search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-udp.c
blob6bb376e97f49def9b257f852bf41cf4fa6a83040
1 /* packet-udp.c
2 * Routines for UDP/UDP-Lite packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * Richard Sharpe, 13-Feb-1999, added dispatch table support and
9 * support for tftp.
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13 #include "config.h"
14 #include "packet-udp.h"
15
16 #include <epan/packet.h>
17 #include <epan/capture_dissectors.h>
18 #include <epan/addr_resolv.h>
19 #include <epan/ipproto.h>
20 #include <epan/in_cksum.h>
21 #include <epan/prefs.h>
22 #include <epan/follow.h>
23 #include <epan/expert.h>
24 #include <epan/exceptions.h>
25 #include <epan/show_exception.h>
26 #include <epan/proto_data.h>
27
28 #include <wsutil/utf8_entities.h>
29 #include <wsutil/pint.h>
30 #include <wsutil/str_util.h>
31
32 #include <epan/conversation.h>
33 #include <epan/conversation_table.h>
34 #include <epan/conversation_filter.h>
35 #include <epan/exported_pdu.h>
36 #include <epan/decode_as.h>
37
38 void proto_register_udp(void);
39 void proto_reg_handoff_udp(void);
40
41 static dissector_handle_t udp_handle;
42 static dissector_handle_t udplite_handle;
43 static capture_dissector_handle_t udp_cap_handle;
44 static capture_dissector_handle_t udplite_cap_handle;
45
46 static int udp_tap;
47 static int udp_follow_tap;
48 static int exported_pdu_tap;
49
50 static int proto_udp;
51 static int proto_udplite;
52
53 static int hf_udp_checksum;
54 static int hf_udp_checksum_calculated;
55 static int hf_udp_checksum_status;
56 static int hf_udp_dstport;
57 static int hf_udp_length;
58 static int hf_udp_payload;
59 static int hf_udp_pdu_size;
60 static int hf_udp_port;
61 static int hf_udp_proc_dst_cmd;
62 static int hf_udp_proc_dst_pid;
63 static int hf_udp_proc_dst_uid;
64 static int hf_udp_proc_dst_uname;
65 static int hf_udp_proc_src_cmd;
66 static int hf_udp_proc_src_pid;
67 static int hf_udp_proc_src_uid;
68 static int hf_udp_proc_src_uname;
69 static int hf_udp_srcport;
70 static int hf_udp_stream;
71 static int hf_udp_stream_pnum;
72 static int hf_udp_ts_delta;
73 static int hf_udp_ts_relative;
74 static int hf_udplite_checksum_coverage;
75
76 static int ett_udp;
77 static int ett_udp_checksum;
78 static int ett_udp_process_info;
79 static int ett_udp_timestamps;
80
81 static expert_field ei_udp_possible_traceroute;
82 static expert_field ei_udp_length_bad;
83 static expert_field ei_udplite_checksum_coverage_bad;
84 static expert_field ei_udp_checksum_zero;
85 static expert_field ei_udp_checksum_partial;
86 static expert_field ei_udp_checksum_bad;
87 static expert_field ei_udp_length_bad_zero;
88
89 /* Preferences */
90
91 /* Place UDP summary in proto tree */
92 static bool udp_summary_in_tree = true;
93
94 /* Check UDP checksums */
95 static bool udp_check_checksum;
96
97 /* Ignore zero-value UDP checksums over IPv6 */
98 static bool udp_ignore_ipv6_zero_checksum;
99
100 /* Collect IPFIX process flow information */
101 static bool udp_process_info;
102
103 /* Ignore an invalid checksum coverage field for UDP-Lite */
104 static bool udplite_ignore_checksum_coverage = true;
105
106 /* Check UDP-Lite checksums */
107 static bool udplite_check_checksum;
108
109 static dissector_table_t udp_dissector_table;
110 static heur_dissector_list_t heur_subdissector_list;
111 static uint32_t udp_stream_count;
112
113 /* Determine if there is a sub-dissector and call it. This has been */
114 /* separated into a stand alone routine so other protocol dissectors */
115 /* can call to it, ie. socks */
116
117 static bool try_heuristic_first;
118
119 static bool udp_calculate_ts = true;
120 static bool udplite_calculate_ts = true;
121
122 /* Per-packet-info for UDP */
123 typedef struct {
124 heur_dtbl_entry_t *heur_dtbl_entry;
125 nstime_t ts_delta;
126 bool ts_delta_valid;
127 uint32_t pnum;
128 } udp_p_info_t;
129
130 static void
131 udp_src_prompt(packet_info *pinfo, char *result)
132 {
133 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo,
134 hf_udp_srcport, pinfo->curr_layer_num));
135
136 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", port, UTF8_RIGHTWARDS_ARROW);
137 }
138
139 static void *
140 udp_src_value(packet_info *pinfo)
141 {
142 return p_get_proto_data(pinfo->pool, pinfo, hf_udp_srcport, pinfo->curr_layer_num);
143 }
144
145 static void
146 udp_dst_prompt(packet_info *pinfo, char *result)
147 {
148 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo,
149 hf_udp_dstport, pinfo->curr_layer_num));
150
151 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, port);
152 }
153
154 static void *
155 udp_dst_value(packet_info *pinfo)
156 {
157 return p_get_proto_data(pinfo->pool, pinfo, hf_udp_dstport, pinfo->curr_layer_num);
158 }
159
160 static void
161 udp_both_prompt(packet_info *pinfo, char *result)
162 {
163 uint32_t srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo,
164 hf_udp_srcport, pinfo->curr_layer_num));
165 uint32_t dstport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo,
166 hf_udp_dstport, pinfo->curr_layer_num));
167 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "Both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, dstport);
168 }
169
170 /* Conversation and process code originally copied from packet-tcp.c */
171 static struct udp_analysis *
172 init_udp_conversation_data(packet_info *pinfo)
173 {
174 struct udp_analysis *udpd;
175
176 /* Initialize the udp protocol data structure to add to the udp conversation */
177 udpd = wmem_new0(wmem_file_scope(), struct udp_analysis);
178 /*
179 udpd->flow1.username = NULL;
180 udpd->flow1.command = NULL;
181 udpd->flow2.username = NULL;
182 udpd->flow2.command = NULL;
183 */
184
185 udpd->stream = udp_stream_count++;
186 udpd->ts_first = pinfo->abs_ts;
187 udpd->ts_prev = pinfo->abs_ts;
188
189 return udpd;
190 }
191
192 struct udp_analysis *
193 get_udp_conversation_data(conversation_t *conv, packet_info *pinfo)
194 {
195 int direction;
196 struct udp_analysis *udpd = NULL;
197
198 /* Did the caller supply the conversation pointer? */
199 if (conv == NULL)
200 conv = find_or_create_conversation(pinfo);
201
202 /* Get the data for this conversation */
203 udpd = conversation_get_proto_data(conv, proto_udp);
204
205 /* If the conversation was just created or it matched a
206 * conversation with template options, udpd will not
207 * have been initialized. So, initialize
208 * a new udpd structure for the conversation.
