search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-elasticsearch.c
bloba15733c371f0db2656e4cb2ff939126c11e36467
1 /* packet-elasticsearch.c
2 *
3 * Routines for dissecting Elasticsearch
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11 #include "config.h"
12
13 #include <epan/packet.h>
14 #include <epan/expert.h>
15 #include <epan/tfs.h>
16 #include "packet-tcp.h"
17
18 #define ELASTICSEARCH_DISCOVERY_PORT 54328 /* Not IANA registered */
19 #define ELASTICSEARCH_BINARY_PORT 9300 /* Not IANA registered */
20
21 #define ELASTICSEARCH_HEADER_SIZE_VERSION 7060099 /* First version to support variable header size */
22 #define ELASTICSEARCH_THREAD_CONTEXT_VERSION 5000099 /* First version to include the thread context */
23 #define ELASTICSEARCH_FEATURES_VERSION 6030099 /* First version which includes a feature list */
24
25 #define IPv4_ADDRESS_LENGTH 4
26 #define ELASTICSEARCH_STATUS_FLAG_RESPONSE 1 /* 001 */
27 #define ELASTICSEARCH_STATUS_FLAG_ERROR 2 /* 010 */
28 #define ELASTICSEARCH_STATUS_FLAG_COMPRESSED 4 /* 100 */
29
30 #define ELASTICSEARCH_VERSION_LABEL_LENGTH 19 /* This many characters: XX.XX.XX (XXXXXXXX) */
31 #define ELASTICSEARCH_HEADER_LENGTH 6 /* Bytes 3-6 are the length, 1-2 is the magic number */
32
33 #define ELASTICSEARCH_MESSAGE_LENGTH_OFFSET 2
34 #define ELASTICSEARCH_BINARY_HEADER_TOKEN 0x4553
35 #define BITS_IN_A_BYTE 8
36 typedef struct {
37 int length;
38 int value;
39 } vint_t;
40
41 typedef struct {
42 vint_t vint_length;
43 int length;
44 char *value;
45 } vstring_t;
46
47 typedef struct {
48 int length;
49 uint32_t value;
50 char string[9];
51 } version_t;
52
53 void proto_register_elasticsearch(void);
54 void proto_reg_handoff_elasticsearch(void);
55
56 static dissector_handle_t elasticsearch_handle_binary;
57 static dissector_handle_t elasticsearch_zen_handle;
58
59 static int proto_elasticsearch;
60
61 /* Fields */
62 static int hf_elasticsearch_internal_header;
63 static int hf_elasticsearch_version;
64 static int hf_elasticsearch_ping_request_id;
65 static int hf_elasticsearch_cluster_name;
66 static int hf_elasticsearch_node_name;
67 static int hf_elasticsearch_node_id;
68 static int hf_elasticsearch_host_name;
69 static int hf_elasticsearch_host_address;
70 static int hf_elasticsearch_address_type;
71 static int hf_elasticsearch_address_format;
72 static int hf_elasticsearch_address_name;
73 static int hf_elasticsearch_address_length;
74 static int hf_elasticsearch_address_ipv4;
75 static int hf_elasticsearch_address_ipv6;
76 static int hf_elasticsearch_address_ipv6_scope_id;
77 static int hf_elasticsearch_attributes_length;
78 static int hf_elasticsearch_address_port;
79 static int hf_elasticsearch_header_token;
80 static int hf_elasticsearch_header_message_length;
81 static int hf_elasticsearch_header_request_id;
82 static int hf_elasticsearch_header_status_flags;
83 static int hf_elasticsearch_header_status_flags_message_type;
84 static int hf_elasticsearch_header_status_flags_error;
85 static int hf_elasticsearch_header_status_flags_compression;
86 static int hf_elasticsearch_header_size;
87 static int hf_elasticsearch_header_request;
88 static int hf_elasticsearch_header_response;
89 static int hf_elasticsearch_header_key;
90 static int hf_elasticsearch_header_value;
91
92 static int hf_elasticsearch_feature;
93 static int hf_elasticsearch_action;
94 static int hf_elasticsearch_data;
95 static int hf_elasticsearch_data_compressed;
96
97 /* Expert info */
98 static expert_field ei_elasticsearch_unsupported_version;
99 static expert_field ei_elasticsearch_unsupported_address_format;
100 static expert_field ei_elasticsearch_unsupported_address_type;
101
102
103 /* Trees */
104 static int ett_elasticsearch;
105 static int ett_elasticsearch_address;
106 static int ett_elasticsearch_discovery_node;
