search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-socks.c
blobf3c7b2110d259437d3ffa246e493d4eaaa765e25
1 /* packet-socks.c
2 * Routines for socks versions 4 &5 packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
4 * Copyright 2008, Jelmer Vernooij <jelmer@samba.org>
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 *
12 *
13 * The Version 4 decode is based on SOCKS4.protocol and SOCKS4A.protocol.
14 * The Version 5 decoder is based upon rfc-1928
15 * The Version 5 User/Password authentication is based on rfc-1929.
16 *
17 * See
18 * http://www.openssh.org/txt/socks4.protocol
19 * http://www.openssh.org/txt/socks4a.protocol
20 *
21 * for information on SOCKS version 4 and 4a.
22 *
23 * Revisions:
24 *
25 * 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel
26 * causing heap overflow because of an infinite loop
27 * where the socks dissect was call over and over.
28 *
29 * Also remove some old code marked with __JUNK__
30 *
31 * 2001-01-08 JCFoster Fixed problem with NULL pointer for hash data.
32 * Now test and exit if hash_info is null.
33 */
34
35 /* Possible enhancements -
36 *
37 * Add GSS-API authentication per rfc-1961
38 * Add CHAP authentication
39 * Decode FLAG bits per
40 * https://tools.ietf.org/html/draft-ietf-aft-socks-pro-v5-04
41 * In call_next_dissector, could load the destination address into
42 * pinfo->src or pinfo->dst structure before calling next dissector.
43 */
44
45
46
47
48 #include "config.h"
49
50 #include <epan/packet.h>
51 #include <epan/exceptions.h>
52 #include <epan/proto_data.h>
53
54 #include "packet-tcp.h"
55 #include "packet-udp.h"
56 #include "packet-tls.h"
57
58 #include <epan/strutil.h>
59
60 #define TCP_PORT_SOCKS 1080
61
62
63 /**************** Socks commands ******************/
64
65 #define CONNECT_COMMAND 1
66 #define BIND_COMMAND 2
67 #define UDP_ASSOCIATE_COMMAND 3
68 #define PING_COMMAND 0x80
69 #define TRACERT_COMMAND 0x81
70
71
72 /********** V5 Authentication methods *************/
73
74 #define NO_AUTHENTICATION 0
75 #define GSS_API_AUTHENTICATION 1
76 #define USER_NAME_AUTHENTICATION 2
77 #define CHAP_AUTHENTICATION 3
78 #define AUTHENTICATION_FAILED 0xff
79
80 void proto_register_socks(void);
81 void proto_reg_handoff_socks(void);
82
83 /*********** Header field identifiers *************/
84
85 static int proto_socks;
86
87 static int ett_socks;
88 static int ett_socks_auth;
89 static int ett_socks_name;
90
91 static int hf_socks_ver;
92 static int hf_socks_ip_dst;
93 static int hf_socks_ip6_dst;
94 static int hf_gssapi_payload;
95 static int hf_gssapi_command;
96 static int hf_gssapi_length;
97 static int hf_v4a_dns_name;
98 static int hf_socks_dstport;
99 static int hf_socks_cmd;
100 static int hf_socks_results_4;
101 static int hf_socks_results_5;
102 static int hf_client_auth_method_count;
103 static int hf_client_auth_method;
104 static int hf_socks_reserved;
105 static int hf_socks_reserved2;
106 static int hf_client_port;
107 static int hf_server_accepted_auth_method;
108 static int hf_server_auth_status;
109 static int hf_server_remote_host_port;
110 static int hf_socks_subnegotiation_version;
111 static int hf_socks_username;
112 static int hf_socks_password;
113 static int hf_socks_remote_name;
114 static int hf_socks_address_type;
115 static int hf_socks_fragment_number;
116 static int hf_socks_ping_end_command;
117 static int hf_socks_ping_results;
118 static int hf_socks_traceroute_end_command;
119 static int hf_socks_traceroute_results;
120
121 /************* Dissector handles ***********/
122
123 static dissector_handle_t socks_handle;
124 static dissector_handle_t socks_handle_tls;
125 static dissector_handle_t socks_udp_handle;
126
127 /************* State Machine names ***********/
128
129 enum ClientState {
130 clientNoInit = -1,
131 clientStart = 0,
132 clientWaitForAuthReply,
133 clientV5Command,
134 clientUserNameRequest,
135 clientGssApiAuthRequest,
136 clientDone,
137 clientError
138 };
139
140 enum ServerState {
141 serverNoInit = -1,
142 serverStart = 0,
143 serverInitReply,
144 serverCommandReply,
145 serverUserReply,
146 serverGssApiReply,
147 serverBindReply,
148 serverDone,
149 serverError
150 };
151
152 typedef struct {
153 int in_socks_dissector_flag;
154 enum ClientState client;
155 enum ServerState server;
156 } sock_state_t;
157
158 typedef struct {
159 enum ClientState clientState;
160 enum ServerState serverState;
161 int version;
162 int command;
163 int authentication_method;
164 uint32_t server_port;
165 uint32_t port;
166 uint32_t udp_port;
167 uint32_t udp_remote_port;
168 address dst_addr;
169
170 uint32_t start_done_frame;
171 }socks_hash_entry_t;
172
173
174 static const value_string address_type_table[] = {
175 {1, "IPv4"},
176 {3, "Domain Name"},
177 {4, "IPv6"},
178 {0, NULL}
179 };
180
181 /* String table for the V4 reply status messages */
182
183 static const value_string reply_table_v4[] = {
184 {90, "Granted"},
185 {91, "Rejected or Failed"},
186 {92, "Rejected because SOCKS server cannot connect to identd on the client"},
187 {93, "Rejected because the client program and identd report different user-ids"},
188 {0, NULL}
189 };
190
191 /* String table for the V5 reply status messages */
192
193 static const value_string reply_table_v5[] = {
194 {0, "Succeeded"},
195 {1, "General SOCKS server failure"},
196 {2, "Connection not allowed by ruleset"},
197 {3, "Network unreachable"},
198 {4, "Host unreachable"},
199 {5, "Connection refused"},
200 {6, "TTL expired"},