209 */
210 if (!udpd) {
211 udpd = init_udp_conversation_data(pinfo);
212 conversation_add_proto_data(conv, proto_udp, udpd);
213 }
214
215 if (!udpd) {
216 return NULL;
217 }
218
219 /* check direction and get ua lists */
220 direction = cmp_address(&pinfo->src, &pinfo->dst);
221 /* if the addresses are equal, match the ports instead */
222 if (direction == 0) {
223 direction = (pinfo->srcport > pinfo->destport) ? 1 : -1;
224 }
225 if (direction >= 0) {
226 udpd->fwd = &(udpd->flow1);
227 udpd->rev = &(udpd->flow2);
228 }
229 else {
230 udpd->fwd = &(udpd->flow2);
231 udpd->rev = &(udpd->flow1);
232 }
233
234 return udpd;
235 }
236
237 static const char* udp_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
238 {
239 if (filter == CONV_FT_SRC_PORT)
240 return "udp.srcport";
241
242 if (filter == CONV_FT_DST_PORT)
243 return "udp.dstport";
244
245 if (filter == CONV_FT_ANY_PORT)
246 return "udp.port";
247
248 if(!conv) {
249 return CONV_FILTER_INVALID;
250 }
251
252 if (filter == CONV_FT_SRC_ADDRESS) {
253 if (conv->src_address.type == AT_IPv4)
254 return "ip.src";
255 if (conv->src_address.type == AT_IPv6)
256 return "ipv6.src";
257 }
258
259 if (filter == CONV_FT_DST_ADDRESS) {
260 if (conv->dst_address.type == AT_IPv4)
261 return "ip.dst";
262 if (conv->dst_address.type == AT_IPv6)
263 return "ipv6.dst";
264 }
265
266 if (filter == CONV_FT_ANY_ADDRESS) {
267 if (conv->src_address.type == AT_IPv4)
268 return "ip.addr";
269 if (conv->src_address.type == AT_IPv6)
270 return "ipv6.addr";
271 }
272
273 return CONV_FILTER_INVALID;
274 }
275
276 static ct_dissector_info_t udp_ct_dissector_info = {&udp_conv_get_filter_type};
277
278 static tap_packet_status
279 udpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
280 {
281 conv_hash_t *hash = (conv_hash_t*) pct;
282 hash->flags = flags;
283
284 const e_udphdr *udphdr=(const e_udphdr *)vip;
285
286 add_conversation_table_data_with_conv_id(hash,
287 &udphdr->ip_src, &udphdr->ip_dst, udphdr->uh_sport, udphdr->uh_dport,
288 (conv_id_t) udphdr->uh_stream, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->abs_ts,
289 &udp_ct_dissector_info, CONVERSATION_UDP);
290
291 return TAP_PACKET_REDRAW;
292 }
293
294 static const char* udp_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter)
295 {
296
297 if (filter == CONV_FT_SRC_PORT)
298 return "udp.srcport";
299
300 if (filter == CONV_FT_DST_PORT)
301 return "udp.dstport";
302
303 if (filter == CONV_FT_ANY_PORT)
304 return "udp.port";
305
306 if(!endpoint) {
307 return CONV_FILTER_INVALID;
308 }
309
310
311 if (filter == CONV_FT_SRC_ADDRESS) {
312 if (endpoint->myaddress.type == AT_IPv4)
313 return "ip.src";
314 if (endpoint->myaddress.type == AT_IPv6)
315 return "ipv6.src";
316 }
317
318 if (filter == CONV_FT_DST_ADDRESS) {
319 if (endpoint->myaddress.type == AT_IPv4)
320 return "ip.dst";
321 if (endpoint->myaddress.type == AT_IPv6)
322 return "ipv6.dst";
323 }
324
325 if (filter == CONV_FT_ANY_ADDRESS) {
326 if (endpoint->myaddress.type == AT_IPv4)
327 return "ip.addr";
328 if (endpoint->myaddress.type == AT_IPv6)
329 return "ipv6.addr";
330 }
331
332 return CONV_FILTER_INVALID;
333 }
334
335 static et_dissector_info_t udp_endpoint_dissector_info = {&udp_endpoint_get_filter_type};
336
337 static tap_packet_status
338 udpip_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
339 {
340 conv_hash_t *hash = (conv_hash_t*) pit;
341 hash->flags = flags;
342
343 const e_udphdr *udphdr=(const e_udphdr *)vip;
344
345 /* Take two "add" passes per packet, adding for each direction, ensures that all
346 packets are counted properly (even if address is sending to itself)
347 XXX - this could probably be done more efficiently inside endpoint_table */
348 add_endpoint_table_data(hash, &udphdr->ip_src, udphdr->uh_sport, true, 1, pinfo->fd->pkt_len, &udp_endpoint_dissector_info, ENDPOINT_UDP);
349 add_endpoint_table_data(hash, &udphdr->ip_dst, udphdr->uh_dport, false, 1, pinfo->fd->pkt_len, &udp_endpoint_dissector_info, ENDPOINT_UDP);
350
351 return TAP_PACKET_REDRAW;
352 }
353
354 static bool
355 udp_filter_valid(packet_info *pinfo, void *user_data _U_)
356 {
357 return proto_is_frame_protocol(pinfo->layers, "udp");
358 }
359
360 static char*
361 udp_build_filter_by_id(packet_info *pinfo, void *user_data _U_)
362 {
363 return ws_strdup_printf("udp.stream eq %d", pinfo->stream_id);
364 }
365
366
367 static char *udp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, unsigned *stream, unsigned *sub_stream _U_)
368 {
369 conversation_t *conv;
370 struct udp_analysis *udpd;
371
372 /* XXX: Since UDP doesn't use the endpoint API, we can only look
373 * up using the current pinfo addresses and ports. We don't want
374 * to create a new conversation or new UDP stream.
