| blob | a71a98d6e7865702091fc850fc30997a74d5e4cf |
1 /* packet-tcp.c
2 * Routines for TCP packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
13 #include <epan/packet.h>
14 #include <epan/capture_dissectors.h>
15 #include <epan/exceptions.h>
16 #include <epan/addr_resolv.h>
17 #include <epan/ipproto.h>
18 #include <epan/expert.h>
19 #include <epan/ip_opts.h>
20 #include <epan/follow.h>
21 #include <epan/prefs.h>
22 #include <epan/show_exception.h>
23 #include <epan/conversation_table.h>
24 #include <epan/conversation_filter.h>
25 #include <epan/sequence_analysis.h>
26 #include <epan/reassemble.h>
27 #include <epan/decode_as.h>
28 #include <epan/exported_pdu.h>
29 #include <epan/in_cksum.h>
30 #include <epan/proto_data.h>
31 #include <epan/tfs.h>
32 #include <epan/unit_strings.h>
34 #include <wsutil/array.h>
35 #include <wsutil/utf8_entities.h>
36 #include <wsutil/str_util.h>
37 #include <wsutil/wsgcrypt.h>
38 #include <wsutil/pint.h>
39 #include <wsutil/ws_assert.h>
52 /* Place TCP summary in proto tree */
60 }
62 #define MPTCP_DSS_FLAG_DATA_ACK_PRESENT 0x01
63 #define MPTCP_DSS_FLAG_DATA_ACK_8BYTES 0x02
64 #define MPTCP_DSS_FLAG_MAPPING_PRESENT 0x04
65 #define MPTCP_DSS_FLAG_DSN_8BYTES 0x08
66 #define MPTCP_DSS_FLAG_DATA_FIN_PRESENT 0x10
68 /*
69 * Flag to control whether to check the TCP checksum.
70 *
71 * In at least some Solaris network traces, there are packets with bad
72 * TCP checksums, but the traffic appears to indicate that the packets
73 * *were* received; the packets were probably sent by the host on which
74 * the capture was being done, on a network interface to which
75 * checksumming was offloaded, so that DLPI supplied an un-checksummed
76 * packet to the capture program but a checksummed packet got put onto
77 * the wire.
78 */
81 /*
82 * Window scaling values to be used when not known (set as a preference) */
86 WindowScaling_1,
87 WindowScaling_2,
88 WindowScaling_3,
89 WindowScaling_4,
90 WindowScaling_5,
91 WindowScaling_6,
92 WindowScaling_7,
93 WindowScaling_8,
94 WindowScaling_9,
95 WindowScaling_10,
96 WindowScaling_11,
97 WindowScaling_12,
98 WindowScaling_13,
99 WindowScaling_14
100 };
102 /*
103 * Analysis overriding values to be used when not satisfied by the automatic
104 * result. (Accessed through preferences but not stored as a preference)
105 */
108 OverrideAnalysis_1,
109 OverrideAnalysis_2,
110 OverrideAnalysis_3,
111 OverrideAnalysis_4
112 };
114 /*
115 * Using enum instead of boolean make API easier
116 */
118 DSN_CONV_64_TO_32,
119 DSN_CONV_32_TO_64,
120 DSN_CONV_NONE
121 } ;
123 #define MPTCP_TCPRST_FLAG_T_PRESENT 0x1
124 #define MPTCP_TCPRST_FLAG_W_PRESENT 0x2
125 #define MPTCP_TCPRST_FLAG_V_PRESENT 0x4
126 #define MPTCP_TCPRST_FLAG_U_PRESENT 0x8
137 };
492 /* static expert_field ei_mptcp_analysis_unexpected_idsn; */
498 /* static expert_field ei_mptcp_stream_incomplete; */
499 /* static expert_field ei_mptcp_analysis_dsn_out_of_order; */
501 /* Some protocols such as encrypted DCE/RPCoverHTTP have dependencies
502 * from one PDU to the next PDU and require that they are called in sequence.
503 * These protocols would not be able to handle PDUs coming out of order
504 * or for example when a PDU is seen twice, like for retransmissions.
505 * This preference can be set for such protocols to make sure that we don't
506 * invoke the subdissectors for retransmitted or out-of-order segments.
507 */
510 /* Enable buffering of out-of-order TCP segments before passing it to a
511 * subdissector (depends on "tcp_desegment"). */
514 /*
515 * FF: https://www.rfc-editor.org/rfc/rfc6994.html
516 * With this flag set we assume the option structure for experimental
517 * codepoints (253, 254) has an Experiment Identifier (ExID), which is
518 * the first 16-bit field after the Kind and Length.
519 * The ExID is used to differentiate different experiments and thus will
520 * be used in data dissection.
521 */
524 /*
525 * This flag indicates which of Fast Retransmission or Out-of-Order
526 * interpretation should supersede when analyzing an ambiguous packet as
527 * things are not always clear. The user is authorized to change this
528 * behavior.
529 * When set, we keep the historical interpretation (Fast RT > OOO)
530 */
533 /* Process info, currently discovered via IPFIX */
536 /* Read the sequence number as syn cookie */
539 /*
540 * TCP option
541 */
548 #define TCPOPT_ECHO 6
549 #define TCPOPT_ECHOREPLY 7
551 #define TCPOPT_CC 11
552 #define TCPOPT_CCNEW 12
553 #define TCPOPT_CCECHO 13
568 /* Non IANA registered option numbers */
572 /*
573 * TCP option lengths
574 */
575 #define TCPOLEN_MSS 4
576 #define TCPOLEN_WINDOW 3
577 #define TCPOLEN_SACK_PERM 2
578 #define TCPOLEN_SACK_MIN 2
579 #define TCPOLEN_ECHO 6
580 #define TCPOLEN_ECHOREPLY 6
581 #define TCPOLEN_TIMESTAMP 10
582 #define TCPOLEN_CC 6
583 #define TCPOLEN_CCNEW 6
584 #define TCPOLEN_CCECHO 6
585 #define TCPOLEN_MD5 18
586 #define TCPOLEN_SCPS 4
587 #define TCPOLEN_SNACK 6
588 #define TCPOLEN_RECBOUND 2
589 #define TCPOLEN_CORREXP 2
590 #define TCPOLEN_QS 8
591 #define TCPOLEN_USER_TO 4
592 #define TCPOLEN_MPTCP_MIN 3
593 #define TCPOLEN_TFO_MIN 2
594 #define TCPOLEN_RVBD_PROBE_MIN 3
595 #define TCPOLEN_RVBD_TRPY_MIN 16
596 #define TCPOLEN_EXP_MIN 4
598 /*
599 * TCP Experimental Option Experiment Identifiers (TCP ExIDs)
600 * See: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-exids
601 * Wireshark only supports 16-bit ExIDs
602 */
604 #define TCPEXID_TARR 0x00ac
605 #define TCPEXID_HOST_ID 0x0348
606 #define TCPEXID_ASC 0x0a0d
607 #define TCPEXID_CAPABILITY 0x0ca0
608 #define TCPEXID_EDO 0x0ed0
609 #define TCPEXID_ENO 0x454e
610 #define TCPEXID_SNO 0x5323
612 #define TCPEXID_ACC_ECN_0 0xacc0
613 #define TCPEXID_ACC_ECN_1 0xacc1
614 #define TCPEXID_ACC_ECN 0xacce
616 #define TCPEXID_FO 0xf989
617 #define TCPEXID_LOW_LATENCY 0xf990
619 /*
620 * Multipath TCP subtypes
621 */
632 /*
633 * Conversation Completeness values
634 */
644 };
686 };
705 };
707 /* not all of the hf_fields below make sense for TCP but we have to provide
708 them anyways to comply with the API (which was aimed for IP fragment
709 reassembly) */
724 "Segments"
725 };
739 };
741 /* Source https://support.citrix.com/article/CTX200852/citrix-adc-netscaler-reset-codes-reference
742 Dates of source: Created: 31 Mar 2015 | Modified: 21 Jan 2023
743 Date of last dictionary update: 2024/07/11
744 NOTE: When updating don't just overwrite the dictionary, the definitions below are more polished than the ones in the CTX. */
747 { 8201, "NSDBG_RST_SSTRAY: This reset code is triggered when packets are received on a socket that has already been closed. For example, if a client computer continues transmitting after receiving a RST code for other reasons, then it receives this RST code for the subsequent packets." },
748 { 8202, "NSDBG_RST_CSTRAY: This code is triggered when the NetScaler appliance receives data through a connection, which does not have a PCB, and its SYN cookie has expired." },
751 { 8206, "Received a bad packet in TCPS_SYN_SENT state (non RST packet). Usually happens if the 4 tuples are reused and you receive packet from the old connection." },
752 { 8207, "Received SYN on established connection which is within the window. Protects from spoofing attacks." },
753 { 8208, "Resets the connection when you receive more than the configured value of duplicate retransmissions." },
756 { 8211, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
757 { 8212, "Stray packet (no listening service or listening service is present but SYN cookie does not match or there is no corresponding connection information). 8212 is specifically for SYN stray packets." },
760 { 9100, "NSDBG_RST_ORP: This code refers to an orphan HTTP connection. Probably, a connection where data is initially seen either from the server or client, but stopped because of some reason, without closing the TCP session. It indicates that the client request was not properly terminated. Therefore, the NetScaler appliance waits for the request to be completed. After a timeout, the NetScaler appliance resets the connection with the code 9100." },
761 { 9201, "HTTP connection multiplexing error. Server sent response packets belonging to previous transaction." },
762 { 9202, "NSDBG_RST_LERRCDM: CDM refers to Check Data Mixing. This reset code is set when there is a TCP sequence mismatch in the first data packet, arriving from a recently reused server connection." },
763 { 9203, "NSDBG_RST_CLT_CHK_MIX: This code refers to the server sending a FIN for a previous client over a reused connection." },
764 { 9205, "NSDBG_RST_CHUNK_FAIL: This code indicates that the NetScaler appliance experienced issues with the chunked encoding in the HTTP response from the server." },
778 { 9222, "This is sent when the response is RFC non-compliant. The issue is caused by both Content-Length and Transfer-Encoding in response being invalid, which may lead to a variety of attacks and leads to the reset." },
779 { 9300, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
780 { 9301, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
781 { 9302, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
782 { 9303, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
783 { 9304, "NSDBG_RST_LINK_GIVEUPS: This reset code might be part of a backend-persistence mechanism, which is used to free resources on the NetScaler. By default, the NetScaler uses a zero window probe 7 times before giving up and resetting the connection. By disabling this mechanism, the appliance holds the sessions without this limit. The following is the command to disable the persistence probe limit: root@ns# nsapimgr -ys limited_persistprobe=0 The default value is 1, which limits to 7 probes, which is around 2 minutes. Setting the value to zero disables it and keeps the session open as long as the server sends an ACK signal in response to the probes." },
791 { 9400, "Reset server connection which are in reusepool and are not reusable because of TCP or Session level properties. Usually this is done when we need to open new connections but there is limit on connection we can open to the server and there are some already built up connections which are not reusable." },
792 { 9401, "When you reach maximum system capacity flushing existing connections based time order to accommodate new connections. Or when we remove an configured entity which as associated connections those connection will be reset." },
805 { 9601, "Reset when Number of data packets with Sequence ACK mismatch > nscfg_max_orphan_pkts." },
807 { 9700, "NSDBG_RST_PASS: This code indicates that the NetScaler appliance receives a TCP RST code from either the client or the server, and is transferring it. For example, the back end server sends a RST code, and the NetScaler appliance forwards it to the client with this code." },
808 { 9701, "NSDBG_RST_NEST / NSDBG_RST_ACK_PASS: The NetScaler software release 9.1 and the later versions, this code indicates #define NSBE_DBG_RST_ACK_PASS. It indicates that a RST code was forwarded as in the preceding RST code 9700, and the ACK flag was also set." },
811 { 9800, "NSDBG_RST_PROBE: This connections used for monitoring the service are reset due to timeout." },
813 { 9811, "NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet." },
816 { 9814, "NSDBG_RST_PETRIGGER: This reset code is used when a request or response matches a Policy Engine policy, whose action is RESET." },
818 { 9817, "SSL connection received at the time of bound certificate changing (configuration change)." },
824 { 9823, "Reset when the NSC_AAAC cookie is malformed in a request or /vpn/apilogin.html request does not have a query part, memory allocation failures in certificate processing." },
826 { 9825, "DBG_WRONG_GSLBRECDLEN: This code is a GSLB MEP error reset code, typically between mixed versions." },
838 { 9838, "NSBE_DBG_RST_SSL_BAD_RECORD: This code refers to error looking up SSL record when handling a request or a response." },
859 { 9860, "The pcb->link of this connection was cleaned for some reason, so resetting this PCB." },
862 { 9863, "Reset to old connection when new connection is established and old one is still not freed." },
891 { 9903, "GSLB feature is disabled. Do not accept any connections and close any existing ones." },
920 { 9973, "Reset on rest of SF after fallback to infinite map as only one SF should be present." },
962 };
978 /*
979 * Maps an MPTCP token to a mptcp_analysis structure
980 * Collisions are not handled
981 */
989 NULL
990 };
998 NULL
999 };
1003 NULL
1004 };
1012 NULL
1013 };
1020 NULL
1021 };
1025 static uint8_t
1027 {
1033 }
1036 }
1039 }
1041 }
1045 {
1046 static const char flags[][4] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "AE" };
1048 const int maxlength = 64; /* upper bounds, max 53B: 8 * 3 + 2 + strlen("Reserved") + 9 * 2 + 1 */
1063 }
1064 }
1069 }
1075 }
1081 }
1085 {
1092 /* upper three bytes are marked as reserved ('R'). */
1099 }
1105 }
1106 }
1107 }
1110 }
1112 /*
1113 * Print the first letter of each flag set, or the dot character otherwise
1114 */
1117 {
1122 else
1127 else
1132 else
1137 else
1142 else
1147 else
1151 }
1153 static void
1155 {
1156 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));
1159 }
1163 {
1165 }
1167 static void
1169 {
1170 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1173 }
1177 {
1179 }
1181 static void
1183 {
1184 uint32_t srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num)),
1185 destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1186 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
1187 }
1190 {
1203 }
1210 }
1217 }
1224 }
1227 }
1231 /*
1232 * callback function for conversation stats
1233 */
1235 {
1240 else
1242 }
1244 static tap_packet_status
1245 tcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1246 {
1252 add_conversation_table_data_extended(hash, &tcphdr->ip_src, &tcphdr->ip_dst, tcphdr->th_sport, tcphdr->th_dport, (conv_id_t) tcphdr->th_stream, 1, pinfo->fd->pkt_len,
1253 &pinfo->rel_ts, &pinfo->abs_ts, &tcp_ct_dissector_info, CONVERSATION_TCP, (uint32_t)pinfo->num, tcp_conv_cb_update);
1257 }
1259 static tap_packet_status
1260 mptcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1261 {
1273 }
1275 static const char* tcp_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter)
1276 {
1288 }
1295 }
1302 }
1309 }
1312 }
1316 static tap_packet_status
1317 tcpip_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1318 {
1324 /* Take two "add" passes per packet, adding for each direction, ensures that all
1325 packets are counted properly (even if address is sending to itself)
1326 XXX - this could probably be done more efficiently inside endpoint_table */
1327 add_endpoint_table_data(hash, &tcphdr->ip_src, tcphdr->th_sport, true, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1328 add_endpoint_table_data(hash, &tcphdr->ip_dst, tcphdr->th_dport, false, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1331 }
1333 static bool
1335 {
1337 }
1341 {
1343 }
1346 /****************************************************************************/
1347 /* whenever a TCP packet is seen by the tap listener */
1348 /* Add a new tcp frame into the graph */
1349 static tap_packet_status
1350 tcp_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *tcp_info, tap_flags_t tapflags _U_)
1351 {
1369 }
1372 }
1378 else
1388 }
1391 char *tcp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, unsigned *stream, unsigned *sub_stream _U_)
1392 {
1396 /* XXX: Since TCP doesn't use the endpoint API, we can only look
1397 * up using the current pinfo addresses and ports. We don't want
1398 * to create a new conversation or new TCP stream.
1399 * Eventually the endpoint API should support storing multiple
1400 * endpoints and TCP should be changed to use the endpoint API.
1401 */
1407 {
1408 /* TCP over IPv4/6 */
1415 }
1418 }
1421 {
1423 }
1425 char *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
1426 {
1435 "(ip%s.dst eq %s and tcp.dstport eq %d))"
1436 " or "
1437 "((ip%s.src eq %s and tcp.srcport eq %d) and "
1444 }
1447 {
1454 /*
1455 * Tries to apply segments from fragments list to the reconstructed payload.
1456 * Fragments that can be appended to the end of the payload will be applied (and
1457 * removed from the list). Fragments that should have been received (according
1458 * to the ack number) will also be appended to the payload (preceded by some
1459 * dummy data to mark packet loss if any).
1460 *
1461 * Returns true if one fragment has been applied or false if no more fragments
1462 * can be added to the payload (there might still be unacked fragments with
1463 * missing segments before them).
1464 */
1465 static bool
1466 check_follow_fragments(follow_info_t *follow_info, bool is_server, uint32_t acknowledged, uint32_t packet_num, bool use_ack)
1467 {
1481 {
1486 }
1490 /* this sequence number seems dated, but
1491 check the end to make sure it has no more
1492 info than we have already seen */
1497 /* this one has more than we have seen. let's get the
1498 payload that we have not seen. This happens when
1499 part of this frame has been retransmitted */
1515 new_frag_size);
1518 }
1521 }
1523 /* Remove the fragment from the list as the "new" part of it
1524 * has been processed or its data has been seen already in
1525 * another packet. */
1528 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1530 }
1533 /* this fragment fits the stream */
1536 }
1539 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1541 }
1542 }
1545 /* There are frames missing in the capture file that were seen
1546 * by the receiving host. Add dummy stream chunk with the data
1547 * "[xxx bytes missing in capture file]".
1548 */
1551 // XXX the dummy replacement could be larger than the actual missing bytes.
1566 }
1569 }
1571 static tap_packet_status
1574 {
1587 sequence++;
1588 }
1595 }
1597 is_server = !(addresses_equal(&follow_info->client_ip, &pinfo->src) && follow_info->client_port == pinfo->srcport);
1599 /* Check whether this frame ACKs fragments in flow from the other direction.
1600 * This happens when frames are not in the capture file, but were actually
1601 * seen by the receiving host (Fixes bug 592).
1602 */
1604 while (check_follow_fragments(follow_info, !is_server, follow_data->tcph->th_ack, pinfo->fd->num, true));
1605 }
1607 /*
1608 * If this is the first segment of this stream, initialize the next expected
1609 * sequence number. If there is any data, it will be added below.
1610 */
1613 }
1615 /* We have already seen this src (and received some segments), let's figure
1616 * out whether this segment extends the stream or overlaps a previous gap. */
1618 /* This sequence number seems dated, but check the end in case it was a
1619 * retransmission with more data. */
1622 /* The begin of the segment was already seen, try to add the
1623 * remaining data that we have not seen to the payload. */
1629 }
1633 }
1634 }
1635 /*
1636 * Ignore segments that have no new data (either because it was empty, or
1637 * because it was fully overlapping with previously received data).
1638 */
1641 }
1650 data_length);
1653 /* The segment overlaps or extends the previous end of stream. */
1658 /* done with the packet, see if it caused a fragment to fit */
1661 /* Out of order packet (more preceding segments are expected). */
1662 follow_info->fragments[is_server] = g_list_append(follow_info->fragments[is_server], follow_record);
1663 }
1665 }
1667 #define EXP_PDU_TCP_INFO_DATA_LEN 20
1668 #define EXP_PDU_TCP_INFO_VERSION 1
1669 #define EXP_PDU_TAG_TCP_STREAM_ID_LEN 4
1672 {
1674 }
1676 static int exp_pdu_tcp_dissector_data_populate_data(packet_info *pinfo _U_, void* data, uint8_t *tlv_buffer, uint32_t buffer_size _U_)
1677 {
1691 }
1695 {
1696 /* Check to see if the tvb we're planning on exporting PDUs from was
1697 * dissected fully, or whether it requested further desegmentation.
1698 * This should only matter on the first pass (so in one-pass tshark.)
1699 */
1701 /* Desegmentation was requested. How much did we desegment here?
