| blob | da1b0ccfcf71d1819dc3e7ca1b7a293cd510cae7 |
1 /* packet-http.c
2 * Routines for HTTP packet disassembly
3 * RFC 1945 (HTTP/1.0)
4 * RFC 2616 (HTTP/1.1)
5 *
6 * Guy Harris <guy@alum.mit.edu>
7 *
8 * Copyright 2017, Eugene Adell <eugene.adell@gmail.com>
9 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
10 * Copyright 2002, Tim Potter <tpot@samba.org>
11 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
12 *
13 * Wireshark - Network traffic analyzer
14 * By Gerald Combs <gerald@wireshark.org>
15 * Copyright 1998 Gerald Combs
16 *
17 * SPDX-License-Identifier: GPL-2.0-or-later
18 */
22 #include <errno.h>
24 #include <epan/packet.h>
25 #include <epan/prefs.h>
26 #include <epan/expert.h>
27 #include <epan/follow.h>
28 #include <epan/addr_resolv.h>
29 #include <epan/uat.h>
30 #include <epan/charsets.h>
31 #include <epan/strutil.h>
32 #include <epan/stats_tree.h>
33 #include <epan/to_str.h>
34 #include <epan/req_resp_hdrs.h>
35 #include <epan/proto_data.h>
36 #include <epan/export_object.h>
37 #include <epan/exceptions.h>
38 #include <epan/show_exception.h>
39 #include <epan/unit_strings.h>
40 #include <glib.h>
48 #include <ui/tap-credentials.h>
124 /*static int hf_http_next_request_in;
125 static int hf_http_next_response_in;
126 static int hf_http_prev_request_in;
127 static int hf_http_prev_response_in; */
171 /* RFC 3986 Ch 2.2 Reserved characters*/
172 /* patterns used for tvb_ws_mempbrk_pattern_uint8 */
176 /* reassembly table for streaming chunk mode */
181 /* HTTP chunk virtual frame number (similar to HTTP2 frame num) */
182 #define get_http_chunk_frame_num get_virtual_frame_num64
184 /* Stuff for generation/handling of fields for custom HTTP headers */
197 static bool
199 {
206 }
212 }
214 /* Check for invalid characters (to avoid asserting out when
215 * registering the field).
216 */
221 }
225 }
229 {
237 }
239 static void
241 {
246 }
251 /*
252 * desegmentation of HTTP headers
253 * (when we are over TCP or another protocol providing the desegmentation API)
254 */
257 /*
258 * desegmentation of HTTP bodies
259 * (when we are over TCP or another protocol providing the desegmentation API)
260 * TODO let the user filter on content-type the bodies he wants desegmented
261 */
264 /*
265 * De-chunking of content-encoding: chunk entity bodies.
266 */
269 /*
270 * Decompression of compressed content-encoded entities.
271 */
274 /*
275 * Extra checks for valid ASCII data in HTTP headers.
276 */
279 /* Simple Service Discovery Protocol
280 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
281 * SSDP is the discovery protocol of Universal Plug and Play
282 * UPnP http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
283 */
284 #define TCP_PORT_SSDP 1900
285 #define UDP_PORT_SSDP 1900
287 /*
288 * TCP and TLS ports
289 *
290 * 2710 is the XBT BitTorrent tracker
291 */
303 typedef void (*ReqRespDissector)(packet_info*, tvbuff_t*, proto_tree*, int, const unsigned char*,
306 /**
307 * Transfer codings from
308 * https://www.iana.org/assignments/http-parameters/http-parameters.xhtml#transfer-coding
309 * Note: chunked encoding is handled separately.
310 */
313 /* HTTP_TE_CHUNKED, */
314 HTTP_TE_COMPRESS,
315 HTTP_TE_DEFLATE,
316 HTTP_TE_GZIP,
317 HTTP_TE_IDENTITY,
321 /*
322 * Structure holding information from headers needed by main
323 * HTTP dissector code.
324 */
332 http_transfer_coding transfer_encoding;
336 /* request or response streaming reassembly data */
338 /* reassembly information only for request or response with chunked and streaming data */
340 /* subdissector handler for request or response with chunked and streaming data */
341 dissector_handle_t streaming_handle;
342 /* message being passed to subdissector if the request or response has chunked and streaming data */
347 /* http request or response private data */
349 /* direction of request message */
351 /* request or response streaming reassembly data */
359 nstime_t abs_time;
366 nstime_t delta_time;
388 static bool check_auth_digest(proto_item* hdr_item, tvbuff_t* tvb, packet_info* pinfo _U_, char* value, int offset, int len);
400 static tap_packet_status
401 http_eo_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *data, tap_flags_t flags _U_)
402 {
408 /* These values will be freed when the Export Object window
409 * is closed. */
413 /* XXX: Should this remove the port, if any? It's only
414 * for display, so probably not. */
417 /* XXX: Should this remove the query portion, if any, from
418 * the path? (Or should that be done in the dissector?) */
428 }
429 }
431 /* --- HTTP Status Codes */
432 /* Note: The reference for uncommented entries is RFC 2616 */
507 };
519 /* Parse HTTP path sub components RFC3986 Ch 3.3, 3.4 */
520 void
521 http_add_path_components_to_tree(tvbuff_t* tvb, packet_info* pinfo _U_, proto_item* item, int offset, int length)
522 {
527 /* The Content-Location (and Referer) headers in HTTP 1.1, and the
528 * :path header in HTTP/2 can be an absolute-URI or a partial-URI;
529 * i.e. that they can include a path and a query, but not a fragment.
530 * RFC 7230 2.7 Uniform Request Identifiers, RFC 7231 Appendices C and D,
531 * RFC 7540 8.1.2.3. Request Pseudo-Header Fields
532 * Look for a ? to mark a query.
533 */
536 parameter_offset = tvb_ws_mempbrk_pattern_uint8(tvb, offset + 1, end_path_offset - offset - 1, &pbrk_sub_delims, NULL);
538 /* Nothing interesting, no need to split. */
540 }
544 parameter_offset = tvb_ws_mempbrk_pattern_uint8(tvb, offset + 1, end_path_offset - offset - 1, &pbrk_sub_delims, NULL);
548 parameter_offset = tvb_ws_mempbrk_pattern_uint8(tvb, offset + 1, end_path_offset - offset - 1, &pbrk_sub_delims, NULL);
551 }
552 proto_tree_add_item(path_tree, hf_http_request_path_segment, tvb, offset, parameter_offset - offset, ENC_ASCII);
554 }
555 }
558 }
559 /* Skip past the delimiter. */
560 query_offset++;
563 ti = proto_tree_add_item(uri_tree, hf_http_request_query, tvb, query_offset, query_len, ENC_ASCII);
566 parameter_offset = tvb_ws_mempbrk_pattern_uint8(tvb, offset + 1, end_offset - offset - 1, &pbrk_sub_delims, NULL);
569 }
570 proto_tree_add_item(query_tree, hf_http_request_query_parameter, tvb, offset, parameter_offset - offset, ENC_ASCII);
572 }
573 }
575 /* HTTP/Load Distribution stats init function */
576 static void
578 {
580 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, STAT_DT_INT, true);
581 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, STAT_DT_INT, true);
582 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, STAT_DT_INT, true);
583 }
585 /* HTTP/Load Distribution stats packet function */
586 static tap_packet_status
587 http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p, tap_flags_t flags _U_)
588 {
610 }
626 }
631 }
634 }
640 /* HTTP/Requests stats init function */
641 static void
643 {
644 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, STAT_DT_INT, true);
645 }
647 /* HTTP/Requests stats packet function */
648 static tap_packet_status
649 http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p, tap_flags_t flags _U_)
650 {
662 }
663 }
666 }
669 }
694 /* HTTP/Packet Counter stats init function */
695 static void
697 {
700 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, STAT_DT_INT, true);
701 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, STAT_DT_INT, true);
702 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, STAT_DT_INT, true);
703 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, STAT_DT_INT, true);
704 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, STAT_DT_INT, true);
705 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, STAT_DT_INT, true);
706 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, STAT_DT_INT, true);
708 }
710 /* HTTP/Packet Counter stats packet function */
711 static tap_packet_status
712 http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p, tap_flags_t flags _U_)
713 {
743 }
754 }
757 }
759 /*
760 Generates a referer tree - a best-effort representation of which web request led to which.
762 Some challenges:
763 A user can be forwarded to a single sites from multiple sources. For example,
764 google.com -> foo.com and bing.com -> foo.com. A URI alone is not unique.
766 Additionally, if a user has a subsequent request to foo.com -> bar.com, the
767 full chain could either be:
768 google.com -> foo.com -> bar.com, or
769 bing.com -> foo.com -> bar.com,
771 This indicates that a URI and its referer are not unique. Only a URI and its
772 full referer chain are unique. However, HTTP requests only contain the URI
773 and the immediate referer. This means that any attempt at generating a
774 referer tree is inherently going to be a best-effort approach.