375 * Eventually the endpoint API should support storing multiple
376 * endpoints and UDP should be changed to use the endpoint API.
377 */
378 conv = find_conversation_strat(pinfo, CONVERSATION_UDP, 0);
379 if (((pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) ||
380 (pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6))
381 && (pinfo->ptype == PT_UDP) &&
382 conv != NULL)
383 {
384 /* UDP over IPv4/6 */
385 udpd=get_udp_conversation_data(conv, pinfo);
386 if (udpd == NULL)
387 return NULL;
388
389 *stream = udpd->stream;
390 return ws_strdup_printf("udp.stream eq %u", udpd->stream);
391 }
392
393 return NULL;
394 }
395
396 static char *udp_follow_index_filter(unsigned stream, unsigned sub_stream _U_)
397 {
398 return ws_strdup_printf("udp.stream eq %u", stream);
399 }
400
401 char *udp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
402 {
403 const char *ip_version = src_addr->type == AT_IPv6 ? "v6" : "";
404 char src_addr_str[WS_INET6_ADDRSTRLEN];
405 char dst_addr_str[WS_INET6_ADDRSTRLEN];
406
407 address_to_str_buf(src_addr, src_addr_str, sizeof(src_addr_str));
408 address_to_str_buf(dst_addr, dst_addr_str, sizeof(dst_addr_str));
409
410 return ws_strdup_printf("((ip%s.src eq %s and udp.srcport eq %d) and "
411 "(ip%s.dst eq %s and udp.dstport eq %d))"
412 " or "
413 "((ip%s.src eq %s and udp.srcport eq %d) and "
414 "(ip%s.dst eq %s and udp.dstport eq %d))",
415 ip_version, src_addr_str, src_port,
416 ip_version, dst_addr_str, dst_port,
417 ip_version, dst_addr_str, dst_port,
418 ip_version, src_addr_str, src_port);
419 }
420
421
422 /* Attach process info to a flow */
423 /* XXX - We depend on the UDP dissector finding the conversation first */
424 void
425 add_udp_process_info(uint32_t frame_num, address *local_addr, address *remote_addr,
426 uint16_t local_port, uint16_t remote_port, uint32_t uid, uint32_t pid,
427 char *username, char *command)
428 {
429 conversation_t *conv;
430 struct udp_analysis *udpd;
431 udp_flow_t *flow = NULL;
432
433 if (!udp_process_info) {
434 return;
435 }
436
437 conv = find_conversation(frame_num, local_addr, remote_addr, CONVERSATION_UDP, local_port, remote_port, 0);
438 if (!conv) {
439 return;
440 }
441
442 udpd = (struct udp_analysis *)conversation_get_proto_data(conv, proto_udp);
443 if (!udpd) {
444 return;
445 }
446
447 if ((cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0) && (local_port == conversation_key_port1(conv->key_ptr))) {
448 flow = &udpd->flow1;
449 }
450 else if ((cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0) && (remote_port == conversation_key_port1(conv->key_ptr))) {
451 flow = &udpd->flow2;
452 }
453 if (!flow || flow->command) {
454 return;
455 }
456
457 flow->process_uid = uid;
458 flow->process_pid = pid;
459 flow->username = wmem_strdup(wmem_file_scope(), username);
460 flow->command = wmem_strdup(wmem_file_scope(), command);
461 }
462
463
464 /* Return the current stream count */
465 uint32_t get_udp_stream_count(void)
466 {
467 return udp_stream_count;
468 }
469
470 static void
471 handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, uint32_t port)
472 {
473 if (have_tap_listener(exported_pdu_tap)) {
474 exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
475
476 const exp_pdu_data_item_t *udp_exp_pdu_items[] = {
477 &exp_pdu_data_src_ip,
478 &exp_pdu_data_dst_ip,
479 &exp_pdu_data_port_type,
480 &exp_pdu_data_src_port,
481 &exp_pdu_data_dst_port,
482 &exp_pdu_data_orig_frame_num,
483 &exp_pdu_data_table_value,
484 NULL
485 };
486
487 exp_pdu_data_t *exp_pdu_data;
488
489 exp_pdu_data_table_value.data = GUINT_TO_POINTER(port);
490
491 exp_pdu_data = export_pdu_create_tags(pinfo, "udp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, udp_exp_pdu_items);
492 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
493 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
494 exp_pdu_data->pdu_tvb = tvb;
495
496 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
497 }
498 }
499
500 static void
501 handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry)
502 {
503 exp_pdu_data_t *exp_pdu_data = NULL;
504
505 if (have_tap_listener(exported_pdu_tap)) {
506 if ((!hdtbl_entry->enabled) ||
507 (hdtbl_entry->protocol != NULL && !proto_is_protocol_enabled(hdtbl_entry->protocol))) {
508 exp_pdu_data = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_DISSECTOR_NAME);
509 }
510 else if (hdtbl_entry->protocol != NULL) {
511 exp_pdu_data = export_pdu_create_common_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_DISSECTOR_NAME);
512 }
513
514 if (exp_pdu_data != NULL) {
515 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
516 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
517 exp_pdu_data->pdu_tvb = tvb;
518
519 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
520 }
521 }
522 }
523
524 static void
525 handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int uh_dport, int uh_sport)
526 {
527 if (have_tap_listener(exported_pdu_tap)) {
528 conversation_t *conversation = find_conversation(pinfo->num, &pinfo->dst, &pinfo->src, CONVERSATION_UDP, uh_dport, uh_sport, 0);
529 if (conversation != NULL) {
530 dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
531 if (handle != NULL) {
532 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_DISSECTOR_NAME);
533 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
534 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
535 exp_pdu_data->pdu_tvb = tvb;
536
537 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
538 }
539 }
540 }
541 }
542
543 void
544 decode_udp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
545 proto_tree *udp_tree, int uh_sport, int uh_dport, int uh_ulen)
546 {
547 tvbuff_t *next_tvb;
548 int low_port, high_port;
549 bool try_low_port, try_high_port;
550 int len, reported_len;
551 udp_p_info_t *udp_p_info;
552 /* Save curr_layer_num as it might be changed by subdissector */
553 uint8_t curr_layer_num = pinfo->curr_layer_num;
554 heur_dtbl_entry_t *hdtbl_entry;
555 exp_pdu_data_t *exp_pdu_data;
556 proto_tree* tree = proto_tree_get_parent_tree(udp_tree);
557
558 /* populate per packet data variable */
559 udp_p_info = (udp_p_info_t*)p_get_proto_data(wmem_file_scope(), pinfo, proto_udp, pinfo->curr_layer_num);
560
561 len = tvb_captured_length_remaining(tvb, offset);
562 reported_len = tvb_reported_length_remaining(tvb, offset);
563 if (uh_ulen != -1) {
564 /* This is the length from the UDP header; the payload should be cut
565 off at that length. (If our caller passed a value here, they
566 are assumed to have checked that it's >= 8, and hence >= offset.)