1702 * The rest, presumably, will be handled in another frame.
1703 */
1705 /* We couldn't, in fact, dissect any of it. */
1707 }
1709 }
1711 }
1713 static void
1714 handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, uint32_t port, struct tcpinfo *tcpinfo)
1715 {
1720 }
1721 exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
1722 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1733 NULL
1734 };
1741 exp_pdu_data = export_pdu_create_tags(pinfo, "tcp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, tcp_exp_pdu_items);
1746 /* match uint is restored after calling dissector, so in order to have the right value in exported PDU
1747 * we need to set it here.
1748 */
1750 }
1751 }
1753 static void
1754 handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry, struct tcpinfo *tcpinfo)
1755 {
1762 }
1767 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1776 NULL
1777 };
1781 exp_pdu_data = export_pdu_create_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_DISSECTOR_NAME, tcp_exp_pdu_items);
1782 }
1790 }
1791 }
1792 }
1794 static void
1795 handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int src_port, int dst_port, struct tcpinfo *tcpinfo)
1796 {
1801 }
1802 conversation_t *conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_TCP, src_port, dst_port, 0);
1804 {
1805 dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
1807 {
1808 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1817 NULL
1818 };
1824 exp_pdu_data = export_pdu_create_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_DISSECTOR_NAME, tcp_exp_pdu_items);
1830 }
1831 }
1832 }
1833 }
1835 /*
1836 * display the TCP Conversation Completeness
1837 * we of course pay much attention on complete conversations but also incomplete ones which
1838 * have a regular start, as in practice we are often looking for such thing
1839 */
1841 {
1847 TCP_COMPLETENESS_SYNACK):
1851 TCP_COMPLETENESS_SYNACK|
1852 TCP_COMPLETENESS_ACK):
1856 TCP_COMPLETENESS_SYNACK|
1857 TCP_COMPLETENESS_ACK|
1858 TCP_COMPLETENESS_DATA):
1862 TCP_COMPLETENESS_SYNACK|
1863 TCP_COMPLETENESS_ACK|
1864 TCP_COMPLETENESS_DATA|
1865 TCP_COMPLETENESS_FIN):
1867 TCP_COMPLETENESS_SYNACK|
1868 TCP_COMPLETENESS_ACK|
1869 TCP_COMPLETENESS_DATA|
1870 TCP_COMPLETENESS_RST):
1872 TCP_COMPLETENESS_SYNACK|
1873 TCP_COMPLETENESS_ACK|
1874 TCP_COMPLETENESS_DATA|
1875 TCP_COMPLETENESS_FIN|
1876 TCP_COMPLETENESS_RST):
1880 TCP_COMPLETENESS_SYNACK|
1881 TCP_COMPLETENESS_ACK|
1882 TCP_COMPLETENESS_FIN):
1884 TCP_COMPLETENESS_SYNACK|
1885 TCP_COMPLETENESS_ACK|
1886 TCP_COMPLETENESS_RST):
1888 TCP_COMPLETENESS_SYNACK|
1889 TCP_COMPLETENESS_ACK|
1890 TCP_COMPLETENESS_FIN|
1891 TCP_COMPLETENESS_RST):
1897 }
1898 }
1900 /* TCP structs and definitions */
1902 /* **************************************************************************
1903 * RTT, relative sequence numbers, window scaling & etc.
1904 * **************************************************************************/
1917 #define TCP_A_RETRANSMISSION 0x0001
1918 #define TCP_A_LOST_PACKET 0x0002
1919 #define TCP_A_ACK_LOST_PACKET 0x0004
1920 #define TCP_A_KEEP_ALIVE 0x0008
1921 #define TCP_A_DUPLICATE_ACK 0x0010
1922 #define TCP_A_ZERO_WINDOW 0x0020
1923 #define TCP_A_ZERO_WINDOW_PROBE 0x0040
1924 #define TCP_A_ZERO_WINDOW_PROBE_ACK 0x0080
1925 #define TCP_A_KEEP_ALIVE_ACK 0x0100
1926 #define TCP_A_OUT_OF_ORDER 0x0200
1927 #define TCP_A_FAST_RETRANSMISSION 0x0400
1928 #define TCP_A_WINDOW_UPDATE 0x0800
1929 #define TCP_A_WINDOW_FULL 0x1000
1930 #define TCP_A_REUSED_PORTS 0x2000
1931 #define TCP_A_SPURIOUS_RETRANSMISSION 0x4000
1933 /* This flag for desegment_tcp to exclude segments with previously
1934 * seen sequence numbers.
1935 * It is from the perspective of Wireshark's reassembler, whereas
1936 * the other flags above are from the perspective of the sender.
1937 * (E.g., TCP_A_RETRANSMISSION or TCP_A_SPURIOUS_RETRANSMISSION
1938 * can be set even when first appearance in the capture file.)
1939 */
1940 #define TCP_A_OLD_DATA 0x8000
1942 /* Static TCP flags. Set in tcp_flow_t:static_flags */
1943 #define TCP_S_BASE_SEQ_SET 0x01
1944 #define TCP_S_SAW_SYN 0x03
1945 #define TCP_S_SAW_SYNACK 0x05
1948 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1949 #define MPTCP_META_HAS_BASE_DSN_MSB 0x01
1950 #define MPTCP_META_HAS_KEY 0x03
1951 #define MPTCP_META_HAS_TOKEN 0x04
1952 #define MPTCP_META_HAS_ADDRESSES 0x08
1954 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1955 #define MPTCP_SUBFLOW_HAS_NONCE 0x01
1956 #define MPTCP_SUBFLOW_HAS_ADDRESS_ID 0x02
1958 /* MPTCP meta analysis related */
1959 #define MPTCP_META_CHECKSUM_REQUIRED 0x0002
1961 /* if we have no key for this connection, some conversion become impossible,
1962 * thus return false
1963 */
1964 static
1965 bool
1966 mptcp_convert_dsn(uint64_t dsn, mptcp_meta_flow_t *meta, enum mptcp_dsn_conversion conv, bool relative, uint64_t *result ) {
1970 /* if relative is set then we need the 64 bits version anyway
1971 * we assume no wrapping was done on the 32 lsb so this may be wrong for elephant flows
1972 */
1976 /* can't do those without the expected_idsn based on the key */
1978 }
1979 }
1983 }
1987 }
1991 }
1994 }
1997 static void
2006 {
2009 /* Initialize the tcp protocol data structure to add to the tcp conversation */
2022 }
2024 /* Only allocate the data if its actually going to be analyzed */
2026 {
2027 tcpd->flow1.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2028 tcpd->flow2.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2029 }
2030 /* Only allocate the data if its actually going to be displayed */
2032 {
2035 }
2056 }
2058 /* setup meta as well */
2059 static void
2061 {
2068 }
2071 /* add a new subflow to an mptcp connection */
2072 static void
2077 }
2079 /* in case we merge 2 mptcp connections */
2081 }
2085 {
2088 /* Get the data for this conversation */
2092 }
2096 {
2101 /* Did the caller supply the conversation pointer? */
2103 /* If the caller didn't supply a conversation, don't
2104 * clear the analysis, it may be needed */
2107 }
2109 /* Get the data for this conversation */
2113 /* if the addresses are equal, match the ports instead */
2116 }
2117 /* If the conversation was just created or it matched a
2118 * conversation with template options, tcpd will not
2119 * have been initialized. So, initialize
2120 * a new tcpd structure for the conversation.
2121 */
2125 }
2129 }
2131 /* check direction and get ua lists */
2138 }
2142 }
2144 }
2146 /* Attach process info to a flow */
2147 /* XXX - We depend on the TCP dissector finding the conversation first */
2148 void
2149 add_tcp_process_info(uint32_t frame_num, address *local_addr, address *remote_addr, uint16_t local_port, uint16_t remote_port, uint32_t uid, uint32_t pid, char *username, char *command) {
2157 conv = find_conversation(frame_num, local_addr, remote_addr, CONVERSATION_TCP, local_port, remote_port, 0);
2160 }
2165 }
2167 if (cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0 && local_port == conversation_key_port1(conv->key_ptr)) {
2169 } else if (cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0 && remote_port == conversation_key_port1(conv->key_ptr)) {
2171 }
2174 }
2183 }
2185 /* Return the current stream count */
2187 {
2189 }
2191 /* Return the mptcp current stream count */
2193 {
2195 }
2197 /* Calculate the timestamps relative to this conversation */
2198 static void
2201 {
2205 }
2210 /* pre-increment so packet numbers start at 1 */
2218 }
2220 /* Add a subtree with the timestamps relative to this conversation */
2221 static void
2222 tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2223 {
2226 nstime_t ts;
2239 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
2245 }
2246 }
2248 static void
2249 print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
2250 {
2257 }
2259 /* if we know that a PDU starts inside this segment, return the adjusted
2260 offset to where that PDU starts or just return offset back
2261 and let TCP try to find out what it can about this segment
2262 */
2263 static int
2264 scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, uint32_t seq, uint32_t nxtseq, wmem_tree_t *multisegment_pdus)
2265 {
2271 /* If this is a continuation of a PDU started in a
2272 * previous segment we need to update the last_frame
2273 * variables.
2274 */
2279 }
2281 /* If this segment is completely within a previous PDU
2282 * then we just skip this packet
2283 */
2286 }
2290 }
2292 }
2294 /* First we try to find the start and transfer time for a PDU.
2295 * We only print this for the very first segment of a PDU
2296 * and only for PDUs spanning multiple segments.
2297 * Se we look for if there was any multisegment PDU started
2298 * just BEFORE the end of this segment. I.e. either inside this
2299 * segment or in a previous segment.
2300 * Since this might also match PDUs that are completely within
2301 * this segment we also verify that the found PDU does span
2302 * beyond the end of this segment.
2303 */
2308 nstime_t ns;
2317 }
2318 }
2320 /* Second we check if this segment is part of a PDU started
2321 * prior to the segment (seq-1)
2322 */
2325 /* If this segment is completely within a previous PDU
2326 * then we just skip this packet
2327 */
2331 }
2336 }
2337 }
2339 }
2341 }
2343 /* if we saw a PDU that extended beyond the end of the segment,
2344 use this function to remember where the next pdu starts
2345 */
2347 pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, uint32_t seq, uint32_t nxtpdu, wmem_tree_t *multisegment_pdus)
2348 {
2360 /*ws_warning("pdu_store_sequencenumber_of_next_pdu: seq %u", seq);*/
2362 }
2364 /* This is called for SYN and SYN+ACK packets and the purpose is to verify
2365 * that we have seen window scaling in both directions.
2366 * If we can't find window scaling being set in both directions
2367 * that means it was present in the SYN but not in the SYN+ACK
2368 * (or the SYN was missing) and then we disable the window scaling
2369 * for this tcp session.
2370 */
2371 static void
2373 {
2375 /* We know window scaling will not be used as:
2376 * a) this is the SYN and it does not have the WS option
2377 * (we set the reverse win_scale also in case we miss
2378 * the SYN/ACK)
2379 * b) this is the SYN/ACK and either the SYN packet has not
2380 * been seen or it did have the WS option. As the SYN/ACK
2381 * does not have the WS option, window scaling will not be used.
2382 *
2383 * Setting win_scale to -2 to indicate that we can
2384 * trust the window_size value in the TCP header.
2385 */
2390 /* The SYN/ACK has the WS option, while the SYN did not,
2391 * this should not happen, but the endpoints will not
2392 * have used window scaling, so we will neither
2393 */
2395 }
2396 }
2398 /* given a tcpd, returns the mptcp_subflow that sides with meta */
2401 {
2402 /* select the tcp_flow with appropriate direction */
2405 }
2408 }
2409 }
2411 /* if we saw a window scaling option, store it for future reference
2412 */
2413 static void
2415 {
2418 }
2420 /* when this function returns, it will (if createflag) populate the ta pointer.
2421 */
2422 static void
2423 tcp_analyze_get_acked_struct(uint32_t frame, uint32_t seq, uint32_t ack, bool createflag, struct tcp_analysis *tcpd)
2424 {
2442 }
2448 }
2449 }
2453 /* fwd contains a list of all segments processed but not yet ACKed in the
2454 * same direction as the current segment.
2455 * rev contains a list of all segments received but not yet ACKed in the
2456 * opposite direction to the current segment.
2457 *
2458 * New segments are always added to the head of the fwd/rev lists.
2459 *
2460 * Changes below should be synced with ChAdvTCPAnalysis in the User's
2461 * Guide: doc/wsug_src/WSUG_chapter_advanced.adoc
2462 */
2463 static void
2464 tcp_analyze_sequence_number(packet_info *pinfo, uint32_t seq, uint32_t ack, uint32_t seglen, uint16_t flags, uint32_t window, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2465 {
2470 #if 0
2472 printf("FWD list lastflags:0x%04x base_seq:%u: nextseq:%u lastack:%u\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq,tcpd->fwd->tcp_analyze_seq_info->nextseq,tcpd->rev->tcp_analyze_seq_info->lastack);
2475 printf("REV list lastflags:0x%04x base_seq:%u nextseq:%u lastack:%u\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq,tcpd->rev->tcp_analyze_seq_info->nextseq,tcpd->fwd->tcp_analyze_seq_info->lastack);
2478 #endif
2482 }
2486 }
2488 /* ZERO WINDOW PROBE
2489 * it is a zero window probe if
2490 * the sequence number is the next expected one
2491 * the window in the other direction is 0
2492 * the segment is exactly 1 byte
2493 */
2499 }
2502 }
2505 /* ZERO WINDOW
2506 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
2507 */
2512 }
2514 }
2517 /* LOST PACKET
2518 * If this segment is beyond the last seen nextseq we must
2519 * have missed some previous segment
2520 *
2521 * We only check for this if we have actually seen segments prior to this
2522 * one.
2523 * RST packets are not checked for this.
2524 */
2530 }
2533 /* Disable BiF until an ACK is seen in the other direction */
2535 }
2538 /* KEEP ALIVE
2539 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
2540 * to what should be the next sequence number.
2541 * SYN/FIN/RST segments are never keepalives
2542 */
2548 }
2550 }
2552 /* WINDOW UPDATE
2553 * A window update is a 0 byte segment with the same SEQ/ACK numbers as
2554 * the previous seen segment and with a new window value
2555 */
2557 && window
2564 }
2566 }
2569 /* WINDOW FULL
2570 * If we know the window scaling
2571 * and if this segment contains data and goes all the way to the
2572 * edge of the advertised window
2573 * then we mark it as WINDOW FULL
2574 * SYN/RST/FIN packets are never WINDOW FULL
2575 */
2578 && (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
2582 }
2584 }
2587 /* KEEP ALIVE ACK
2588 * It is a keepalive ack if it repeats the previous ACK and if
2589 * the last segment in the reverse direction was a keepalive
2590 */
2592 && window
2600 }
2603 }
2606 /* ZERO WINDOW PROBE ACK
2607 * It is a zerowindowprobe ack if it repeats the previous ACK and if
2608 * the last segment in the reverse direction was a zerowindowprobe
2609 * It also repeats the previous zero window indication
2610 */
2615 && (ack==tcpd->fwd->tcp_analyze_seq_info->lastack || EQ_SEQ(ack,tcpd->fwd->tcp_analyze_seq_info->lastack+1))
2620 }
2623 /* Some receivers consume that extra byte brought in the PROBE,
2624 * but it was too early to know that during the WINDOW PROBE analysis.
2625 * Do it now by moving the rev nextseq & maxseqtobeacked.
2626 * See issue 10745.
2627 */
2631 }
2633 }
2636 /* DUPLICATE ACK
2637 * It is a duplicate ack if window/seq/ack is the same as the previous
2638 * segment and if the segment length is 0
2639 */
2641 && window
2647 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
2649 /* just ignore this DUPLICATE ACK */
2655 }
2659 }
2660 }
2664 finished_fwd:
2665 /* If the ack number changed we must reset the dupack counters */
2669 }
2672 /* ACKED LOST PACKET
2673 * If this segment acks beyond the 'max seq to be acked' in the other direction
2674 * then that means we have missed packets going in the
2675 * other direction.
2676 * It might also indicate we are resuming from a Zero Window,
2677 * where a Probe is just followed by an ACK opening again the window.
2678 * See issue 8404.
2679 *
2680 * We only check this if we have actually seen some seq numbers
2681 * in the other direction.
2682 */
2688 }
2690 /* resuming from a Zero Window Probe which re-opens the window,
2691 * mark it as a Window Update
2692 */
2699 }
2700 /* real ACKED LOST PACKET */
2702 /* We ensure there is no matching packet waiting in the unacked list,
2703 * and take this opportunity to push the tail further than this single packet
2704 */
2712 }
2714 /* Only look at what happens above the current ACK value,
2715 * as what happened before is definetely ACKed here and can be
2716 * safely ignored. */
2719 /* if the left edge is contiguous, move the tail leftward */
2722 }
2724 /* otherwise, we have isolated segments above what is being ACKed here,
2725 * and we reinit the tails with the current values */
2729 }
2730 }
2731 }
2733 /* a tail was found and we can push the maxseqtobeacked further */
2736 }
2738 /* otherwise, just take into account the value being ACKed now */
2741 }
2744 }
2745 }
2748 /* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
2749 * If the segment contains data (or is a SYN or a FIN) and
2750 * if it does not advance the sequence number, it must be one
2751 * of these three.
2752 * Only test for this if we know what the seq number should be
2753 * (tcpd->fwd->nextseq)
2754 *
2755 * Note that a simple KeepAlive is not a retransmission
2756 */
2767 }
2769 /* This segment is *not* considered a retransmission/out-of-order if
2770 * the segment length is larger than one (it really adds new data)
2771 * the sequence number is one less than the previous nextseq and
2772 * (the previous segment is possibly a zero window probe)
2773 *
2774 * We should still try to flag Spurious Retransmissions though.
2775 */
2778 }
2780 /* Check for spurious retransmission. If the current seq + segment length
2781 * is less than or equal to the current lastack, the packet contains
2782 * duplicate data and may be considered spurious.
2783 */
2789 }
2792 }
2799 /* Some OOO vs Retrans interpretations can be wrong when the capture needs a reorder.
2800 * Avoid such cases by enforcing the delta to 0 when the order seems bad, instead of
2801 * calculating an absurd value.
2802 */
2804 /* regular case */
2807 }
2811 }
2814 }
2819 /* If there were >=2 duplicate ACKs in the reverse direction
2820 * (there might be duplicate acks missing from the trace)
2821 * and if this sequence number matches those ACKs
2822 * and if the packet occurs within 20ms of the last
2823 * duplicate ack
2824 * then this is a fast retransmission
2825 */
2831 }
2834 }
2836 /* Look for this segment in reported SACK ranges,
2837 * if not present this might very well be a FAST Retrans,
2838 * when the conditions above (timing, number of retrans) are still true */
2848 i++;
2849 }
2851 /* fine, it's probably a Fast Retrans triggered by the SACK sender algo */
2857 }
2858 }
2862 /* If the segment came relatively close since the segment with the highest
2863 * seen sequence number and it doesn't look like a retransmission
2864 * then it is an OUT-OF-ORDER segment.
2865 */
2870 }
2872 /* If the segment is already seen and waiting to be acknowledged, ignore the
2873 * Fast-Retrans/OOO debate and go ahead, as it only can be an ordinary Retrans.
2874 * Fast-Retrans/Retrans are never ambiguous in the context of packets seen but
2875 * this code could be moved above.
2876 * See Issues 13284, 13843
2877 * XXX: if compared packets have different sizes, it's not handled yet
2878 */
2884 /* As we know this packet has retransmissions, we are marking it
2885 * as eligible to Karn's algo.
2886 */
2890 }
2892 }
2894 }
2897 /* ordinary OOO with SEQ numbers and lengths clearly stating the situation */
2898 if( tcpd->fwd->tcp_analyze_seq_info->nextseq != (seq + seglen + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
2901 }
2905 }
2907 /* facing an OOO closing a series of disordered packets,
2908 all preceded by a pure ACK. See issue 17214 */
2912 }
2916 }
2917 }
2918 }
2920 }
2923 /* Then it has to be a generic retransmission */
2926 }
2929 /*
2930 * worst case scenario: if we don't have better than a recent packet,
2931 * use it as the reference for RTO
2932 */
2933 nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &tcpd->fwd->tcp_analyze_seq_info->nextseqtime);
2936 /*
2937 * better case scenario: if we have a list of the previous unacked packets,
2938 * go back to the eldest one, which in theory is likely to be the one retransmitted here.