776 This code assumes that the referer in a request is from the most-recent request
777 to that referer.
779 * To maintain readability of the statistics, whenever a site is visited, all
780 prior referers are 'ticked' as well, so that one can easily see the breakdown.
781 */
783 /* Root node for all referer statistics */
785 /* Referer statistics root node's text */
788 /* Mapping of URIs to the most-recently seen node id */
790 /* Mapping of node ids to the node's URI ('name' value) */
792 /* Mapping of node ids to the parent node id */
796 /* HTTP/Request Sequences stats init function */
797 static void
799 {
805 refstats_node_id_to_parent_node_id_hash = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
809 /* Add the root node and its mappings */
810 st_node_requests_by_referer = stats_tree_create_node(st, st_str_request_sequences, root_node_id, STAT_DT_INT, true);
817 }
819 static int
821 {
830 /* Tick the referer's URI */
831 /* Does the node exist? */
832 if (!wmem_map_lookup_extended(refstats_uri_to_node_id_hash, arg_referer_uri, NULL, &referer_node_id_p)) {
833 /* The node for the referer didn't already exist, create the mappings */
841 wmem_map_insert(refstats_node_id_to_parent_node_id_hash, referer_node_id_p, referer_parent_node_id_p);
843 /* The node for the referer already exists, tick it */
844 referer_parent_node_id_p = wmem_map_lookup(refstats_node_id_to_parent_node_id_hash, referer_node_id_p);
847 }
849 }
851 static void
853 {
862 /* Update the mappings. Even if the URI was already seen, the URI->node mapping may need to be updated */
864 /* Is this a new node? */
867 /* node not found, add mappings for the node and uri */
874 /* We've seen the node id before. Update the URI mapping refer to this node id*/
876 }
877 }
880 determine_http_location_target(wmem_allocator_t *scope, const char *base_url, const char * location_url)
881 {
882 /* Resolving a base URI + relative URI to an absolute URI ("Relative Resolution")
883 is complicated. Because of that, we take shortcuts that may result in
884 inaccurate results, but is also significantly simpler.
885 It would be best to use an external library to do this for us.
886 For reference, the RFC is located at https://tools.ietf.org/html/rfc3986#section-5.4
888 Returns NULL if the resolution fails
889 */
892 /* base_url must be an absolute URL.*/
895 }
897 /* Empty Location */
901 }
902 /* Protocol Relative */
907 }
911 }
912 /* Absolute URL*/
916 }
917 /* Relative */
924 /* Strip off the fragment (which should never be present)*/
927 }
930 }
932 /* Strip off the query (Queries are stripped from all relative URIs) */
936 }
938 base_url_no_query = wmem_strndup(scope, base_url_no_fragment, start_query - base_url_no_fragment);
939 }
941 /* A leading question mark (?) means to replace the old query with the new*/
945 }
946 /* A leading slash means to put the location after the netloc */
948 /* We have already tested strstr(base_url) above */
956 }
960 }
964 }
966 final_target = wmem_strdup_printf(scope, "%.*s%s", netloc_length, base_url_no_query, location_url);
968 }
969 /* Otherwise, it replaces the last element in the URI */
976 final_target = wmem_strdup_printf(scope, "%.*s/%s", base_through_path, base_url_no_query, location_url);
977 }
980 }
983 }
984 }
986 }
988 /* HTTP/Request Sequences stats packet function */
989 static tap_packet_status
990 http_seq_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p, tap_flags_t flags _U_)
991 {
994 /* Track HTTP Redirects */
1002 char *absolute_target = determine_http_location_target(pinfo->pool, v->location_base_uri, v->location_target);
1003 /* absolute_target is NULL if the resolution fails */
1005 /* We assume the user makes the request to the absolute_target */
1006 /* Tick the base URI */
1009 /* Tick the location header's resolved URI */
1012 /* Tick all stats nodes above the location */
1014 while (wmem_map_lookup_extended(refstats_node_id_to_parent_node_id_hash, current_node_id_p, NULL, &parent_node_id_p)) {
1019 }
1020 }
1021 }
1023 /* Track HTTP Requests/Referers */
1030 /* Tick the referer's URI */
1033 /* Tick the request's URI */
1036 /* Tick all stats nodes above the referer */
1038 while (wmem_map_lookup_extended(refstats_node_id_to_parent_node_id_hash, current_node_id_p, NULL, &parent_node_id_p)) {
1043 }
1044 }
1046 }
1049 static void
1052 {
1059 else
1061 }
1063 static void
1066 {
1073 }
1078 {
1083 /* Retrieve information from conversation
1084 * or add it if it isn't there yet
1085 */
1088 /* Setup the conversation structure itself */
1096 conv_data);
1097 }
1100 }
1102 /**
1103 * create a new http_req_res_t and add it to the conversation.
1104 * @return the new allocated object which is already added to the linked list
1105 */
1108 {
1116 }
1118 /**
1119 * push a request frame number and its time stamp to the conversation data.
1120 */
1123 {
1124 /* a request will always create a new http_req_res_t object */
1130 /* XXX: Using the same proto key for the frame doesn't work well
1131 * with HTTP 1.1 pipelining, or other situations where more
1132 * than one request can appear in a frame.
1133 */
1137 }
1139 /**
1140 * push a response frame number to the conversation data.
1141 */
1144 {
1145 /* a response will create a new http_req_res_t object: if no
1146 object exists, or if the most recent one is already for
1147 a different response. (Exception: If the previous response
1148 code was in the Informational 1xx category, then it was
1149 an interim response, and this response could be for the same
1150 request.) In both cases the corresponding request was not
1151 detected/included in the conversation. In all other cases
1152 the http_req_res_t object created by the request is
1153 used. */
1154 /* XXX: This finds the only most recent request and doesn't support
1155 * HTTP 1.1 pipelining. This limitation has been addressed for
1156 * HTTP GETS if Range Requests are supported.
1157 */
1161 }
1163 /* XXX: Using the same proto key for the frame doesn't work well
1164 * with HTTP 1.1 pipelining, or other situations where more
1165 * than one request can appear in a frame and multiple outstanding
1166 * GET requests. The latter has been addressed with matches_table."
1167 */
1171 }
1173 static int
1178 {
1189 media_container_type_t http_type;
1191 ReqRespDissector reqresp_dissector;
1201 /*unsigned i;*/
1202 /*http_info_value_t *si;*/
1213 /*
1214 * For supporting dissecting chunked data in streaming reassembly mode.
1215 *
1216 * If a HTTP request or response is chunked encoding (the transfer-encoding
1217 * header is 'chunked') and its content-type matching a subdissector in
1218 * "streaming_content_type" dissector table, then we switch to dissect in
1219 * streaming chunk mode. In streaming chunk mode, we dissect the data as soon
1220 * as possible, unlike normal mode, we don't start reassembling until the end
1221 * of the request or response message or at the end of the TCP stream. In
1222 * streaming chunk mode, the first reassembled PDU contains HTTP headers
1223 * and at least one completed chunk of this request or response message. And
1224 * subsequent PDUs consist of one or more chunks:
1225 *
1226 * ----- +-- Reassembled Streaming Content PDU(s) --+-- Reassembled Streaming Content PDU(s) --+--- Reassembled ...
1227 * HLProtos | 1*high-proto-pdu | 1*high-proto-pdu | 1*high-proto-pdu
1228 * ----- +-------------------------------------+----+--------------------------------+---------+-------------------
1229 * | de-chunked-data | de-chunked-data | de-chunked-data
1230 * HTTP +-------- First Reassembled HTTP PDU -----------+--- Second Reassembled HTTP PDU -----+- Third PDU -+ +- Fourth ---
1231 * | headers and 1*chunk | 1*chunk | 1*chunk | | 1*chunk ...
1232 * ----- +--------- TCP segment ---------+ +-----------TCP segment -----------+ +---- TCP segment ---------+ +------------
1233 * TCP | headers | *chunk | part-chunk | | part-chunk | *chunk | part-chunk | | part-chunk | 1*chunk | | 1*chunk ...
1234 * ----- +---------+--------+------------+ +------------+--------+------------+ +------------+-------------+ +------------
1235 *
1236 * Notation:
1237 * - headers HTTP headers of a request or response message.
1238 * - part-chunk The front or rear part of a HTTP chunk.
1239 * - *chunk Zero or more completed HTTP chunks of a HTTP message.
1240 * - 1*chunk One or more completed HTTP chunks of a HTTP message.
1241 * - de-chunked-data De-chunked HTTP body data based on one or more completed chunks.
1242 * - 1*high-proto-pdu One or more high level protocol (on top of HTTP) PDUs.
1243 * - HLProtos High Level Protocols like GRPC-Web.
1244 *
1245 * The headers and content_info of the req_res are allocated in file scope that
1246 * helps to provide information for dissecting subsequent PDUs which only
1247 * contains chunks without headers.