567
568 XXX - what if it's *greater* than the reported length? */
569 if ((uh_ulen - offset) < reported_len)
570 reported_len = uh_ulen - offset;
571 if (len > reported_len)
572 len = reported_len;
573 }
574
575 proto_tree_add_bytes_format(udp_tree, hf_udp_payload, tvb, offset,
576 -1, NULL, "UDP payload (%u byte%s)", len,
577 plurality(len, "", "s"));
578
579 next_tvb = tvb_new_subset_length_caplen(tvb, offset, len, reported_len);
580
581 /* If the user has a "Follow UDP Stream" window loading, pass a pointer
582 * to the payload tvb through the tap system. */
583 if (have_tap_listener(udp_follow_tap))
584 tap_queue_packet(udp_follow_tap, pinfo, next_tvb);
585
586 if (PINFO_FD_VISITED(pinfo)) {
587 if (udp_p_info && udp_p_info->heur_dtbl_entry != NULL) {
588 call_heur_dissector_direct(udp_p_info->heur_dtbl_entry, next_tvb, pinfo, tree, NULL);
589 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
590 return;
591 }
592 }
593
594 /* determine if this packet is part of a conversation and call dissector */
595 /* for the conversation if available */
596 if (try_conversation_dissector(&pinfo->dst, &pinfo->src, CONVERSATION_UDP,
597 uh_dport, uh_sport, next_tvb, pinfo, tree, NULL, NO_ADDR_B|NO_PORT_B)) {
598 handle_export_pdu_conversation(pinfo, next_tvb, uh_dport, uh_sport);
599 return;
600 }
601
602 /* XXX - we ignore port numbers of 0, as some dissectors use a port
603 number of 0 to disable the port, and as RFC 768 says that the source
604 port in UDP datagrams is optional and is 0 if not used. */
605
606 if (uh_sport > uh_dport) {
607 low_port = uh_dport;
608 high_port = uh_sport;
609 }
610 else {
611 low_port = uh_sport;
612 high_port = uh_dport;
613 }
614
615 try_low_port = false;
616 if (low_port != 0) {
617 if (dissector_is_uint_changed(udp_dissector_table, low_port)) {
618 if (dissector_try_uint(udp_dissector_table, low_port, next_tvb, pinfo, tree)) {
619 handle_export_pdu_dissection_table(pinfo, next_tvb, low_port);
620 return;
621 }
622 }
623 else {
624 /* The default; try it later */
625 try_low_port = true;
626 }
627 }
628
629 try_high_port = false;
630 if (high_port != 0) {
631 if (dissector_is_uint_changed(udp_dissector_table, high_port)) {
632 if (dissector_try_uint(udp_dissector_table, high_port, next_tvb, pinfo, tree)) {
633 handle_export_pdu_dissection_table(pinfo, next_tvb, high_port);
634 return;
635 }
636 }
637 else {
638 /* The default; try it later */
639 try_high_port = true;
640 }
641 }
642
643 if (try_heuristic_first) {
644 /* Do lookup with the heuristic subdissector table */
645 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
646 if (!udp_p_info) {
647 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
648 p_add_proto_data(wmem_file_scope(), pinfo, proto_udp, curr_layer_num, udp_p_info);
649 }
650
651 udp_p_info->heur_dtbl_entry = hdtbl_entry;
652
653 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
654 return;
655 }
656 }
657
658 /* Do lookups with the subdissector table.
659 We try the port number with the lower value first, followed by the
660 port number with the higher value. This means that, for packets
661 where a dissector is registered for *both* port numbers:
662
663 1) we pick the same dissector for traffic going in both directions;
664
665 2) we prefer the port number that's more likely to be the right
666 one (as that prefers well-known ports to reserved ports);
667
668 although there is, of course, no guarantee that any such strategy
669 will always pick the right port number.