2939 * It's not always the perfect match, particularly when original captured packet used LSO
2940 * We may parse this list and try to find an obvious matching packet present in the
2941 * capture. If such packet is actually missing, we'll reach the list first entry.
2942 * See : issue #12259
2943 * See : issue #17714
2944 */
2950 }
2952 }
2953 }
2955 finished_checking_retransmission_type:
2957 /* Override the TCP sequence analysis with the value given
2958 * manually by the user. This only applies to flagged packets.
2959 */
2967 /* clean flags set during the automatic analysis */
2969 TCP_A_OUT_OF_ORDER|
2970 TCP_A_FAST_RETRANSMISSION|
2971 TCP_A_SPURIOUS_RETRANSMISSION);
2973 /* set the corresponding flag chosen by the user */
2976 /* the user asked for an empty overriding, which
2977 * means removing any previous value, thus restoring
2978 * the automatic analysis.
2979 */
2999 /* there is no expected default case */
3001 }
3002 }
3005 if ((seglen || flags&(TH_SYN|TH_FIN)) && tcpd->fwd->tcp_analyze_seq_info->segment_count < TCP_MAX_UNACKED_SEGMENTS) {
3006 /* Add this new sequence number to the fwd list. But only if there
3007 * aren't "too many" unacked segments (e.g., we're not seeing the ACKs).
3008 */
3017 /* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
3020 }
3022 /* All Retransmissions are marked for later Karn discovery.
3023 * It's very unlikely that we will ever meet a TCP client
3024 * that just acknowledges a Fast Retransmission segment without
3025 * jumping over and also acknowledging the ones that triggered
3026 * the fast retransmission. Or maybe under heavy load ?
3027 */
3033 }
3036 }
3039 }
3041 /* Every time we are moving the highest number seen,
3042 * we are also tracking the segment length then we will know for sure,
3043 * later, if this was a pure ACK or an ordinary data packet. */
3045 || GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
3047 }
3049 /* Store the highest number seen so far for nextseq so we can detect
3050 * when we receive segments that arrive with a "hole"
3051 * If we don't have anything since before, just store what we got.
3052 * ZeroWindowProbes are special and don't really advance the nextseq
3053 */
3054 if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
3061 /* Count the flows turns by checking all packets carrying real data
3062 * Packets not ordered are ignored.
3063 */
3071 /* check direction */
3075 /* if the addresses are equal, match the ports instead */
3078 }
3080 /* invert the direction and increment the counter */
3084 }
3085 /* if the direction was not reversed, maybe are we
3086 * facing the first flow ? Yes, if the counter still equals 0.
3087 */
3091 }
3092 }
3093 }
3094 }
3095 }
3096 }
3098 /* Store the highest continuous seq number seen so far for 'max seq to be acked',
3099 * so we can detect TCP_A_ACK_LOST_PACKET condition.
3100 * If this ever happens, this boundary value can "jump" further in order to
3101 * avoid duplicating multiple messages for the very same lost packet. See later
3102 * how ACKED LOST PACKET are handled.
3103 * Zero Window Probes are logically left out at this moment, but if their data
3104 * really were to be ack'ed, then it will be done later when analyzing their
3105 * Probe ACK (be it a real Probe ACK, or an ordinary ACK moving the RCV Window).
3106 */
3107 if(EQ_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) || !tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) {
3110 }
3111 }
3114 /* remember what the ack/window is so we can track window updates and retransmissions */
3120 /* remember the MPTCP operations if any */
3123 }
3125 /* if there were any flags set for this segment we need to remember them
3126 * we only remember the flags for the very last segment though.
3127 */
3132 }
3135 /* remove all segments this ACKs and we don't need to keep around any more
3136 */
3142 /* If this ack matches the segment, process accordingly */
3147 /* mark it as a full segment ACK */
3154 }
3158 }
3159 }
3160 }
3161 /* If this acknowledges part of the segment, adjust the segment info for the acked part.
3162 * This typically happens in the context of GSO/GRO or Retransmissions with
3163 * segment repackaging (elsewhere called repacketization). For the user, looking at the
3164 * previous packets for any Retransmission or at the SYN MSS Option presence would
3165 * answer what case is precisely encountered.
3166 */
3173 /* mark it as a partial segment ACK
3174 *
3175 * XXX - This mark is used later to create an Expert Note,
3176 * but other ways of tracking these packets are possible:
3177 * for example a similar indication to ta->frame_acked
3178 * would help differentiating the SEQ/ACK analysis messages.
3179 * Also, a TCP Analysis Flag could be added, but doesn't seem
3180 * essential yet, as matching packets can be selected with
3181 * 'tcp.analysis.partial_ack'.
3182 */
3185 /* identify ambiguous ACKs following Karn's definition
3186 */
3191 }
3195 }
3196 }
3199 }
3200 /* If this acknowledges a segment prior to this one, leave this segment alone and move on */
3205 }
3207 /* This segment is old, or an exact match. Delete the segment from the list */
3211 /* Track largest segment successfully sent for SNACK analysis*/
3214 }
3215 }
3219 }
3222 }
3226 }
3228 /* how many bytes of data are there in flight after this frame
3229 * was sent
3230 * The historical evaluation is done from the payload seen in the
3231 * segments captured. Another method deduced from the SEQ numbers
3232 * is introduced with issue 7703, but not used by default now. The
3233 * method is chosen by the user preference tcp_bif_seq_based.
3234 */
3237 /*
3238 * "don't repeat yourself" boolean, for the shared part
3239 * between both methods
3240 */
3243 /*
3244 * historical calculation method based on payloads, which is
3245 * by now still the default.
3246 */
3260 }
3263 }
3265 }
3267 }
3269 if (seglen!=0 && tcpd->fwd->tcp_analyze_seq_info && tcpd->fwd->tcp_analyze_seq_info->valid_bif) {
3275 }
3276 }
3278 /* subtract any SACK block */
3284 }
3286 }
3291 }
3293 /* Decrement in_flight bytes by one when we have a SYN or FIN bit
3294 * flag set as it is only virtual.
3295 */
3298 }
3299 }
3312 }
3315 }
3317 }
3318 }
3320 }
3322 /*
3323 * Prints results of the sequence number analysis concerning tcp segments
3324 * retransmitted or out-of-order
3325 */
3326 static void
3331 )
3332 {
3333 /* TCP Retransmission */
3346 }
3347 }
3348 /* TCP Fast Retransmission */
3354 }
3355 /* TCP Spurious Retransmission */
3361 }
3363 /* TCP Out-Of-Order */
3367 }
3368 }
3370 /* Prints results of the sequence number analysis concerning reused ports */
3371 static void
3375 )
3376 {
3377 /* TCP Ports Reused */
3382 }
3383 }
3385 /* Prints results of the sequence number analysis concerning lost tcp segments */
3386 static void
3390 )
3391 {
3392 /* TCP Lost Segment */
3397 }
3398 /* TCP Ack lost segment */
3403 }
3404 }
3406 /* Prints results of the sequence number analysis concerning tcp window */
3407 static void
3411 )
3412 {
3413 /* TCP Window Update */
3417 }
3418 /* TCP Full Window */
3422 }
3423 }
3425 /* Prints results of the sequence number analysis concerning tcp keepalive */
3426 static void
3430 )
3431 {
3432 /*TCP Keep Alive */
3436 }
3437 /* TCP Ack Keep Alive */
3441 }
3442 }
3444 /* Prints results of the sequence number analysis concerning tcp duplicate ack */
3445 static void
3450 proto_tree * tree
3451 )
3452 {
3455 /* TCP Duplicate ACK */
3459 hf_tcp_analysis_duplicate_ack,
3461 "This is a TCP duplicate ack"
3462 );
3467 ta->dupack_num
3468 );
3470 }
3477 expert_add_info_format(pinfo, flags_item, &ei_tcp_analysis_duplicate_ack, "Duplicate ACK (#%u)", ta->dupack_num);
3478 }
3479 }
3481 /* Prints results of the sequence number analysis concerning tcp zero window */
3482 static void
3486 )
3487 {
3488 /* TCP Zero Window Probe */
3492 }
3493 /* TCP Zero Window */
3497 }
3498 /* TCP Zero Window Probe Ack */
3503 }
3504 }
3507 /* Prints results of the sequence number analysis concerning how many bytes of data are in flight */
3508 static void
3513 )
3514 {
3519 hf_tcp_analysis_bytes_in_flight,
3523 }
3524 }
3526 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3527 static void
3529 {
3537 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3542 }
3544 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3545 static void
3547 {
3555 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3560 }
3563 /* Print formatted list of tcp stream ids that are part of the connection */
3564 static void
3567 {
3573 /* for the analysis, we set each subflow tcp stream id */
3577 }
3579 item = proto_tree_add_string(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, wmem_strbuf_get_str(val));
3581 }
3583 /* Compute raw dsn if relative tcp seq covered by DSS mapping */
3584 static bool
3586 {
3589 }
3593 }
3596 /* Add duplicated data */
3598 mptcp_add_duplicated_dsn(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, struct mptcp_subflow *subflow,
3600 )
3601 {
3609 rawdsn64low,
3610 rawdsn64high
3611 );
3616 {
3623 }
3626 }
3628 }
3631 }
3634 /* Lookup mappings that describe the packet and then converts the tcp seq number
3635 * into the MPTCP Data Sequence Number (DSN)
3636 */
3637 static void
3639 proto_tree *parent_tree, struct tcp_analysis* tcpd, struct tcpheader * tcph, mptcp_per_packet_data_t *mptcppd)
3640 {
3649 {
3650 /* abort analysis */
3652 }
3654 /* for this to work, we need to know the original seq number from the SYN, not from a subsequent packet
3655 * hence, we abort if we didn't capture the SYN
3656 */
3659 }
3661 /* if seq not relative yet, we compute it */
3667 /* in case of a SYN, there is no mapping covering the DSN */
3672 }
3673 /* if it's a non-syn packet without data (just used to convey TCP options)
3674 * then there would be no mappings */
3678 }
3688 ssn_low,
3690 );
3694 }
3698 }
3701 }
3705 /* Finds mappings that cover the sent data and adds them to the dissection tree */
3709 {
3715 }
3716 }
3720 }
3722 /* Make sure we have the 64bit raw DSN */
3726 /* always display the rawdsn64 (helpful for debug) */
3727 item = proto_tree_add_uint64(parent_tree, hf_mptcp_rawdsn64, tvb, 0, 0, tcph->th_mptcp->mh_rawdsn64);
3729 /* converts to relative if required */
3731 && mptcp_convert_dsn(tcph->th_mptcp->mh_rawdsn64, tcpd->fwd->mptcp_subflow->meta, DSN_CONV_NONE, true, &tcph->th_mptcp->mh_dsn)) {
3734 }
3736 /* register dsn->packet mapping */
3740 ) {
3749 packet
3750 );
3751 }
3754 /* We can do this only if rawdsn64 is valid !
3755 if enabled, look for overlapping mappings on other subflows */
3762 /* results should be some kind of list in case 2 DSS are needed to cover this packet */
3763 for(subflow_it = wmem_list_head(mptcpd->subflows); subflow_it != NULL; subflow_it = wmem_list_frame_next(subflow_it)) {
3765 struct mptcp_subflow *sf = mptcp_select_subflow_from_meta(sf_tcpd, tcpd->fwd->mptcp_subflow->meta);
3767 /* for current subflow */
3769 /* skip, this is the current subflow */
3770 }
3771 /* in case there were retransmissions on other subflows */
3776 }
3777 }
3778 }
3779 }
3781 /* could not get the rawdsn64, ignore and continue */
3782 }
3784 }
3787 /* Print subflow list */
3788 static void
3791 {
3799 }
3806 /* set field with mptcp stream */
3812 );
3814 }
3818 }
3823 /* store the TCP Options related to MPTCP then we will avoid false DUP ACKs later */
3827 nbOptionsChanged++;
3828 }
3831 nbOptionsChanged++;
3832 }
3835 nbOptionsChanged++;
3836 }
3839 nbOptionsChanged++;
3840 }
3843 nbOptionsChanged++;
3844 }
3847 nbOptionsChanged++;
3848 }
3851 nbOptionsChanged++;
3852 }
3855 nbOptionsChanged++;
3856 }
3857 /* we could track MPTCP option changes here, with nbOptionsChanged */
3858 #endif
3863 /* retrieve saved analysis of packets, else create it */
3864 mptcppd = (mptcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num);
3868 }
3870 /* Print formatted list of tcp stream ids that are part of the connection */
3873 /* Converts TCP seq number into its MPTCP DSN */
3876 }
3879 static void
3884 )
3885 {
3890 hf_tcp_analysis_push_bytes_sent,
3894 }
3895 }
3897 static void
3900 {
3908 }
3911 }
3915 }
3921 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
3922 data we actually have */
3932 }
3936 }
3938 /* only display RTT if we actually have something we are acking */
3943 }
3944 }
3949 }
3952 /* print results for amount of data in flight */
3955 }
3962 /* print results for reused tcp ports */
3965 /* print results for retransmission and out-of-order segments */
3968 /* print results for lost tcp segments */
3971 /* print results for tcp window information */
3974 /* print results for tcp keep alive information */
3977 /* print results for tcp duplicate acks */
3980 /* print results for tcp zero window */
3983 }
3985 }
3987 static void
3988 print_tcp_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tcp_tree, packet_info *pinfo, tvbuff_t *next_tvb)
3989 {
3992 /*
3993 * The subdissector thought it was completely
3994 * desegmented (although the stuff at the
3995 * end may, in turn, require desegmentation),
3996 * so we show a tree with all segments.
3997 */
4000 /*
4001 * The toplevel fragment subtree is now
4002 * behind all desegmented data; move it
4003 * right behind the TCP tree.
4004 */
4008 }
4009 }
4011 /* **************************************************************************
4012 * End of tcp sequence number analysis
4013 * **************************************************************************/
4016 /* Minimum TCP header length. */
4017 #define TCPH_MIN_LEN 20
4019 /* Desegmentation of TCP streams */
4021 /* The primary ID is the first frame of a multisegment PDU, which is
4022 * most likely unique in the capture (unlike sequence numbers which
4023 * can be re-used, especially when relative sequence numbers are enabled).
4024 * However, frames can have multiple PDUs with certain encapsulations like
4025 * GSE or MPE over DVB BaseBand Frames.
4026 */
4030 address src_addr;
4031 address dst_addr;
4032 port_type ptype;
4037 static void
4039 {
4045 }
4047 static void
4049 {
4055 }
4058 address src_addr;
4059 address dst_addr;
4066 static unsigned
4068 {
4074 /* In most captures there is only one fragment per id / first_frame,
4075 so we only use it in the hash as an optimization.
4077 int i;
4078 for (i = 0; i < key->src.len; i++)
4079 hash_val += key->src_addr.data[i];
4080 for (i = 0; i < key->dst.len; i++)
4081 hash_val += key->dst_addr.data[i];
4082 hash_val += key->src_port;
4083 hash_val += key->dst_port;
4084 hash_val += key->seq;
4085 */
4088 }
4090 static int
4092 {
4096 /*
4097 * key.id is the first item to compare since it's the item most
4098 * likely to differ between sessions, thus short-circuiting
4099 * the comparison of addresses and ports.
4100 */
4107 }
4109 /*
4110 * Create a fragment key for temporary use; it can point to non-
4111 * persistent data, and so must only be used to look up and
4112 * delete entries, not to add them.
4113 */
4117 {
4122 /*
4123 * Do a shallow copy of the addresses.
4124 */
4133 }
4135 /*
4136 * Create a fragment key for permanent use; it must point to persistent
4137 * data, so that it can be used to add entries.
4138 */
4142 {
4147 /*
4148 * Do a deep copy of the addresses.
4149 */
4158 }
4160 static void
4162 {
4165 }
4167 static void
4169 {
4173 /*
4174 * Free up the copies of the addresses from the old key.
4175 */
4180 }
4181 }
4183 const reassembly_table_functions
4184 tcp_reassembly_table_functions = {
4185 tcp_segment_hash,
4186 tcp_segment_equal,
4187 tcp_segment_temporary_key,
4188 tcp_segment_persistent_key,
4189 tcp_segment_free_temporary_key,
4190 tcp_segment_free_persistent_key
4191 };
4195 /* functions to trace tcp segments */
4196 /* Enable desegmenting of TCP streams */
4199 /* Returns the maximum contiguous sequence number of the reassembly associated
4200 * with the msp *if* a new fragment were added ending in the given maxnextseq.
4201 * The new fragment is from the current frame and may not have been added yet.
4202 */
4203 static uint32_t
4205 {
4211 /* msp implies existence of fragments, this should never be NULL. */
4214 /* Find length of contiguous fragments.
4215 * Start with the first gap, but the new fragment is allowed to
4216 * fill that gap. */
4221 }
4224 }
4228 {
4235 /* This is for splitting defragmented MSPs, so fd_head should exist
4236 * and be defragmented. This also ensures that fd_i->tvb_data exists.
4237 */
4242 /* The fragment list is sorted in offset order, but not nec. frame order
4243 * or end offset order due to out of order reassembly and possible overlap.
4244 * fd_i->offset < split_offset - some bytes are before the split
4245 * fd_i->offset + fd_i->len >= split_offset - some bytes are after split
4246 * Look through all the fragments that have some data before the split point.
4247 */
4251 }
4258 }
4259 }
4260 };
4262 /* Now look through all the remaining fragments that only have bytes after
4263 * the split.
4264 */
4269 }
4270 }
4272 /* We only call this when the frame the fragments were reassembled in
4273 * (which is the current frame) includes some data before the split
4274 * point, so that it won't change and we can be consistent dissecting
4275 * between passes. We also should have at least some data after the
4276 * split point (because the subdissector claimed there was undissected
4277 * data.)
4278 */
4289 /* XXX: Could do the adding the new fragments in fragment_truncate */
4293 /* Check for some unusual out of order overlapping segment situations. */
4298 }
4302 }
4303 }
4308 /* The newmsp nxtpdu will be adjusted after leaving this function. */
4310 }
4319 static int
4321 {
4325 /* We only insert segments into this list that satisfy
4326 * LT_SEQ(tcpd->fwd->maxnextseq, seq), for the current value
4327 * of maxnextseq (removing segments when maxnextseq is advanced)
4328 * so these rollover-aware comparisons are transitive over the
4329 * domain (never greater than 2^31).
4330 */
4344 }
4346 /* Search through our list of out of order segments and add the ones that are
4347 * now contiguous onto a MSP until we use them all or reach another gap.
4348 *
4349 * If the MSP parameter is a incomplete, returns it with any OOO segments added.
4350 * If the MSP parameter is NULL or complete, returns a newly created MSP with
4351 * OOO segments added, or NULL if there were no segments to add.
4352 */
4354 msp_add_out_of_order(packet_info *pinfo, struct tcp_multisegment_pdu *msp, struct tcp_analysis *tcpd, uint32_t seq)
4355 {
4357 /* Whether a previous MSP exists with missing segments. */
4365 }
4367 }
4375 /* There might be segments already added to the msp that now extend
4376 * the maximum contiguous sequence number. Check for them. */
4380 }
4383 }
4384 }
4385 /* We have filled in the gap, so this out of order
4386 * segment is now contiguous and can be processed along
4387 * with the segment we just received.
4388 */
4393 /* Increase the expected MSP size if necessary. Yes, the
4394 * subdissector may have told us that a PDU ended here, but we
4395 * might have enough newly contiguous data to dissect another
4396 * PDU past that, and we should send that to the subdissector
4397 * too. */
4400 }
4401 /* Add this OOO segment to the unfinished MSP */
4408 /* No MSP in progress, so create one starting
4409 * at the sequence number of segment received
4410 * in this frame. Note that we will be adding
4411 * the first segment below, and this is the frame
4412 * of the first segment, so first_frame_with_seq
4413 * is already correct (and unnecessary) and
4414 * we don't need MSP_FLAGS_MISSING_FIRST_SEGMENT. */
4423 }
4429 }
4430 /* There might be segments already added to the msp that now extend
4431 * the maximum contiguous sequence number. Check for them. */
4434 }
4436 }
4438 static void
4444 {
4458 const bool reassemble_ooo = tcp_analyze_seq && tcp_desegment && tcp_reassemble_out_of_order && tcpd && tcpd->fwd->ooo_segments;
4465 again:
4474 /*
4475 * Initialize these to assume no desegmentation.