1248 */
1253 http_req_res_t *curr = (http_req_res_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_http, HTTP_PROTO_DATA_REQRES);
1255 http_req_res_private_data_t* prv_data = curr ? (http_req_res_private_data_t*)curr->private_data : NULL;
1258 /* Determine the direction as in the TCP dissector, but don't call
1259 * get_tcp_conversation_data because we don't want to create a new
1260 * TCP stream if it doesn't exist (e.g., SSDP over UDP.)
1261 */
1263 /* if the addresses are equal, match the ports instead */
1266 }
1271 }
1275 /* Returns 0 when there is no entry in the map, as we want. */
1276 }
1281 }
1283 /* RFC 2616
1284 * In the interest of robustness, servers SHOULD ignore any empty
1285 * line(s) received where a Request-Line is expected. In other words, if
1286 * the server is reading the protocol stream at the beginning of a
1287 * message and receives a CRLF first, it should ignore the CRLF.
1288 */
1294 }
1295 }
1297 /*
1298 * If we previously dissected an HTTP request in this conversation then
1299 * we should be pretty sure that whatever we got in this TVB is
1300 * actually HTTP (even if what we have here is part of a file being
1301 * transferred over HTTP).
1302 */
1306 /*
1307 * If this is binary data then there's no point in doing all the string
1308 * operations below: they'll just be slow on this data.
1309 */
1311 /*
1312 * But, if we've seen some real HTTP then we're sure this is
1313 * an HTTP conversation, and this is binary file data.
1314 * Mark it as such.
1315 */
1326 /* If orig_offset > 0, this isn't the first message
1327 * dissected in this TCP segment, which means we had
1328 * a Content-Length, but more data after that body.
1329 */
1331 proto_tree_add_expert(http_tree, pinfo, &ei_http_excess_data, next_tvb, 0, tvb_captured_length(next_tvb));
1332 }
1333 /* Send it to Follow HTTP Stream and mark as file data */
1336 }
1341 }
1343 }
1345 /*
1346 * Is this a request or response?
1347 *
1348 * Note that "tvb_find_line_end()" will return a value that
1349 * is not longer than what's in the buffer, so the
1350 * "tvb_get_ptr()" call won't throw an exception.
1351 */
1357 /* No complete line was found in this segment, do
1358 * desegmentation if we're told to.
1359 */
1363 /*
1364 * More data needed for desegmentation.
1365 */
1367 }
1368 }
1370 if (!PINFO_FD_VISITED(pinfo) && conv_data->req_res_tail && conv_data->req_res_tail->private_data) {
1372 }
1374 /* Check whether the first line is the beginning of a chunk. If it is the beginning
1375 * of a chunk, the headers and at least one chunk of HTTP request or response should
1376 * be dissected in the previous packets, and now we are processing subsequent chunks.
1377 */
1383 /* and now we are in a HTTP request chunk stream */
1385 /* and now we are in a HTTP response chunk stream */
1387 ||
1388 (tail_prv_data && ( /* This packet has not been parsed and headers info in conv_data->req_res_tail */
1389 /* and now we are in a HTTP request chunk stream */
1391 /* and now we are in a HTTP response chunk stream */
1393 {
1395 }
1396 }
1398 /*
1399 * Is the first line a request or response?
1400 *
1401 * Note that "tvb_find_line_end()" will return a value that
1402 * is not longer than what's in the buffer, so the
1403 * "tvb_get_ptr()" call won't throw an exception.
1404 */
1415 /*
1416 * Yes, it's a request or response.
1417 * Put the first line from the buffer into the summary
1418 * (but leave out the line terminator).
1419 */
1420 col_add_fstr(pinfo->cinfo, COL_INFO, "%s ", format_text(pinfo->pool, firstline, first_linelen));
1421 }
1423 /*
1424 * Do header desegmentation if we've been told to,
1425 * and do body desegmentation if we've been told to and
1426 * we find a Content-Length header in requests.
1427 *
1428 * The following cases (from RFC 7230, Section 3.3) never have a
1429 * response body, so do not attempt to desegment the body for:
1430 * * Responses to HEAD requests.
1431 * * 2xx responses to CONNECT requests.
1432 * * 1xx, 204 No Content, 304 Not Modified responses.
1433 *
1434 * Additionally if we are at the end of stream, no more segments
1435 * will be added so disable body segmentation too in that case.
1436 */
1438 if (try_desegment_body && http_type == MEDIA_CONTAINER_HTTP_RESPONSE && !streaming_chunk_mode) {
1439 /*
1440 * The response_code is not yet set, so extract
1441 * the response code from the current line.
1442 */
1444 /*
1445 * On a second pass, we should have already associated
1446 * the response with the request. On a first sequential
1447 * pass, we haven't done so yet (as we don't know if we
1448 * need more data), so get the request method from the
1449 * most recent request, if it exists.
1450 */
1456 }
1464 /* No response body is present. */
1466 }
1467 }
1469 http_desegment_headers, try_desegment_body, http_type == MEDIA_CONTAINER_HTTP_RESPONSE, &chunk_offset,
1471 /*
1472 * More data needed for desegmentation.
1473 */
1476 }
1478 }
1481 /* This handle is set because there is a header 'Transfer-Encoding: chunked', and
1482 * a streaming mode reassembly supported subdissector is found according to the
1483 * header of Content-Type.
1484 */
1486 }
1488 /*
1489 * If we know this is HTTP then call it continuation.
1490 */
1491 /* If orig_offset > 0, this isn't the first message dissected
1492 * in this segment, which means we had a Content-Length, but
1493 * more data after the body. If this isn't a request or reply,
1494 * that's bogus, and probably means the Content-Length was
1495 * wrong.
1496 */
1499 }
1501 }
1504 /*
1505 * Now set COL_PROTOCOL and create the http tree for the
1506 * cases where we set COL_INFO above.
1507 */
1514 }
1516 proto_tree_add_expert(http_tree, pinfo, &ei_http_excess_data, tvb, offset, tvb_captured_length_remaining(tvb, offset));
1517 }
1518 }
1524 /* point this packet beginning with a chunk to req_res info created in previous packet. */
1528 }
1532 /* in request flow */
1535 /* in response flow */
1537 }
1545 }
1546 }
1548 // Ensure headers is valid before the `goto dissecting_body` below.
1550 DISSECTOR_ASSERT_HINT(!PINFO_FD_VISITED(pinfo) || (PINFO_FD_VISITED(pinfo) && !streaming_chunk_mode),
1551 "The headers variable should not be NULL if it is in streaming mode during a non first scan.");
1552 DISSECTOR_ASSERT_HINT(header_value_map == NULL, "The header_value_map variable should be NULL while headers is NULL.");
1555 header_value_map = wmem_map_new((streaming_chunk_mode ? wmem_file_scope() : pinfo->pool), g_str_hash, g_str_equal);
1556 }
1561 }
1575 /*
1576 * Process the packet data, a line at a time.
1577 */
1582 /*
1583 * Find the end of the line.
1584 * XXX - what if we don't find it because the packet
1585 * is cut short by a snapshot length or the header is
1586 * split across TCP segments? How much dissection should
1587 * we do on it?
1588 */
1595 /*
1596 * Get a buffer that refers to the line.
1597 *
1598 * Note that "tvb_find_line_end()" will return a value that
1599 * is not longer than what's in the buffer, so the
1600 * "tvb_get_ptr()" call won't throw an exception.
1601 */
1606 /*
1607 * OK, does it look like an HTTP request or response?
1608 */
1610 is_request_or_reply =
1616 /*
1617 * No. Does it look like a blank line (as would appear
1618 * at the end of an HTTP request)?
1619 */
1623 /*
1624 * No. Does it look like a header?
1625 */
1630 /*
1631 * Colon found, assume it is a header if we've seen a
1632 * valid line before. Check a little more if not.
1633 */
1640 /*
1641 * Non-ASCII! Return -2 for invalid
1642 * HTTP, distinct from -1 for possible
1643 * reassembly required.
1644 */
1646 }
1647 }
1648 }
1650 }
1651 }
1653 /*
1654 * We haven't seen the colon yet.
1655 *
1656 * If we've already seen an HTTP request or response
1657 * line, or a header line, and we're at the end of
1658 * the tvbuff, we assume this is an incomplete header
1659 * line. (We quit this loop after seeing a blank line,
1660 * so if we've seen a request or response line, or a
1661 * header line, this is probably more of the request
1662 * or response we're presumably seeing. There is some
1663 * risk of false positives, but the same applies for
1664 * full request or response lines or header lines,
1665 * although that's less likely.)
1666 *
1667 * We throw an exception in that case, by checking for
1668 * the existence of the next byte after the last one
1669 * in the line. If it exists, "tvb_ensure_bytes_exist()"
1670 * throws no exception, and we fall through to the
1671 * "not HTTP" case. If it doesn't exist,
1672 * "tvb_ensure_bytes_exist()" will throw the appropriate
1673 * exception.