107 static int ett_elasticsearch_status_flags;
108 static int ett_elasticsearch_header;
109
110 /* Forward declarations */
111 static int dissect_elasticsearch_zen_ping(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data);
112
113 static const value_string address_types[] = {
114 { 0x0, "Dummy" },
115 { 0x1, "Inet Socket" },
116 #define ADDRESS_TYPE_SOCKET 0x1
117 { 0x2, "Local" },
118 { 0, NULL }
119 };
120
121 static const value_string address_format[] = {
122 #define ADDRESS_FORMAT_NUEMRIC 0x0
123 { 0x0, "Numeric" },
124 #define ADDRESS_FORMAT_STRING 0x1
125 { 0x1, "String" },
126 { 0, NULL }
127 };
128
129 static const value_string status_flag_message_type[] = {
130 { 0x0, "Request" },
131 { 0x1, "Response" },
132 { 0, NULL }
133 };
134
135 static void elasticsearch_format_version(char *buf, uint32_t value) {
136 snprintf(buf, ELASTICSEARCH_VERSION_LABEL_LENGTH, "%d.%d.%d (%d)", (value / 1000000) % 100,
137 (value / 10000) % 100, (value/ 100) % 100, value);
138 }
139
140 static vint_t read_vint(tvbuff_t *tvb, int offset){
141 /* See: org.elasticsearch.common.io.stream.StreamInput#readVInt */
142 vint_t vint;
143 uint8_t b = tvb_get_uint8(tvb, offset);
144 vint.value = b & 0x7F;
145 if ((b & 0x80) == 0) {
146 vint.length = 1;
147 return vint;
148 }
149 b = tvb_get_uint8(tvb, offset+1);
150 vint.value |= (b & 0x7F) << 7;
151 if ((b & 0x80) == 0) {
152 vint.length = 2;
153 return vint;
154 }
155 b = tvb_get_uint8(tvb, offset+2);
156 vint.value |= (b & 0x7F) << 14;
157 if ((b & 0x80) == 0) {
158 vint.length = 3;
159 return vint;
160 }
161 b = tvb_get_uint8(tvb, offset+3);
162 vint.value |= (b & 0x7F) << 21;
163 if ((b & 0x80) == 0) {
164 vint.length = 4;
165 return vint;
166 }
167 b = tvb_get_uint8(tvb, offset+4);
168 vint.length = 5;
169 vint.value |= ((b & 0x7F) << 28);
170 return vint;
171 }
172
173 static vstring_t read_vstring(wmem_allocator_t *scope, tvbuff_t *tvb, int offset) {
174 vstring_t vstring;
175 int string_starting_offset;
176 int string_length;
177
178 vstring.vint_length = read_vint(tvb, offset);
179 string_starting_offset = offset + vstring.vint_length.length;
180 string_length = vstring.vint_length.value;
181
182 vstring.value = tvb_get_string_enc(scope, tvb, string_starting_offset, string_length, ENC_UTF_8);
183 vstring.length = string_length + vstring.vint_length.length;
184
185 return vstring;
186 }
187
188 static int elasticsearch_partial_dissect_address(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) {
189 proto_tree *address_tree;
190 proto_item *address_item;
191 int start_offset;
192 uint8_t es_address_format;
193 uint8_t address_length;
194 vstring_t address_name;
195 uint16_t address_type_id;
196
197 /* Store this away for later */
198 start_offset = offset;
199
200 /* Address tree */
201 address_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_elasticsearch_address, &address_item, "Address" );
202
203 /* Address type */
204 proto_tree_add_item(address_tree, hf_elasticsearch_address_type, tvb, offset, 2, ENC_BIG_ENDIAN);
205 address_type_id = tvb_get_ntohs(tvb, offset);
206 offset += 2;
207 /* Only socket address types are supported (and only make sense to be supported) */
208 if(address_type_id != ADDRESS_TYPE_SOCKET) {
209 expert_add_info(pinfo, tree, &ei_elasticsearch_unsupported_address_type);
210 return offset;
211 }
212
213 /* Address format */
214 es_address_format = tvb_get_uint8(tvb, offset);
215 proto_tree_add_item(address_tree, hf_elasticsearch_address_format, tvb, offset, 1, ENC_BIG_ENDIAN);
216 offset += 1;
217
218 switch(es_address_format) {
219 case ADDRESS_FORMAT_NUEMRIC:
220 address_length = tvb_get_uint8(tvb, offset);
221 proto_tree_add_item(address_tree, hf_elasticsearch_address_length, tvb, offset, 1, ENC_BIG_ENDIAN);
222 offset += 1;