4476 * If that's not the case, these will be set appropriately
4477 * by the subdissector.
4478 */
4482 /*
4483 * Initialize this to assume that this segment will just be
4484 * added to the middle of a desegmented chunk of data, so
4485 * that we should show it all as data.
4486 * If that's not the case, it will be set appropriately.
4487 */
4490 /*
4491 * TODO: Some notes on current limitations with TCP desegmentation:
4492 *
4493 * This function can be called with either relative or absolute sequence
4494 * numbers; the ??_SEQ macros are called for comparisons to deal with
4495 * with sequence number rollover. (With relative sequence numbers, if
4496 * early TCP segments are received out of order before the SYN it can be
4497 * possible for rollover to occur at the very beginning of a connection.)
4498 *
4499 * However, multi-segment PDU lookup does not work for MSPs that span
4500 * TCP sequence number rollover, and desegmentation fails.
4501 *
4502 * When there is a single TCP connection that is longer than 4 GiB and
4503 * thus sequence numbers are reused, multi-segment PDU lookup and
4504 * retransmission identification does not work. (Bug 10503).
4505 *
4506 * Distinguishing between sequence number reuse on a very long connection
4507 * and sequence number reuse due to retransmission is difficult. Right
4508 * now very long connections are just not handled as the rarer case.
4509 * Perhaps retransmission identification could be entirely left up to TCP
4510 * analysis (if enabled, not done at all if disabled), instead of TCP
4511 * analysis results only used to supplement work here?
4512 *
4513 * TCP sequence analysis can set TCP_A_RETRANSMISSION in cases where
4514 * we still need to process the segment anyway because something other
4515 * than the sequence number is different from the prior segment. That
4516 * includes "retransmitted but with additional data" (Bug 13523) and
4517 * "retransmitted due to bad checksum" (especially if checksum verification
4518 * is enabled.)
4519 *
4520 * "Reassemble out-of-order segments" uses its own method of detecting
4521 * retranmission, but uses more memory and CPU, and when used, a TCP stream
4522 * that has missing segments that are never retransmitted stop processing
4523 * after the missing segment.
4524 *
4525 * If multiple TCP/IP packets are encapsulated in the same frame (such
4526 * as with GSE, which has very long Baseband Frames) this causes issues:
4527 *
4528 * If a subdissector reports that it can handle a payload, but needs
4529 * more data (pinfo->desegment_len > 0) and did not actually dissect
4530 * any of it (pinfo->desegment_offset == 0), on the first pass it
4531 * still adds layers to the frame. On subsequent passes, the MSP created
4532 * (or extended) in the first pass means that the subdissector won't be
4533 * called at all. If there are other protocols contained in the frame
4534 * that are dissected on the second pass they will have different
4535 * layer numbers than in the first pass, which can disturb proto_data
4536 * lookup, reassembly, etc. (Bug 16109 describes this for TLS.)
4537 */
4542 /* If we are reassembling out of order, we can do this retransmission
4543 * check. Anything before the latest consecutive sequence number we've
4544 * already processed is a retransmission (from the perspective of has
4545 * been passed to subdissectors; the judgment of TCP Sequence Analysis
4546 * may be different, because it considers RTO and ACKs and so forth).
4547 *
4548 * XXX: If these segments are part of incomplete MSPs, we pass them
4549 * to the reassembly code which tests for overlap conflicts.
4550 * For those which are part of completed reassemblies or not part
4551 * of MSPs, we just don't process them. The former would throw a
4552 * ReassemblyError, which is likely acceptable in the case of
4553 * retransmission of the same segment but not if retransmitted with
4554 * additional data, where we'd need to catch the exception to
4555 * process the extra data. For ones that were not added to MSPs at
4556 * all, we can't do much. (Bug #13061)
4557 *
4558 * Retransmissions of out of order segments after our latest
4559 * consecutive sequence number will all be stored and then eventually
4560 * put on multisegment PDUs and go to the reassembler, which should
4561 * be able to handle retransmission, as those are still incomplete.
4562 */
4567 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4569 }
4575 }
4581 }
4582 }
4583 }
4587 /* RFC 9293 3.8.4. TCP Keep-Alives
4588 * Keep-alive packets MUST only be sent when no sent data
4589 * is outstanding (no new or unacknowledged data.)
4590 * A multisegment PDU boundary can never span a keep-alive
4591 * (unlike a Zero Window Probe or retransmission); if
4592 * a MSP started at the same sequence number as this, then
4593 * most likely the first packet of the TCP stream seen was
4594 * also a keep-alive, couldn't be identified as one, and
4595 * was passed to the next dissector which treated it as
4596 * starting a MSP. (#20287)
4597 *
4598 * This unfortunately doesn't help if this is somehow
4599 * a one-octet retransmission instead of a keep-alive.
4600 */
4602 /* This MUST be only 1 (we don't get here for zero). */
4608 /* MSPs cannot span this (probably not an MSP at
4609 * all but another garbage octet) */
4611 }
4613 }
4629 }
4630 }
4633 /* Have we seen this PDU before (and is it the start of a multi-
4634 * segment PDU)?
4635 *
4636 * If the sequence number was seen before, it is part of a
4637 * retransmission if the whole segment fits within the MSP.
4638 * (But if this is this frame was already visited and the first frame of
4639 * the MSP matches the current frame, then it is not a retransmission,
4640 * but the start of a new MSP.)
4641 *
4642 * If only part of the segment fits in the MSP, then either:
4643 * - The previous segment included with the MSP was a Zero Window Probe
4644 * with one byte of data and the subdissector just asked for one more
4645 * byte. Do not mark it as retransmission (Bug 15427).
4646 * - Data was actually being retransmitted, but with additional data
4647 * (Bug 13523). Do not mark it as retransmission to handle the extra
4648 * bytes. (NOTE Due to the TCP_A_RETRANSMISSION check below, such
4649 * extra data will still be ignored.)
4650 * - The MSP contains multiple segments, but the subdissector finished
4651 * reassembly using a subset of the final segment (thus "msp->nxtpdu"
4652 * is smaller than the nxtseq of the previous segment). If that final
4653 * segment was retransmitted, then "nxtseq > msp->nxtpdu".
4654 * Unfortunately that will *not* be marked as retransmission here.
4655 * The next TCP_A_RETRANSMISSION hopefully takes care of it though.
4656 *
4657 * Only shortcircuit here when the first segment of the MSP is known,
4658 * and when this first segment is not one to complete the MSP.
4659 */
4660 if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, seq)) &&
4667 /* Same logic as in the OOO processing case. */
4669 /* This MUST be only 1 (we don't get here for zero). */
4676 }
4678 /* Yes. This could be because we've dissected this frame before
4679 * or because this is a retransmission of a previously-seen
4680 * segment. Either way, we don't need to hand it off to the
4681 * subdissector and we certainly don't want to re-add it to the
4682 * multisegment_pdus list: if we did, subsequent lookups would
4683 * find this retransmission instead of the original transmission
4684 * (breaking desegmentation if we'd already linked other segments
4685 * to the original transmission's entry).
4686 *
4687 * Cases to handle here:
4688 * - In-order stream, pinfo->num matches begin of MSP.
4689 * - In-order stream, but pinfo->num does not match the begin of the
4690 * MSP. Must be a retransmission.
4691 * - OoO stream where this segment fills the gap in the begin of the
4692 * MSP. msp->first_frame is the start where the gap was detected
4693 * (and does NOT match pinfo->num).
4694 */
4701 /* TCP analysis already flags this (in COL_INFO) as a retransmission--if it's enabled */
4702 }
4704 /* Fix for bug 3264: look up ipfd for this (first) segment,
4705 so can add tcp.reassembled_in generated field on this code path. */
4717 }
4718 }
4719 }
4720 }
4728 }
4730 /* Else, find the most previous PDU starting before this sequence number */
4732 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
4733 }
4736 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4738 }
4740 /* The above code only finds retransmission if the PDU boundaries and the seq coincide
4741 * If we have sequence analysis active use the TCP_A_RETRANSMISSION flag.
4742 * XXXX Could the above code be improved?
4743 */
4745 /* If we have an unfinished MSP that this segment belongs to
4746 * or if the sequence number is newer than anything we've seen,
4747 * then this is Out of Order from the reassembly perspective
4748 * and we want to process it anyway.
4749 */
4750 if (!PINFO_FD_VISITED(pinfo) && tcpd->fwd->maxnextseq && LE_SEQ(seq, tcpd->fwd->maxnextseq) && !has_unfinished_msp) {
4751 /* Otherwise, if TCP Analysis calls the segment a
4752 * Spurious Retransmission or Retransmission, ignore it
4753 * here and on future passes.
4754 * See issue 10289
4755 * XXX: There are still some cases where TCP Analysis
4756 * marks segments as Retransmissions when they are
4757 * Out of Order from this perspective (#10725, #13843)
4758 */
4763 }
4764 }
4772 }
4773 }
4774 }
4775 }
4779 /* If there is a gap between this segment and any previous ones
4780 * (that is, seqno is larger than the maximum expected seqno), then
4781 * it is possibly an out-of-order segment. The very first segment
4782 * is expected to be in-order though (otherwise captures starting
4783 * in midst of a connection would never be reassembled).
4784 * (maxnextseq is 0 if we have not seen a SYN packet, even with
4785 * absolute sequence numbers.)
4786 *
4787 * Do not bother checking for OoO segments for streams that are
4788 * reassembled at FIN, the order of segments before FIN does not
4789 * matter as reordering and reassembly occurs at FIN.
4790 */
4793 /* Segments may be missing due to packet loss (assume later
4794 * retransmission) or out-of-order (assume it appears later).
4795 *
4796 * XXX: It would be nice to handle captures that have both
4797 * out-of-order packets and some lost packets that are
4798 * never retransmitted. But using the reverse flow ACK
4799 * (like follow_tcp_tap_listener) or using a known end of
4800 * a MSP (that we haven't fully received yet) to process a
4801 * segment that starts right afterwards would both break the
4802 * promise of in-order delivery, if a missing packet did arrive
4803 * later, which is a problem for any state-based dissector
4804 * (including TLS.)
4805 */
4807 /* Whether the new segment has a gap from our latest contiguous
4808 * sequence number. */
4810 }
4813 /* Update the maximum expected seqno if no SYN packet was seen
4814 * before, or if the new segment succeeds previous segments. */
4817 /* If there is no gap, look for any OOO packets that are now
4818 * contiguous. */
4820 }
4822 /* If we have visited this frame before, look for the frame in the
4823 * list of unused out of order segments. Since we know the gap will
4824 * never be filled, we could pass it to the subdissector, but
4825 * we want to be consistent between passes.
4826 */
4834 }
4835 }
4836 }
4838 /* If we are not processing out of order, update the max nextseq value if
4839 * is later than our current value (or our first value.)
4840 */
4845 }
4846 }
4847 }
4855 }
4857 /* OK, this PDU was found, which means the segment continues
4858 * a higher-level PDU and that we must desegment it.
4859 */
4861 /* The dissector asked for the entire segment */
4864 /* Wraparound is possible, so subtraction does not
4865 * distribute across MIN(x, y)
4866 */
4868 }
4873 /*
4874 * If the previous segment requested more data (setting
4875 * FD_PARTIAL_REASSEMBLY as the next segment length is unknown), but
4876 * subsequently an OoO segment was received (for an earlier hole),
4877 * then "fragment_add" would truncate the reassembled PDU to the end
4878 * of this OoO segment. To prevent that, explicitly specify the MSP
4879 * length before calling "fragment_add".
4880 *
4881 * When a subdissector requests reassembly at the end of the
4882 * connection (DESEGMENT_UNTIL_FIN), then it is not
4883 * possible for an earlier segment to complete reassembly
4884 * (more_frags for fragment_add is always true). Thus we do not
4885 * have to worry about increasing the fragment length here.
4886 */
4890 }
4901 /* If we consumed the entire segment there is no
4902 * other pdu starting anywhere inside this segment.
4903 * So update nxtpdu to point at least to the start
4904 * of the next segment.
4905 * (If the subdissector asks for even more data we
4906 * will advance nxtpdu even further later down in
4907 * the code.)
4908 */
4911 }
4912 }
4915 /* Remember when all segments are ready to avoid subsequent
4916 * out-of-order packets from extending this MSP. If a subsdissector
4917 * needs more segments, the flag will be cleared below. */
4920 }
4921 }
4927 }
4929 /* This is an OOO segment with a gap and past the known end of
4930 * the current MSP, if any. We don't know for certain which MSP
4931 * it belongs to, and the reassembly functions don't let us remove
4932 * fragment items added by mistake. Keep it around in a separate
4933 * structure, and add it later.
4934 *
4935 * On the second and later passes, we know that this gap will
4936 * never be filled in, so we could hand the segment to the
4937 * subdissector anyway. However, we want dissection to be
4938 * consistent between passes.
4939 */
4946 /* We only enter here if dissect_tcp set can_desegment,
4947 * which means that these bytes exist. */
4950 }
4953 /* This segment was not found in our table, so it doesn't
4954 * contain a continuation of a higher-level PDU.
4955 * Call the normal subdissector.
4956 */
4958 /*
4959 * Supply the sequence number of this segment. We set this here
4960 * because this segment could be after another in the same packet,
4961 * in which case seq was incremented at the end of the loop.
4962 */
4968 /* Unless it failed to dissect any data at all, the subdissector
4969 * might have changed the addresses and/or ports. Save them, and
4970 * set them back to the original values temporarily so that the
4971 * fragment functions work correctly (including in any later PDU.)
4972 *
4973 * (If we didn't dissect any data, the subdissector *shouldn't*
4974 * have changed the addresses or ports, so don't save them, but
4975 * restore them just in case.)
4976 */
4979 }
4983 /* Did the subdissector ask us to desegment some more data
4984 * before it could handle the packet?
4985 * If so we'll have to handle that later.
4986 */
4990 /*
4991 * Set "deseg_offset" to the offset in "tvb"
4992 * of the first byte of data that the
4993 * subdissector didn't process.
4994 */
4996 }
4998 /* Either no desegmentation is necessary, or this is
4999 * segment contains the beginning but not the end of
5000 * a higher-level PDU and thus isn't completely
5001 * desegmented.
5002 */
5004 }
5007 /* is it completely desegmented? */
5009 /*
5010 * Yes, we think it is.
5011 * We only call subdissector for the last segment.
5012 * Note that the last segment may include more than what
5013 * we needed.
5014 */
5015 if (ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
5016 /*
5017 * OK, this is the last segment.
5018 * Let's call the subdissector with the desegmented
5019 * data.
5020 */
5023 /* create a new TVB structure for desegmented data */
5026 /* add desegmented data to the data source list */
5029 /*
5030 * Supply the sequence number of the first of the
5031 * reassembled bytes.
5032 */
5035 /* indicate that this is reassembled data */
5038 /* call subdissector */
5042 /* Unless it failed to dissect any data at all, the subdissector
5043 * might have changed the addresses and/or ports. Save them, and
5044 * set them back to the original values temporarily so that the
5045 * fragment functions work correctly (including in any later PDU.)
5046 *
5047 * (If we didn't dissect any data, the subdissector *shouldn't*
5048 * have changed the addresses or ports, so don't save them, but
5049 * restore them just in case.)
5050 */
5053 }
5057 /*
5058 * OK, did the subdissector think it was completely
5059 * desegmented, or does it think we need even more
5060 * data?
5061 */
5063 /*
5064 * "desegment_len" isn't 0, so it needs more data
5065 * to fully dissect the current MSP. msp->nxtpdu was
5066 * not accurate and needs to be updated.
5067 *
5068 * This can happen if a dissector asked for one
5069 * more segment (but didn't know exactly how much data)
5070 * or if segments were added out of order.
5071 *
5072 * This is opposed to the current MSP being completely
5073 * desegmented, but the stuff at the end of the
5074 * current frame past last_fragment_len starting a new
5075 * higher-level PDU that may also need desegmentation.
5076 * That case is handled on the next loop.
5077 *
5078 * We want to keep the same dissection and protocol layer
5079 * numbers on subsequent passes.
5080 *
5081 * If "desegment_offset" is 0, then nothing in the reassembled
5082 * TCP segments was dissected, so remove the data source.
5083 */
5087 }
5091 msp);
5093 /* If "desegment_offset" is not 0, then a PDU in the
5094 * reassembled segments was dissected, but some stuff
5095 * that was added previously is part of a later PDU.
5096 */
5098 /* If we don't use anything from the current frame's
5099 * segment, then we can't split the msp. The frames of
5100 * the earlier PDU weren't reassembled until now, so
5101 * they need to point to a reassembled_in frame here
5102 * or later.
5103 *
5104 * Since this segment is the first of newly contiguous
5105 * segments, this means the subdissector is asking for
5106 * fewer bytes than it did before.
5107 * XXX: Report this as a dissector bug?
5108 */
5111 }
5114 msp);
5116 /* If we did use bytes from the current segment, then
5117 * we want to split the MSP; the earlier part is
5118 * dissected in this frame on the first pass, so for
5119 * consistency we want to do so on future passes, but
5120 * the latter part we cannot dissect until later.
5121 * We only need to do this on the first pass; split_msp
5122 * truncates the msp so we don't get here a second
5123 * time.
5124 */
5125 /* nxtpdu adjustment for the new msp is the same. */
5127 /* We don't need to clear MSP_FLAGS_GOT_ALL_SEGMENTS
5128 * since we are spliting the MSP.
5129 */
5131 }
5133 }
5134 }
5137 /* Update msp->nxtpdu to point to the new next
5138 * pdu boundary.
5139 * We only do this on the first pass, though we shouldn't
5140 * get here on a second pass (since we truncated the msp.)
5141 */
5143 /* We want reassembly of at least one
5144 * more segment so set the nxtpdu
5145 * boundary to one byte into the next
5146 * segment.
5147 * This means that the next segment
5148 * will complete reassembly even if it
5149 * is only one single byte in length.
5150 * If this is an OoO segment, then increment
5151 * the MSP end.
5152 */
5157 /* This is not the first segment, and we thought the
5158 * reassembly would be done now, but now know we must
5159 * desgment until FIN. (E.g., HTTP Response with headers
5160 * split across segments, and no Content-Length or
5161 * Transfer-Encoding (RFC 7230, Section 3.3.3, case 7.)
5162 * For the same reasons as below when we encounter
5163 * DESEGMENT_UNTIL_FIN on the first segment, give
5164 * msp->nxtpdu a big (but not too big) offset so
5165 * reassembly will pick up the segments later.
5166 */
5170 /* This is the segment (overlapping) the end of
5171 * the MSP.
5172 */
5175 /* This is a segment before the end of the MSP, so
5176 * it must be an out-of-order segment that completed
5177 * the MSP. The requested additional data is
5178 * relative to that end.
5179 */
5181 }
5182 }
5183 }
5185 /* Since we need at least some more data
5186 * there can be no pdu following in the
5187 * tail of this segment.
5188 */
5195 /*
5196 * Show the stuff in this TCP segment as
5197 * just raw TCP segment data.
5198 */
5200 ? another_pdu_follows
5207 }
5208 }
5209 }
5212 /*
5213 * The sequence number at which the stuff to be desegmented
5214 * starts is the sequence number of the byte at an offset
5215 * of "deseg_offset" into "tvb".
5216 *
5217 * The sequence number of the byte at an offset of "offset"
5218 * is "seq", i.e. the starting sequence number of this
5219 * segment, so the sequence number of the byte at
5220 * "deseg_offset" is "seq + (deseg_offset - offset)".
5221 */
5224 /* We have to create some structures in our table but
5225 * this is something we only do the first time we see this
5226 * packet. */
5228 /* If the dissector requested "reassemble until FIN"
5229 * just set this flag for the flow and let reassembly
5230 * proceed at normal. We will check/pick up these
5231 * reassembled PDUs later down in dissect_tcp() when checking
5232 * for the FIN flag.
5233 */
5236 }
5239 /* The subdissector asked to reassemble using the
5240 * entire next segment.
5241 * Just ask reassembly for one more byte
5242 * but set this msp flag so we can pick it up
5243 * above.