1674 */
1678 /*
1679 * We don't consider this part of an HTTP request or
1680 * reply, so we don't display it.
1681 * (Yeah, that means we don't display, say, a text/http
1682 * page, but you can get that from the data pane.)
1683 */
1686 is_http:
1692 }
1693 }
1698 }
1702 /*
1703 * Process this line.
1704 */
1707 /*
1708 * This is a blank line, which means that
1709 * whatever follows it isn't part of this
1710 * request or reply.
1711 */
1715 }
1717 /*
1718 * Not a blank line - either a request, a reply, or a header
1719 * line.
1720 */
1738 }
1739 }
1743 }
1745 /*
1746 * Header.
1747 */
1752 /*
1753 * Line is not a good HTTP header.
1754 * Return -2 to mark as invalid HTTP;
1755 * this is distinct from returning -1 when
1756 * it may be HTTP but in need of reassembly.
1757 */
1759 }
1760 }
1762 }
1770 }
1775 }
1779 }
1780 }
1782 /* If the request has a range, this is, or potentially is, asynchronous I/O thus
1783 * full_uri must be reinitialized because it is set to that of the last request. */
1786 }
1806 /* The conv_data->matches_table is only used for GET requests with ranges and
1807 * response_codes of 206 (Partial Content). (Note: only GETs use ranges.)
1808 */
1823 {
1830 uri);
1833 }
1834 }
1835 }
1837 /* If responses don't have a range, the I/O is synchronous in which case a request is
1838 * matched with the following response. If a request or response is missing from the
1839 * capture file, correct matching resumes at the next request. */
1841 && curr
1848 nstime_t delta;
1853 }
1858 }
1864 }
1865 }
1868 {
1883 }
1884 }
1892 }
1893 }
1900 }
1906 }
1907 }
1908 }
1914 }
1915 }
1917 /* Give the follow tap what we've currently dissected */
1919 tap_queue_packet(http_follow_tap, pinfo, tvb_new_subset_length(tvb, orig_offset, offset-orig_offset));
1920 }
1925 /*
1926 * If a content length was supplied, the amount of data to be
1927 * processed as HTTP payload is the minimum of the content
1928 * length and the amount of data remaining in the frame.
1929 *
1930 * If a message is received with both a Transfer-Encoding
1931 * header field and a Content-Length header field, the latter
1932 * MUST be ignored.
1933 *
1934 * If no content length was supplied (or if a bad content length
1935 * was supplied), the amount of data to be processed is the amount
1936 * of data remaining in the frame.
1937 *
1938 * If there was no Content-Length entity header, we should
1939 * accumulate all data until the end of the connection.
1940 * That'd require that the TCP dissector call subdissectors
1941 * for all frames with FIN, even if they contain no data,
1942 * which would require subdissectors to deal intelligently
1943 * with empty segments.
1944 *
1945 * According to RFC 2616, however, 1xx responses, 204 responses,
1946 * and 304 responses MUST NOT include a message body; if no
1947 * content length is specified for them, we don't attempt to
1948 * dissect the body.
1949 *
1950 * XXX - it says the same about responses to HEAD requests;
1951 * unless there's a way to determine from the response
1952 * whether it's a response to a HEAD request, we have to
1953 * keep information about the request and associate that with
1954 * the response in order to handle that.
1955 */
1961 /*
1962 * XXX - limit the reported length in the tvbuff we'll
1963 * hand to a subdissector to be no greater than the
1964 * content length.
1965 *
1966 * We really need both unreassembled and "how long it'd
1967 * be if it were reassembled" lengths for tvbuffs, so
1968 * that we throw the appropriate exceptions for
1969 * "not enough data captured" (running past the length),
1970 * "packet needed reassembly" (within the length but
1971 * running past the unreassembled length), and
1972 * "packet is malformed" (running past the reassembled
1973 * length).
1974 */
1981 /*
1982 * Requests have no content if there's no
1983 * Content-Length header and no Transfer-Encoding
1984 * header.
1985 */
1988 else
1998 /*
1999 * XXX - responses to HEAD requests,
2000 * and possibly other responses,
2001 * "MUST NOT" include a
2002 * message-body.
2003 */
2005 }
2009 /*
2010 * XXX - what about MEDIA_CONTAINER_HTTP_NOTIFICATION?
2011 */
2014 }
2015 }
2036 }
2037 }
2044 }
2046 dissecting_body:
2049 /*
2050 * There's stuff left over; process it.
2051 */
2056 /*
2057 * Create a tvbuff for the payload.
2058 *
2059 * The amount of data to be processed that's
2060 * available in the tvbuff is "datalen", which
2061 * is the minimum of the amount of data left in
2062 * the tvbuff and any specified content length.
2063 *
2064 * The amount of data to be processed that's in
2065 * this frame, regardless of whether it was
2066 * captured or not, is "reported_datalen",
2067 * which, if no content length was specified,
2068 * is -1, i.e. "to the end of the frame.
2069 */
2071 reported_datalen);
2073 /*
2074 * Handle *transfer* encodings.
2075 */
2078 /* Chunking disabled, cannot dissect further. */
2079 /* XXX: Should this be sent to the follow tap? */
2082 }
2088 /*
2089 * The chunks weren't reassembled,
2090 * or there was a single zero
2091 * length chunk.
2092 */
2095 /*
2096 * Add a new data source for the
2097 * de-chunked data.
2098 */
2101 next_tvb);
2102 #endif
2105 /* chunked-body might be smaller than
2106 * datalen. */
2108 }
2109 }
2110 /* Handle other transfer codings after de-chunking. */
2115 /*
2116 * We currently can't handle, for example, "gzip",
2117 * "compress", or "deflate" as *transfer* encodings;
2118 * just handle them as data for now.
2119 * XXX: Should this be sent to the follow tap?
2120 */
2124 /* Nothing to do for "identity" or when header is
2125 * missing or invalid. */
2127 }
2128 /*
2129 * At this point, any chunked *transfer* coding has been removed
2130 * (the entity body has been dechunked) so it can be presented
2131 * for the following operation (*content* encoding), or it has
2132 * been handed off to the data dissector.
2133 *
2134 * Handle *content* encodings other than "identity" (which
2135 * shouldn't appear in a Content-Encoding header, but
2136 * we handle it in any case).
2137 */
2140 /*
2141 * We currently don't handle, for example, "compress";
2142 * just handle them as data for now.
2143 *
2144 * After July 7, 2004 the LZW patent expired, so
2145 * support could be added. However, I don't think
2146 * that anybody ever really implemented "compress",
2147 * due to the aforementioned patent.
2148 */
2153 #if defined(HAVE_ZLIB) || defined(HAVE_ZLIBNG)
2159 {
2162 }
2163 #endif
2165 #ifdef HAVE_BROTLI
2168 {
2171 }
2172 #endif
2174 #ifdef HAVE_SNAPPY
2177 {
2180 }
2181 #endif
2183 #ifdef HAVE_ZSTD
2186 {
2189 }
2190 #endif
2194 {
2195 /*
2196 * [MS-WUSP] 2.1.1 Xpress Compression
2197 * Segmented into a series of blocks and compressed with the
2198 * Plain LZ77 variant of [MS-XCA] Xpress Compression Algorithm.
2199 *
2200 * XXX - Does Microsoft use any other variants of [MS-XCA]
2201 * for Content-Encoding: xpress in any other situations
2202 * besides Windows Update Services?
2203 */
2210 /*
2211 * "The compressed size of each block MUST NOT be greater
2212 * than 65535 bytes."
2213 */
2216 }
2219 }
2227 }
2231 }
2233 }
2235 /*
2236 * XXX - Should we add an expert info for partial
2237 * decompression if we didn't finish? I.e., if
2238 * tvb_captured_length_remaining(next_tvb, comp_offset) > 0
2239 */
2241 }
2242 }
2244 /*
2245 * Add the encoded entity to the protocol tree
2246 */
2254 /*
2255 * Decompression worked
2256 */
2258 /* XXX - Don't free this, since it's possible
2259 * that the data was only partially
2260 * decompressed, such as when desegmentation
2261 * isn't enabled.
2262 *
2263 tvb_free(next_tvb);
2264 */
2271 /* XXX - We should distinguish between "failed", "unsupported
2272 * only because support wasn't compiled in", and "unsupported
2273 * by Wireshark", to indicate whether the problem is with
2274 * the capture file, the build, or Wireshark.
2275 */
2277 }
2280 }
2281 /* XXX: Should this be sent to the follow tap? */
2285 }
2286 }
2287 /*
2288 * Note that a new data source is added for the entity body
2289 * only if it was content-encoded and/or transfer-encoded.
2290 */
2292 /* Save values for the Export Object GUI feature if we have
2293 * an active listener to process it (which happens when
2294 * the export object window is open). */
2295 /* XXX: Do we really want to send it to Export Object if we didn't
2296 * get the headers, so that this is just a fragment of Continuation
2297 * Data and not a complete object?