223 /* Its either IPv4 or IPv6 depending on the length */
224 if (address_length == IPv4_ADDRESS_LENGTH) {
225 proto_tree_add_item(address_tree, hf_elasticsearch_address_ipv4, tvb, offset, 4, ENC_NA);
226 offset += 4;
227 }
228 else {
229 proto_tree_add_item(address_tree, hf_elasticsearch_address_ipv6, tvb, offset, 16, ENC_NA);
230 offset += 16;
231 proto_tree_add_item(address_tree, hf_elasticsearch_address_ipv6_scope_id, tvb, offset, 4, ENC_BIG_ENDIAN);
232 offset += 4;
233 }
234 break;
235
236 case ADDRESS_FORMAT_STRING:
237 address_name = read_vstring(pinfo->pool, tvb, offset);
238 proto_tree_add_string(address_tree, hf_elasticsearch_address_name, tvb, offset, address_name.length, address_name.value);
239 offset += address_name.length;
240 break;
241
242 default:
243 /* Shouldn't get here, invalid format type */
244 expert_add_info(pinfo, tree, &ei_elasticsearch_unsupported_address_format);
245 break;
246 }
247
248 proto_tree_add_item(address_item, hf_elasticsearch_address_port, tvb, offset, 4, ENC_BIG_ENDIAN);
249 offset += 4;
250
251 /* Fix up the length of the subtree */
252 proto_item_set_len(address_item, offset - start_offset);
253
254 return offset;
255 }
256
257 static version_t elasticsearch_parse_version(tvbuff_t *tvb, int offset){
258 version_t version;
259 vint_t raw_version_value;
260
261 raw_version_value = read_vint(tvb, offset);
262 version.length = raw_version_value.length;
263 version.value = raw_version_value.value;
264 snprintf(version.string, sizeof(version.string), "%d.%d.%d", (version.value / 1000000) % 100,
265 (version.value / 10000) % 100, (version.value/ 100) % 100);
266
267 return version;
268 }
269
270 static int dissect_elasticsearch_zen_ping(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_){
271 int offset = 0;
272 version_t version;
273 vstring_t cluster_name;
274 vstring_t node_name;
275 vstring_t node_id;
276 vstring_t host_name;
277 vstring_t host_address;
278 vint_t attributes_length;
279 version_t node_version;
280 proto_item *root_elasticsearch_item;
281 proto_tree *elasticsearch_tree;
282 proto_tree *discovery_node_tree;
283 proto_item *discovery_node_item;
284
285
286 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Elasticsearch");
287 col_clear(pinfo->cinfo, COL_INFO);
288
289 root_elasticsearch_item = proto_tree_add_item(tree, proto_elasticsearch, tvb, 0, -1, ENC_NA);
290 elasticsearch_tree = proto_item_add_subtree(root_elasticsearch_item,ett_elasticsearch);
291
292 /* Let the user know its a discovery packet */
293 col_set_str(pinfo->cinfo, COL_INFO, "Zen Ping: ");
294
295
296 /* Add the internal header */
297 proto_tree_add_item(elasticsearch_tree, hf_elasticsearch_internal_header, tvb, offset, 4, ENC_BIG_ENDIAN);
298 offset += 4;
299
300 /* Add the variable length encoded version string */
301 version = elasticsearch_parse_version(tvb, offset);
302 proto_tree_add_uint(elasticsearch_tree, hf_elasticsearch_version, tvb, offset, version.length, version.value);
303 offset += version.length;
304
305 /* Ping request ID */
306 proto_tree_add_item(elasticsearch_tree, hf_elasticsearch_ping_request_id, tvb, offset, 4, ENC_BIG_ENDIAN);
307 offset += 4;
308
309 /* Cluster name */
310 cluster_name = read_vstring(pinfo->pool, tvb, offset);
311 proto_tree_add_string(elasticsearch_tree, hf_elasticsearch_cluster_name, tvb, offset, cluster_name.length, cluster_name.value);
312 col_append_fstr(pinfo->cinfo, COL_INFO, "cluster=%s", cluster_name.value);
313 offset += cluster_name.length;
314
315
316 /* Discovery node tree */
317 discovery_node_tree = proto_tree_add_subtree(elasticsearch_tree, tvb, offset, -1, ett_elasticsearch_discovery_node, &discovery_node_item, "Node" );
318
319 /* Node name */
320 node_name = read_vstring(pinfo->pool, tvb, offset);