5244 */
5249 /*
5250 * The subdissector asked to reassemble at the end of the
5251 * connection. That will be done in dissect_tcp, but here we
5252 * have to ask reassembly to collect all future segments.
5253 * Note that TCP_FLOW_REASSEMBLE_UNTIL_FIN was set before,
5254 * this ensures that OoO detection is skipped.
5255 * The exact nxtpdu offset does not matter, but it should be
5256 * smaller than half of the maximum 32-bit unsigned integer
5257 * to allow detection of sequence number wraparound, and
5258 * larger than the largest possible stream size. Hopefully
5259 * 1GiB (0x40000000 bytes) should be enough.
5260 */
5266 }
5268 /* add this segment as the first one for this new pdu */
5273 }
5275 /* If this is not the first time we have seen the packet, then
5276 * the MSP should already be created. Retrieve it to see if we
5277 * know what later frame the PDU is reassembled in.
5278 */
5279 if (tcpd && (msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, deseg_seq))) {
5281 }
5282 }
5283 }
5289 /*
5290 * We know what other frame this PDU is reassembled in;
5291 * let the user know.
5292 */
5296 }
5298 /*
5299 * Either we didn't call the subdissector at all (i.e.,
5300 * this is a segment that contains the middle of a
5301 * higher-level PDU, but contains neither the beginning
5302 * nor the end), or the subdissector couldn't dissect it
5303 * all, as some data was missing (i.e., it set
5304 * "pinfo->desegment_len" to the amount of additional
5305 * data it needs).
5306 */
5308 /*
5309 * It couldn't, in fact, dissect any of it (the
5310 * first byte it couldn't dissect is at an offset
5311 * of "pinfo->desegment_offset" from the beginning
5312 * of the payload, and that's 0).
5313 * Just mark this as TCP.
5314 */
5318 }
5319 }
5321 /*
5322 * Show what's left in the packet as just raw TCP segment
5323 * data. (It's possible that another PDU follows in the case
5324 * of an out of order frame that is part of two MSPs.)
5325 * XXX - remember what protocol the last subdissector
5326 * was, and report it as a continuation of that, instead?
5327 */
5328 nbytes = another_pdu_follows ? another_pdu_follows : tvb_reported_length_remaining(tvb, deseg_offset);
5333 }
5339 /* there was another pdu following this one. */
5341 /* we also have to prevent the dissector from changing the
5342 * PROTOCOL and INFO columns since what follows may be an
5343 * incomplete PDU and we don't want it be changed back from
5344 * <Protocol> to <TCP>
5345 */
5354 /* remove any blocking set above otherwise the
5355 * proto,colinfo tap will break
5356 */
5359 }
5360 }
5362 clean_exit:
5363 /* Restore the addresses and ports to whatever they were after
5364 * the last segment that successfully dissected some data, if any.
5365 */
5367 }
5369 void
5374 {
5386 tcp_endpoint_t orig_endpoint;
5391 /*
5392 * We use "tvb_ensure_captured_length_remaining()" to make
5393 * sure there actually *is* data remaining. The protocol
5394 * we're handling could conceivably consists of a sequence of
5395 * fixed-length PDUs, and therefore the "get_pdu_len" routine
5396 * might not actually fetch anything from the tvbuff, and thus
5397 * might not cause an exception to be thrown if we've run past
5398 * the end of the tvbuff.
5399 *
5400 * This means we're guaranteed that "captured_length_remaining" is positive.
5401 */
5404 /*
5405 * Can we do reassembly?
5406 */
5408 /*
5409 * Yes - is the fixed-length part of the PDU split across segment
5410 * boundaries?
5411 */
5413 /*
5414 * Yes. Tell the TCP dissector where the data for this message
5415 * starts in the data it handed us and that we need "some more
5416 * data." Don't tell it exactly how many bytes we need because
5417 * if/when we ask for even more (after the header) that will
5418 * break reassembly.
5419 */
5423 }
5424 }
5426 /*
5427 * Get the length of the PDU.
5428 */
5431 /*
5432 * Support protocols which have a variable length which cannot
5433 * always be determined within the given fixed_len.
5434 */
5435 /*
5436 * If another segment was requested but we can't do reassembly,
5437 * abort and warn about the unreassembled packet.
5438 */
5440 /*
5441 * Tell the TCP dissector where the data for this message
5442 * starts in the data it handed us, and that we need one
5443 * more segment, and return.
5444 */
5448 }
5450 /*
5451 * Either:
5452 *
5453 * 1) the length value extracted from the fixed-length portion
5454 * doesn't include the fixed-length portion's length, and
5455 * was so large that, when the fixed-length portion's
5456 * length was added to it, the total length overflowed;
5457 *
5458 * 2) the length value extracted from the fixed-length portion
5459 * includes the fixed-length portion's length, and the value
5460 * was less than the fixed-length portion's length, i.e. it
5461 * was bogus.
5462 *
5463 * Report this as a bounds error.
5464 */
5467 }
5469 /* give a hint to TCP where the next PDU starts
5470 * so that it can attempt to find it in case it starts
5471 * somewhere in the middle of a segment.
5472 */
5479 }
5480 }
5482 /*
5483 * Can we do reassembly?
5484 */
5486 /*
5487 * Yes - is the PDU split across segment boundaries?
5488 */
5490 /*
5491 * Yes. Tell the TCP dissector where the data for this message
5492 * starts in the data it handed us, and how many more bytes we
5493 * need, and return.
5494 */
5498 }
5499 }
5505 curr_layer_num--;
5506 }
5507 #if 0
5509 {
5510 #endif
5511 /*
5512 * Display the PDU length as a field
5513 */
5514 item=proto_tree_add_uint((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5515 hf_tcp_pdu_size,
5518 #if 0
5520 item = proto_tree_add_expert_format((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5524 }
5525 #endif
5527 /*
5528 * Construct a tvbuff containing the amount of the payload we have
5529 * available. Make its reported length the amount of data in the PDU.
5530 */
5537 /* If we can't do reassembly but the PDU is split across
5538 * segment boundaries, mark the tvbuff as a fragment so
5539 * we throw FragmentBoundsError instead of malformed
5540 * errors.
5541 */
5543 }
5544 }
5547 /*
5548 * Dissect the PDU.
5549 *
5550 * If it gets an error that means there's no point in
5551 * dissecting any more PDUs, rethrow the exception in
5552 * question.
5553 *
5554 * If it gets any other error, report it and continue, as that
5555 * means that PDU got an error, but that doesn't mean we should
5556 * stop dissecting PDUs within this frame or chunk of reassembled
5557 * data.
5558 */
5561 TRY {
5563 }
5564 CATCH_NONFATAL_ERRORS {
5567 /*
5568 * Restore the saved protocol as well; we do this after
5569 * show_exception(), so that the "Malformed packet" indication
5570 * shows the protocol for which dissection failed.
5571 */
5573 }
5574 ENDTRY;
5576 /*
5577 * Step to the next PDU.
5578 * Make sure we don't overflow.
5579 */
5584 }
5585 }
5587 static void
5589 {
5590 /* fstr(" %s=%u", abbrev, val) */
5592 }
5594 static void
5596 {
5598 }
5600 static bool
5601 tcp_option_len_check(proto_item* length_item, packet_info *pinfo, unsigned len, unsigned optlen)
5602 {
5604 /* Bogus - option length isn't what it's supposed to be for this option. */
5608 }
5611 }
5613 static int
5614 dissect_tcpopt_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
5615 {
5626 proto_tree_add_item(exp_tree, hf_tcp_option_unknown_payload, tvb, offset + 2, optlen - 2, ENC_NA);
5629 }
5631 static int
5632 dissect_tcpopt_default_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, int ett)
5633 {
5643 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5649 }
5651 static int
5653 {
5654 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpsrec, ett_tcp_opt_recbound);
5655 }
5657 static int
5659 {
5660 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpscor, ett_tcp_opt_scpscor);
5661 }
5663 static void
5666 {
5672 /* Fast Open Cookie Request */
5677 /* Fast Open Cookie */
5684 /* Is this a SYN with data and the cookie? */
5689 }
5690 }
5691 }
5692 }
5693 }
5695 static int
5697 {
5709 }
5711 /*
5712 * TCP ACK Rate Request option is based on
5713 * https://datatracker.ietf.org/doc/html/draft-gomez-tcpm-ack-rate-request-06
5714 */
5716 #define TCPOPT_TARR_RATE_MASK 0xfe
5717 #define TCPOPT_TARR_RESERVED_MASK 0x01
5718 #define TCPOPT_TARR_RATE_SHIFT 1
5720 static void
5723 {
5737 }
5738 }
5740 static void
5743 {
5762 }
5773 }
5775 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5781 }
5792 }
5794 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5798 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee1b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5803 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee0b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5806 }
5808 }
5812 }
5813 }
5815 static int
5817 {
5830 length_item = proto_tree_add_item(acc_ecn_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
5836 dissect_tcpopt_acc_ecn_data(tvb, offset, length - 2, kind == TCPOPT_ACC_ECN_0, pinfo, acc_ecn_tree, item, data);
5837 }
5839 }
5841 static int
5843 {
5854 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5866 optlen);
5870 }
5877 optlen);
5883 }
5893 }
5896 }
5900 }
5905 }
5907 }
5909 static int
5911 {
5922 {
5924 }
5927 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5935 }
5937 static int
5939 {
5948 /* find the conversation for this TCP session and its stored data */
5956 {
5958 }
5961 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5966 proto_tree_add_item_ret_uint(exp_tree, hf_tcp_option_mss_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN, &mss);
5970 /* Only SYN packets are supposed to have this option
5971 * XXX - we could restrict a bit more with seq_analyze */
5974 }
5977 }
5979 /* The window scale extension is defined in RFC 1323 */
5980 static int
5982 {
5991 /* find the conversation for this TCP session and its stored data */
6001 length_item = proto_tree_add_item(wscale_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
6007 shift_pi = proto_tree_add_item_ret_uint(wscale_tree, hf_tcp_option_wscale_shift, tvb, offset, 1, ENC_BIG_ENDIAN, &shift);
6009 /* RFC 1323: "If a Window Scale option is received with a shift.cnt
6010 * value exceeding 14, the TCP should log the error but use 14 instead
6011 * of the specified value." */
6014 }
6027 }
6030 }
6032 static int
6034 {
6046 /*
6047 * SEQ analysis is the condition for both relative analysis obviously,
6048 * and SACK handling for the in-flight update
6049 */
6051 /* find the conversation for this TCP session and its stored data */
6058 }
6060 /*
6061 * initialize the number of SACK blocks to 0, it will be
6062 * updated some lines later
6063 */
6066 }
6067 }
6068 }
6070 /* Late discovery of a 'false' Window Update in presence of SACK option,
6071 * which means we are dealing with a Dup ACK rather than a Window Update.
6072 * Classify accordingly by removing the UPDATE and adding the DUP flags.
6073 * Mostly a copy/paste from tcp_analyze_sequence_number(), ensure consistency
6074 * whenever the latter changes.
6075 * see Issue #14937
6076 */
6079 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
6081 /* just ignore this DUPLICATE ACK */
6083 /* no initialization required of the tcpd->ta as this code would
6084 * be unreachable otherwise
6085 */
6094 }
6095 }
6096 }
6114 }
6124 }
6125 /* XXX - check whether it goes past end of packet */
6135 /* Store blocks for BiF analysis */
6136 if (tcp_analyze_seq && tcpd && tcpd->fwd->tcp_analyze_seq_info && tcp_track_bytes_in_flight && num_sack_ranges < MAX_TCP_SACK_RANGES) {
6140 }
6142 /* Update tap info */
6147 }
6151 }
6154 /* Show number of SACK ranges in this option as a generated field */
6159 /* RFC 2883 "An Extension to the Selective Acknowledgement (SACK) Option for TCP" aka "D-SACK"
6160 * Section 4
6161 * Conditions: Either the first sack-block is inside the already acknowledged range or
6162 * the first sack block is inside the second sack block.
6163 *
6164 * Maybe add later:
6165 * (1) A D-SACK block is only used to report a duplicate contiguous sequence of data received by
6166 * the receiver in the most recent packet.
6167 */
6173 )) {
6175 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_le, tvb, sackoffset, 4, leftedge,
6176 "D-SACK Left Edge = %u%s", leftedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6179 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_re, tvb, sackoffset+4, 4, rightedge,
6180 "D-SACK Right Edge = %u%s", rightedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6183 }
6186 }
6188 static int
6190 {
6215 }
6217 /* If set, do not put the TCP timestamp information on the summary line */
6220 static int
6222 {
6252 }
6258 proto_tree_add_uint_bits_format_value(syncookie_ti, hf_tcp_syncookie_option_timestamp, tvb, offset * 8,
6259 26, timestamp, ENC_TIME_SECS, "%s", abs_time_secs_to_str(pinfo->pool, timestamp, ABSOLUTE_TIME_LOCAL, true));
6260 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_ecn, tvb, offset * 8 + 26, 1, ENC_NA);
6261 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_sack, tvb, offset * 8 + 27, 1, ENC_NA);
6262 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_wscale, tvb, offset * 8 + 28, 4, ENC_NA);
6263 }
6266 }
6283 /* arbitrary assignment. Callers may override this */
6288 }
6291 /* will create necessary structure if fails to find a match on the token */
6303 /* if token already set for this meta */
6304 if( tcp_flow->mptcp_subflow->meta && (tcp_flow->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_TOKEN)) {
6306 }
6308 /* else look for a registered meta with this token */
6311 /* if token already registered than just share it across TCP connections */
6315 }
6317 /* we create it if this connection */
6319 /* don't care which meta to choose assign each meta to a direction */
6322 }
6325 /* already exists, thus some meta may already have been configured */
6328 }
6331 }
6334 }
6336 }
6343 }
6348 /* compute the meta id assigned to tcp_flow */
6351 /* computes the metaId tcpd->fwd should be assigned to */
6358 }
6360 /* setup from_key */
6361 static
6363 get_or_create_mptcpd_from_key(struct tcp_analysis* tcpd, tcp_flow_t *fwd, uint8_t version, uint64_t key, uint8_t hmac_algo _U_) {
6369 if(fwd->mptcp_subflow->meta && (fwd->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_KEY)) {
6371 }
6373 /* MPTCP v0 only standardizes SHA1, and v1 SHA256. */
6388 }
6390 /* record this mapping */
6391 static
6392 void analyze_mapping(struct tcp_analysis *tcpd, packet_info *pinfo, uint16_t len, uint64_t dsn, bool extended, uint32_t ssn) {
6394 /* store mapping only if analysis is enabled and mapping is not unlimited */
6397 }
6401 }
6403 /* register SSN range described by the mapping into a subflow interval_tree */
6416 mapping
6417 );
6418 }
6420 /*
6421 * The TCP Extensions for Multipath Operation with Multiple Addresses
6422 * are defined in RFC 6824
6423 *
6424 * https://tools.ietf.org/html/rfc6824
6425 *
6426 * Author: Andrei Maruseac <andrei.maruseac@intel.com>
6427 * Matthieu Coudron <matthieu.coudron@lip6.fr>
6428 *
6429 * This function just generates the mptcpheader, i.e. the generation of
6430 * datastructures is delayed/delegated to mptcp_analyze
6431 */
6432 static int
6434 {
6448 /* There may be several MPTCP options per packet, don't duplicate the structure */
6454 }
6459 /* seeing an MPTCP packet on the subflow automatically qualifies it as an mptcp subflow */
6462 }
6465 }
6481 proto_item_append_text(main_item, ": %s", val_to_str(subtype, mptcp_subtype_vs, "Unknown (%d)"));
6483 /** preemptively allocate mptcpd when subtype won't allow to find a meta */
6486 }
6497 ett_tcp_option_mptcp,
6499 ENC_BIG_ENDIAN);
6503 }
6506 }
6509 /* optlen == 12 => SYN or SYN/ACK; optlen == 20 => ACK;
6510 * optlen == 22 => ACK + data (v1 only);
6511 * optlen == 24 => ACK + data + csum (v1 only)
6512 */
6516 proto_tree_add_uint64(mptcp_tree, hf_tcp_option_mptcp_sender_key, tvb, offset, 8, mph->mh_key);
6519 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->fwd, version, mph->mh_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6530 /* last ACK of 3WHS, repeats both keys */
6539 /* compare the echoed key with the server key */
6542 }
6543 }
6545 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->rev, version, recv_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6546 }
6547 }
6549 /* MPTCP v1 ACK + data, contains data_len and optional checksum */
6551 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6557 }
6559 /* when data len is present, this MP_CAPABLE also carries an implicit mapping ... */
6560 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, tcpd->fwd->mptcp_subflow->meta->base_dsn + 1, true, tcph->th_seq);
6562 /* ... with optional checksum */
6564 {
6565 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6566 }
6567 }
6568 }
6575 }
6577 /* Syn */
6579 {
6582 ENC_BIG_ENDIAN);
6597 /* if the negotiated version is v1 the first key was exchanged on SYN/ACK packet: we must swap the meta */
6600 }
6605 }
6612 ENC_BIG_ENDIAN);
6638 }
6641 /* display only *raw* values since it is harder to guess a correct value than for TCP.
6642 One needs to enable mptcp_analysis to get more interesting data
6643 */
6652 ENC_BIG_ENDIAN);
6655 /* displays "raw" DataAck , ie does not convert it to its 64 bits form
6656 to do so you need to enable
6657 */
6662 /* 64bits ack */
6666 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 8, mph->mh_dss_rawack, "%" PRIu64 " (64bits)", mph->mh_dss_rawack);
6668 }
6669 /* 32bits ack */
6672 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 4, ENC_BIG_ENDIAN);
6674 }
6677 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dack64)) {
6681 }
6684 }
6686 /* ignore and continue */
6687 }
6689 }
6691 /* Mapping present */
6699 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 8, dsn, "%" PRIu64 " (64bits version)", dsn);
6701 /* if we have the opportunity to complete the 32 Most Significant Bits of the
6702 *
6703 */
6707 }
6711 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 4, dsn, "%" PRIu64 " (32bits version)", dsn);
6713 }
6716 proto_tree_add_item_ret_uint(mptcp_tree, hf_tcp_option_mptcp_subflow_seq_no, tvb, offset, 4, ENC_BIG_ENDIAN, &mph->mh_dss_ssn);
6719 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6725 }
6727 /* print head & tail dsn */
6729 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dsn)) {
6733 }
6736 }
6738 /* ignore and continue */
6739 }
6741 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, mph->mh_dss_rawdsn, mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES, mph->mh_dss_ssn);
6744 {
6745 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6746 }
6747 }
6756 else
6769 }
6775 }
6781 }
6786 }
6791 item = proto_tree_add_uint(mptcp_tree, hf_mptcp_number_of_removed_addresses, tvb, start_offset+2,
6799 }
6806 ENC_BIG_ENDIAN);
6812 }
6840 ENC_BIG_ENDIAN);
6843 ENC_BIG_ENDIAN);
6848 }
6852 /* if mptcpd just got allocated, remember the initial addresses
6853 * which will serve as identifiers for the conversation filter
6854 */
6860 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_src, &tcpd->fwd->mptcp_subflow->meta->ip_dst);
6861 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_dst, &tcpd->fwd->mptcp_subflow->meta->ip_src);
6865 }
6868 }
6871 }
6873 static int
6875 {
6898 }
6900 static int
6902 {
6924 }
6926 static int
6928 {
6947 }
6960 }
6962 static int
6964 {
6985 COL_ADD_LSTR_TERMINATOR);
6992 }
6994 static int
6996 {
7010 /* check direction and get ua lists */
7013 /* if the addresses are equal, match the ports instead */
7016 }
7020 else
7032 /* If the option length == 4, this is a real SCPS capability option
7033 * See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS Transport Protocol
7034 * (SCPS-TP)" Section 3.2.3 for definition.
7035 */
7055 struct capvec
7056 {
7066 };
7078 COL_ADD_LSTR_TERMINATOR);
7080 }
7081 }
7084 }
7094 /* The option length != 4, so this is an infamous "extended capabilities
7095 * option. See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
7096 * Transport Protocol (SCPS-TP)" Section 3.2.5 for definition.
7097 *
7098 * As the format of this option is only partially defined (it is
7099 * a community (or more likely vendor) defined format beyond that, so
7100 * at least for now, we only parse the standardized portion of the option.