2298 */
2305 }
2310 }
2312 /* Send it to Follow HTTP Stream and mark as file data */
2315 }
2323 /*
2324 * Do subdissector checks.
2325 *
2326 * First, if we have a Content-Type value, check whether
2327 * there's a subdissector for that media type.
2328 */
2330 /*
2331 * We didn't find any subdissector that
2332 * registered for the port, and we have a
2333 * Content-Type value. Is there any subdissector
2334 * for that content type?
2335 */
2337 /*
2338 * Calling the string handle for the media type
2339 * dissector table will set pinfo->match_string
2340 * to headers->content_type for us.
2341 */
2344 media_type_subdissector_table,
2348 /* Try to decode the unknown multipart subtype anyway */
2350 media_type_subdissector_table,
2352 }
2353 }
2355 /*
2356 * Now, if we didn't find such a subdissector, check
2357 * whether some subdissector asked that they be called
2358 * if HTTP traffic was on some particular port. This
2359 * handles protocols that use HTTP syntax but don't have
2360 * a media type and instead use a specified port.
2361 */
2363 /* If the HTTP dissector was called heuristically
2364 * (or the HTTP dissector was called from the TLS
2365 * dissector, which was called heuristically), then
2366 * match_uint doesn't get set (or is likely set to
2367 * 6 for IP_PROTO_TCP.) Some protocols (e.g., IPP)
2368 * use the same specified port for both HTTP and
2369 * HTTP over TLS, and one will be a heuristic match.
2370 * In those cases, look at the src or dest port.
2371 */
2381 }
2382 }
2385 /*
2386 * We have a subdissector - call it.
2387 */
2390 /* reassemble and call subdissector */
2399 }
2402 }
2405 /*
2406 * We don't have a subdissector or we have one and it did not
2407 * dissect the payload - try the heuristic subdissectors.
2408 */
2411 /* If this isn't a request or reply, and we're not
2412 * in streaming chunk mode, then we didn't try to
2413 * desegment the body. (We think this is file data
2414 * in the middle of a connection.) Allow the heuristic
2415 * dissectors to desegment, if possible.
2416 */
2418 }
2422 }
2425 /*
2426 * The subdissector dissected the body.
2427 * Fix up the top-level item so that it doesn't
2428 * include the stuff for that protocol.
2429 */
2434 /*
2435 * Calling the default media handle if there is a content-type that
2436 * wasn't handled above.
2437 */
2440 /* Call the default data dissector */
2442 }
2443 }
2445 body_dissected:
2446 /*
2447 * We've processed "datalen" bytes worth of data
2448 * (which may be no data at all); advance the
2449 * offset past whatever data we've processed.
2450 */
2452 }
2454 /* Detect protocol changes after receiving full response headers. */
2455 if (http_type == MEDIA_CONTAINER_HTTP_RESPONSE && curr && pinfo->desegment_offset <= 0 && pinfo->desegment_len <= 0) {
2459 /*
2460 * SSTP uses a special request method (instead of the Upgrade
2461 * header) and expects a 200 response to set up the session.
2462 */
2466 }
2468 /*
2469 * An HTTP/1.1 upgrade only proceeds if the server responds
2470 * with 101 Switching Protocols. See RFC 7230 Section 6.7.
2471 */
2477 /* Try again without version suffix. */
2480 }
2481 }
2483 }
2491 }
2492 }
2498 }
2500 /* This can be used to dissect an HTTP request until such time
2501 * that a more complete dissector is written for that HTTP request.
2502 * This simple dissector only puts the request method, URI, and
2503 * protocol version into a sub-tree.
2504 */
2505 static void
2509 {
2514 http_info_value_t *stat_info = p_get_proto_data(pinfo->pool, pinfo, proto_http, HTTP_PROTO_DATA_INFO);
2516 /* The first token is the method. */
2521 ENC_ASCII);
2523 /* Two spaces in a now indicates empty URI, so roll back one here */
2524 next_token--;
2525 }
2529 /* The next token is the URI. */
2532 /* Save the request URI for various later uses */
2541 }
2547 /* Everything to the end of the line is the version. */
2550 ENC_ASCII);
2551 }
2553 static int
2555 {
2561 /*
2562 * The first token is the HTTP Version.
2563 */
2569 /*
2570 * The second token is the Status Code.
2571 */
2582 }
2584 static void
2588 {
2593 http_info_value_t *stat_info = p_get_proto_data(pinfo->pool, pinfo, proto_http, HTTP_PROTO_DATA_INFO);
2595 /*
2596 * The first token is the HTTP Version.
2597 */
2602 ENC_ASCII);
2603 /* Advance to the start of the next token. */
2607 /*
2608 * The second token is the Status Code.
2609 */
2614 /* The Status Code characters must be copied into a null-terminated
2615 * buffer for strtoul() to parse them into an unsigned integer value.
2616 */
2624 }
2635 /* Advance to the start of the next token. */
2639 /*
2640 * The remaining tokens in the line comprise the Reason Phrase.
2641 */
2646 }
2647 }
2649 /*
2650 * Dissect the http data chunks and add them to the tree.
2651 */
2652 static unsigned
2655 {
2669 }
2679 /* Dechunk the "chunked response" to a new memory buffer */
2680 /* XXX: Composite tvbuffers do work now, so we should probably
2681 * use that to avoid the memcpys unless necessary.
2682 */
2698 /* Can't get the chunk size line */
2700 }
2705 /* Can't get the chunk size line */
2707 }
2711 /*
2712 * We don't care about the extensions.
2713 */
2716 }
2721 /*
2722 * The chunk size is more than what's in the tvbuff,
2723 * so either the user hasn't enabled decoding, or all
2724 * of the segments weren't captured.
2725 */
2727 }
2743 offset,
2750 offset,
2754 }
2760 /* last-chunk does not have chunk-data CRLF. */
2762 /*
2763 * Adding the chunk as FT_BYTES means that, in
2764 * TShark, you get the entire chunk dumped
2765 * out in hex, in addition to whatever
2766 * dissection is done on the reassembled data.
2767 */
2771 }
2772 }
2778 /* This is the last chunk */
2780 /* Check for: trailer-part CRLF.
2781 * trailer-part = *( header-field CRLF ) */
2784 /* Skip all header-fields. */
2788 trailer_offset,
2794 hf_http_chunked_trailer_part,
2798 }
2800 /* last CRLF of chunked-body is found. */
2805 }
2807 }
2808 }
2810 /* datalen is the remaining bytes that are available for consumption. If
2811 * smaller than orig_datalen, then bytes were consumed. */
2817 }
2826 /* only append text to column while starting with last chunk */
2828 }
2829 }
2831 /* Size of chunked-body or 0 if none was found. */
2833 }
2835 static bool
2837 {
2838 dissector_handle_t conv_handle;
2846 }
2848 /* Call a subdissector to handle HTTP CONNECT's traffic */
2849 static void
2852 {
2862 /* Grab the destination port number from the request URI to find the right subdissector */
2866 /*
2867 * The string was successfully split in two
2868 * Create a proxy-connect subtree
2869 */
2881 }
2891 }
2893 conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_TCP, srcport, destport, 0);
2895 /* We may get stuck in a recursion loop if we let process_tcp_payload() call us.
2896 * So, if the port in the URI is one we're registered for or we have set up a
2897 * conversation (e.g., one we detected heuristically or via Decode-As) call the data
2898 * dissector directly.
2899 */
2904 /* set pinfo->{src/dst port} and call the TCP sub-dissector lookup */
2907 else
2910 /* Increase pinfo->can_desegment because we are traversing
2911 * http and want to preserve desegmentation functionality for
2912 * the proxied protocol
2913 */
2923 }
2924 }
2925 }
2929 /*
2930 * XXX - this won't handle HTTP 0.9 replies, but they're all data
2931 * anyway.
2932 */
2933 static int
2934 is_http_request_or_reply(packet_info *pinfo, const char *data, int linelen, media_container_type_t *type,
2937 {
2938 http_info_value_t *stat_info = p_get_proto_data(pinfo->pool, pinfo, proto_http, HTTP_PROTO_DATA_INFO);
2941 /*
2942 * From RFC 2774 - An HTTP Extension Framework
2943 *
2944 * Support the command prefix that identifies the presence of
2945 * a "mandatory" header.
2946 */
2950 }
2952 /*
2953 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
2954 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
2955 *
2956 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
2957 * SEARCH
2958 */
2969 /* Look for the space following the Method */
2974 ptr++;
2975 indx++;
2976 }
2977 }
2979 /* Check the methods that have same length */
2987 }
2999 }
3012 }
3023 }
3027 }
3037 }
3046 }
3057 }
3066 }
3078 }
3085 }
3092 }
3102 }
3107 }
3113 }
3117 }
3120 }
3122 /*
3123 * Process headers.