201 {7, "Command not supported"},
202 {8, "Address type not supported"},
203 {0, NULL},
204 };
205
206 static const value_string cmd_strings[] = {
207 {CONNECT_COMMAND, "Connect"},
208 {BIND_COMMAND, "Bind"},
209 {UDP_ASSOCIATE_COMMAND, "UdpAssociate"},
210 {PING_COMMAND, "Ping"},
211 {TRACERT_COMMAND, "Traceroute"},
212 {0, NULL}
213 };
214
215 static const value_string gssapi_command_table[] = {
216 { 1, "Authentication" },
217 { 0xFF, "Failure" },
218 { 0, NULL }
219 };
220
221
222 /************************* Support routines ***************************/
223
224 static const char *get_auth_method_name( unsigned Number){
225
226 /* return the name of the authentication method */
227
228 if ( Number == 0) return "No authentication";
229 if ( Number == 1) return "GSSAPI";
230 if ( Number == 2) return "Username/Password";
231 if ( Number == 3) return "Chap";
232 if (( Number >= 4) && ( Number <= 0x7f))return "IANA assigned";
233 if (( Number >= 0x80) && ( Number <= 0xfe)) return "private method";
234 if ( Number == 0xff) return "no acceptable method";
235
236 /* shouldn't reach here */
237
238 return "Bad method number (not 0-0xff)";
239 }
240
241 static int display_address(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree) {
242
243 /* decode and display the v5 address, return offset of next byte */
244
245 int a_type = tvb_get_uint8(tvb, offset);
246
247 proto_tree_add_item( tree, hf_socks_address_type, tvb, offset, 1, ENC_BIG_ENDIAN);
248 offset += 1;
249
250 switch (a_type)
251 {
252 case 1: /* IPv4 address */
253 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4, ENC_BIG_ENDIAN);
254 offset += 4;
255 break;
256 case 3: /* domain name address */
257 {
258 uint8_t len;
259 char* str;
260
261 len = tvb_get_uint8(tvb, offset);
262 str = tvb_get_string_enc(pinfo->pool, tvb, offset+1, len, ENC_ASCII);
263 proto_tree_add_string(tree, hf_socks_remote_name, tvb, offset, len+1, str);
264 offset += (len+1);
265 }
266 break;
267 case 4: /* IPv6 address */
268 proto_tree_add_item( tree, hf_socks_ip6_dst, tvb, offset, 16, ENC_NA);
269 offset += 16;
270 break;
271 }
272
273 return offset;
274 }
275
276
277 static int get_address_v5(tvbuff_t *tvb, int offset,
278 socks_hash_entry_t *hash_info) {
279
280 /* decode the v5 address and return offset of next byte */
281 int a_type;
282 address addr;
283
284 a_type = tvb_get_uint8(tvb, offset);
285 offset += 1;
286
287 switch(a_type)
288 {
289 case 1: /* IPv4 address */
290 if ( hash_info) {
291 set_address_tvb(&addr, AT_IPv4, 4, tvb, offset);
292 copy_address_wmem(wmem_file_scope(), &hash_info->dst_addr, &addr);
293 }
294 offset += 4;
295 break;
296
297 case 4: /* IPv6 address */
298 if ( hash_info) {
299 set_address_tvb(&addr, AT_IPv6, 16, tvb, offset);
300 copy_address_wmem(wmem_file_scope(), &hash_info->dst_addr, &addr);
301 }
302 offset += 16;
303 break;
304
305 case 3: /* domain name address */
306 offset += tvb_get_uint8(tvb, offset) + 1;
307 break;
308 }
309
310 return offset;
311 }
312
313
314 /********************* V5 UDP Associate handlers ***********************/
315
316 static int
317 socks_udp_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
318
319 /* Conversation dissector called from UDP dissector. Decode and display */
320 /* the socks header, the pass the rest of the data to the udp port */
321 /* decode routine to handle the payload. */
322
323 int offset = 0;
324 uint32_t *ptr;
325 socks_hash_entry_t *hash_info;
326 conversation_t *conversation;
327 proto_tree *socks_tree;
328 proto_item *ti;
329
330 conversation = find_conversation_pinfo( pinfo, 0);
331
332 DISSECTOR_ASSERT( conversation); /* should always find a conversation */
333
334 hash_info = (socks_hash_entry_t *)conversation_get_proto_data(conversation, proto_socks);
335
336 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
337 col_set_str(pinfo->cinfo, COL_INFO, "Version: 5, UDP Associated packet");
338
339 if ( tree) {
340 ti = proto_tree_add_protocol_format( tree, proto_socks, tvb, offset, -1, "Socks" );
341
342 socks_tree = proto_item_add_subtree(ti, ett_socks);
343
344 proto_tree_add_item(socks_tree, hf_socks_reserved2, tvb, offset, 2, ENC_BIG_ENDIAN);
345 offset += 2;
346
347 proto_tree_add_item(socks_tree, hf_socks_fragment_number, tvb, offset, 1, ENC_BIG_ENDIAN);
348 offset += 1;
349
350 offset = display_address(pinfo, tvb, offset, socks_tree);
351 hash_info->udp_remote_port = tvb_get_ntohs(tvb, offset);
352
353 proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb,
354 offset, 2, hash_info->udp_remote_port);
355
356 offset += 2;
357 }
358 else { /* no tree, skip past the socks header */
359 offset += 3;
360 offset = get_address_v5( tvb, offset, 0) + 2;
361 }
362
363 /* set pi src/dst port and call the udp sub-dissector lookup */
364
365 if ( pinfo->srcport == hash_info->port)
366 ptr = &pinfo->destport;
367 else
368 ptr = &pinfo->srcport;
369
370 *ptr = hash_info->udp_remote_port;
371
372 decode_udp_ports( tvb, offset, pinfo, tree, pinfo->srcport, pinfo->destport, -1);
373
374 *ptr = hash_info->udp_port;
375 return tvb_captured_length(tvb);
376 }
377
378
379 static void
380 new_udp_conversation( socks_hash_entry_t *hash_info, packet_info *pinfo){
381
382 conversation_t *conversation = conversation_new( pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_UDP,
383 hash_info->udp_port, hash_info->port, 0);
384
385 DISSECTOR_ASSERT( conversation);
386
387 conversation_add_proto_data(conversation, proto_socks, hash_info);