7101 */
7107 /* There was no SCPS capabilities option preceding this */
7110 optlen);
7114 optlen);
7116 /* There may be multiple binding spaces included in a single option,
7117 * so we will semi-parse each of the stacked binding spaces - skipping
7118 * over the octets following the binding space identifier and length.
7119 */
7122 /* 1st octet is Extended Capability Binding Space */
7125 /* 2nd octet (upper 4-bits) has binding space length in 16-bit words.
7126 * As defined by the specification, this length is exclusive of the
7127 * octets containing the extended capability type and length
7128 */
7129 extended_cap_length =
7132 /* Convert the extended capabilities length into bytes for display */
7135 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding, tvb, offset + local_offset, 1, ENC_BIG_ENDIAN);
7136 proto_tree_add_uint(field_tree, hf_tcp_option_scps_binding_len, tvb, offset + local_offset + 1, 1, extended_cap_length);
7138 /* Step past the binding space and length octets */
7141 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding_data, tvb, offset + local_offset, extended_cap_length, ENC_NA);
7145 /* Step past the Extended capability data
7146 * Treat the extended capability data area as opaque;
7147 * If one desires to parse the extended capability data
7148 * (say, in a vendor aware build of wireshark), it would
7149 * be triggered here.
7150 */
7152 }
7153 }
7154 }
7157 }
7159 static int
7161 {
7179 proto_tree_add_item(field_tree, hf_tcp_option_user_to_granularity, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7181 proto_tree_add_item(field_tree, hf_tcp_option_user_to_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7185 }
7187 /* This is called for SYN+ACK packets and the purpose is to verify that
7188 * the SCPS capabilities option has been successfully negotiated for the flow.
7189 * If the SCPS capabilities option was offered by only one party, the
7190 * proactively set scps_capable attribute of the flow (set upon seeing
7191 * the first instance of the SCPS option) is revoked.
7192 */
7193 static void
7195 {
7204 }
7205 }
7206 }
7208 /* See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
7209 * Transport Protocol (SCPS-TP)" Section 3.5 for definition of the SNACK option
7210 */
7211 static int
7213 {
7240 /* The SNACK option reports missing data with a granularity of segments. */
7251 }
7253 /* To aid analysis, we can use a simple but generally effective heuristic
7254 * to report the most likely boundaries of the missing data. If the
7255 * flow is scps_capable, we track the maximum sized segment that was
7256 * acknowledged by the receiver and use that as the reporting granularity.
7257 * This may be different from the negotiated MTU due to PMTUD or flows
7258 * that do not send max-sized segments.
7259 */
7263 /* Scale the reported offset and hole size by the largest segment acked */
7275 proto_tree_add_expert_format(field_tree, pinfo, &ei_tcp_option_snack_sequence, tvb, offset+2, 4,
7276 "SNACK Sequence %u - %u%s", hole_start, hole_end, ((tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : ""));
7280 }
7283 }
7285 enum
7286 {
7290 PROBE_VERSION_MAX
7291 };
7293 /* Probe type definition. */
7294 enum
7295 {
7307 PROBE_TYPE_MAX
7308 };
7323 };
7325 #define PROBE_OPTLEN_OFFSET 1
7327 #define PROBE_VERSION_TYPE_OFFSET 2
7328 #define PROBE_V1_RESERVED_OFFSET 3
7329 #define PROBE_V1_PROBER_OFFSET 4
7330 #define PROBE_V1_APPLI_VERSION_OFFSET 8
7331 #define PROBE_V1_PROXY_ADDR_OFFSET 8
7332 #define PROBE_V1_PROXY_PORT_OFFSET 12
7333 #define PROBE_V1_SH_CLIENT_ADDR_OFFSET 8
7334 #define PROBE_V1_SH_PROXY_ADDR_OFFSET 12
7335 #define PROBE_V1_SH_PROXY_PORT_OFFSET 16
7337 #define PROBE_V2_INFO_OFFSET 3
7339 #define PROBE_V2_INFO_CLIENT_ADDR_OFFSET 4
7340 #define PROBE_V2_INFO_STOREID_OFFSET 4
7342 #define PROBE_VERSION_MASK 0x01
7344 /* Probe Query Extra Info flags */
7345 #define RVBD_FLAGS_PROBE_LAST 0x01
7346 #define RVBD_FLAGS_PROBE_NCFE 0x04
7348 /* Probe Response Extra Info flags */
7349 #define RVBD_FLAGS_PROBE_SERVER 0x01
7350 #define RVBD_FLAGS_PROBE_SSLCERT 0x02
7351 #define RVBD_FLAGS_PROBE 0x10
7354 {
7361 static void
7363 {
7370 }
7371 }
7373 static void
7374 rvbd_probe_resp_add_info(proto_item *pitem, packet_info *pinfo, tvbuff_t *tvb, int ip_offset, uint16_t port)
7375 {
7376 proto_item_append_text(pitem, ", Server Steelhead: %s:%u", tvb_ip_to_str(pinfo->pool, tvb, ip_offset), port);
7379 }
7381 static int
7383 {
7401 /* Bogus - option length is less than what it's supposed to be for
7402 this option. */
7405 TCPOLEN_RVBD_PROBE_MIN);
7407 }
7413 proto_item_append_text(pitem, ": %s", val_to_str_const(type, rvbd_probe_type_vs, "Probe Unknown"));
7429 proto_tree_add_item(field_tree, hf_tcp_option_rvbd_probe_reserved, tvb, offset + PROBE_V1_RESERVED_OFFSET, 1, ENC_BIG_ENDIAN);
7439 {
7443 ENC_BIG_ENDIAN);
7445 proto_item_append_text(pitem, ", CSH IP: %s", tvb_ip_to_str(pinfo->pool, tvb, offset + PROBE_V1_PROBER_OFFSET));
7447 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7449 {
7451 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7452 }
7457 }
7475 ENC_BIG_ENDIAN);
7486 }
7487 }
7500 /* Use version1 for filtering purposes because version2 packet
7501 value is 0, but filtering is usually done for value 2 */
7518 hf_tcp_option_rvbd_probe_flag_not_cfe,
7521 hf_tcp_option_rvbd_probe_flag_last_notify,
7525 {
7527 {
7528 rvbd_option_data* option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7530 {
7532 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7533 }
7536 }
7550 }
7557 }
7568 hf_tcp_option_rvbd_probe_flag_probe_cache,
7571 hf_tcp_option_rvbd_probe_flag_sslcert,
7574 hf_tcp_option_rvbd_probe_flag_server_connected,
7583 }
7584 }
7587 }
7599 };
7601 /* Trpy Flags */
7602 #define RVBD_FLAGS_TRPY_MODE 0x0001
7603 #define RVBD_FLAGS_TRPY_OOB 0x0002
7604 #define RVBD_FLAGS_TRPY_CHKSUM 0x0004
7605 #define RVBD_FLAGS_TRPY_FW_RST 0x0100
7606 #define RVBD_FLAGS_TRPY_FW_RST_INNER 0x0200
7607 #define RVBD_FLAGS_TRPY_FW_RST_PROBE 0x0400
7611 "Full Transparency"
7612 };
7614 static int
7616 {
7630 NULL
7631 };
7647 proto_tree_add_bitmask_with_flags(field_tree, tvb, offset + TRPY_OPTIONS_OFFSET, hf_tcp_option_rvbd_trpy_flags,
7668 /* Client port only set on SYN: optlen == 18 */
7673 /* Despite that we have the right TCP ports for other protocols,
7674 * the data is related to the Riverbed Optimization Protocol and
7675 * not understandable by normal protocol dissectors. If the sport
7676 * protocol is available then use that, otherwise just output it
7677 * as a hex-dump.
7678 */
7684 }
7690 }
7691 }
7694 }
7696 /* Started as a copy of dissect_ip_tcp_options(), but was changed to support
7697 options as a dissector table */
7698 static void
7702 {
7707 dissector_handle_t option_dissector;
7717 proto_tree_add_expert_format(opt_tree, pinfo, &ei_tcp_non_zero_bytes_after_eol, tvb, offset, length,
7720 }
7726 /* We assume that the only options with no length are EOL and
7727 NOP options, so that we can treat unknown options as having
7728 a minimum length of 2, and at least be able to move on to
7729 the next option by using the length in the option. */
7737 /* Count number of NOP in a row within a uint32 */
7738 nop_count++;
7742 }
7745 }
7748 }
7753 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s", proto_get_protocol_short_name(find_protocol_by_id(local_proto)));
7762 }
7764 /* Option has a length. Is it in the packet? */
7766 /* Bogus - packet must at least include option code byte and
7767 length byte! */
7771 }
7777 /* Bogus - option length is too short to include option code and
7778 option length. */
7784 /* Bogus - option goes past the end of the header. */
7789 }
7792 {
7795 {
7797 }
7805 }
7806 }
7809 {
7811 {
7813 }
7815 {
7817 }
7818 }
7819 }
7821 /* Determine if there is a sub-dissector and call it; return true
7822 if there was a sub-dissector, false otherwise.
7824 This has been separated into a stand alone routine to other protocol
7825 dissectors can call to it, e.g., SOCKS. */
7830 /* this function can be called with tcpd==NULL as from the msproxy dissector */
7831 bool
7835 {
7844 /* Don't call subdissectors for keepalives. Even though they do contain
7845 * payload "data", it's just garbage. Display any data the keepalive
7846 * packet might contain though.
7847 */
7853 }
7854 }
7859 /* Don't try to dissect a retransmission high chance that it will mess
7860 * subdissectors for protocols that require in-order delivery of the
7861 * PDUs. (i.e. DCE/RPCoverHTTP and encryption)
7862 * If OoO reassembly is enabled and if this segment was previously lost,
7863 * then this retransmission could have finished reassembly, so continue.
7864 * XXX should this option be removed? "tcp_reassemble_out_of_order"
7865 * should have addressed the above in-order requirement.
7866 */
7868 }
7874 /* determine if this packet is part of a conversation and call dissector */
7875 /* for the conversation if available */
7882 }
7884 /* If the user has manually configured one of the server, low, or high
7885 * ports to a dissector other than the default (via Decode As or the
7886 * preferences associated with Decode As), try those first, in that order.
7887 */
7891 if (dissector_try_uint_with_data(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7895 }
7897 /* The default; try it later */
7899 }
7900 }
7902 /* Prevent the client port number being used for selecting the dissector
7903 when we have seen the SYN or SYN/ACK (and therefor tcpd->server_port
7904 is defined)
7905 Use the preference Clientport dissectors to keep dissecting certain
7906 protocols based on the client port instead of the server port
7907 Port 20 for active ftp data transfers being the default. */
7913 }
7918 }
7919 }
7920 }
7928 }
7933 if (dissector_try_uint_with_data(subdissector_table, low_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7937 }
7939 /* The default; try it later */
7941 }
7942 }
7947 if (dissector_try_uint_with_data(subdissector_table, high_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7951 }
7953 /* The default; try it later */
7955 }
7956 }
7959 /* do lookup with the heuristic subdissector table */
7960 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
7964 }
7965 }
7967 /* Do lookups with the subdissector table.
7968 Try the server port captured on the SYN or SYN|ACK packet. After that
7969 try the port number with the lower value first, followed by the
7970 port number with the higher value. This means that, for packets
7971 where a dissector is registered for *both* port numbers:
7973 1) we pick the same dissector for traffic going in both directions;
7975 2) we prefer the port number that's more likely to be the right
7976 one (as that prefers well-known ports to reserved ports);
7978 although there is, of course, no guarantee that any such strategy
7979 will always pick the right port number.
7981 XXX - we ignore port numbers of 0, as some dissectors use a port
7982 number of 0 to disable the port. */
7985 dissector_try_uint_with_data(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7989 }
7992 dissector_try_uint_with_data(subdissector_table, low_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7996 }
7998 dissector_try_uint_with_data(subdissector_table, high_port, next_tvb, pinfo, tree, true, tcpinfo)) {
8002 }
8005 /* do lookup with the heuristic subdissector table */
8006 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
8010 }
8011 }
8013 /*
8014 * heuristic / conversation / port registered dissectors rejected the packet;
8015 * make sure they didn't also request desegmentation (we could just override
8016 * the request, but rejecting a packet *and* requesting desegmentation is a sign
8017 * of the dissector's code needing clearer thought, so we fail so that the
8018 * problem is made more obvious).
8019 */
8023 /* Oh, well, we don't know this; dissect it as data. */
8034 }
8036 }
8038 static void
8043 {
8046 TRY {
8048 /*qqq see if it is an unaligned PDU */
8053 }
8054 }
8055 }
8056 /* if offset is -1 this means that this segment is known
8057 * to be fully inside a previously detected pdu
8058 * so we don't even need to try to dissect it either.
8059 */
8063 /*
8064 * We succeeded in handing off to a subdissector.
8065 *
8066 * Is this a TCP segment or a reassembled chunk of
8067 * TCP payload?
8068 */
8070 /* if !visited, check want_pdu_tracking and
8071 store it in table */
8076 pinfo,
8077 seq,
8080 }
8081 }
8082 }
8083 }
8084 }
8085 CATCH_ALL {
8086 /* We got an exception. At this point the dissection is
8087 * completely aborted and execution will be transferred back
8088 * to (probably) the frame dissector.
8089 * Here we have to place whatever we want the dissector
8090 * to do before aborting the tcp dissection.
8091 */
8092 /*
8093 * Is this a TCP segment or a reassembled chunk of TCP
8094 * payload?
8095 */
8097 /*
8098 * It's from a TCP segment.
8099 *
8100 * if !visited, check want_pdu_tracking and store it
8101 * in table
8102 */
8106 seq,
8109 }
8110 }
8111 }
8112 RETHROW;
8113 }
8114 ENDTRY;
8115 }
8117 void
8122 {
8131 /* Can we desegment this segment? */
8133 /* Yes. */
8137 /* No - just call the subdissector.
8138 Mark this as fragmented, so if somebody throws an exception,
8139 we don't report it as a malformed frame. */
8146 }
8147 }
8149 static bool
8150 capture_tcp(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header)
8151 {
8168 }
8178 /* We've at least identified one type of packet, so this shouldn't be "other" */
8180 }
8190 {
8194 }
8196 static int
8198 {
8246 }
8257 /* If we're dissecting the headers of a TCP packet in an ICMP packet
8258 * then go ahead and put the sequence numbers in the tree now (because
8259 * they won't be put in later because the ICMP packet only contains up
8260 * to the sequence number).
8261 * We should only need to do this for IPv4 since IPv6 will hopefully
8262 * carry enough TCP payload for this dissector to put the sequence
8263 * numbers in via the regular code path.
8264 */
8265 {
8273 }
8274 }
8275 }
8276 }
8278 /* Set the source and destination port numbers as soon as we get them,
8279 so that they're available to the "Follow TCP Stream" code even if
8280 we throw an exception dissecting the rest of the TCP header. */
8285 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_sport));
8286 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_dport));
8296 /* find(or create if needed) the conversation for this tcp session
8297 * This is a slight deviation from find_or_create_conversation so it's
8298 * done manually. This is done to avoid conversation overlapping when
8299 * reusing ports (see issue 15097), as find_or_create_conversation automatically
8300 * extends the conversation found. This extension is done later.
8301 */
8307 }
8312 /* If this is a SYN packet, then check if its seq-nr is different
8313 * from the base_seq of the retrieved conversation. If this is the
8314 * case, create a new conversation with the same addresses and ports
8315 * and set the TA_PORTS_REUSED flag. (XXX: There is a small chance
8316 * that this is an old duplicate SYN received after the connection
8317 * is ESTABLISHED on both sides, the other side will respond with
8318 * an appropriate ACK, and this SYN ought to be ignored rather than
8319 * create a new conversation.)
8320 *
8321 * If the seq-nr is the same as the base_seq, it might be a simple
8322 * retransmission, reattempting a handshake that was reset (due
8323 * to a half-open connection) with the same sequence number, or
8324 * (unlikely) a new connection that happens to use the same sequence
8325 * number as the previous one (#18333).
8326 *
8327 * If we have received a RST or FIN on the retrieved conversation,
8328 * we can detect that unlikely case, and create a new conversation
8329 * in order to clear out the follow info, sequence analysis,
8330 * desegmentation, etc.
8331 * If not, it's probably a retransmission, and will be marked
8332 * as one later, but restore some flow values to reduce the
8333 * sequence analysis warnings if our capture file is missing a RST
8334 * or FIN segment that was present on the network.
8335 *
8336 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8337 */
8340 if(tcph->th_seq!=tcpd->fwd->base_seq || (tcpd->conversation_completeness & TCP_COMPLETENESS_RST) || (tcpd->conversation_completeness & TCP_COMPLETENESS_FIN)) {
8348 /* As above, a new conversation starting with a SYN implies conversation completeness value 1 */
8351 /*
8352 * Sometimes we need to restore the nextseq value.
8353 * As stated in RFC 793 3.4 a RST packet might be
8354 * sent with SEQ being equal to the ACK received,
8355 * thus breaking our flow monitoring. (issue 17616)
8356 */
8359 }
8363 }
8365 /*
8366 * TCP_S_BASE_SEQ_SET being not set, we are dealing with a new conversation,
8367 * either created ad hoc above (general case), or by a higher protocol such as FTP.
8368 * Track this information, as the Completeness value will be initialized later.
8369 * See issue 19092.
8370 */
8372 }
8373 tcpd->had_acc_ecn_setup_syn = (tcph->th_flags & (TH_AE|TH_CWR|TH_ECE)) == (TH_AE|TH_CWR|TH_ECE);
8374 }
8376 /* Handle cases of a SYN/ACK packet where there's evidence of a new
8377 * conversation but the capture is missing the SYN packet of the
8378 * new conversation.
8379 *
8380 * If this is a SYN/ACK packet, then check if its seq-nr is different
8381 * from the base_seq of the retrieved conversation. If this is the
8382 * case, create a new conversation as above with a SYN packet, and set
8383 * the TA_PORTS_REUSED flag and override the base seq.
8384 * If the seq-nr is the same as the base_seq, then do nothing so it
8385 * will be marked as a retransmission later, unless we have received
8386 * a RST or FIN on the conversation (in which case this is the case
8387 * of a RST followed by the same initial sequence number being picked.)
8388 *
8389 * If this is an unacceptable SYN-ACK and the other side believes that
8390 * the conversation is ESTABLISHED, it will be replied to with an
8391 * empty ACK with the current sequence number (according to the other
8392 * side.) See RFC 9293 3.5.2. This *probably* leads to a situation where
8393 * the side sending this SYN-ACK then issues a RST, because the two
8394 * sides have different ideas about the connection state. It's not clear
8395 * how to handle the annoying edge case where A sends a SYN, B responds
8396 * with a SYN-ACK that A intends to accept, but before A can finish
8397 * the handshake B responds with another SYN-ACK _with a different seq-nr_
8398 * instead of retransmitting, then A responds accepting the first SYN-ACK,
8399 * and then B goes on happily using the sequence number from the first
8400 * SYN-ACK, forgetting all about the second one it sent instead of sending
8401 * a RST. In such a case we'll have changed the seq-nr to the new one
8402 * and/or set up a new conversation instead of just ignoring that SYN-ACK.
8403 *
8404 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8405 */
8411 /* the retrieved conversation might have a different base_seq (issue 16944) */
8420 /* As above, a new conversation */
8422 }
8425 }
8427 /* Do we need to calculate timestamps relative to the tcp-stream? */
8429 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8431 /* Calculate the timestamps relative to this conversation */
8433 }
8434 }
8444 }
8446 /* Display the completeness of this TCP conversation */
8454 NULL};
8463 item = proto_tree_add_string(field_tree, hf_tcp_completeness_str, tvb, 0, 0, flags_str_first_letter);
8466 /* Copy the stream index into the header as well to make it available
8467 * to tap listeners.