321 proto_tree_add_string(discovery_node_tree, hf_elasticsearch_node_name, tvb, offset, node_name.length, node_name.value);
322 col_append_fstr(pinfo->cinfo, COL_INFO, ", name=%s", node_name.value);
323 offset += node_name.length;
324
325 col_append_fstr(pinfo->cinfo, COL_INFO, ", version=%s", version.string);
326
327
328 /* Node ID */
329 node_id = read_vstring(pinfo->pool, tvb, offset);
330 proto_tree_add_string(discovery_node_tree, hf_elasticsearch_node_id, tvb, offset, node_id.length, node_id.value);
331 offset += node_id.length;
332
333 /* Hostname */
334 host_name = read_vstring(pinfo->pool, tvb, offset);
335 proto_tree_add_string(discovery_node_tree, hf_elasticsearch_host_name, tvb, offset, host_name.length, host_name.value);
336 offset += host_name.length;
337
338 /* Host address */
339 host_address = read_vstring(pinfo->pool, tvb, offset);
340 proto_tree_add_string(discovery_node_tree, hf_elasticsearch_host_address, tvb, offset, host_address.length, host_address.value);
341 offset += host_address.length;
342
343 /* Address */
344 offset = elasticsearch_partial_dissect_address(tvb, pinfo, discovery_node_tree, offset);
345
346 /* Attributes. These are zero for discovery packets */
347 attributes_length = read_vint(tvb, offset);
348 proto_tree_add_uint(discovery_node_tree, hf_elasticsearch_attributes_length, tvb, offset, attributes_length.length, attributes_length.value);
349 offset += attributes_length.length;
350
351 /* Version again */
352 node_version = elasticsearch_parse_version(tvb, offset);
353 proto_tree_add_uint(elasticsearch_tree, hf_elasticsearch_version, tvb, offset, node_version.length, node_version.value);
354 offset += node_version.length;
355
356 return offset;
357 }
358
359 static int elasticsearch_binary_header_is_valid(tvbuff_t *tvb){
360 /* Header was introduced in V0.20.0RC1. At the moment I'm not supporting versions before this
361 * See: org.elasticsearch.transport.netty.NettyHeader#writeHeader
362 * */
363 return tvb_captured_length(tvb) >= 2 && tvb_get_ntohs(tvb, 0) == ELASTICSEARCH_BINARY_HEADER_TOKEN;
364 }
365
366 static int elasticsearch_transport_status_flag_is_a_response(int8_t transport_status_flags) {
367 return transport_status_flags & ELASTICSEARCH_STATUS_FLAG_RESPONSE;
368 }
369
370 static int transport_status_flag_is_a_request(int8_t transport_status_flags){
371 return !elasticsearch_transport_status_flag_is_a_response(transport_status_flags);
372 }
373
374 static int elasticsearch_is_compressed(int8_t transport_status_flags){
375
376 return transport_status_flags & ELASTICSEARCH_STATUS_FLAG_COMPRESSED;
377 }
378
379 static void elasticsearch_decode_binary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int8_t transport_status_flags, uint32_t version) {
380
381 int i;
382 vint_t features;
383 vstring_t action, feature;
384
385 if(elasticsearch_is_compressed(transport_status_flags)){
386 proto_tree_add_item(tree, hf_elasticsearch_data_compressed, tvb, offset, -1, ENC_NA);
387 col_append_str(pinfo->cinfo, COL_INFO, "[COMPRESSED], ");
388 } else {
389 if (version >= ELASTICSEARCH_FEATURES_VERSION) {
390 features = read_vint(tvb, offset);
391 offset += features.length;
392 for (i = 0; i < features.value; i++) {
393 feature = read_vstring(pinfo->pool, tvb, offset);
394 proto_tree_add_string(tree, hf_elasticsearch_feature, tvb, offset, feature.length, feature.value);
395 offset += feature.length;
396 }
397 }
398
399 action = read_vstring(pinfo->pool, tvb, offset);
400 proto_tree_add_string(tree, hf_elasticsearch_action, tvb, offset, action.length, action.value);
401 col_append_fstr(pinfo->cinfo, COL_INFO, "action=%s, ", action.value);
402 offset += action.length;
403 proto_tree_add_item(tree, hf_elasticsearch_data, tvb, offset, -1, ENC_NA);
404 }
405 }
406
407 static void append_status_info_to_column(packet_info *pinfo, int8_t transport_status_flags) {