388 conversation_set_dissector(conversation, socks_udp_handle);
389 }
390
391 static void
392 save_client_state(packet_info *pinfo, enum ClientState state)
393 {
394 sock_state_t* state_info = (sock_state_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_socks, 0);
395 if ((state_info != NULL) && (state_info->client == clientNoInit)) {
396 state_info->client = state;
397 }
398 }
399
400 static void
401 save_server_state(packet_info *pinfo, enum ServerState state)
402 {
403 sock_state_t* state_info = (sock_state_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_socks, 0);
404 if ((state_info != NULL) && (state_info->server == serverNoInit)) {
405 state_info->server = state;
406 }
407 }
408
409
410 /**************** Protocol Tree Display routines ******************/
411
412 static void
413 display_socks_v4(tvbuff_t *tvb, int offset, packet_info *pinfo,
414 proto_tree *tree, socks_hash_entry_t *hash_info, sock_state_t* state_info) {
415
416
417 /* Display the protocol tree for the V4 version. This routine uses the */
418 /* stored frame information to decide what to do with the row. */
419
420 unsigned char ipaddr[4];
421 unsigned str_len;
422
423 /* Either there is an error, or we're done with the state machine
424 (so there's nothing to display) */
425 if (state_info == NULL)
426 return;
427
428 if (hash_info->server_port == pinfo->destport) {
429 /* Client side */
430 switch (state_info->client)
431 {
432 case clientStart:
433 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
434 offset += 1;
435
436 proto_tree_add_item( tree, hf_socks_cmd, tvb, offset, 1, ENC_BIG_ENDIAN);
437 offset += 1;
438
439 /* Do remote port */
440 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2, ENC_BIG_ENDIAN);
441 offset += 2;
442
443 /* Do destination address */
444 tvb_memcpy(tvb, ipaddr, offset, 4);
445 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4, ENC_BIG_ENDIAN);
446 offset += 4;
447
448 /* display user name */
449 str_len = tvb_strsize(tvb, offset);
450 proto_tree_add_item( tree, hf_socks_username, tvb, offset, str_len, ENC_ASCII);
451 offset += str_len;
452
453 if ( ipaddr[0] == 0 && ipaddr[1] == 0 &&
454 ipaddr[2] == 0 && ipaddr[3] != 0) {
455 /* 0.0.0.x , where x!=0 means v4a support */
456 str_len = tvb_strsize(tvb, offset);
457 proto_tree_add_item( tree, hf_v4a_dns_name, tvb, offset, str_len, ENC_ASCII);
458 }
459 break;
460 default:
461 break;
462 }
463 } else {
464 /* Server side */
465 switch (state_info->server)
466 {
467 case serverStart:
468 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
469 offset += 1;
470 /* Do results code */
471 proto_tree_add_item( tree, hf_socks_results_4, tvb, offset, 1, ENC_BIG_ENDIAN);
472 offset += 1;
473
474 /* Do remote port */
475 proto_tree_add_item( tree, hf_socks_dstport, tvb, offset, 2, ENC_BIG_ENDIAN);
476 offset += 2;
477 /* Do remote address */
478 proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset, 4, ENC_BIG_ENDIAN);
479 break;
480 default:
481 break;
482 }
483 }
484 }
485
486 static void
487 // NOLINTNEXTLINE(misc-no-recursion)
488 client_display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
489 proto_tree *tree, socks_hash_entry_t *hash_info, sock_state_t* state_info) {
490
491 /* Display the protocol tree for the version. This routine uses the */
492 /* stored conversation information to decide what to do with the row. */
493 /* Per packet information would have been better to do this, but we */
494 /* didn't have that when I wrote this. And I didn't expect this to get */
495 /* so messy. */
496
497 unsigned int i;
498 const char *AuthMethodStr;
499 sock_state_t new_state_info;
500 proto_item *ti;
501
502 /* Either there is an error, or we're done with the state machine
503 (so there's nothing to display) */
504 if (state_info == NULL)
505 return;
506
507 if (state_info->client == clientStart)
508 {
509 proto_tree *AuthTree;
510 uint8_t num_auth_methods, auth;
511
512 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
513
514 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
515 offset += 1;
516
517 AuthTree = proto_tree_add_subtree( tree, tvb, offset, -1, ett_socks_auth, &ti, "Client Authentication Methods");
518
519 num_auth_methods = tvb_get_uint8(tvb, offset);
520 proto_item_set_len(ti, num_auth_methods+1);
521
522 proto_tree_add_item( AuthTree, hf_client_auth_method_count, tvb, offset, 1, ENC_BIG_ENDIAN);
523 offset += 1;
524
525 for( i = 0; i < num_auth_methods; ++i) {
526 auth = tvb_get_uint8( tvb, offset);
527 AuthMethodStr = get_auth_method_name(auth);
528
529 proto_tree_add_uint_format(AuthTree, hf_client_auth_method, tvb, offset, 1, auth,
530 "Method[%u]: %u (%s)", i, auth, AuthMethodStr);
531 offset += 1;
532 }
533
534 if ((num_auth_methods == 1) &&
535 (tvb_bytes_exist(tvb, offset + 2, 1)) &&
536 (tvb_get_uint8(tvb, offset + 2) == 0) &&
537 (tvb_reported_length_remaining(tvb, offset + 2 + num_auth_methods) > 0)) {
538 new_state_info.client = clientV5Command;
539 increment_dissection_depth(pinfo);
540 client_display_socks_v5(tvb, offset, pinfo, tree, hash_info, &new_state_info);
541 decrement_dissection_depth(pinfo);
542 }
543 }
544 else if (state_info->client == clientV5Command) {
545 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Request - %s",
546 val_to_str_const(hash_info->command, cmd_strings, "Unknown"));
547
548 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
549 offset += 1;
550
551 proto_tree_add_item( tree, hf_socks_cmd, tvb, offset, 1, ENC_BIG_ENDIAN);
552 offset += 1;