8468 */
8471 /* Copy the stream index into pinfo as well to make it available
8472 * to callback functions (essentially conversation following events in GUI)
8473 */
8476 /* initialize the SACK blocks seen to 0 */
8479 }
8480 }
8482 /* is there any manual analysis waiting ? */
8484 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8486 }
8488 /* We have have the absolute sequence numbers (we would have thrown an
8489 * exception if not) and tcpd, so set relative sequence numbers now. */
8491 /* XXX - Why not in an error packet? */
8493 /* initialize base_seq numbers if needed */
8495 /* if this is the first segment for this list we need to store the
8496 * base_seq
8497 * We use TCP_S_SAW_SYN/SYNACK to distinguish between client and server
8498 *
8499 * Start relative seq and ack numbers at 1 if this
8500 * is not a SYN packet. This makes the relative
8501 * seq/ack numbers to be displayed correctly in the
8502 * event that the SYN or SYN/ACK packet is not seen
8503 * (this solves bug 1542)
8504 */
8509 }
8512 }
8514 }
8516 /* Only store reverse sequence if this isn't the SYN
8517 * There's no guarantee that the ACK field of a SYN
8518 * contains zeros; get the ISN from the first segment
8519 * with the ACK bit set instead (usually the SYN/ACK).
8520 *
8521 * If the SYN and SYN/ACK were received out-of-order,
8522 * the ISN is ack-1. If we missed the SYN/ACK, but got
8523 * the last ACK of the 3WHS, the ISN is ack-1. For all
8524 * other packets the ISN is unknown, so ack-1 is
8525 * as good a guess as ack.
8526 */
8530 }
8531 }
8536 }
8537 }
8538 }
8540 /*
8541 * If we've been handed an IP fragment, we don't know how big the TCP
8542 * segment is, so don't do anything that requires that we know that.
8543 *
8544 * The same applies if we're part of an error packet. (XXX - if the
8545 * ICMP and ICMPv6 dissectors could set a "this is how big the IP
8546 * header says it is" length in the tvbuff, we could use that; such
8547 * a length might also be useful for handling packets where the IP
8548 * length is bigger than the actual data available in the frame; the
8549 * dissectors should trust that length, and then throw a
8550 * ReportedBoundsError exception when they go past the end of the frame.)
8551 *
8552 * We also can't determine the segment length if the reported length
8553 * of the TCP packet is less than the TCP header length.
8554 */
8560 "Short segment. Segment/fragment does not contain a full TCP header"
8566 /* Compute the length of data in this segment. */
8573 /* handle TCP seq# analysis parse all new segments we see */
8574 /* We need the window size to perform sequence analysis.
8575 * (Zero is a possible value treated specially. */
8578 /* Get it on every pass so that dissection is the same. */
8582 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8583 tcp_analyze_sequence_number(pinfo, tcph->th_rawseq, tcph->th_rawack, tcph->th_seglen, tcph->th_flags, tcph->th_win, tcpd, tcppd);
8584 }
8585 /* load the tcppd data as it may contain 'volatile' data such as Karn's indications */
8587 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8588 }
8589 }
8591 /* Compute the sequence number of next octet after this segment. */
8593 }
8597 /*
8598 * Decode the ECN related flags as ACE if it is not a SYN segment,
8599 * and an AccECN-setup SYN and SYN ACK have been observed, or an
8600 * AccECN option was observed (this covers the case where Wireshark
8601 * did not observe the initial handshake).
8602 */
8612 COL_ADD_LSTR_TERMINATOR);
8619 }
8623 proto_tree_add_uint_format_value(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "%u (relative sequence number)", tcph->th_seq);
8629 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_time, tvb, (offset + 4) * 8, 5, ENC_NA);
8630 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_mss, tvb, (offset + 4) * 8 + 5, 3, ENC_NA);
8632 }
8636 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_seq_abs, tvb, offset + 4, 4, tcph->th_rawseq);
8638 }
8639 }
8642 /* Give up at this point; we put the source and destination port in
8643 the tree, before fetching the header length, so that they'll
8644 show up if this is in the failing packet in an ICMP error packet,
8645 but it's now time to give up if the header length is bogus. */
8649 tf = proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8654 }
8658 }
8660 /* Now we certainly have enough information to be willing to send
8661 * the header information to the tap. The options can add information
8662 * about the SACKs, but the other taps don't really *require* that.
8663 * Add a CLEANUP function so that the tap_queue_packet gets called
8664 * if any exception is thrown.
8665 *
8666 * XXX - We haven't necessarily retrieved the window size yet. We'll
8667 * try to do so before sending it to the tap, but if the header is
8668 * truncated to 14 octets, the taps will receive a window size of 0.
8669 * Can they handle it with minimal problems?
8670 */
8677 /* initialize or move forward the conversation completeness */
8684 }
8685 }
8686 }
8688 /* Explicitly and immediately move forward the conversation last_frame,
8689 * although it would one way or another be changed later
8690 * in the conversation helper functions.
8691 */
8695 }
8696 }
8699 }
8701 /* SYN-ACK */
8704 }
8706 /* ACKs */
8710 }
8713 }
8714 }
8716 /* FIN-ACK */
8719 }
8721 /* RST */
8722 /* XXX: A RST segment should be validated (RFC 9293 3.5.3),
8723 * and if not valid should not change the conversation state.
8724 */
8727 }
8729 /* Store the completeness at the conversation level,
8730 * both as numerical and as Flag First Letters string, to avoid
8731 * computing many times the same thing.
8732 */
8736 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8737 }
8738 }
8741 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8742 }
8743 }
8748 }
8751 }
8756 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq + 1, "%u (relative sequence number)", nxtseq + 1);
8758 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq, "%u (relative sequence number)", nxtseq);
8759 }
8765 }
8766 }
8768 }
8771 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_ack_abs, tvb, offset + 8, 4, tcph->th_rawack);
8777 }
8784 }
8785 }
8787 /* Note if the ACK field is non-zero */
8790 }
8791 }
8794 // This should be consistent with ip.hdr_len.
8795 proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8808 ace);
8813 }
8817 tf_rst = proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
8818 tf_syn = proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
8819 tf_fin = proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
8821 tf = proto_tree_add_string(field_tree, hf_tcp_flags_str, tvb, offset + 12, 2, flags_str_first_letter);
8823 }
8829 /* Save the server port to help determine dissector used */
8831 }
8835 /* Save the server port to help determine dissector used */
8838 }
8839 /* Remember where the next segment will start. */
8843 }
8844 }
8845 /* Initialize the is_first_ack */
8847 }
8849 /* XXX - find a way to know the server port and output only that one */
8852 /* Track closing initiator.
8853 If it was not already closed by the reverse flow, it means we are the first */
8859 }
8860 }
8862 /* XXX - find a way to know the server port and output only that one */
8865 }
8870 /* If all of the following:
8871 * - we care (the pref is set)
8872 * - this is a pure ACK
8873 * - we have a timestamp for the most-recently-transmitted SYN
8874 * - we haven't seen a pure ACK yet (no ts_first_rtt stored)
8875 * then assume it's the last part of the handshake and store the initial
8876 * RTT time
8877 */
8879 }
8881 /*
8882 * Remember if we have already seen at least one ACK,
8883 * then we can neutralize the Window Scale side-effect at the beginning (issue 14690)
8884 */
8889 }
8890 }
8894 /* re-calculate window size based on scaling factor */
8898 }
8900 /* i.e. Unknown, but wasn't signalled with no scaling, so use preference setting instead! */
8903 }
8904 }
8905 }
8910 /* As discussed in bug 5541, it is better to use two separate
8911 * fields for the real and calculated window size.
8912 */
8915 /* Check if the window value of this reset packet is in the NetScaler error code range */
8916 const char *tcp_ns_reset_window_error_descr = try_val_to_str(real_window, netscaler_reset_window_error_code_vals);
8921 }
8922 }
8923 scaled_pi = proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win);
8930 /* Unknown */
8931 {
8935 /* Use preference setting (if set) */
8939 }
8941 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2,
8943 win_scale,
8946 }
8950 /* No window scaling used */
8951 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, tcpd->fwd->win_scale, "%d (no window scaling used)", tcpd->fwd->win_scale);
8956 /* Scaling from signalled value */
8957 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, 1<<tcpd->fwd->win_scale, "%d", 1<<tcpd->fwd->win_scale);
8959 }
8960 }
8961 }
8963 /* Supply the sequence number of the first byte and of the first byte
8964 after the segment. */
8969 /* Assume we'll pass un-reassembled data to subdissectors. */
8972 /*
8973 * Assume, initially, that we can't desegment.
8974 */
8978 /* The packet isn't part of an un-reassembled fragmented datagram
8979 and isn't truncated. This means we have all the data, and thus
8980 can checksum it and, unless it's being returned in an error
8981 packet, are willing to allow subdissectors to request reassembly
8982 on it. */
8985 /* We haven't turned checksum checking off; checksum it. */
8987 /* Set up the fields of the pseudo-header. */
9004 /* TCP runs only atop IPv4 and IPv6.... */
9007 }
9008 /* See discussion in packet-udp.c of partial checksums used in
9009 * checksum offloading in Linux and Windows (and possibly others.)
9010 */
9023 /* XXX - What should this special status be? */
9031 /* Checksum is treated as valid on most systems, so we're willing to desegment it. */
9037 /* Don't use PROTO_CHECKSUM_IN_CKSUM because we expect the value
9038 * to match what we pass in. */
9039 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, g_htons(partial_cksum),
9041 proto_item_append_text(item, " (matches partial checksum, not 0x%04x, likely caused by \"TCP checksum offload\")", shouldbe_cksum);
9044 /* XXX Add a new status, e.g. PROTO_CHECKSUM_E_PARTIAL? */
9046 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, computed_cksum,
9048 }
9054 /* Checksum is valid, so we're willing to desegment it. */
9060 /* Checksum is invalid, so we're not willing to desegment it. */
9064 }
9065 }
9067 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
9070 /* We didn't check the checksum, and don't care if it's valid,
9071 so we're willing to desegment it. */
9073 }
9075 /* We don't have all the packet data, so we can't checksum it... */
9076 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
9079 /* ...and aren't willing to desegment it. */
9081 }
9084 /* We're willing to desegment this. Is desegmentation enabled? */
9086 /* Yes - is this segment being returned in an error packet? */
9088 /* No - indicate that we will desegment.
9089 We do NOT want to desegment segments returned in error
9090 packets, as they're not part of a TCP connection. */
9092 }
9093 }
9094 }
9096 item = proto_tree_add_item_ret_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, ENC_BIG_ENDIAN, &th_urp);
9099 /* Export the urgent pointer, for the benefit of protocols such as
9100 rlogin. */
9105 /* Note if the urgent pointer field is non-zero */
9107 }
9108 }
9113 /* If there's more than just the fixed-length header (20 bytes), create
9114 a protocol tree item for the options. (We already know there's
9115 not less than the fixed-length header - we checked that above.)
9117 We ensure that we don't throw an exception here, so that we can
9118 do some analysis before we dissect the options and possibly
9119 throw an exception. (Trying to avoid throwing an exception when
9120 dissecting options is not something we should do.) */
9132 }
9133 }
9137 /* handle conversation timestamps */
9140 }
9142 /* Now dissect the options. */
9150 /* Do some post evaluation of some Riverbed probe options in the list */
9151 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
9153 {
9155 {
9156 /* Distinguish S+ from S+* */
9160 }
9161 }
9163 }
9165 /* Handle default MSS values for IPv4 and IPv6
9166 * If MSS is still -1 after dissecting the options,
9167 * apply the default values (as per RFC 9293).
9168 */
9185 }
9186 }
9188 /* If SYN (and hence MSS value) for that direction is missing,
9189 * the default MSS value might not be realistic */
9192 }
9194 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
9198 /* May need to recover absolute values here... */
9203 }
9204 }
9206 }
9210 /* Check the validity of the window scale value
9211 */
9213 }
9216 /* If the SYN or the SYN+ACK offered SCPS capabilities,
9217 * validate the flow's bidirectional scps capabilities.
9218 * The or protects against broken implementations offering
9219 * SCPS capabilities on SYN+ACK even if it wasn't offered with the SYN
9220 */
9223 }
9225 }
9226 }
9232 }
9233 }
9235 /* Skip over header + options */
9238 /* Check the packet length to see if there's more data
9239 (it could be an ACK-only packet) */
9251 }
9252 }
9254 /* Nothing more to add to tcph, go ahead and send to the taps. */
9255 CLEANUP_CALL_AND_POP;
9257 /* if it is an MPTCP packet */
9260 }
9262 /* If we're reassembling something whose length isn't known
9263 * beforehand, and that runs all the way to the end of
9264 * the data stream, a FIN indicates the end of the data
9265 * stream and thus the completion of reassembly, so we
9266 * need to explicitly check for that here.
9267 */
9273 /* Is this the FIN that ended the data stream or is it a
9274 * retransmission of that FIN?
9275 */
9277 /* Either we haven't seen a FIN for this flow or we
9278 * have and it's this frame. Note that this is the FIN
9279 * for this flow, terminate reassembly and dissect the
9280 * results. */
9282 msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, tcph->th_seq);
9291 if(ipfd_head && ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
9294 /* create a new TVB structure for desegmented data
9295 * datalen-1 to strip the dummy FIN byte off
9296 */
9299 /* add desegmented data to the data source list */
9302 /* Show details of the reassembly */
9305 /* call the payload dissector
9306 * but make sure we don't offer desegmentation any more
9307 */
9310 process_tcp_payload(next_tvb, 0, pinfo, tree, tcp_tree, tcph->th_sport, tcph->th_dport, tcph->th_seq,
9314 }
9315 }
9317 /* Yes. This is a retransmission of the final FIN (or it's
9318 * the final FIN transmitted via a different path).
9319 * XXX - we need to flag retransmissions a bit better.
9320 */
9322 }
9323 }
9325 if (tcp_display_process_info && tcpd && ((tcpd->fwd && tcpd->fwd->process_info && tcpd->fwd->process_info->command) ||
9327 field_tree = proto_tree_add_subtree(tcp_tree, tvb, offset, 0, ett_tcp_process_info, &ti, "Process Information");
9330 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_uid, tvb, 0, 0, tcpd->fwd->process_info->process_uid);
9331 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_pid, tvb, 0, 0, tcpd->fwd->process_info->process_pid);
9332 proto_tree_add_string(field_tree, hf_tcp_proc_dst_uname, tvb, 0, 0, tcpd->fwd->process_info->username);
9333 proto_tree_add_string(field_tree, hf_tcp_proc_dst_cmd, tvb, 0, 0, tcpd->fwd->process_info->command);
9334 }
9336 proto_tree_add_uint(field_tree, hf_tcp_proc_src_uid, tvb, 0, 0, tcpd->rev->process_info->process_uid);
9337 proto_tree_add_uint(field_tree, hf_tcp_proc_src_pid, tvb, 0, 0, tcpd->rev->process_info->process_pid);
9338 proto_tree_add_string(field_tree, hf_tcp_proc_src_uname, tvb, 0, 0, tcpd->rev->process_info->username);
9339 proto_tree_add_string(field_tree, hf_tcp_proc_src_cmd, tvb, 0, 0, tcpd->rev->process_info->command);
9340 }
9341 }
9343 /*
9344 * XXX - what, if any, of this should we do if this is included in an
9345 * error packet? It might be nice to see the details of the packet
9346 * that caused the ICMP error, but it might not be nice to have the
9347 * dissector update state based on it.
9348 * Also, we probably don't want to run TCP taps on those packets.
9349 */
9352 /*
9353 * RFC1122 says:
9354 *
9355 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
9356 *
9357 * A TCP SHOULD allow a received RST segment to include data.
9358 *
9359 * DISCUSSION
9360 * It has been suggested that a RST segment could contain
9361 * ASCII text that encoded and explained the cause of the
9362 * RST. No standard has yet been established for such
9363 * data.
9364 *
9365 * so for segments with RST we just display the data as text.
9366 */
9367 proto_tree_add_item(tcp_tree, hf_tcp_reset_cause, tvb, offset, captured_length_remaining, ENC_NA|ENC_ASCII);
9369 /* When we have a frame with TCP SYN bit set and segmented TCP payload we need
9370 * to increment seq and nxtseq to detect the overlapping byte(s). This is to fix Bug 9882.