3124 */
3131 #define HDR_NO_SPECIAL 0
3132 #define HDR_AUTHORIZATION 1
3133 #define HDR_AUTHENTICATE 2
3134 #define HDR_CONTENT_TYPE 3
3135 #define HDR_CONTENT_LENGTH 4
3136 #define HDR_CONTENT_ENCODING 5
3137 #define HDR_TRANSFER_ENCODING 6
3138 #define HDR_HOST 7
3139 #define HDR_UPGRADE 8
3140 #define HDR_COOKIE 9
3141 #define HDR_WEBSOCKET_PROTOCOL 10
3142 #define HDR_WEBSOCKET_EXTENSIONS 11
3143 #define HDR_REFERER 12
3144 #define HDR_LOCATION 13
3145 #define HDR_HTTP2_SETTINGS 14
3146 #define HDR_RANGE 15
3147 #define HDR_CONTENT_RANGE 16
3182 };
3184 /*
3185 * Look up a header name (assume lower-case header_name).
3186 */
3189 {
3196 }
3199 }
3201 /*
3202 *
3203 */
3204 static void
3206 {
3208 /* Deregister all fields */
3212 }
3217 }
3222 }
3223 }
3225 static void
3227 {
3256 }
3259 }
3260 }
3262 static void
3264 {
3266 }
3268 /**
3269 * Parses the transfer-coding, returning true if everything was fully understood
3270 * or false when unknown names were encountered.
3271 */
3272 static bool
3274 {
3277 /* Mark header as set, but with unknown encoding. */
3281 /* skip OWS (SP / HTAB) and commas; stop at the end. */
3283 value++;
3291 }
3293 /* For now assume that chunked can only combined with exactly
3294 * one other (compression) encoding. Anything else is
3295 * unsupported. */
3297 /* No more transfer codings are expected. */
3300 }
3321 /* Unknown transfer encoding, skip until next comma.
3322 * Stop when no more names are found. */
3327 }
3328 }
3331 }
3333 static bool
3335 {
3336 /* tchar according to https://tools.ietf.org/html/rfc7230#section-3.2.6 */
3338 }
3340 static bool
3342 {
3344 /*
3345 * Validate the header name. This allows no space between the field name
3346 * and colon (RFC 7230, Section. 3.2.4).
3347 */
3350 }
3352 /*
3353 * NUL is not a valid character; treat it specially
3354 * due to C's notion that strings are NUL-terminated.
3355 */
3358 }
3361 }
3362 }
3364 }
3366 static bool
3372 {
3391 http_info_value_t *stat_info = p_get_proto_data(pinfo->pool, pinfo, proto_http, HTTP_PROTO_DATA_INFO);
3392 wmem_allocator_t *scope = (!PINFO_FD_VISITED(pinfo) && streaming_chunk_mode) ? wmem_file_scope() :
3399 /**
3400 * Not a valid header name? Just add a line plus expert info.
3401 */
3404 /* If we're offering the chance for other dissectors to parse,
3405 * we shouldn't add any tree items ourselves.
3406 */
3408 }
3415 }
3420 }
3422 /*
3423 * Make a null-terminated, all-lower-case version of the header
3424 * name.
3425 */
3430 /*
3431 * Skip whitespace after the colon.
3432 */
3436 value_offset++;
3438 /*
3439 * Fetch the value.
3440 *
3441 * XXX - RFC 9110 5.5 "Specification for newly defined fields
3442 * SHOULD limit their values to visible US-ASCII octets (VCHAR),
3443 * SP, and HTAB. A recipient SHOULD treat other allowed octets in
3444 * field content (i.e., obs-text [%x80-FF]) as opaque data...
3445 * Field values containing CR, LF, or NUL characters are invalid
3446 * and dangerous." (Up to RFC 7230, an obsolete "line-folding"
3447 * mechanism that included CRLF was allowed.)
3448 *
3449 * So NUL is not allowed, and we should have one or more
3450 * expert infos if the field value has anything other than
3451 * ASCII printable + TAB. (Possibly different severities
3452 * depending on whether it contains obsolete characters
3453 * like \x80-\xFF vs characters never allowed like NUL.)
3454 * All known field types respect this (using Base64, etc.)
3455 * Unknown field types (possibly including those registered
3456 * through the UAT) should be treated like FT_BYTES with
3457 * BASE_SHOW_ASCII_PRINTABLE instead of FT_STRING, but it's
3458 * more difficult to do that with the custom formatting
3459 * that uses the header name.
3460 *
3461 * Instead, for now for display purposes we will treat strings
3462 * as ASCII and pass the raw value to subdissectors via the
3463 * header_value_map. For the latter, we allocate a buffer that's
3464 * value_bytes_len+1 bytes long, copy value_bytes_len bytes, and
3465 * stick in a NUL terminator, so that the buffer for value actually
3466 * has value_bytes_len bytes in it.
3467 */
3473 /* The length of the value might change after UTF-8 sanitization */
3483 /*
3484 * Not a header we know anything about.
3485 * Check if a HF generated from UAT information exists.
3486 */
3495 hf_http_response_line :
3496 hf_http_request_line,
3505 }
3515 hf_http_response_line :
3516 hf_http_request_line,
3522 }
3523 }
3524 }
3526 /*
3527 * Add it to the protocol tree as a particular field,
3528 * but display the line as is.
3529 */
3550 hf_http_response_line :
3551 hf_http_request_line,
3556 }
3561 value,
3567 hf_http_response_line :
3568 hf_http_request_line,
3574 }
3575 }
3579 /*
3580 * Do any special processing that particular headers
3581 * require.
3582 */
3613 }
3619 /*
3620 * End of subtype - either
3621 * white space or a ";"
3622 * separating the subtype from
3623 * a parameter.
3624 */
3626 }
3628 /*
3629 * Map the character to lower case;
3630 * content types are case-insensitive.
3631 */
3633 }
3635 /*
3636 * Now find the start of the optional parameters;
3637 * skip the optional white space and the semicolon
3638 * if this has not been done before.
3639 */
3640 f++;
3644 /* Skip till start of parameters */
3645 f++;
3646 else
3648 }
3651 else
3656 DISSECTOR_ASSERT_HINT(!streaming_chunk_mode, "In streaming chunk mode, there will never be content-length header.");
3664 /*
3665 * Content length not valid; pretend
3666 * we don't have it.
3667 */
3672 /*
3673 * We do have a valid content length.
3674 */
3682 }
3683 }
3689 }
3696 }
3699 }
3706 }
3712 }
3724 /* skip whitespace and ';' (terminates at '\0' or earlier) */
3732 /* find "cookie=foo " in "cookie=foo ; bar" */
3737 else
3740 /* finally add cookie to tree */
3744 }
3745 }
3751 }
3757 }
3768 }
3771 {
3775 TRY{
3779 }
3780 ENDTRY;
3783 }
3785 {
3786 /* THIS IS A GET REQUEST
3787 * Note: GET is the only method that employs ranges.
3788 * (Unless the data has errors or is noncompliant.)
3789 */
3791 /*
3792 * Unlike protocols such as NFS and SMB, the HTTP protocol (RFC 9110) does not
3793 * provide an identifier with which to match requests and responses. Instead,
3794 * matching is solely based upon the order in which responses are received.
3795 * HTTP I/O is 'asynchronously ordered' such that, for example, the first of four
3796 * GET responses are matched with the first outstanding request, the next
3797 * response with the second oldest outstanding request and so on (FIFO).
3798 * The previous method instead matched responses with the last of several
3799 * async requests rather than the first (LIFO), and did not handle requests
3800 * with no responses such as the case where one or more HTTP packets were
3801 * not captured. Whenever there were multiple outstanding requests, the SRT
3802 * (RTT) stats were incorrect, in some cases massively so.
3803 *
3804 * While RFC 9110 expressly prohibits matching via byte ranges because, among
3805 * other things, the server may return fewer bytes than requested,
3806 * the first number of the range does not change. Unlike HTTP implementations,
3807 * Wireshark has the problem of requests/responses missing from the capture
3808 * file. In such cases resumption of correct matching was virtually impossible.
3809 * In addition, all matching was incorrect from that point on.
3810 *
3811 * The method of matching used herein is able to recover from packet loss,
3812 * any number of missing frames, and duplicate range requests. The
3813 * method used is explained within the comments.
3814 */
3815 /* https://www.rfc-editor.org/rfc/rfc9110.html#name-range-requests
3816 * Note that RFC 9110 16.5 defines a registry for
3817 * range units, but only bytes are registered.
3818 * ABNF:
3819 * Range = ranges-specifier
3820 * ranges-specifier = range-unit "=" range-set
3821 * range-set = 1#range-spec
3822 * range-spec = int-range / suffix-range / other-range
3823 * 1# is an ABNF extension defined in RFC 9110 5.6.1
3824 * which covers comma separated list with optional
3825 * white space:
3826 * 1#element => element *( OWS "," OWS element )
3827 * We don't care about other-range, but will try to
3828 * handle int-range and suffix-range.