670 */
671
672 if ((try_low_port) && dissector_try_uint(udp_dissector_table, low_port, next_tvb, pinfo, tree)) {
673 handle_export_pdu_dissection_table(pinfo, next_tvb, low_port);
674 return;
675 }
676 if ((try_high_port) && dissector_try_uint(udp_dissector_table, high_port, next_tvb, pinfo, tree)) {
677 handle_export_pdu_dissection_table(pinfo, next_tvb, high_port);
678 return;
679 }
680
681 if (!try_heuristic_first) {
682 /* Do lookup with the heuristic subdissector table */
683 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
684 if (!udp_p_info) {
685 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
686 p_add_proto_data(wmem_file_scope(), pinfo, proto_udp, curr_layer_num, udp_p_info);
687 }
688
689 udp_p_info->heur_dtbl_entry = hdtbl_entry;
690
691 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
692 return;
693 }
694 }
695
696 call_data_dissector(next_tvb, pinfo, tree);
697
698 if (have_tap_listener(exported_pdu_tap)) {
699 exp_pdu_data = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_DISSECTOR_NAME);
700 exp_pdu_data->tvb_captured_length = tvb_captured_length(next_tvb);
701 exp_pdu_data->tvb_reported_length = tvb_reported_length(next_tvb);
702 exp_pdu_data->pdu_tvb = next_tvb;
703
704 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
705 }
706 }
707
708 int
709 udp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
710 unsigned fixed_len, bool (*heuristic_check)(packet_info *, tvbuff_t *, int, void*),
711 unsigned (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
712 dissector_t dissect_pdu, void* dissector_data)
713 {
714 volatile int offset = 0;
715 int offset_before;
716 unsigned captured_length_remaining;
717 volatile unsigned plen;
718 unsigned length;
719 tvbuff_t *next_tvb;
720 proto_item *item=NULL;
721 const char *saved_proto;
722 uint8_t curr_layer_num;
723 wmem_list_frame_t *frame;
724
725 while (tvb_reported_length_remaining(tvb, offset) > 0) {
726 /*
727 * We use "tvb_ensure_captured_length_remaining()" to make
728 * sure there actually *is* data remaining. The protocol
729 * we're handling could conceivably consists of a sequence of
730 * fixed-length PDUs, and therefore the "get_pdu_len" routine
731 * might not actually fetch anything from the tvbuff, and thus
732 * might not cause an exception to be thrown if we've run past
733 * the end of the tvbuff.
734 *
735 * This means we're guaranteed that "captured_length_remaining" is positive.
736 */
737 captured_length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
738
739 /*
740 * If there is a heuristic function, check it
741 */
742 if ((heuristic_check != NULL) &&
743 ((*heuristic_check)(pinfo, tvb, offset, dissector_data) == false)) {
744 return offset;
745 }
746
747 /*
748 * Get the length of the PDU.
749 */
750 plen = (*get_pdu_len)(pinfo, tvb, offset, dissector_data);
751 if (plen == 0) {
752 /*
753 * Either protocol has variable length (which isn't supposed by UDP)
754 * or packet doesn't belong to protocol
755 */
756 return offset;
757 }
758
759 if (plen < fixed_len) {
760 /*
761 * Either:
762 *
763 * 1) the length value extracted from the fixed-length portion
764 * doesn't include the fixed-length portion's length, and
765 * was so large that, when the fixed-length portion's
766 * length was added to it, the total length overflowed;
767 *
768 * 2) the length value extracted from the fixed-length portion
769 * includes the fixed-length portion's length, and the value
770 * was less than the fixed-length portion's length, i.e. it
771 * was bogus.
772 *
773 * Report this as a bounds error.
774 */
775 show_reported_bounds_error(tvb, pinfo, tree);
776 return offset;
777 }
778
779 curr_layer_num = pinfo->curr_layer_num-1;
780 frame = wmem_list_frame_prev(wmem_list_tail(pinfo->layers));
781 while (frame && (proto_udp != (int) GPOINTER_TO_UINT(wmem_list_frame_data(frame)))) {
782 frame = wmem_list_frame_prev(frame);
783 curr_layer_num--;
784 }
785
786 /*
787 * Display the PDU length as a field
788 */
789 item = proto_tree_add_uint((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_udp, curr_layer_num),
790 hf_udp_pdu_size, tvb, offset, plen, plen);
791 proto_item_set_generated(item);
792
793 /*
794 * Construct a tvbuff containing the amount of the payload we have
795 * available. Make its reported length the amount of data in the PDU.
796 */
797 length = captured_length_remaining;
798 if (length > plen)
799 length = plen;
800 next_tvb = tvb_new_subset_length_caplen(tvb, offset, length, plen);
801
802 /*
803 * Dissect the PDU.
804 *
805 * If it gets an error that means there's no point in
806 * dissecting any more PDUs, rethrow the exception in
807 * question.
808 *
809 * If it gets any other error, report it and continue, as that
810 * means that PDU got an error, but that doesn't mean we should
811 * stop dissecting PDUs within this frame or chunk of reassembled
812 * data.
813 */
814 saved_proto = pinfo->current_proto;
815 TRY {
816 (*dissect_pdu)(next_tvb, pinfo, tree, dissector_data);
817 }
818 CATCH_NONFATAL_ERRORS {
819 /* Restore the private_data structure in case one of the
820 * called dissectors modified it (and, due to the exception,
821 * was unable to restore it).
822 */
823 show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
824
825 /*
826 * Restore the saved protocol as well; we do this after
827 * show_exception(), so that the "Malformed packet" indication
828 * shows the protocol for which dissection failed.
829 */
830 pinfo->current_proto = saved_proto;
831 }
832 ENDTRY;
833
834 /*
835 * Step to the next PDU.
836 * Make sure we don't overflow.