408 if(transport_status_flags & ELASTICSEARCH_STATUS_FLAG_ERROR){
409 col_append_str(pinfo->cinfo, COL_INFO, "[ERROR], ");
410 }else{
411 col_append_str(pinfo->cinfo, COL_INFO, "[OK], ");
412 }
413 }
414
415 static void elasticsearch_decode_binary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int8_t transport_status_flags, uint32_t version _U_) {
416 append_status_info_to_column(pinfo, transport_status_flags);
417 if(elasticsearch_is_compressed(transport_status_flags)){
418 col_append_str(pinfo->cinfo, COL_INFO, "[COMPRESSED], ");
419 proto_tree_add_item(tree, hf_elasticsearch_data_compressed, tvb, offset, -1, ENC_NA);
420 } else {
421 proto_tree_add_item(tree, hf_elasticsearch_data, tvb, offset, tvb_reported_length_remaining(tvb, offset), ENC_NA);
422 }
423
424 }
425
426 static int elasticsearch_dissect_valid_binary_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_){
427
428 int i, j;
429 int offset = 0;
430 int8_t transport_status_flags;
431 uint32_t version;
432 uint64_t request_id;
433 vint_t request_headers, response_headers;
434 vstring_t header_key;
435 vint_t header_values;
436 vstring_t header_value;
437 proto_item *header_item;
438 proto_tree *header_tree;
439 proto_item *transport_status_flags_item;
440 proto_tree *transport_status_flags_tree;
441
442 /* Dissects:
443 * Request: org.elasticsearch.transport.netty.NettyTransport#sendRequest
444 * Response: org.elasticsearch.transport.netty.NettyTransportChannel#sendResponse
445 */
446
447 /* org.elasticsearch.transport.netty.NettyHeader#writeHeader
448 *
449 * Token/Magic number that is at the start of all ES packets
450 */
451 proto_tree_add_item(tree, hf_elasticsearch_header_token, tvb, offset, 2, ENC_ASCII);
452 offset += 2;
453
454 /* Message length */
455 proto_tree_add_item(tree, hf_elasticsearch_header_message_length, tvb, offset, 4, ENC_BIG_ENDIAN);
456 offset += 4;
457
458 /* Request ID */
459 proto_tree_add_item(tree, hf_elasticsearch_header_request_id, tvb, offset, 8, ENC_BIG_ENDIAN);
460 request_id = tvb_get_ntoh64(tvb, offset);
461 offset += 8;
462
463 /* Transport status: org.elasticsearch.transport.support.TransportStatus */
464 transport_status_flags = tvb_get_uint8(tvb, offset);
465 transport_status_flags_item = proto_tree_add_uint(tree, hf_elasticsearch_header_status_flags, tvb, offset, 1, transport_status_flags);
466 transport_status_flags_tree = proto_item_add_subtree(transport_status_flags_item, ett_elasticsearch_status_flags);
467 if(elasticsearch_transport_status_flag_is_a_response(transport_status_flags)){
468 col_append_str(pinfo->cinfo, COL_INFO, "Response: ");
469 } else {
470 col_append_str(pinfo->cinfo, COL_INFO, "Request: ");
471 }
472 proto_tree_add_bits_item(transport_status_flags_tree, hf_elasticsearch_header_status_flags_compression, tvb, offset * BITS_IN_A_BYTE + 5, 1, ENC_BIG_ENDIAN);
473 proto_tree_add_bits_item(transport_status_flags_tree, hf_elasticsearch_header_status_flags_error, tvb, offset * BITS_IN_A_BYTE + 6, 1, ENC_BIG_ENDIAN);
474 proto_tree_add_bits_item(transport_status_flags_tree, hf_elasticsearch_header_status_flags_message_type, tvb, offset * BITS_IN_A_BYTE + 7, 1, ENC_BIG_ENDIAN);
475 offset += 1;
476
477 /* Version */
478 proto_tree_add_item_ret_uint(tree, hf_elasticsearch_version, tvb, offset, 4, ENC_BIG_ENDIAN, &version);
479 offset += 4;
480
481 /* Variable header size */
482 if (version >= ELASTICSEARCH_HEADER_SIZE_VERSION) {
483 proto_tree_add_item(tree, hf_elasticsearch_header_size, tvb, offset, 4, ENC_BIG_ENDIAN);
484 offset += 4;
485 }
486
487 if (version >= ELASTICSEARCH_THREAD_CONTEXT_VERSION) {
488 /* Request headers */
489 request_headers = read_vint(tvb, offset);
490 offset += request_headers.length;
491 for (i = 0; i < request_headers.value; i++) {