3829 * This ignores any entries past the first in a list,
3830 * though responses to such would be multipart.
3831 * As mentioned above, this breaks down if the
3832 * response does not include all requested ranges
3833 * fully in one response.
3834 */
3838 }
3839 pos++;
3841 /* Get the first range number */
3843 /* If the first number of the range is missing or '0',
3844 * use the second number in the range instead if we can.
3845 * XXX - Unlike strtoul, we can check the return value
3846 * of ws_strtou64() to distinguish between "converted
3847 * successfully as 0" and "failed conversion."
3848 * Note that strtoul allows an unsigned integer to
3849 * begin with a negative sign and applies unsigned
3850 * integer wraparound rules.
3851 * ws_strtouXX rejects an initial hyphen-minus, which
3852 * is good, as we want to properly handle:
3853 * suffix-range = "-" suffix-length
3854 */
3856 pos++;
3857 /* Pass in an end pointer to convert
3858 * a list of ranges, the first of which is
3859 * a suffix-range.
3860 */
3862 }
3863 /* req_list is used for req/resp matching and the deletion (and freeing) of matching
3864 * requests and any orphans that preceed them. A GSList is used instead of a wmem map
3865 * because there are rarely more than 10 requests in the list."
3866 */
3874 /* XXX - This leaks if matching responses aren't
3875 * found (the data does not, but the list node
3876 * does.) A wmem_list would prevent that.
3877 */
3880 }
3881 }
3884 }
3886 /*
3887 * THIS IS A GET RESPONSE
3888 * GET is the only method that employs ranges.
3889 * XXX - Except that RFC 9110 14.4 & 14.5 note that by
3890 * private agreement it can be included in a request
3891 * to request a partial PUT.
3892 * ABNF:
3893 * Content-Range = range-unit SP ( range-resp / unsatisfied-range )
3894 * range-resp = incl-range "/" ( complete-length / "*" )
3895 * We do not attempt to handle unsatisfied-range.
3896 * Note that only one range can be included; multiple
3897 * ranges are transmitted with the media type of
3898 * "multipart/byteranges" and each body part contains
3899 * its own Content-Type and Content-Range fields.
3900 * The multipart dissector does not handle this nor
3901 * access the request list.
3902 */
3906 nstime_t ns;
3909 /* Note SP instead of '=' in ABNF. */
3913 }
3914 pos++;
3916 /* Get the first content range number */
3920 pos++;
3922 }
3924 /* Get the position of the matching request if any in the reqs_table.
3925 * This is used to remove and free the matching request, and the unmatched
3926 * requests (orphans) that preceed it.
3927 * XXX - There is *NO* guarantee that there is
3928 * a perfectly matching request, see 15.3.7:
3929 * "However, a server might want to send only a
3930 * subset of the data requested for reasons of
3931 * its own... A client MUST inspect a 206
3932 * response's Content-Type and Content-Range
3933 * field(s) to determine what parts are enclosed
3934 * and whether additional requests are needed."
3935 * Also 15.3.7.2 Multiple Parts, noting that
3936 * the response may be sent in a Content-Type
3937 * multipart/byteranges, also "When multiple
3938 * ranges are requested, a server MAY coalesce
3939 * any of the ranges that overlap, or that are
3940 * separated by a gap that is smaller than the
3941 * overhead of sending multiple parts, regardless
3942 * of the order in which the corresponding range-
3943 * spec appeared in the received Range header
3944 * field." and 15.3.7.3 Combining Parts.
3945 * However, as mentioned above, the LIFO method
3946 * had issues with that as well. Truly proper
3947 * handling of such edge cases is more difficult.
3948 */
3955 }
3956 }
3957 }
3973 /* Remove and free all of the list entries up to and including the
3974 * matching one from req_list. */
3982 }
3986 }
3988 }
3989 }
3990 }
3994 }
3995 }
3997 }
3999 /* Returns index of header tag in headers */
4000 static int
4002 {
4010 }
4013 }
4015 /*
4016 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
4017 */
4018 static bool
4020 {
4024 NULL
4025 };
4030 /*
4031 * Check for NTLM credentials and challenge; those can
4032 * occur with WWW-Authenticate.
4033 */
4039 ett_http_ntlmssp);
4045 }
4046 }
4048 }
4052 {
4058 }
4068 }
4070 /*
4071 * Dissect HTTP Basic authorization.
4072 */
4073 static bool
4075 {
4078 NULL
4079 };
4091 ett_http_ntlmssp);
4098 /* RFC 7617 says that the character encoding is only
4099 * known to be UTF-8 if the 'charset' parameter was
4100 * used. Otherwise, after Base64 decoding it could be
4101 * any character encoding.
4102 * XXX: Perhaps the field should be a FT_BYTES with
4103 * BASE_SHOW_UTF_8_PRINTABLE?
4104 */
4105 proto_tree_add_item_ret_string(hdr_tree, hf_http_basic, auth_tvb, 0, tvb_reported_length(auth_tvb), ENC_UTF_8, pinfo->pool, &decoded_value);
4111 }
4114 }
4115 }
4117 }
4119 /*
4120 * Dissect HTTP Digest authorization.
4121 */
4122 static bool
4123 check_auth_digest(proto_item* hdr_item, tvbuff_t* tvb, packet_info* pinfo _U_, char* value, int offset, int len)
4124 {
4133 }
4137 /* Find comma/end of line */
4145 }
4146 }
4150 }
4151 }
4152 /*
4153 * Dissect HTTP CitrixAGBasic authorization.
4154 */
4155 static bool
4156 check_auth_citrixbasic(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, char *value, int offset)
4157 {
4160 NULL
4161 };
4177 ett_http_ntlmssp);
4195 /* XXX: We don't know for certain the string encoding here. */
4196 pi = proto_tree_add_item_ret_string(hdr_tree, hf_http_citrix_user, data_tvb, 0, tvb_reported_length(data_tvb), ENC_UTF_8, pinfo->pool, &user);
4199 }
4203 }
4204 }
4214 pi = proto_tree_add_item(hdr_tree, hf_http_citrix_domain, data_tvb, 0, tvb_reported_length(data_tvb), ENC_UTF_8);
4217 }
4221 }
4222 }
4232 pi = proto_tree_add_item_ret_string(hdr_tree, hf_http_citrix_passwd, data_tvb, 0, tvb_reported_length(data_tvb), ENC_UTF_8, pinfo->pool, &passwd);
4235 }
4239 }
4240 }
4250 pi = proto_tree_add_item(hdr_tree, hf_http_citrix_session, data_tvb, 0, tvb_reported_length(data_tvb), ENC_UTF_8);
4254 }
4256 }
4257 }
4267 }
4269 }
4270 }
4272 }
4274 static bool
4275 check_auth_kerberos(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, const char *value)
4276 {
4287 }
4289 }
4291 static int
4294 {
4299 /* Switch protocol if the data starts after response headers. */
4303 /* Increase pinfo->can_desegment because we are traversing
4304 * http and want to preserve desegmentation functionality for
4305 * the proxied protocol
4306 */
4310 call_dissector_only(conv_data->next_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
4313 }
4314 /*
4315 * If a subdissector requests reassembly, be sure not to
4316 * include the preceding HTTP headers.
4317 */
4320 }
4322 }
4323 len = dissect_http_message(tvb, offset, pinfo, tree, conv_data, "HTTP", proto_http, end_of_stream, seq);
4328 /*
4329 * OK, we've set the Protocol and Info columns for the
4330 * first HTTP message; set a fence so that subsequent
4331 * HTTP messages don't overwrite the Info column.
4332 */
4334 }
4335 /* dissect_http_message() returns -2 if message is not valid HTTP */
4339 }
4341 static int
4343 {
4351 /* Call HTTP2 dissector directly when detected via heuristics, but not
4352 * when it was upgraded (the conversation started with HTTP). */
4358 }
4360 /*
4361 * Check if this is proxied connection and if so, hand of dissection to the
4362 * payload-dissector.