553
554 proto_tree_add_item( tree, hf_socks_reserved, tvb, offset, 1, ENC_BIG_ENDIAN);
555 offset += 1;
556
557 offset = display_address(pinfo, tvb, offset, tree);
558 proto_tree_add_item( tree, hf_client_port, tvb, offset, 2, ENC_BIG_ENDIAN);
559 }
560 else if ((state_info->client == clientWaitForAuthReply) &&
561 (state_info->server == serverInitReply)) {
562 uint16_t len;
563 char* str;
564
565 ti = proto_tree_add_uint( tree, hf_socks_ver, tvb, offset, 0, 5);
566 proto_item_set_generated(ti);
567
568 proto_tree_add_item( tree, hf_socks_subnegotiation_version, tvb, offset, 1, ENC_BIG_ENDIAN);
569 offset += 1;
570
571 switch(hash_info->authentication_method)
572 {
573 case NO_AUTHENTICATION:
574 break;
575 case USER_NAME_AUTHENTICATION:
576 col_append_str(pinfo->cinfo, COL_INFO, " User authentication request");
577
578 /* process user name */
579 len = tvb_get_uint8(tvb, offset);
580 str = tvb_get_string_enc(pinfo->pool, tvb, offset+1, len, ENC_ASCII);
581 proto_tree_add_string(tree, hf_socks_username, tvb, offset, len+1, str);
582 offset += (len+1);
583
584 len = tvb_get_uint8(tvb, offset);
585 str = tvb_get_string_enc(pinfo->pool, tvb, offset+1, len, ENC_ASCII);
586 proto_tree_add_string(tree, hf_socks_password, tvb, offset, len+1, str);
587 /* offset += (len+1); */
588 break;
589 case GSS_API_AUTHENTICATION:
590 col_append_str(pinfo->cinfo, COL_INFO, " GSSAPI authentication request");
591
592 proto_tree_add_item( tree, hf_gssapi_command, tvb, offset, 1, ENC_BIG_ENDIAN);
593 proto_tree_add_item( tree, hf_gssapi_length, tvb, offset+1, 2, ENC_BIG_ENDIAN);
594 len = tvb_get_ntohs(tvb, offset+1);
595 if (len > 0)
596 proto_tree_add_item( tree, hf_gssapi_payload, tvb, offset+3, len, ENC_NA);
597 break;
598 default:
599 break;
600 }
601 }
602 else {
603 if (hash_info->port != 0)
604 col_append_fstr(pinfo->cinfo, COL_INFO, ", Remote Port: %u",
605 hash_info->port);
606 }
607 }
608
609 static void
610 server_display_socks_v5(tvbuff_t *tvb, int offset, packet_info *pinfo,
611 proto_tree *tree, socks_hash_entry_t *hash_info _U_, sock_state_t* state_info) {
612
613 /* Display the protocol tree for the version. This routine uses the */
614 /* stored conversation information to decide what to do with the row. */
615 /* Per packet information would have been better to do this, but we */
616 /* didn't have that when I wrote this. And I didn't expect this to get */
617 /* so messy. */
618
619 const char *AuthMethodStr;
620 uint8_t auth, auth_status;
621 proto_item *ti;
622
623 /* Either there is an error, or we're done with the state machine
624 (so there's nothing to display) */
625 if (state_info == NULL)
626 return;
627
628 switch(state_info->server)
629 {
630 case serverStart:
631 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server response");
632
633 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
634 offset += 1;
635
636 auth = tvb_get_uint8( tvb, offset);
637 AuthMethodStr = get_auth_method_name(auth);
638
639 proto_tree_add_uint_format_value(tree, hf_server_accepted_auth_method, tvb, offset, 1, auth,
640 "0x%0x (%s)", auth, AuthMethodStr);
641 break;
642
643 case serverUserReply:
644 col_append_str(pinfo->cinfo, COL_INFO, " User authentication reply");
645
646 ti = proto_tree_add_uint( tree, hf_socks_ver, tvb, offset, 0, 5);
647 proto_item_set_generated(ti);
648
649 proto_tree_add_item( tree, hf_socks_subnegotiation_version, tvb, offset, 1, ENC_BIG_ENDIAN);
650 offset += 1;
651
652 auth_status = tvb_get_uint8(tvb, offset);
653 ti = proto_tree_add_item(tree, hf_server_auth_status, tvb, offset, 1, ENC_BIG_ENDIAN);
654 if(auth_status != 0)
655 proto_item_append_text(ti, " (failure)");
656 else
657 proto_item_append_text(ti, " (success)");
658 break;
659
660 case serverGssApiReply:
661 col_append_str(pinfo->cinfo, COL_INFO, " GSSAPI authentication reply");
662
663 ti = proto_tree_add_uint( tree, hf_socks_ver, tvb, offset, 0, 5);
664 proto_item_set_generated(ti);
665
666 proto_tree_add_item( tree, hf_socks_subnegotiation_version, tvb, offset, 1, ENC_BIG_ENDIAN);
667 offset += 1;
668
669 auth_status = tvb_get_uint8(tvb, offset);
670 proto_tree_add_item( tree, hf_gssapi_command, tvb, offset, 1, ENC_BIG_ENDIAN);
671 if (auth_status != 0xFF) {
672 uint16_t len;
673
674 proto_tree_add_item( tree, hf_gssapi_length, tvb, offset+1, 2, ENC_BIG_ENDIAN);
675 len = tvb_get_ntohs(tvb, offset+1);
676 if (len > 0)
677 proto_tree_add_item( tree, hf_gssapi_payload, tvb, offset+3, len, ENC_NA);
678 }
679 break;
680
681 case serverCommandReply:
682 col_append_fstr(pinfo->cinfo, COL_INFO, " Command Response - %s",
683 val_to_str_const(hash_info->command, cmd_strings, "Unknown"));
684
685 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
686 offset += 1;
687
688 proto_tree_add_item( tree, hf_socks_results_5, tvb, offset, 1, ENC_BIG_ENDIAN);
689 offset += 1;
690
691 proto_tree_add_item( tree, hf_socks_reserved, tvb, offset, 1, ENC_BIG_ENDIAN);
692 offset += 1;
693
694 offset = display_address(pinfo, tvb, offset, tree);
695 proto_tree_add_item( tree, hf_client_port, tvb, offset, 2, ENC_BIG_ENDIAN);
696 break;
697
698 case serverBindReply:
699 col_append_str(pinfo->cinfo, COL_INFO, " Command Response: Bind remote host info");
700
701 proto_tree_add_item( tree, hf_socks_ver, tvb, offset, 1, ENC_BIG_ENDIAN);
702 offset += 1;
703
704 proto_tree_add_item( tree, hf_socks_results_5, tvb, offset, 1, ENC_BIG_ENDIAN);
705 offset += 1;
706
707 proto_tree_add_item( tree, hf_socks_reserved, tvb, offset, 1, ENC_BIG_ENDIAN);