492 header_key = read_vstring(pinfo->pool, tvb, offset);
493 header_value = read_vstring(pinfo->pool, tvb, offset + header_key.length);
494
495 header_item = proto_tree_add_item(tree, hf_elasticsearch_header_request, tvb, offset, header_key.length + header_value.length, ENC_NA);
496 header_tree = proto_item_add_subtree(header_item, ett_elasticsearch_header);
497
498 proto_tree_add_string(header_tree, hf_elasticsearch_header_key, tvb, offset, header_key.length, header_key.value);
499 proto_tree_add_string(header_tree, hf_elasticsearch_header_value, tvb, offset + header_key.length, header_value.length, header_value.value);
500
501 proto_item_append_text(header_item, ": %s: %s", header_key.value, header_value.value);
502
503 offset += header_key.length;
504 offset += header_value.length;
505 }
506
507 /* Response headers */
508 response_headers = read_vint(tvb, offset);
509 offset += response_headers.length;
510 for (i = 0; i < response_headers.value; i++) {
511 header_item = proto_tree_add_item(tree, hf_elasticsearch_header_response, tvb, offset, 0, ENC_NA);
512 header_tree = proto_item_add_subtree(header_item, ett_elasticsearch_header);
513
514 header_key = read_vstring(pinfo->pool, tvb, offset);
515 proto_tree_add_string(header_tree, hf_elasticsearch_header_key, tvb, offset, header_key.length, header_key.value);
516 proto_item_append_text(header_item, ": %s", header_key.value);
517 offset += header_key.length;
518
519 header_values = read_vint(tvb, offset);
520 offset += header_values.length;
521
522 for (j = 0; j < header_values.value; j++) {
523 header_value = read_vstring(pinfo->pool, tvb, offset);
524 proto_tree_add_string(header_tree, hf_elasticsearch_header_value, tvb, offset, header_value.length, header_value.value);
525 proto_item_append_text(header_item, j > 0 ? ", %s" : "%s", header_value.value);
526 offset += header_value.length;
527 }
528
529 proto_item_set_end(header_item, tvb, offset);
530 }
531 }
532
533 /* Only requests have features and actions */
534 if (transport_status_flag_is_a_request(transport_status_flags)) {
535 elasticsearch_decode_binary_request(tvb, pinfo, tree, offset, transport_status_flags, version);
536 } else {
537 elasticsearch_decode_binary_response(tvb, pinfo, tree, offset, transport_status_flags, version);
538 }
539 col_append_fstr(pinfo->cinfo, COL_INFO, "request_id=%"PRIu64" ", request_id);
540
541
542 /* Everything is marked as data, return the whole tvb as the length */
543 return tvb_captured_length(tvb);
544 }
545
546 static unsigned elasticsearch_get_binary_message_len(packet_info *pinfo _U_, tvbuff_t *tvb,
547 int offset, void *data _U_)
548 {
549 /* length is two bytes into the packet, also the length doesn't include the starting 6 bytes */
550 return (unsigned)tvb_get_ntohl(tvb, offset+ELASTICSEARCH_MESSAGE_LENGTH_OFFSET) + ELASTICSEARCH_HEADER_LENGTH;
551 }
552
553 static int dissect_elasticsearch_binary(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) {
554
555 int offset = 0;
556 proto_item *root_elasticsearch_item;
557 proto_tree *elasticsearch_tree;
558
559 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Elasticsearch");
560 col_clear(pinfo->cinfo, COL_INFO);
561
562 root_elasticsearch_item = proto_tree_add_item(tree, proto_elasticsearch, tvb, 0, -1, ENC_NA);
563 elasticsearch_tree = proto_item_add_subtree(root_elasticsearch_item,ett_elasticsearch);
564
565 if(elasticsearch_binary_header_is_valid(tvb)){
566 /* pass all packets through TCP-reassembly */
567 tcp_dissect_pdus(tvb, pinfo, elasticsearch_tree, true, ELASTICSEARCH_HEADER_LENGTH,
568 elasticsearch_get_binary_message_len, elasticsearch_dissect_valid_binary_packet, data);
569 } else {
570 proto_tree_add_item(elasticsearch_tree, hf_elasticsearch_data, tvb, offset, -1, ENC_NA);
571 expert_add_info(pinfo, elasticsearch_tree, &ei_elasticsearch_unsupported_version);
