * Local Variables:
10561 * c-basic-offset: 4
10562 * tab-width: 8
10563 * indent-tabs-mode: nil
10564 * End:
10565 *
10566 * ex: set shiftwidth=4 tabstop=8 expandtab:
10567 * :indentSize=4:tabSize=8:noTabs=true:
10568 */