708 offset += 1;
709
710 offset = display_address(pinfo, tvb, offset, tree);
711 proto_tree_add_item( tree, hf_server_remote_host_port, tvb, offset, 2, ENC_BIG_ENDIAN);
712 break;
713
714 default:
715 if ( hash_info->port != 0)
716 col_append_fstr(pinfo->cinfo, COL_INFO, ", Remote Port: %u",
717 hash_info->port);
718
719 break;
720 }
721 }
722
723
724 /**************** Decoder State Machines ******************/
725
726
727 static void
728 state_machine_v4( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
729 int offset, packet_info *pinfo) {
730
731 /* Decode V4 protocol. This is done on the first pass through the */
732 /* list. Based upon the current state, decode the packet and determine */
733 /* what the next state should be. */
734 address addr;
735
736 if (hash_info->clientState != clientDone)
737 save_client_state(pinfo, hash_info->clientState);
738
739 if (hash_info->serverState != serverDone)
740 save_server_state(pinfo, hash_info->serverState);
741
742 if (hash_info->server_port == pinfo->destport) {
743 /* Client side, only a single request */
744 col_append_str(pinfo->cinfo, COL_INFO, " Connect to server request");
745
746 hash_info->command = tvb_get_uint8(tvb, offset + 1);
747
748 /* get remote port */
749 if ( hash_info->command == CONNECT_COMMAND)
750 hash_info->port = tvb_get_ntohs(tvb, offset + 2);
751
752 /* get remote address */
753 set_address_tvb(&addr, AT_IPv4, 4, tvb, offset);
754 copy_address_wmem(wmem_file_scope(), &hash_info->dst_addr, &addr);
755
756 hash_info->clientState = clientDone;
757 }
758 else {
759 col_append_str(pinfo->cinfo, COL_INFO, " Connect Response");
760
761 if (tvb_get_uint8(tvb, offset + 1) == 90)
762 hash_info->serverState = serverDone;
763 else
764 hash_info->serverState = serverError;
765 }
766 }
767
768 static void
769 // NOLINTNEXTLINE(misc-no-recursion)
770 client_state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
771 int offset, packet_info *pinfo, bool start_of_frame) {
772
773 /* Decode client side of V5 protocol. This is done on the first pass through the */
774 /* list. Based upon the current state, decode the packet and determine */
775 /* what the next state should be. */
776
777 if (start_of_frame) {
778 save_client_state(pinfo, hash_info->clientState);
779 save_server_state(pinfo, hash_info->serverState);
780 }
781
782 if (hash_info->clientState == clientStart)
783 {
784 uint8_t num_auth_methods;
785
786 num_auth_methods = tvb_get_uint8(tvb, offset + 1);
787 /* skip past auth methods */
788
789 if ((num_auth_methods == 0) ||
790 ((num_auth_methods == 1) &&
791 (tvb_get_uint8(tvb, offset + 2) == 0))) {
792 /* No authentication needed */
793 hash_info->clientState = clientV5Command;
794 if (tvb_reported_length_remaining(tvb, offset + 2 + num_auth_methods) > 0) {
795 increment_dissection_depth(pinfo);
796 client_state_machine_v5(hash_info, tvb, offset + 2 + num_auth_methods, pinfo, false);
797 decrement_dissection_depth(pinfo);
798 }
799 } else {
800 hash_info->clientState = clientWaitForAuthReply;
801 }
802 } else if ((hash_info->clientState == clientWaitForAuthReply) &&
803 (hash_info->serverState == serverInitReply)) {
804
805 switch(hash_info->authentication_method)
806 {
807 case NO_AUTHENTICATION:
808 hash_info->clientState = clientV5Command;
809 hash_info->serverState = serverCommandReply;
810 break;
811 case USER_NAME_AUTHENTICATION:
812 hash_info->clientState = clientV5Command;
813 hash_info->serverState = serverUserReply;
814 break;
815 case GSS_API_AUTHENTICATION:
816 hash_info->clientState = clientV5Command;
817 hash_info->serverState = serverGssApiReply;
818 break;
819 default:
820 hash_info->clientState = clientError; /*Auth failed or error*/
821 break;
822 }
823 } else if (hash_info->clientState == clientV5Command) {
824 hash_info->command = tvb_get_uint8(tvb, offset + 1); /* get command */
825
826 offset += 3; /* skip to address type */
827
828 offset = get_address_v5(tvb, offset, hash_info);
829
830 /** temp = tvb_get_uint8(tvb, offset); XX: what was this for ? **/
831
832 if (( hash_info->command == CONNECT_COMMAND) ||
833 ( hash_info->command == UDP_ASSOCIATE_COMMAND))
834 /* get remote port */
835 hash_info->port = tvb_get_ntohs(tvb, offset);
836
837 hash_info->clientState = clientDone;
838 }
839 }
840
841 static void
842 server_state_machine_v5( socks_hash_entry_t *hash_info, tvbuff_t *tvb,
843 int offset, packet_info *pinfo, bool start_of_frame) {
844
845 /* Decode server side of V5 protocol. This is done on the first pass through the */
846 /* list. Based upon the current state, decode the packet and determine */
847 /* what the next state should be. */
848
849 if (start_of_frame)
850 save_server_state(pinfo, hash_info->serverState);
851
852 switch (hash_info->serverState) {
853 case serverStart:
854 hash_info->authentication_method = tvb_get_uint8(tvb, offset + 1);
855 switch (hash_info->authentication_method)
856 {
857 case NO_AUTHENTICATION:
858 /* If there is no authentication, client should expect command immediately */
859 hash_info->serverState = serverCommandReply;
860 hash_info->clientState = clientV5Command;
861 break;
862 case USER_NAME_AUTHENTICATION:
863 hash_info->serverState = serverInitReply;
864 break;
865 case GSS_API_AUTHENTICATION:
866 hash_info->serverState = serverInitReply;
867 break;
868 default:
869 hash_info->serverState = serverError;
870 break;
871 }
872 break;
873 case serverUserReply:
874 hash_info->serverState = serverCommandReply;
875 break;