572 }
573
574 return tvb_captured_length(tvb);
575 }
576
577 void proto_register_elasticsearch(void) {
578
579 static hf_register_info hf[] = {
580 { &hf_elasticsearch_internal_header,
581 { "Internal header", "elasticsearch.internal_header",
582 FT_UINT32, BASE_HEX,
583 NULL, 0x0,
584 NULL, HFILL
585 }
586 },
587 { &hf_elasticsearch_version,
588 { "Version", "elasticsearch.version",
589 FT_UINT32, BASE_CUSTOM,
590 CF_FUNC(elasticsearch_format_version), 0x0,
591 NULL, HFILL
592 }
593 },
594 { &hf_elasticsearch_ping_request_id,
595 { "Ping ID", "elasticsearch.ping_request_id",
596 FT_UINT32, BASE_DEC,
597 NULL, 0x0,
598 NULL, HFILL
599 }
600 },
601 { &hf_elasticsearch_cluster_name,
602 { "Cluster name", "elasticsearch.cluster_name",
603 FT_STRING, BASE_NONE,
604 NULL, 0x0,
605 NULL, HFILL
606 }
607 },
608 { &hf_elasticsearch_node_name,
609 { "Node name", "elasticsearch.node_name",
610 FT_STRING, BASE_NONE,
611 NULL, 0x0,
612 NULL, HFILL
613 }
614 },
615 { &hf_elasticsearch_node_id,
616 { "Node ID", "elasticsearch.node_id",
617 FT_STRING, BASE_NONE,
618 NULL, 0x0,
619 NULL, HFILL
620 }
621 },
622 { &hf_elasticsearch_host_name,
623 { "Hostname", "elasticsearch.host_name",
624 FT_STRING, BASE_NONE,
625 NULL, 0x0,
626 NULL, HFILL
627 }
628 },
629 { &hf_elasticsearch_host_address,
630 { "Host address", "elasticsearch.host_address",
631 FT_STRING, BASE_NONE,
632 NULL, 0x0,
633 NULL, HFILL
634 }
635 },
636 { &hf_elasticsearch_address_type,
637 { "Type", "elasticsearch.address.type",
638 FT_UINT16, BASE_DEC,
639 VALS(address_types), 0x0,
640 NULL, HFILL
641 }
642 },
643 { &hf_elasticsearch_address_format,
644 { "Format", "elasticsearch.address.format",
645 FT_UINT8, BASE_DEC,
646 VALS(address_format), 0x0,
647 NULL, HFILL
648 }
649 },
650 { &hf_elasticsearch_address_name,
651 { "Name", "elasticsearch.address.name",
652 FT_STRING, BASE_NONE,
653 NULL, 0x0,
654 NULL, HFILL
655 }
656 },
657 { &hf_elasticsearch_address_length,
658 { "Length", "elasticsearch.address.length",
659 FT_UINT8, BASE_DEC,
660 NULL, 0x0,
661 NULL, HFILL
662 }
663 },
664 { &hf_elasticsearch_address_ipv4,
665 { "IP", "elasticsearch.address.ipv4",
666 FT_IPv4, BASE_NONE,
667 NULL, 0x0,
668 NULL, HFILL
669 }
670 },
671 { &hf_elasticsearch_address_ipv6,
672 { "IP", "elasticsearch.address.ipv6",
673 FT_IPv6, BASE_NONE,
674 NULL, 0x0,
675 NULL, HFILL
676 }
677 },
678 { &hf_elasticsearch_address_ipv6_scope_id,
679 { "IP", "elasticsearch.address.ipv6.scope_id",
680 FT_UINT32, BASE_DEC,
681 NULL, 0x0,
682 NULL, HFILL
683 }
684 },
685 { &hf_elasticsearch_address_port,
686 { "Port", "elasticsearch.address.port",
687 FT_UINT32, BASE_DEC,
688 NULL, 0x0,
689 NULL, HFILL
690 }
691 },
692 { &hf_elasticsearch_attributes_length,
693 { "Attributes length", "elasticsearch.attributes.length",
694 FT_UINT32, BASE_DEC,
695 NULL, 0x0,
696 NULL, HFILL
697 }
698 },
699 { &hf_elasticsearch_header_token,
700 { "Token", "elasticsearch.header.token",
701 FT_STRING, BASE_NONE,
702 NULL, 0x0,
703 NULL, HFILL
704 }
705 },
706 { &hf_elasticsearch_header_message_length,
707 { "Message length", "elasticsearch.header.message_length",
708 FT_UINT32, BASE_DEC,
709 NULL, 0x0,
710 NULL, HFILL
711 }
712 },
713 { &hf_elasticsearch_header_request_id,
714 { "Request ID", "elasticsearch.header.request_id",
715 FT_UINT64, BASE_DEC,
716 NULL, 0x0,
717 NULL, HFILL
718 }
719 },
720 { &hf_elasticsearch_header_status_flags,
721 { "Status flags", "elasticsearch.header.status_flags",
722 FT_UINT8, BASE_HEX,
723 NULL, 0x0,
724 NULL, HFILL
725 }
726 },
727 { &hf_elasticsearch_header_status_flags_message_type,
728 { "Message type", "elasticsearch.header.status_flags.message_type",
729 FT_UINT8, BASE_DEC,
730 VALS(status_flag_message_type), 0x0,
731 NULL, HFILL
732 }
733 },
734 { &hf_elasticsearch_header_status_flags_error,