837 */
838 offset_before = offset;
839 offset += plen;
840 if (offset <= offset_before)
841 break;
842 }
843
844 return offset;
845 }
846
847 static bool
848 capture_udp(const unsigned char *pd _U_, int offset _U_, int len _U_, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header _U_)
849 {
850 uint16_t src_port, dst_port, low_port, high_port;
851
852 if (!BYTES_ARE_IN_FRAME(offset, len, 4))
853 return false;
854
855 capture_dissector_increment_count(cpinfo, proto_udp);
856
857 src_port = pntoh16(&pd[offset]);
858 dst_port = pntoh16(&pd[offset+2]);
859
860 if (src_port > dst_port) {
861 low_port = dst_port;
862 high_port = src_port;
863 }
864 else {
865 low_port = src_port;
866 high_port = dst_port;
867 }
868
869 if (low_port != 0 && try_capture_dissector("udp.port", low_port, pd, offset+20, len, cpinfo, pseudo_header))
870 return true;
871
872 if (high_port != 0 && try_capture_dissector("udp.port", high_port, pd, offset+20, len, cpinfo, pseudo_header))
873 return true;
874
875 /* We've at least identified one type of packet, so this shouldn't be "other" */
876 return true;
877 }
878
879 /* Calculate the timestamps relative to this conversation */
880 static void
881 udp_compute_timestamps(packet_info *pinfo, struct udp_analysis *udp_data, int proto)
882 {
883 if (!udp_data)
884 return;
885
886 /* get per packet date for UDP/UDP-Lite based on protocol id */
887 udp_p_info_t *udp_per_packet_data = (udp_p_info_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num);
888
889 if(!udp_per_packet_data) {
890 udp_per_packet_data = wmem_new0(wmem_file_scope(), udp_p_info_t);
891 p_add_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num, udp_per_packet_data);
892 }
893
894 /* pre-increment so packet numbers start at 1 */
895 udp_per_packet_data->pnum = ++udp_data->pnum;
896
897 nstime_delta(&udp_per_packet_data->ts_delta, &pinfo->abs_ts, &udp_data->ts_prev);
898 udp_per_packet_data->ts_delta_valid = true;
899
900 udp_data->ts_prev = pinfo->abs_ts;
901 }
902
903 /* Add a subtree with the timestamps relative to this conversation */
904 static void
905 udp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct udp_analysis *udp_data, int proto)
906 {
907 proto_item *item;
908 proto_tree *tree;
909 nstime_t ts;
910
911 if (!udp_data)
912 return;
913
914 /* get per packet date for UDP/UDP-Lite based on protocol id */
915 udp_p_info_t *udp_per_packet_data = (udp_p_info_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num);
916
917 if (udp_per_packet_data) {
918 item = proto_tree_add_uint(parent_tree, hf_udp_stream_pnum, tvb, 0, 0,
919 udp_per_packet_data->pnum);
920 proto_item_set_generated(item);
921 }
922
923 tree = proto_tree_add_subtree(parent_tree, tvb, 0, 0, ett_udp_timestamps, &item, "Timestamps");
924 proto_item_set_generated(item);
925
926 nstime_delta(&ts, &pinfo->abs_ts, &udp_data->ts_first);
927 item = proto_tree_add_time(tree, hf_udp_ts_relative, tvb, 0, 0, &ts);
928 proto_item_set_generated(item);
929
930 if (udp_per_packet_data && udp_per_packet_data->ts_delta_valid) {
931 item = proto_tree_add_time(tree, hf_udp_ts_delta, tvb, 0, 0,
932 &udp_per_packet_data->ts_delta);
933 proto_item_set_generated(item);
934 }
935 }
936
937 static void
938 udp_handle_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, struct udp_analysis *udp_data, uint32_t ip_proto)
939 {
940 int proto_id = (ip_proto == IP_PROTO_UDP ? proto_udp : proto_udplite);
941
942 /*
943 * Calculate the timestamps relative to this conversation (but only on the
944 * first run when frames are accessed sequentially)
945 */
946 if (!PINFO_FD_VISITED(pinfo))
947 udp_compute_timestamps(pinfo, udp_data, proto_id);
948
949 /* handle conversation timestamps */
950 udp_print_timestamps(pinfo, tvb, tree, udp_data, proto_id);
951 }
952
953 static void
954 dissect(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t ip_proto)
955 {
956 proto_tree *udp_tree = NULL;
957 proto_item *ti, *item, *hidden_item, *calc_item;
958 proto_item *src_port_item, *dst_port_item, *len_cov_item;
959 unsigned len;
960 unsigned reported_len;
961 vec_t cksum_vec[4];
962 uint32_t phdr[2];
963 uint16_t computed_cksum;
964 int offset = 0;
965 e_udphdr *udph;
966 proto_tree *checksum_tree;
967 conversation_t *conv = NULL;
968 struct udp_analysis *udpd = NULL;
969 proto_tree *process_tree;
970 bool udp_jumbogram = false;
971
972 udph = wmem_new0(pinfo->pool, e_udphdr);
973 udph->uh_sport = tvb_get_ntohs(tvb, offset);
974 udph->uh_dport = tvb_get_ntohs(tvb, offset + 2);
975 copy_address_shallow(&udph->ip_src, &pinfo->src);
976 copy_address_shallow(&udph->ip_dst, &pinfo->dst);
977
978 col_set_str(pinfo->cinfo, COL_PROTOCOL, (ip_proto == IP_PROTO_UDP) ? "UDP" : "UDP-Lite");
979 col_clear(pinfo->cinfo, COL_INFO);
980 col_append_ports(pinfo->cinfo, COL_INFO, PT_UDP, udph->uh_sport, udph->uh_dport);
981
982 reported_len = tvb_reported_length(tvb);
983 len = tvb_captured_length(tvb);
984
985 ti = proto_tree_add_item(tree, (ip_proto == IP_PROTO_UDP) ? proto_udp : proto_udplite, tvb, offset, 8, ENC_NA);
986 if (udp_summary_in_tree && tree) {
987 proto_item_append_text(ti, ", Src Port: %s, Dst Port: %s",
988 port_with_resolution_to_str(pinfo->pool, PT_UDP, udph->uh_sport),
989 port_with_resolution_to_str(pinfo->pool, PT_UDP, udph->uh_dport));
990 }
991 udp_tree = proto_item_add_subtree(ti, ett_udp);
992 p_add_proto_data(pinfo->pool, pinfo, proto_udp, pinfo->curr_layer_num, udp_tree);
993
994 src_port_item = proto_tree_add_item(udp_tree, hf_udp_srcport, tvb, offset, 2, ENC_BIG_ENDIAN);