4363 * Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */
4366 curr_req_res &&
4376 }
4380 }
4382 /* XXX - how to detect end-of-stream without tcpinfo */
4384 return dissect_http_on_stream(tvb, pinfo, tree, conv_data, end_of_stream, tcpinfo ? &tcpinfo->seq : NULL);
4385 }
4387 static bool
4389 {
4394 /* Check if we have a line terminated by CRLF
4395 * Return the length of the line (not counting the line terminator at
4396 * the end), or, if we don't find a line terminator:
4397 *
4398 * if "deseg" is true, return -1;
4399 */
4403 }
4405 /* Check if the line start or ends with the HTTP token */
4406 if((tvb_strncaseeql(tvb, linelen-8, "HTTP/1.", 7) == 0)||(tvb_strncaseeql(tvb, 0, "HTTP/1.", 7) == 0)){
4411 }
4414 }
4416 static int
4418 {
4427 return dissect_http_on_stream(tvb, pinfo, tree, conv_data, end_of_stream, tlsinfo ? &tlsinfo->seq : NULL);
4428 }
4430 static bool
4432 {
4439 /* A http conversation was previously started, assume it is still active */
4443 }
4445 /* Check if we have a line terminated by CRLF
4446 * Return the length of the line (not counting the line terminator at
4447 * the end), or, if we don't find a line terminator:
4448 *
4449 * if "deseg" is true, return -1;
4450 */
4454 }
4456 /* Check if the line start or ends with the HTTP token */
4457 if((tvb_strncaseeql(tvb, linelen-8, "HTTP/1.", 7) != 0) && (tvb_strncaseeql(tvb, 0, "HTTP/1.", 7) != 0)) {
4458 /* we couldn't find the Magic Hello HTTP/1.X. */
4460 }
4464 }
4466 static int
4468 {
4474 /*
4475 * XXX - we need to provide an end-of-stream indication.
4476 */
4478 }
4480 static int
4482 {
4488 /*
4489 * XXX - what should be done about reassembly, pipelining, etc.
4490 * here?
4491 */
4493 }
4495 static int
4497 {
4504 }
4506 static void
4509 }
4511 static void
4514 }
4525 }
4527 void
4529 {
4801 /* Body fragments */
4803 };
4818 };
4821 { &ei_http_te_and_length, { "http.te_and_length", PI_MALFORMED, PI_WARN, "The Content-Length and Transfer-Encoding header must not be set together", EXPFILL }},
4822 { &ei_http_te_unknown, { "http.te_unknown", PI_UNDECODED, PI_WARN, "Unknown transfer coding name in Transfer-Encoding header", EXPFILL }},
4823 { &ei_http_subdissector_failed, { "http.subdissector_failed", PI_MALFORMED, PI_NOTE, "HTTP body subdissector failed, trying heuristic subdissector", EXPFILL }},
4824 { &ei_http_tls_port, { "http.tls_port", PI_SECURITY, PI_WARN, "Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.", EXPFILL }},
4825 { &ei_http_excess_data, { "http.excess_data", PI_PROTOCOL, PI_WARN, "Excess data after a body (not a new request/response), previous Content-Length bogus?", EXPFILL }},
4826 { &ei_http_leading_crlf, { "http.leading_crlf", PI_MALFORMED, PI_ERROR, "Leading CRLF previous message in the stream may have extra CRLF", EXPFILL }},
4827 { &ei_http_bad_header_name, { "http.bad_header_name", PI_PROTOCOL, PI_WARN, "Illegal characters found in header name", EXPFILL }},
4828 { &ei_http_decompression_failed, { "http.decompression_failed", PI_UNDECODED, PI_WARN, "Decompression failed", EXPFILL }},
4829 { &ei_http_decompression_disabled, { "http.decompression_disabled", PI_UNDECODED, PI_CHAT, "Decompression disabled", EXPFILL }}
4831 };
4833 /* UAT for header fields */
4836 UAT_FLD_CSTRING(header_fields, header_desc, "Field desc", "Description of the value contained in the header"),
4837 UAT_END_FIELDS
4838 };
4854 http_tls_handle = register_dissector("http-over-tls", dissect_http_tls, proto_http); /* RFC 2818 */
4857 reassembly_table_register(&http_streaming_reassembly_table, &addresses_ports_reassembly_table_functions);
4862 "Whether the HTTP dissector should reassemble headers "
4863 "of a request spanning multiple TCP segments. "
4864 "To use this option, you must also enable "
4869 "Whether the HTTP dissector should use the "
4871 "the body of a request spanning multiple TCP segments, "
4872 "and reassemble chunked data spanning multiple TCP segments. "
4873 "To use this option, you must also enable "
4878 "Whether to reassemble bodies of entities that are transferred "
4883 "Whether to uncompress entity bodies that are compressed "
4888 "Whether to treat non-ASCII in headers as non-HTTP data "
4898 /* UAT */
4905 /* specifies named fields, so affects dissection
4906 and the set of named fields */
4908 NULL,
4909 header_fields_copy_cb,
4910 header_fields_update_cb,
4911 header_fields_free_cb,
4912 header_fields_post_update_cb,
4913 header_fields_reset_cb,
4914 custom_header_uat_fields
4915 );
4917 prefs_register_uat_preference(http_module, "custom_http_header_fields", "Custom HTTP header fields",
4918 "A table to define custom HTTP header for which fields can be setup and used for filtering/data extraction etc.",
4919 headers_uat);
4921 /*
4922 * Dissectors shouldn't register themselves in this table;
4923 * instead, they should call "http_tcp_dissector_add()", and
4924 * we'll register the port number they specify as a port
4925 * for HTTP, and register them in our subdissector table.
4926 *
4927 * This only works for protocols such as IPP that run over
4928 * HTTP on a specific non-HTTP port.
4929 */
4933 /*
4934 * Maps the lowercase Upgrade header value.
4935 * https://tools.ietf.org/html/rfc7230#section-8.6
4936 */
4937 upgrade_subdissector_table = register_dissector_table("http.upgrade", "HTTP Upgrade", proto_http, FT_STRING, STRING_CASE_SENSITIVE);
4939 /*
4940 * Heuristic dissectors SHOULD register themselves in
4941 * this table using the standard heur_dissector_add()
4942 * function.
4943 */
4944 heur_subdissector_list = register_heur_dissector_list_with_description("http", "HTTP payload fallback", proto_http);
4946 /*
4947 * Register for tapping
4948 */
4953 register_follow_stream(proto_http, "http_follow", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
4958 /* compile patterns, excluding "/" */
4960 /* exclude "=", separating key and value should be done separately */
4963 }
4965 /*
4966 * Called by dissectors for protocols that run atop HTTP/TCP.
4967 */
4968 void
4970 {
4971 /*
4972 * Register ourselves as the handler for that port number
4973 * over TCP. "Auto-preference" not needed
4974 */
4977 /*
4978 * And register them in *our* table for that port.
4979 */
4981 }
4983 WS_DLL_PUBLIC
4985 {
4986 /*
4987 * Unregister ourselves as the handler for that port number
4988 * over TCP. "Auto-preference" not needed
4989 */
4992 /*
4993 * And unregister them in *our* table for that port.
4994 */
4996 }
4998 void
5000 {
5001 /*
5002 * Register ourselves as the handler for that port number
5003 * over TCP. We rely on our caller having registered
5004 * themselves for the appropriate media type.
5005 * No "auto-preference" used.
5006 */
5008 }
5010 void
5012 {
5013 dissector_handle_t ssdp_handle;
5017 /*
5018 * XXX - is there anything to dissect in the body of an SSDP
5019 * request or reply? I.e., should there be an SSDP dissector?
5020 */
5024 /*
5025 * TLS Application-Layer Protocol Negotiation (ALPN) protocol ID.
5026 */
5034 st_config = stats_tree_register("http", "http", "HTTP" STATS_TREE_MENU_SEPARATOR "Packet Counter", 0, http_stats_tree_packet, http_stats_tree_init, NULL );
5036 st_config = stats_tree_register("http", "http_req", "HTTP" STATS_TREE_MENU_SEPARATOR "Requests", 0, http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
5038 st_config = stats_tree_register("http", "http_srv", "HTTP" STATS_TREE_MENU_SEPARATOR "Load Distribution",0, http_reqs_stats_tree_packet, http_reqs_stats_tree_init, NULL );
5040 st_config = stats_tree_register("http", "http_seq", "HTTP" STATS_TREE_MENU_SEPARATOR "Request Sequences",0, http_seq_stats_tree_packet, http_seq_stats_tree_init, NULL );
5047 }
5049 /*
5050 * Content-Type: message/http
5051 */
5056 static int
5058 {
5077 }
5078 }
5080 }
5082 void
5084 {
5087 };
5089 proto_message_http = proto_register_protocol("Media Type: message/http", "message/http", "message-http");
5091 }
5093 void
5095 {
5096 dissector_handle_t message_http_handle;
5099 proto_message_http);
5103 heur_dissector_add("tcp", dissect_http_heur_tcp, "HTTP over TCP", "http_tcp", proto_http, HEURISTIC_ENABLE);
5104 heur_dissector_add("tls", dissect_http_heur_tls, "HTTP over TLS", "http_tls", proto_http, HEURISTIC_ENABLE);
5111 /*
5112 * Get the content type and Internet media type table
5113 */
5119 }
5121 /*
5122 * Editor modelines - https://www.wireshark.org/tools/modelines.html
5123 *
5124 * Local variables:
5125 * c-basic-offset: 8
5126 * tab-width: 8
5127 * indent-tabs-mode: t
5128 * End:
5129 *
5130 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
5131 * :indentSize=8:tabSize=8:noTabs=false:
5132 */