9371 */
9378 }
9379 }
9380 }
9382 }
9384 static void
9386 {
9389 /* MPTCP init */
9392 }
9394 void
9396 {
9479 // "Data Offset" in https://tools.ietf.org/html/rfc793#section-3.1 and
9480 // "Data offset" in https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
9541 /* 32 bits so we can present some values adjusted to window scaling */
9555 { "Checksum Status", "tcp.checksum.status", FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
9579 { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_DUP_ACK), 0x0,
9583 { "This is a continuation to the PDU in frame", "tcp.continuation_to", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9591 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_ACK), 0x0,
9599 { "Bytes sent since last PSH flag", "tcp.analysis.push_bytes_sent", FT_UINT32, BASE_DEC, NULL, 0x0,
9603 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
9615 { "RTO based on delta from frame", "tcp.analysis.rto_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9627 { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9631 { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9672 BASE_DEC, NULL, 0x0, "Length of this TCP option in bytes (including kind and length fields)", HFILL }},
9763 { "Do not attempt to establish new subflows to this address and port", "tcp.options.mptcp.nomoresubflows.flag", FT_UINT8,
9783 { "Data Sequence Number, Subflow Sequence Number, Data-level Length, Checksum present", "tcp.options.mptcp.dseqnpresent.flag", FT_UINT8,
10102 RVBD_FLAGS_TRPY_FW_RST_PROBE,
10104 HFILL }},
10109 RVBD_FLAGS_TRPY_FW_RST_INNER,
10110 "Reset state created by transparent inner on all firewalls"
10112 HFILL }},
10117 RVBD_FLAGS_TRPY_FW_RST,
10118 "Reset state created by probe on all firewalls before "
10165 { "Time until the last segment of this PDU", "tcp.pdu.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10177 { "Time since first frame in this TCP stream", "tcp.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10181 { "Time since previous frame in this TCP stream", "tcp.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10233 { "Retransmission of FIN from frame", "tcp.fin_retransmission", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
10253 { "SYN Cookie Timestamp", "tcp.options.timestamp.tsval.syncookie.timestamp", FT_UINT32, BASE_DEC, NULL, 0x0,
10257 { "SYN Cookie ECN", "tcp.options.timestamp.tsval.syncookie.ecn", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10261 { "SYN Cookie SACK", "tcp.options.timestamp.tsval.syncookie.sack", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10265 { "SYN Cookie WScale", "tcp.options.timestamp.tsval.syncookie.wscale", FT_UINT8, BASE_DEC, NULL, 0x0,
10269 { "NetScaler TCP Reset Window Error Code", "tcp.nstrace.rst.window_error_code", FT_STRING, BASE_NONE, NULL, 0x0,
10271 };
10312 &ett_tcp_syncookie_option
10313 };
10317 &ett_mptcp_analysis_subflows
10318 };
10338 };
10347 };
10350 { &ei_tcp_opt_len_invalid, { "tcp.option.len.invalid", PI_SEQUENCE, PI_NOTE, "Invalid length for option", EXPFILL }},
10351 { &ei_tcp_analysis_retransmission, { "tcp.analysis.retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) retransmission", EXPFILL }},
10352 { &ei_tcp_analysis_fast_retransmission, { "tcp.analysis.fast_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) fast retransmission", EXPFILL }},
10353 { &ei_tcp_analysis_spurious_retransmission, { "tcp.analysis.spurious_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) spurious retransmission", EXPFILL }},
10354 { &ei_tcp_analysis_out_of_order, { "tcp.analysis.out_of_order", PI_SEQUENCE, PI_WARN, "This frame is a (suspected) out-of-order segment", EXPFILL }},
10355 { &ei_tcp_analysis_reused_ports, { "tcp.analysis.reused_ports", PI_SEQUENCE, PI_NOTE, "A new tcp session is started with the same ports as an earlier session in this trace", EXPFILL }},
10356 { &ei_tcp_analysis_lost_packet, { "tcp.analysis.lost_segment", PI_SEQUENCE, PI_WARN, "Previous segment(s) not captured (common at capture start)", EXPFILL }},
10357 { &ei_tcp_analysis_ack_lost_packet, { "tcp.analysis.ack_lost_segment", PI_SEQUENCE, PI_WARN, "ACKed segment that wasn't captured (common at capture start)", EXPFILL }},
10358 { &ei_tcp_analysis_window_update, { "tcp.analysis.window_update", PI_SEQUENCE, PI_CHAT, "TCP window update", EXPFILL }},
10359 { &ei_tcp_analysis_window_full, { "tcp.analysis.window_full", PI_SEQUENCE, PI_WARN, "TCP window specified by the receiver is now completely full", EXPFILL }},
10360 { &ei_tcp_analysis_keep_alive, { "tcp.analysis.keep_alive", PI_SEQUENCE, PI_NOTE, "TCP keep-alive segment", EXPFILL }},
10361 { &ei_tcp_analysis_keep_alive_ack, { "tcp.analysis.keep_alive_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP keep-alive segment", EXPFILL }},
10362 { &ei_tcp_analysis_duplicate_ack, { "tcp.analysis.duplicate_ack", PI_SEQUENCE, PI_NOTE, "Duplicate ACK", EXPFILL }},
10363 { &ei_tcp_analysis_zero_window_probe, { "tcp.analysis.zero_window_probe", PI_SEQUENCE, PI_NOTE, "TCP Zero Window Probe", EXPFILL }},
10364 { &ei_tcp_analysis_zero_window, { "tcp.analysis.zero_window", PI_SEQUENCE, PI_WARN, "TCP Zero Window segment", EXPFILL }},
10365 { &ei_tcp_analysis_zero_window_probe_ack, { "tcp.analysis.zero_window_probe_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP Zero Window Probe", EXPFILL }},
10366 { &ei_tcp_analysis_tfo_syn, { "tcp.analysis.tfo_syn", PI_SEQUENCE, PI_NOTE, "TCP SYN with TFO Cookie", EXPFILL }},
10367 { &ei_tcp_analysis_tfo_ack, { "tcp.analysis.tfo_ack", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK accepting TFO data", EXPFILL }},
10368 { &ei_tcp_analysis_tfo_ignored, { "tcp.analysis.tfo_ignored", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK ignoring TFO data", EXPFILL }},
10369 { &ei_tcp_analysis_partial_ack, { "tcp.analysis.partial_ack", PI_SEQUENCE, PI_NOTE, "Partial Acknowledgement of a segment", EXPFILL }},
10370 { &ei_tcp_analysis_ambiguous_ack, { "tcp.analysis.ambiguous_ack", PI_SEQUENCE, PI_NOTE, "Ambiguous ACK following Karn's definition", EXPFILL }},
10371 { &ei_tcp_connection_fin_active, { "tcp.connection.fin_active", PI_SEQUENCE, PI_NOTE, "This frame initiates the connection closing", EXPFILL }},
10372 { &ei_tcp_connection_fin_passive, { "tcp.connection.fin_passive", PI_SEQUENCE, PI_NOTE, "This frame undergoes the connection closing", EXPFILL }},
10373 { &ei_tcp_scps_capable, { "tcp.analysis.scps_capable", PI_SEQUENCE, PI_NOTE, "Connection establish request (SYN-ACK): SCPS Capabilities Negotiated", EXPFILL }},
10374 { &ei_tcp_option_sack_dsack, { "tcp.options.sack.dsack", PI_SEQUENCE, PI_WARN, "D-SACK Sequence", EXPFILL }},
10375 { &ei_tcp_option_snack_sequence, { "tcp.options.snack.sequence", PI_SEQUENCE, PI_NOTE, "SNACK Sequence", EXPFILL }},
10376 { &ei_tcp_option_wscale_shift_invalid, { "tcp.options.wscale.shift.invalid", PI_PROTOCOL, PI_WARN, "Window scale shift exceeds 14", EXPFILL }},
10377 { &ei_tcp_option_mss_absent, { "tcp.options.mss.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a MSS option", EXPFILL }},
10378 { &ei_tcp_option_mss_present, { "tcp.options.mss.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a MSS option", EXPFILL }},
10379 { &ei_tcp_option_mss_exceeded, { "tcp.options.mss.exceeded", PI_PROTOCOL, PI_NOTE, "This packet's length exceeds MSS (common with TSO or incomplete conversations)", EXPFILL }},
10380 { &ei_tcp_option_sack_perm_absent, { "tcp.options.sack_perm.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a SACK PERM option", EXPFILL }},
10381 { &ei_tcp_option_sack_perm_present, { "tcp.options.sack_perm.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a SACK PERM option", EXPFILL }},
10382 { &ei_tcp_short_segment, { "tcp.short_segment", PI_MALFORMED, PI_WARN, "Short segment", EXPFILL }},
10383 { &ei_tcp_ack_nonzero, { "tcp.ack.nonzero", PI_PROTOCOL, PI_NOTE, "The acknowledgment number field is nonzero while the ACK flag is not set", EXPFILL }},
10384 { &ei_tcp_connection_synack, { "tcp.connection.synack", PI_SEQUENCE, PI_CHAT, "Connection establish acknowledge (SYN+ACK)", EXPFILL }},
10385 { &ei_tcp_connection_syn, { "tcp.connection.syn", PI_SEQUENCE, PI_CHAT, "Connection establish request (SYN)", EXPFILL }},
10386 { &ei_tcp_connection_fin, { "tcp.connection.fin", PI_SEQUENCE, PI_CHAT, "Connection finish (FIN)", EXPFILL }},
10387 /* According to RFCs, RST is an indication of an error. Some applications use it
10388 * to terminate a connection as well, which is a misbehavior (see e.g. rfc3360)
10389 */
10390 { &ei_tcp_connection_rst, { "tcp.connection.rst", PI_SEQUENCE, PI_WARN, "Connection reset (RST)", EXPFILL }},
10391 { &ei_tcp_checksum_ffff, { "tcp.checksum.ffff", PI_CHECKSUM, PI_WARN, "TCP Checksum 0xffff instead of 0x0000 (see RFC 1624)", EXPFILL }},
10392 { &ei_tcp_checksum_partial, { "tcp.checksum.partial", PI_CHECKSUM, PI_NOTE, "Partial (pseudo header) checksum (likely caused by \"TCP checksum offload\")", EXPFILL }},
10393 { &ei_tcp_checksum_bad, { "tcp.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
10394 { &ei_tcp_urgent_pointer_non_zero, { "tcp.urgent_pointer.non_zero", PI_PROTOCOL, PI_NOTE, "The urgent pointer field is nonzero while the URG flag is not set", EXPFILL }},
10395 { &ei_tcp_suboption_malformed, { "tcp.suboption_malformed", PI_MALFORMED, PI_ERROR, "suboption would go past end of option", EXPFILL }},
10396 { &ei_tcp_nop, { "tcp.nop", PI_PROTOCOL, PI_WARN, "4 NOP in a row - a router may have removed some options", EXPFILL }},
10397 { &ei_tcp_non_zero_bytes_after_eol, { "tcp.non_zero_bytes_after_eol", PI_PROTOCOL, PI_ERROR, "Non zero bytes in option space after EOL option", EXPFILL }},
10398 { &ei_tcp_bogus_header_length, { "tcp.bogus_header_length", PI_PROTOCOL, PI_ERROR, "Bogus TCP Header length", EXPFILL }},
10399 };
10402 #if 0
10403 { &ei_mptcp_analysis_unexpected_idsn, { "mptcp.connection.unexpected_idsn", PI_PROTOCOL, PI_NOTE, "Unexpected initial sequence number", EXPFILL }},
10404 #endif
10405 { &ei_mptcp_analysis_echoed_key_mismatch, { "mptcp.connection.echoed_key_mismatch", PI_PROTOCOL, PI_WARN, "The echoed key in the ACK of the MPTCP handshake does not match the key of the SYN/ACK", EXPFILL }},
10406 { &ei_mptcp_analysis_missing_algorithm, { "mptcp.connection.missing_algorithm", PI_PROTOCOL, PI_WARN, "No crypto algorithm specified", EXPFILL }},
10407 { &ei_mptcp_analysis_unsupported_algorithm, { "mptcp.connection.unsupported_algorithm", PI_PROTOCOL, PI_WARN, "Unsupported algorithm", EXPFILL }},
10408 { &ei_mptcp_infinite_mapping, { "mptcp.dss.infinite_mapping", PI_PROTOCOL, PI_WARN, "Fallback to infinite mapping", EXPFILL }},
10409 { &ei_mptcp_mapping_missing, { "mptcp.dss.missing_mapping", PI_PROTOCOL, PI_WARN, "No mapping available", EXPFILL }},
10410 #if 0
10411 { &ei_mptcp_stream_incomplete, { "mptcp.incomplete", PI_PROTOCOL, PI_WARN, "Everything was not captured", EXPFILL }},
10412 { &ei_mptcp_analysis_dsn_out_of_order, { "mptcp.analysis.dsn.out_of_order", PI_PROTOCOL, PI_WARN, "Out of order dsn", EXPFILL }},
10413 #endif
10414 };
10473 };
10478 static decode_as_value_t tcp_da_values[3] = {{tcp_src_prompt, 1, tcp_da_src_values}, {tcp_dst_prompt, 1, tcp_da_dst_values}, {tcp_both_prompt, 2, tcp_da_both_values}};
10495 /* subdissector code */
10498 heur_subdissector_list = register_heur_dissector_list_with_description("tcp", "TCP heuristic", proto_tcp);
10502 /* Register TCP options as their own protocols so we can get the name of the option */
10503 proto_tcp_option_nop = proto_register_protocol_in_name_only("TCP Option - No-Operation (NOP)", "No-Operation (NOP)", "tcp.options.nop", proto_tcp, FT_BYTES);
10504 proto_tcp_option_eol = proto_register_protocol_in_name_only("TCP Option - End of Option List (EOL)", "End of Option List (EOL)", "tcp.options.eol", proto_tcp, FT_BYTES);
10505 proto_tcp_option_timestamp = proto_register_protocol_in_name_only("TCP Option - Timestamps", "Timestamps", "tcp.options.timestamp", proto_tcp, FT_BYTES);
10506 proto_tcp_option_mss = proto_register_protocol_in_name_only("TCP Option - Maximum segment size", "Maximum segment size", "tcp.options.mss", proto_tcp, FT_BYTES);
10507 proto_tcp_option_wscale = proto_register_protocol_in_name_only("TCP Option - Window scale", "Window scale", "tcp.options.wscale", proto_tcp, FT_BYTES);
10508 proto_tcp_option_sack_perm = proto_register_protocol_in_name_only("TCP Option - SACK permitted", "SACK permitted", "tcp.options.sack_perm", proto_tcp, FT_BYTES);
10509 proto_tcp_option_sack = proto_register_protocol_in_name_only("TCP Option - SACK", "SACK", "tcp.options.sack", proto_tcp, FT_BYTES);
10510 proto_tcp_option_echo = proto_register_protocol_in_name_only("TCP Option - Echo", "Echo", "tcp.options.echo", proto_tcp, FT_BYTES);
10511 proto_tcp_option_echoreply = proto_register_protocol_in_name_only("TCP Option - Echo reply", "Echo reply", "tcp.options.echoreply", proto_tcp, FT_BYTES);
10512 proto_tcp_option_cc = proto_register_protocol_in_name_only("TCP Option - CC", "CC", "tcp.options.cc", proto_tcp, FT_BYTES);
10513 proto_tcp_option_cc_new = proto_register_protocol_in_name_only("TCP Option - CC.NEW", "CC.NEW", "tcp.options.ccnew", proto_tcp, FT_BYTES);
10514 proto_tcp_option_cc_echo = proto_register_protocol_in_name_only("TCP Option - CC.ECHO", "CC.ECHO", "tcp.options.ccecho", proto_tcp, FT_BYTES);
10515 proto_tcp_option_ao = proto_register_protocol_in_name_only("TCP Option - TCP AO", "TCP AO", "tcp.options.ao", proto_tcp, FT_BYTES);
10516 proto_tcp_option_md5 = proto_register_protocol_in_name_only("TCP Option - TCP MD5 signature", "TCP MD5 signature", "tcp.options.md5", proto_tcp, FT_BYTES);
10517 proto_tcp_option_scps = proto_register_protocol_in_name_only("TCP Option - SCPS capabilities", "SCPS capabilities", "tcp.options.scps", proto_tcp, FT_BYTES);
10518 proto_tcp_option_snack = proto_register_protocol_in_name_only("TCP Option - Selective Negative Acknowledgment", "Selective Negative Acknowledgment", "tcp.options.snack", proto_tcp, FT_BYTES);
10519 proto_tcp_option_scpsrec = proto_register_protocol_in_name_only("TCP Option - SCPS record boundary", "SCPS record boundary", "tcp.options.scpsrec", proto_tcp, FT_BYTES);
10520 proto_tcp_option_scpscor = proto_register_protocol_in_name_only("TCP Option - SCPS corruption experienced", "SCPS corruption experienced", "tcp.options.scpscor", proto_tcp, FT_BYTES);
10521 proto_tcp_option_qs = proto_register_protocol_in_name_only("TCP Option - Quick-Start", "Quick-Start", "tcp.options.qs", proto_tcp, FT_BYTES);
10522 proto_tcp_option_user_to = proto_register_protocol_in_name_only("TCP Option - User Timeout", "User Timeout", "tcp.options.user_to", proto_tcp, FT_BYTES);
10523 proto_tcp_option_tfo = proto_register_protocol_in_name_only("TCP Option - TCP Fast Open", "TCP Fast Open", "tcp.options.tfo", proto_tcp, FT_BYTES);
10524 proto_tcp_option_acc_ecn = proto_register_protocol_in_name_only("TCP Option - Accurate ECN", "Accurate ECN", "tcp.options.acc_ecn", proto_tcp, FT_BYTES);
10525 proto_tcp_option_rvbd_probe = proto_register_protocol_in_name_only("TCP Option - Riverbed Probe", "Riverbed Probe", "tcp.options.rvbd.probe", proto_tcp, FT_BYTES);
10526 proto_tcp_option_rvbd_trpy = proto_register_protocol_in_name_only("TCP Option - Riverbed Transparency", "Riverbed Transparency", "tcp.options.rvbd.trpy", proto_tcp, FT_BYTES);
10527 proto_tcp_option_exp = proto_register_protocol_in_name_only("TCP Option - Experimental", "Experimental", "tcp.options.experimental", proto_tcp, FT_BYTES);
10528 proto_tcp_option_unknown = proto_register_protocol_in_name_only("TCP Option - Unknown", "Unknown", "tcp.options.unknown", proto_tcp, FT_BYTES);
10532 /* Register configuration preferences */
10540 "Whether to validate the TCP checksum or not. "
10549 "Whether out-of-order segments should be buffered and reordered before passing it to a subdissector. "
10554 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
10558 "Make the TCP dissector use relative sequence numbers instead of absolute ones. "
10569 "Make the TCP dissector use this scaling factor for streams where the signalled scaling factor "
10573 /* Presumably a retired, unconditional version of what has been added back with the preference above... */
10578 "Make the TCP dissector track the number on un-ACKed bytes of data are in flight per packet. "
10580 "This takes a lot of memory but allows you to track how much data are in flight at a time and graphing it in io-graphs",
10584 "Evaluate BiF on actual sequence numbers or use the historical method based on payloads (default). "
10589 "Calculate relative packet number and timestamps relative to the first frame and the previous frame in the tcp conversation",
10593 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
10611 "Assume TCP Experimental Options (253, 254) have an Experiment Identifier and use it for dissection",
10630 register_conversation_table(proto_tcp, false, tcpip_conversation_packet, tcpip_endpoint_packet);
10633 register_seq_analysis("tcp", "TCP Flows", proto_tcp, NULL, TL_REQUIRES_NOTHING, tcp_seq_analysis_packet);
10635 /* considers MPTCP as a distinct protocol (even if it's a TCP option) */
10636 proto_mptcp = proto_register_protocol("Multipath Transmission Control Protocol", "MPTCP", "mptcp");
10641 /* Register configuration preferences */
10658 "Scales logarithmically with the number of packets"
10659 "You need to capture the handshake for this to work."
10665 "(Greedy algorithm: Scales linearly with number of subflows and"
10666 " logarithmic scaling with number of packets)"
10670 range_convert_str(wmem_epan_scope(), &tcp_clientport_dissectors_range, TCP_DEFAULT_CLIENTPORT_DISSECTORS, 65535);
10671 prefs_register_range_preference(tcp_module, "clientport_dissectors", "Client port dissectors",
10672 "Ports for which the dissector will to be chosen based on the client port instead of the server port",
10675 register_conversation_table(proto_mptcp, false, mptcpip_conversation_packet, tcpip_endpoint_packet);
10676 register_follow_stream(proto_tcp, "tcp_follow", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
10682 }
10684 void
10686 {
10694 /* Create dissection function handles for all TCP options */
10695 dissector_add_uint("tcp.option", TCPOPT_TIMESTAMP, create_dissector_handle( dissect_tcpopt_timestamp, proto_tcp_option_timestamp ));
10696 dissector_add_uint("tcp.option", TCPOPT_MSS, create_dissector_handle( dissect_tcpopt_mss, proto_tcp_option_mss ));
10697 dissector_add_uint("tcp.option", TCPOPT_WINDOW, create_dissector_handle( dissect_tcpopt_wscale, proto_tcp_option_wscale ));
10698 dissector_add_uint("tcp.option", TCPOPT_SACK_PERM, create_dissector_handle( dissect_tcpopt_sack_perm, proto_tcp_option_sack_perm ));
10699 dissector_add_uint("tcp.option", TCPOPT_SACK, create_dissector_handle( dissect_tcpopt_sack, proto_tcp_option_sack ));
10700 dissector_add_uint("tcp.option", TCPOPT_ECHO, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echo ));
10701 dissector_add_uint("tcp.option", TCPOPT_ECHOREPLY, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echoreply ));
10702 dissector_add_uint("tcp.option", TCPOPT_CC, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc ));
10703 dissector_add_uint("tcp.option", TCPOPT_CCNEW, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_new ));
10704 dissector_add_uint("tcp.option", TCPOPT_CCECHO, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_echo ));
10705 dissector_add_uint("tcp.option", TCPOPT_MD5, create_dissector_handle( dissect_tcpopt_md5, proto_tcp_option_md5 ));
10706 dissector_add_uint("tcp.option", TCPOPT_AO, create_dissector_handle( dissect_tcpopt_ao, proto_tcp_option_ao ));
10707 dissector_add_uint("tcp.option", TCPOPT_SCPS, create_dissector_handle( dissect_tcpopt_scps, proto_tcp_option_scps ));
10708 dissector_add_uint("tcp.option", TCPOPT_SNACK, create_dissector_handle( dissect_tcpopt_snack, proto_tcp_option_snack ));
10709 dissector_add_uint("tcp.option", TCPOPT_RECBOUND, create_dissector_handle( dissect_tcpopt_recbound, proto_tcp_option_scpsrec ));
10710 dissector_add_uint("tcp.option", TCPOPT_CORREXP, create_dissector_handle( dissect_tcpopt_correxp, proto_tcp_option_scpscor ));
10711 dissector_add_uint("tcp.option", TCPOPT_QS, create_dissector_handle( dissect_tcpopt_qs, proto_tcp_option_qs ));
10712 dissector_add_uint("tcp.option", TCPOPT_USER_TO, create_dissector_handle( dissect_tcpopt_user_to, proto_tcp_option_user_to ));
10713 dissector_add_uint("tcp.option", TCPOPT_TFO, create_dissector_handle( dissect_tcpopt_tfo, proto_tcp_option_tfo ));
10714 dissector_add_uint("tcp.option", TCPOPT_RVBD_PROBE, create_dissector_handle( dissect_tcpopt_rvbd_probe, proto_tcp_option_rvbd_probe ));
10715 dissector_add_uint("tcp.option", TCPOPT_RVBD_TRPY, create_dissector_handle( dissect_tcpopt_rvbd_trpy, proto_tcp_option_rvbd_trpy ));
10716 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_0, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10717 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_1, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10718 dissector_add_uint("tcp.option", TCPOPT_EXP_FD, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10719 dissector_add_uint("tcp.option", TCPOPT_EXP_FE, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10720 dissector_add_uint("tcp.option", TCPOPT_MPTCP, create_dissector_handle( dissect_tcpopt_mptcp, proto_mptcp ));
10721 /* Common handle for all the unknown/unsupported TCP options */
10722 tcp_opt_unknown_handle = create_dissector_handle( dissect_tcpopt_unknown, proto_tcp_option_unknown );
10728 }
10730 /*
10731 * Editor modelines
10732 *
10733 * Local Variables:
10734 * c-basic-offset: 4
10735 * tab-width: 8
10736 * indent-tabs-mode: nil
10737 * End:
10738 *
10739 * ex: set shiftwidth=4 tabstop=8 expandtab:
10740 * :indentSize=4:tabSize=8:noTabs=true:
10741 */