995 dst_port_item = proto_tree_add_item(udp_tree, hf_udp_dstport, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
996
997 p_add_proto_data(pinfo->pool, pinfo, hf_udp_srcport, pinfo->curr_layer_num, GUINT_TO_POINTER(udph->uh_sport));
998 p_add_proto_data(pinfo->pool, pinfo, hf_udp_dstport, pinfo->curr_layer_num, GUINT_TO_POINTER(udph->uh_dport));
999
1000 hidden_item = proto_tree_add_item(udp_tree, hf_udp_port, tvb, offset, 2, ENC_BIG_ENDIAN);
1001 proto_item_set_hidden(hidden_item);
1002 hidden_item = proto_tree_add_item(udp_tree, hf_udp_port, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1003 proto_item_set_hidden(hidden_item);
1004
1005 /* The beginning port number, 32768 + 666 (33434), is from LBL's traceroute.c source code and this code
1006 * further assumes that 3 attempts are made per hop */
1007 if ((udph->uh_sport > (32768 + 666)) && (udph->uh_sport <= (32768 + 666 + 30))) {
1008 expert_add_info_format(pinfo, src_port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
1009 ((udph->uh_sport - 32768 - 666 - 1) / 3) + 1,
1010 ((udph->uh_sport - 32768 - 666 - 1) % 3) + 1);
1011 }
1012 if ((udph->uh_dport > (32768 + 666)) && (udph->uh_dport <= (32768 + 666 + 30))) {
1013 expert_add_info_format(pinfo, dst_port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
1014 ((udph->uh_dport - 32768 - 666 - 1) / 3) + 1,
1015 ((udph->uh_dport - 32768 - 666 - 1) % 3) + 1);
1016 }
1017
1018 udph->uh_ulen = udph->uh_sum_cov = tvb_get_ntohs(tvb, offset + 4);
1019 if (ip_proto == IP_PROTO_UDP) {
1020 len_cov_item = proto_tree_add_item(udp_tree, hf_udp_length, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1021 if (udph->uh_ulen == 0 && pinfo->src.type == AT_IPv6) {
1022 /* RFC 2675 (section 4) - UDP Jumbograms */
1023 udph->uh_ulen = udph->uh_sum_cov = reported_len;
1024 udp_jumbogram = true;
1025 }
1026 if (udph->uh_ulen < 8) {
1027 /* Bogus length - it includes the header, so it must be >= 8. */
1028 proto_item_append_text(len_cov_item, " (bogus, must be >= 8)");
1029 expert_add_info_format(pinfo, len_cov_item, &ei_udp_length_bad, "Bad length value %u < 8", udph->uh_ulen);
1030 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u < 8]", udph->uh_ulen);
1031 return;
1032 }
1033 if ((udph->uh_ulen > reported_len) && (!pinfo->fragmented) && (!pinfo->flags.in_error_pkt)) {
1034 /* Bogus length - it goes past the end of the IP payload */
1035 proto_item_append_text(len_cov_item, " (bogus, payload length %u)", reported_len);
1036 expert_add_info_format(pinfo, len_cov_item, &ei_udp_length_bad, "Bad length value %u > IP payload length", udph->uh_ulen);
1037 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u > IP PAYLOAD LENGTH]", udph->uh_ulen);
1038 /*return;*/
1039 }
1040 if (udp_jumbogram && (udph->uh_ulen < 65536)) {
1041 expert_add_info(pinfo, len_cov_item, &ei_udp_length_bad_zero);
1042 }
1043 }
1044 else {
1045 len_cov_item = proto_tree_add_item(udp_tree, hf_udplite_checksum_coverage, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1046 udph->uh_ulen = reported_len;
1047 if (udph->uh_sum_cov == 0) {
1048 udph->uh_sum_cov = reported_len;
1049 }
1050 item = proto_tree_add_uint(udp_tree, hf_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
1051 proto_item_set_generated(item);
1052 if ((udph->uh_sum_cov < 8) || (udph->uh_sum_cov > udph->uh_ulen)) {
1053 /* Bogus coverage - it includes the header, so it must be >= 8, and no larger then the IP payload size. */
1054 proto_item_append_text(len_cov_item, " (bogus, must be >= 8 and <= %u)", udph->uh_ulen);
1055 expert_add_info_format(pinfo, len_cov_item, &ei_udplite_checksum_coverage_bad, "Bad checksum coverage length value %u < 8 or > %u",
1056 udph->uh_sum_cov, udph->uh_ulen);
1057 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD LIGHTWEIGHT UDP CHECKSUM COVERAGE LENGTH %u < 8 or > %u]",
1058 udph->uh_sum_cov, udph->uh_ulen);
1059 if (!udplite_ignore_checksum_coverage) {
1060 return;
1061 }
1062 }
1063 }
1064
1065 col_append_str_uint(pinfo->cinfo, COL_INFO, "Len", udph->uh_ulen - 8, " "); /* Payload length */
1066 if (udp_jumbogram)
1067 col_append_str(pinfo->cinfo, COL_INFO, " [Jumbogram]");
1068
1069 udph->uh_sum = tvb_get_ntohs(tvb, offset + 6);
1070 if (udph->uh_sum == 0) {
1071 /* No checksum supplied in the packet. */
1072
1073 bool ignore_zero_checksum = (ip_proto == IP_PROTO_UDP) &&
1074 ((pinfo->src.type == AT_IPv4) ||
1075 (pinfo->src.type == AT_NONE) ||
1076 ((pinfo->src.type == AT_IPv6) && udp_ignore_ipv6_zero_checksum));
1077 proto_checksum_enum_e checksum_status;
1078
1079 item = proto_tree_add_item(udp_tree, hf_udp_checksum, tvb, offset + 6, 2, ENC_BIG_ENDIAN);
1080 if (ignore_zero_checksum || pinfo->flags.in_error_pkt) {
1081 proto_item_append_text(item, " [zero-value ignored]");
1082 checksum_status = PROTO_CHECKSUM_E_NOT_PRESENT;
1083 }
1084 else {
1085 proto_item_append_text(item, " [zero-value illegal]");
1086 checksum_status = PROTO_CHECKSUM_E_ILLEGAL;
1087 expert_add_info(pinfo, item, &ei_udp_checksum_zero);
1088 col_append_str(pinfo->cinfo, COL_INFO, " [ILLEGAL CHECKSUM (0)]");
1089 }
1090 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
1091 item = proto_tree_add_uint(checksum_tree, hf_udp_checksum_status, tvb, offset + 6, 2, checksum_status);
1092 proto_item_set_generated(item);
1093 }
1094 else if (!pinfo->fragmented && (len >= reported_len) &&
1095 (len >= udph->uh_sum_cov) && (reported_len >= udph->uh_sum_cov) &&
1096 (udph->uh_sum_cov >= 8)) {
1097 /* The packet isn't part of a fragmented datagram and isn't
1098 truncated, so we can checksum it.