735 { "Error", "elasticsearch.header.status_flags.error",
736 FT_BOOLEAN, BASE_NONE,
737 TFS(&tfs_set_notset), 0x0,
738 NULL, HFILL
739 }
740 },
741 { &hf_elasticsearch_header_status_flags_compression,
742 { "Compression", "elasticsearch.header.status_flags.compression",
743 FT_BOOLEAN, BASE_NONE,
744 TFS(&tfs_set_notset), 0x0,
745 NULL, HFILL
746 }
747 },
748 { &hf_elasticsearch_header_size,
749 { "Header size", "elasticsearch.header.size",
750 FT_UINT32, BASE_DEC,
751 NULL, 0x0,
752 NULL, HFILL
753 }
754 },
755 { &hf_elasticsearch_header_request,
756 { "Request header", "elasticsearch.header.request",
757 FT_NONE, BASE_NONE, NULL, 0x0,
758 NULL, HFILL }
759 },
760 { &hf_elasticsearch_header_response,
761 { "Response header", "elasticsearch.header.response",
762 FT_NONE, BASE_NONE, NULL, 0x0,
763 NULL, HFILL }
764 },
765 { &hf_elasticsearch_header_key,
766 { "Key", "elasticsearch.header.key",
767 FT_STRING, BASE_NONE, NULL, 0x0,
768 NULL, HFILL }
769 },
770 { &hf_elasticsearch_header_value,
771 { "Value", "elasticsearch.header.value",
772 FT_STRING, BASE_NONE, NULL, 0x0,
773 NULL, HFILL }
774 },
775 { &hf_elasticsearch_feature,
776 { "Feature", "elasticsearch.feature",
777 FT_STRING, BASE_NONE, NULL, 0x0,
778 NULL, HFILL }
779 },
780 { &hf_elasticsearch_action,
781 { "Action", "elasticsearch.action",
782 FT_STRING, BASE_NONE,
783 NULL, 0x0,
784 NULL, HFILL
785 }
786 },
787 { &hf_elasticsearch_data,
788 { "Data", "elasticsearch.data",
789 FT_NONE, BASE_NONE,
790 NULL, 0x0,
791 NULL, HFILL
792 }
793 },
794 { &hf_elasticsearch_data_compressed,
795 { "Compressed data", "elasticsearch.data_compressed",
796 FT_NONE, BASE_NONE,
797 NULL, 0x0,
798 NULL, HFILL
799 }
800 },
801
802 };
803
804 static int *ett[] = {
805 &ett_elasticsearch,
806 &ett_elasticsearch_address,
807 &ett_elasticsearch_discovery_node,
808 &ett_elasticsearch_status_flags,
809 &ett_elasticsearch_header,
810 };
811
812 static ei_register_info ei[] = {
813 { &ei_elasticsearch_unsupported_version, { "elasticsearch.version.unsupported", PI_UNDECODED, PI_WARN, "Unsupported header type: Elasticsearch version < 0.20.0RC1", EXPFILL }},
814 { &ei_elasticsearch_unsupported_address_format, { "elasticsearch.address.format.unsupported", PI_MALFORMED, PI_WARN, "Unsupported address format", EXPFILL }},
815 { &ei_elasticsearch_unsupported_address_type, { "elasticsearch.address.type.unsupported", PI_MALFORMED, PI_WARN, "Unsupported address type", EXPFILL }},
816 };
817
818 expert_module_t*expert_elasticsearch;
819
820 proto_elasticsearch = proto_register_protocol("Elasticsearch", "Elasticsearch", "elasticsearch");
821
822 expert_elasticsearch = expert_register_protocol(proto_elasticsearch);
823 expert_register_field_array(expert_elasticsearch, ei, array_length(ei));
824
825 proto_register_field_array(proto_elasticsearch, hf, array_length(hf));
826 proto_register_subtree_array(ett, array_length(ett));
827
828 elasticsearch_handle_binary = register_dissector("elasticsearch_binary", dissect_elasticsearch_binary, proto_elasticsearch);
829 elasticsearch_zen_handle = register_dissector("elasticsearch_zen_ping", dissect_elasticsearch_zen_ping, proto_elasticsearch);
830
831 }
832
833 void proto_reg_handoff_elasticsearch(void) {
834
835 dissector_add_uint_with_preference("udp.port", ELASTICSEARCH_DISCOVERY_PORT, elasticsearch_zen_handle);
836 dissector_add_uint_with_preference("tcp.port", ELASTICSEARCH_BINARY_PORT, elasticsearch_handle_binary);
837
838 }
839
840 /*
841 * Editor modelines - https://www.wireshark.org/tools/modelines.html
842 *
843 * Local variables:
844 * c-basic-offset: 4
845 * tab-width: 8
846 * indent-tabs-mode: nil
847 * End:
848 *
849 * vi: set shiftwidth=4 tabstop=8 expandtab:
850 * :indentSize=4:tabSize=8:noTabs=true:
851 */
Metzes wireshark repo