876 case serverGssApiReply:
877 if (tvb_get_uint8(tvb, offset+1) == 0xFF) {
878 hash_info->serverState = serverError;
879 } else {
880 if (tvb_get_ntohs(tvb, offset+2) == 0)
881 hash_info->serverState = serverCommandReply;
882 }
883 break;
884 case serverCommandReply:
885 switch(hash_info->command)
886 {
887 case CONNECT_COMMAND:
888 case PING_COMMAND:
889 case TRACERT_COMMAND:
890 hash_info->serverState = serverDone;
891 break;
892
893 case BIND_COMMAND:
894 hash_info->serverState = serverBindReply;
895 if ((tvb_get_uint8(tvb, offset + 2) == 0) &&
896 (tvb_reported_length_remaining(tvb, offset) > 5)) {
897 offset = display_address(pinfo, tvb, offset, NULL);
898 client_state_machine_v5(hash_info, tvb, offset, pinfo, false);
899 }
900 break;
901
902 case UDP_ASSOCIATE_COMMAND:
903 offset += 3; /* skip to address type */
904 offset = get_address_v5(tvb, offset, hash_info);
905
906 /* save server udp port and create udp conversation */
907 hash_info->udp_port = tvb_get_ntohs(tvb, offset);
908
909 if (!pinfo->fd->visited)
910 new_udp_conversation( hash_info, pinfo);
911
912 break;
913 }
914 break;
915 case serverBindReply:
916 break;
917 default:
918 break;
919 }
920 }
921
922
923 static void
924 display_ping_and_tracert(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, socks_hash_entry_t *hash_info) {
925
926 /* Display the ping/trace_route conversation */
927
928 const unsigned char *data, *dataend;
929 const unsigned char *lineend, *eol;
930 int linelen;
931
932 /* handle the end command */
933 if ( pinfo->destport == TCP_PORT_SOCKS){
934 col_append_str(pinfo->cinfo, COL_INFO, ", Terminate Request");
935
936 proto_tree_add_item(tree, (hash_info->command == PING_COMMAND) ? hf_socks_ping_end_command : hf_socks_traceroute_end_command, tvb, offset, 1, ENC_NA);
937 }
938 else { /* display the PING or Traceroute results */
939 col_append_str(pinfo->cinfo, COL_INFO, ", Results");
940
941 if ( tree){
942 proto_tree_add_item(tree, (hash_info->command == PING_COMMAND) ? hf_socks_ping_results : hf_socks_traceroute_results, tvb, offset, -1, ENC_NA);
943
944 data = tvb_get_ptr(tvb, offset, -1);
945 dataend = data + tvb_captured_length_remaining(tvb, offset);
946
947 while (data < dataend) {
948
949 lineend = find_line_end(data, dataend, &eol);
950 linelen = (int)(lineend - data);
951
952 proto_tree_add_format_text( tree, tvb, offset, linelen);
953 offset += linelen;
954 data = lineend;
955 }
956 }
957 }
958 }
959
960 static void clear_in_socks_dissector_flag(void *s)
961 {
962 sock_state_t* state_info = (sock_state_t*)s;
963 state_info->in_socks_dissector_flag = 0; /* avoid recursive overflow */
964 }
965
966 static void call_next_dissector(tvbuff_t *tvb, int offset, packet_info *pinfo,
967 proto_tree *tree, proto_tree *socks_tree,
968 socks_hash_entry_t *hash_info, sock_state_t* state_info, struct tcpinfo *tcpinfo)
969 {
970
971 /* Display the results for PING and TRACERT extensions or */
972 /* Call TCP dissector for the port that was passed during the */
973 /* connect process */
974 /* Load pointer to pinfo->XXXport depending upon the direction, */
975 /* change pinfo port to the remote port, call next dissector to decode */
976 /* the payload, and restore the pinfo port after that is done. */
977
978 uint32_t *ptr;
979 uint16_t save_can_desegment;
980 struct tcp_analysis *tcpd=NULL;
981
982
983 if (( hash_info->command == PING_COMMAND) ||
984 ( hash_info->command == TRACERT_COMMAND))
985
986 display_ping_and_tracert(tvb, offset, pinfo, tree, hash_info);
987
988 else { /* call the tcp port decoder to handle the payload */
989
990 /*XXX may want to load dest address here */
991
992 if (pinfo->destport == TCP_PORT_SOCKS) {
993 ptr = &pinfo->destport;
994 } else {
995 ptr = &pinfo->srcport;
996 }
997
998 *ptr = hash_info->port;
999
1000 tcpd = get_tcp_conversation_data(NULL, pinfo);
1001 /* 2003-09-18 JCFoster Fixed problem with socks tunnel in socks tunnel */
1002
1003 state_info->in_socks_dissector_flag = 1; /* avoid recursive overflow */
1004 CLEANUP_PUSH(clear_in_socks_dissector_flag, state_info);
1005
1006 save_can_desegment = pinfo->can_desegment;
1007 pinfo->can_desegment = pinfo->saved_can_desegment;
1008 dissect_tcp_payload(tvb, pinfo, offset, tcpinfo->seq,
1009 tcpinfo->nxtseq, pinfo->srcport, pinfo->destport,
1010 tree, socks_tree, tcpd, tcpinfo);
1011 pinfo->can_desegment = save_can_desegment;
1012
1013 CLEANUP_CALL_AND_POP;
1014
1015 *ptr = TCP_PORT_SOCKS;
1016 }
1017 }
1018
1019
1020
1021 static int
1022 dissect_socks(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) {
1023
1024 int offset = 0;
1025 proto_tree *socks_tree = NULL;
1026 proto_item *ti;
1027 socks_hash_entry_t *hash_info;
1028 conversation_t *conversation;
1029 sock_state_t* state_info;
1030 uint8_t version;
1031 struct tcpinfo *tcpinfo = (struct tcpinfo*)data;
1032
1033 state_info = (sock_state_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_socks, 0);
1034 if (state_info == NULL) {
1035 state_info = wmem_new(wmem_file_scope(), sock_state_t);
1036 state_info->in_socks_dissector_flag = 0;
1037 state_info->client = clientNoInit;
1038 state_info->server = serverNoInit;
1039
1040 p_add_proto_data(wmem_file_scope(), pinfo, proto_socks, 0, state_info);
1041 }
1042
1043 /* avoid recursive overflow */
1044 if (state_info->in_socks_dissector_flag)
1045 return 0;
1046
1047 conversation = find_conversation_pinfo(pinfo, 0);
1048 if (conversation == NULL) {
1049 /* If we don't already have a conversation, make sure the first
1050 byte is a valid version number */
1051 version = tvb_get_uint8(tvb, offset);
1052 if ((version != 4) && (version != 5))
1053 return 0;
1054
1055 conversation = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst,
1056 conversation_pt_to_conversation_type(pinfo->ptype), pinfo->srcport, pinfo->destport, 0);
1057 }
1058
1059 hash_info = (socks_hash_entry_t *)conversation_get_proto_data(conversation,proto_socks);
1060 if (hash_info == NULL){
1061 hash_info = wmem_new0(wmem_file_scope(), socks_hash_entry_t);
1062 hash_info->start_done_frame = INT_MAX;
1063 hash_info->clientState = clientStart;
1064 hash_info->serverState = serverStart;
1065
1066 hash_info->server_port = pinfo->destport;
1067 hash_info->port = 0;
1068 hash_info->version = tvb_get_uint8(tvb, offset); /* get version*/
1069
1070 conversation_add_proto_data(conversation, proto_socks, hash_info);
1071
1072 /* set dissector for now */
1073 if (conversation_get_dissector(conversation, pinfo->num) != NULL) {
1074 conversation_set_dissector(conversation, socks_handle);
1075 }
1076 }
1077
1078 /* display summary window information */
1079 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Socks");
1080
1081 if (( hash_info->version == 4) || ( hash_info->version == 5)){
1082 col_add_fstr(pinfo->cinfo, COL_INFO, "Version: %d",
1083 hash_info->version);
1084 }
1085 else /* unknown version display error */
1086 col_set_str(pinfo->cinfo, COL_INFO, "Unknown");
1087
1088
1089 if ( hash_info->command == PING_COMMAND)
1090 col_append_str(pinfo->cinfo, COL_INFO, ", Ping Req");
1091 if ( hash_info->command == TRACERT_COMMAND)
1092 col_append_str(pinfo->cinfo, COL_INFO, ", Traceroute Req");
1093
1094 /* run state machine if needed */
1095 if ((!pinfo->fd->visited) &&
1096 (!((hash_info->clientState == clientDone) &&
1097 (hash_info->serverState == serverDone)))) {
1098
1099 if (hash_info->server_port == pinfo->destport) {
1100 if ((hash_info->clientState != clientError) &&
1101 (hash_info->clientState != clientDone))
1102 {
1103 if ( hash_info->version == 4) {
1104 state_machine_v4( hash_info, tvb, offset, pinfo);
1105 } else if ( hash_info->version == 5) {
1106 client_state_machine_v5( hash_info, tvb, offset, pinfo, true);
1107 }
1108 }
1109 } else {
1110 if ((hash_info->serverState != serverError) &&
1111 (hash_info->serverState != serverDone)) {
1112 if ( hash_info->version == 4) {
1113 state_machine_v4( hash_info, tvb, offset, pinfo);
1114 } else if ( hash_info->version == 5) {
1115 server_state_machine_v5( hash_info, tvb, offset, pinfo, true);
1116 }
1117 }
1118 }
1119
1120 if ((hash_info->clientState == clientDone) &&
1121 (hash_info->serverState == serverDone)) { /* if done now */
1122 hash_info->start_done_frame = pinfo->num;
1123 }
1124 }
1125
1126 /* if proto tree, decode and display */
1127 if (tree) {
1128 ti = proto_tree_add_item( tree, proto_socks, tvb, offset, -1, ENC_NA );
1129 socks_tree = proto_item_add_subtree(ti, ett_socks);
1130
1131 /* if past startup, add the faked stuff */
1132 if ( pinfo->num > hash_info->start_done_frame){
1133 /* add info to tree */
1134 ti = proto_tree_add_uint( socks_tree, hf_socks_ver, tvb, offset, 0, hash_info->version);
1135 proto_item_set_generated(ti);
1136
1137 ti = proto_tree_add_uint( socks_tree, hf_socks_cmd, tvb, offset, 0, hash_info->command);
1138 proto_item_set_generated(ti);
1139
1140 if (hash_info->dst_addr.type == AT_IPv4) {
1141 ti = proto_tree_add_ipv4( socks_tree, hf_socks_ip_dst, tvb,
1142 offset, 0, *((const uint32_t*)hash_info->dst_addr.data));
1143 proto_item_set_generated(ti);
1144 } else if (hash_info->dst_addr.type == AT_IPv6) {
1145 ti = proto_tree_add_ipv6( socks_tree, hf_socks_ip6_dst, tvb,
1146 offset, 0, (const ws_in6_addr *)hash_info->dst_addr.data);
1147 proto_item_set_generated(ti);
1148 }
1149
1150 /* no fake address for ping & traceroute */
1151
1152 if (( hash_info->command != PING_COMMAND) &&
1153 ( hash_info->command != TRACERT_COMMAND)){
1154 ti = proto_tree_add_uint( socks_tree, hf_socks_dstport, tvb, offset, 0, hash_info->port);
1155 proto_item_set_generated(ti);
1156 }
1157 } else {
1158 if (hash_info->server_port == pinfo->destport) {
1159 if ( hash_info->version == 4) {
1160 display_socks_v4(tvb, offset, pinfo, socks_tree, hash_info, state_info);
1161 } else if ( hash_info->version == 5) {
1162 client_display_socks_v5(tvb, offset, pinfo, socks_tree, hash_info, state_info);
1163 }
1164 } else {
1165 if ( hash_info->version == 4) {
1166 display_socks_v4(tvb, offset, pinfo, socks_tree, hash_info, state_info);
1167 } else if ( hash_info->version == 5) {
1168 server_display_socks_v5(tvb, offset, pinfo, socks_tree, hash_info, state_info);
1169 }
1170 }
1171 }
1172
1173 }
1174
1175
1176 /* call next dissector if ready */
1177 if ( pinfo->num > hash_info->start_done_frame){
1178 call_next_dissector(tvb, offset, pinfo, tree, socks_tree,
1179 hash_info, state_info, tcpinfo);
1180 }
1181
1182 return tvb_reported_length(tvb);
1183 }
1184
1185
1186 static int
1187 dissect_socks_tls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) {
1188 if (data != NULL) {
1189 return dissect_socks(tvb, pinfo, tree, data);
1190 } else {
1191 /* lets fake a tcpinfo, which TLS does not give us */
1192 struct tcpinfo tmp;
1193 tmp.flags = 0;
1194 tmp.is_reassembled = false;
1195 tmp.lastackseq = 0;
1196 tmp.nxtseq = 0;
1197 tmp.seq = 0;
1198 tmp.urgent_pointer = 0;
1199 return dissect_socks(tvb, pinfo, tree, &tmp);
1200 }
1201 }
1202
1203 void
1204 proto_register_socks( void){
1205
1206 static int *ett[] = {
1207 &ett_socks,
1208 &ett_socks_auth,
1209 &ett_socks_name
1210 };
1211
1212 static hf_register_info hf[] = {
1213
1214
1215 { &hf_socks_ver,
1216 { "Version", "socks.version", FT_UINT8, BASE_DEC, NULL,
1217 0x0, NULL, HFILL
1218 }
1219 },
1220 { &hf_socks_ip_dst,
1221 { "Remote Address", "socks.dst", FT_IPv4, BASE_NONE, NULL,
1222 0x0, NULL, HFILL
1223 }
1224 },
1225 { &hf_socks_ip6_dst,
1226 { "Remote Address(ipv6)", "socks.dstV6", FT_IPv6, BASE_NONE, NULL,
1227 0x0, NULL, HFILL
1228 }
1229 },
1230 { &hf_gssapi_payload,
1231 { "GSSAPI data", "socks.gssapi.data", FT_BYTES, BASE_NONE, NULL,
1232 0x0, NULL, HFILL
1233 }
1234 },
1235 { &hf_gssapi_command,
1236 { "SOCKS/GSSAPI command", "socks.gssapi.command", FT_UINT8, BASE_DEC,
1237 VALS(gssapi_command_table), 0x0, NULL, HFILL
1238 }
1239 },
1240 { &hf_gssapi_length,
1241 { "SOCKS/GSSAPI data length", "socks.gssapi.length", FT_UINT16, BASE_DEC, NULL,
1242 0x0, NULL, HFILL
1243 }
1244 },
1245 { &hf_v4a_dns_name,
1246 { "SOCKS v4a Remote Domain Name", "socks.v4a_dns_name", FT_STRINGZ, BASE_NONE,
1247 NULL, 0x0, NULL, HFILL
1248 }
1249 },
1250 { &hf_socks_dstport,
1251 { "Remote Port", "socks.dstport", FT_UINT16,
1252 BASE_DEC, NULL, 0x0, NULL, HFILL
1253 }
1254 },
1255 { &hf_socks_cmd,
1256 { "Command", "socks.command", FT_UINT8,
1257 BASE_DEC, VALS(cmd_strings), 0x0, NULL, HFILL
1258 }
1259 },
1260 { &hf_socks_results_4,
1261 { "Results(V4)", "socks.results", FT_UINT8,
1262 BASE_DEC, VALS(reply_table_v4), 0x0, NULL, HFILL
1263 }
1264 },
1265 { &hf_socks_results_5,
1266 { "Results(V5)", "socks.results", FT_UINT8,
1267 BASE_DEC, VALS(reply_table_v5), 0x0, NULL, HFILL
1268 }
1269 },
1270 { &hf_client_auth_method_count,
1271 { "Authentication Method Count", "socks.auth_method_count", FT_UINT8,
1272 BASE_DEC, NULL, 0x0, NULL, HFILL
1273 }
1274 },
1275 { &hf_client_auth_method,
1276 { "Method", "socks.auth_method", FT_UINT8,
1277 BASE_DEC, NULL, 0x0, NULL, HFILL
1278 }
1279 },
1280 { &hf_socks_reserved,
1281 { "Reserved", "socks.reserved", FT_UINT8,
1282 BASE_DEC, NULL, 0x0, NULL, HFILL
1283 }
1284 },
1285 { &hf_socks_reserved2,
1286 { "Reserved", "socks.reserved", FT_UINT16,
1287 BASE_DEC, NULL, 0x0, NULL, HFILL
1288 }
1289 },
1290 { &hf_client_port,
1291 { "Port", "socks.port", FT_UINT16,
1292 BASE_DEC, NULL, 0x0, NULL, HFILL
1293 }
1294 },
1295 { &hf_server_accepted_auth_method,
1296 { "Accepted Auth Method", "socks.auth_accepted_method", FT_UINT8,
1297 BASE_DEC, NULL, 0x0, NULL, HFILL
1298 }
1299 },
1300 { &hf_server_auth_status,
1301 { "Status", "socks.auth_status", FT_UINT8,
1302 BASE_DEC, NULL, 0x0, NULL, HFILL
1303 }
1304 },
1305 { &hf_server_remote_host_port,
1306 { "Remote Host Port", "socks.remote_host_port", FT_UINT16,
1307 BASE_DEC, NULL, 0x0, NULL, HFILL
1308 }
1309 },
1310 { &hf_socks_subnegotiation_version,
1311 { "Subnegotiation Version", "socks.subnegotiation_version", FT_UINT8, BASE_DEC, NULL,
1312 0x0, NULL, HFILL
1313 }
1314 },
1315 { &hf_socks_username,
1316 { "User name", "socks.username", FT_STRING, BASE_NONE,
1317 NULL, 0x0, NULL, HFILL
1318 }
1319 },
1320 { &hf_socks_password,
1321 { "Password", "socks.password", FT_STRING, BASE_NONE,
1322 NULL, 0x0, NULL, HFILL
1323 }
1324 },
1325 { &hf_socks_remote_name,
1326 { "Remote name", "socks.remote_name", FT_STRING, BASE_NONE,
1327 NULL, 0x0, NULL, HFILL
1328 }
1329 },
1330 { &hf_socks_address_type,
1331 { "Address Type", "socks.address_type", FT_UINT8,
1332 BASE_DEC, VALS(address_type_table), 0x0, NULL, HFILL
1333 }
1334 },
1335 { &hf_socks_fragment_number,
1336 { "Fragment Number", "socks.fragment_number", FT_UINT8,
1337 BASE_DEC, NULL, 0x0, NULL, HFILL
1338 }
1339 },
1340 { &hf_socks_ping_end_command,
1341 { "Ping: End command", "socks.ping_end_command", FT_NONE,
1342 BASE_NONE, NULL, 0x0, NULL, HFILL
1343 }
1344 },
1345 { &hf_socks_ping_results,
1346 { "Ping Results", "socks.ping_results", FT_NONE,
1347 BASE_NONE, NULL, 0x0, NULL, HFILL
1348 }
1349 },
1350 { &hf_socks_traceroute_end_command,
1351 { "Traceroute: End command", "socks.traceroute_end_command", FT_NONE,
1352 BASE_NONE, NULL, 0x0, NULL, HFILL
1353 }
1354 },
1355 { &hf_socks_traceroute_results,
1356 { "Traceroute Results", "socks.traceroute_results", FT_NONE,
1357 BASE_NONE, NULL, 0x0, NULL, HFILL
1358 }
1359 },
1360 };
1361
1362 proto_socks = proto_register_protocol ( "Socks Protocol", "Socks", "socks");
1363
1364 proto_register_field_array(proto_socks, hf, array_length(hf));
1365 proto_register_subtree_array(ett, array_length(ett));
1366
1367 socks_udp_handle = register_dissector_with_description("socks_udp", "SOCKS over UDP", socks_udp_dissector, proto_socks);
1368 socks_handle = register_dissector_with_description("socks_tcp", "SOCKS over TCP", dissect_socks, proto_socks);
1369 socks_handle_tls = register_dissector_with_description("socks_tls", "SOCKS over TLS", dissect_socks_tls, proto_socks);
1370 }
1371
1372
1373 void
1374 proto_reg_handoff_socks(void) {
1375
1376 /* dissector install routine */
1377
1378 dissector_add_uint_with_preference("tcp.port", TCP_PORT_SOCKS, socks_handle);
1379
1380 ssl_dissector_add(0, socks_handle_tls);
1381 }
1382
1383 /*
1384 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1385 *
1386 * Local variables:
1387 * c-basic-offset: 4
1388 * tab-width: 8
1389 * indent-tabs-mode: nil
1390 * End:
1391 *
1392 * vi: set shiftwidth=4 tabstop=8 expandtab:
1393 * :indentSize=4:tabSize=8:noTabs=true:
1394 */
Metzes wireshark repo