1099 XXX - make a bigger scatter-gather list once we do fragment
1100 reassembly? */
1101
1102 if (((ip_proto == IP_PROTO_UDP) && udp_check_checksum) ||
1103 ((ip_proto == IP_PROTO_UDPLITE) && udplite_check_checksum)) {
1104 /* Set up the fields of the pseudo-header. */
1105 SET_CKSUM_VEC_PTR(cksum_vec[0], (const uint8_t *)pinfo->src.data, pinfo->src.len);
1106 SET_CKSUM_VEC_PTR(cksum_vec[1], (const uint8_t *)pinfo->dst.data, pinfo->dst.len);
1107 switch (pinfo->src.type) {
1108
1109 case AT_IPv4:
1110 if (ip_proto == IP_PROTO_UDP)
1111 phdr[0] = g_htonl((ip_proto<<16) | udph->uh_ulen);
1112 else
1113 phdr[0] = g_htonl((ip_proto<<16) | reported_len);
1114 SET_CKSUM_VEC_PTR(cksum_vec[2], (const uint8_t *)&phdr, 4);
1115 break;
1116
1117 case AT_IPv6:
1118 if (ip_proto == IP_PROTO_UDP)
1119 phdr[0] = g_htonl(udph->uh_ulen);
1120 else
1121 phdr[0] = g_htonl(reported_len);
1122 phdr[1] = g_htonl(ip_proto);
1123 SET_CKSUM_VEC_PTR(cksum_vec[2], (const uint8_t *)&phdr, 8);
1124 break;
1125
1126 default:
1127 /* UDP runs only atop IPv4 and IPv6.... */
1128 DISSECTOR_ASSERT_NOT_REACHED();
1129 break;
1130 }
1131 /*
1132 * in_cksum() should never return 0xFFFF here, because, to quote
1133 * RFC 1624 section 3 "Discussion":
1134 *
1135 * In one's complement, there are two representations of
1136 * zero: the all zero and the all one bit values, often
1137 * referred to as +0 and -0. One's complement addition
1138 * of non-zero inputs can produce -0 as a result, but
1139 * never +0. Since there is guaranteed to be at least
1140 * one non-zero field in the IP header, and the checksum
1141 * field in the protocol header is the complement of the
1142 * sum, the checksum field can never contain ~(+0), which
1143 * is -0 (0xFFFF). It can, however, contain ~(-0), which
1144 * is +0 (0x0000).
1145 *
1146 * RFC 1624 is discussing the checksum of the *IPv4* header,
1147 * where the "version" field is 4, ensuring that, in a valid
1148 * IPv4 header, there is at least one non-zero field, but it
1149 * also applies to a UDP datagram, because the length includes
1150 * the length of the UDP header, so at least one field in a UDP
1151 * datagram is non-zero.
1152 *
1153 * in_cksum() returns the negation of the one's-complement
1154 * sum of all the data handed to it, and that data won't be
1155 * all zero, so the sum won't be 0 (+0), and thus the negation
1156 * won't be -0, i.e. won't be 0xFFFF.
1157 */
1158 /*
1159 * Linux and Windows, at least, when performing Local Checksum
1160 * Offload (during Generic Segmentation Offload or at other
1161 * times), place the one's complement sum of the pseudo header
1162 * in the checksum fields initially, which provides the necessary
1163 * correction when a device (or driver) computes the one's
1164 * complement checksum of each buffer in the skbuff. Since it is
1165 * not inverted, the partial_cksum will never be 0x0000 by the
1166 * same argument as above.
1167 */
1168 uint16_t partial_cksum;
1169 SET_CKSUM_VEC_TVB(cksum_vec[3], tvb, offset, udph->uh_sum_cov);
1170 computed_cksum = in_cksum_ret_partial(&cksum_vec[0], 4, &partial_cksum);
1171 uint16_t shouldbe_cksum = in_cksum_shouldbe(udph->uh_sum, computed_cksum);
1172 if (computed_cksum != 0 && udph->uh_sum == g_htons(partial_cksum)) {
1173 /* Don't use PROTO_CHECKSUM_IN_CKSUM because we expect the value
1174 * to match what we pass in. */
1175 item = proto_tree_add_checksum(udp_tree, tvb, offset + 6, hf_udp_checksum, hf_udp_checksum_status, &ei_udp_checksum_bad,
1176 pinfo, g_htons(partial_cksum), ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY);
1177 proto_item_append_text(item, " (matches partial checksum, not 0x%04x, likely caused by \"UDP checksum offload\")", shouldbe_cksum);
1178 expert_add_info(pinfo, item, &ei_udp_checksum_partial);
1179 computed_cksum = 0;
1180 /* XXX: Find some way hint to QUIC (or other dissectors) that
1181 * GSO is a possibility so that extra effort can be made to
1182 * recover coalesced PDUs? E.g., by searching heuristically
1183 * through the payload for the DCID bytes if they're non-zero?
1184 * Add a new status, e.g. PROTO_CHECKSUM_E_PARTIAL?
1185 */
1186 } else {
1187 item = proto_tree_add_checksum(udp_tree, tvb, offset + 6, hf_udp_checksum, hf_udp_checksum_status, &ei_udp_checksum_bad,
1188 pinfo, computed_cksum, ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY|PROTO_CHECKSUM_IN_CKSUM);
1189 }
1190 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
1191
1192 if (computed_cksum != 0) {
1193 proto_item_append_text(item, " (maybe caused by \"UDP checksum offload\"?)");
1194 col_append_str(pinfo->cinfo, COL_INFO, " [UDP CHECKSUM INCORRECT]");
1195 calc_item = proto_tree_add_uint(checksum_tree, hf_udp_checksum_calculated,
1196 tvb, offset + 6, 2, in_cksum_shouldbe(udph->uh_sum, computed_cksum));
1197 }
1198 else {
1199 calc_item = proto_tree_add_uint(checksum_tree, hf_udp_checksum_calculated,
1200 tvb, offset + 6, 2, shouldbe_cksum);
1201 }
1202 proto_item_set_generated(calc_item);
1203
1204 }
1205 else {
1206 proto_tree_add_checksum(udp_tree, tvb, offset + 6, hf_udp_checksum, hf_udp_checksum_status, &ei_udp_checksum_bad, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
1207 }
1208 }
1209 else {
1210 proto_tree_add_checksum(udp_tree, tvb, offset + 6, hf_udp_checksum, hf_udp_checksum_status, &ei_udp_checksum_bad, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
1211 }
1212
1213 /* Skip over header */
1214 offset += 8;
1215
1216 pinfo->ptype = PT_UDP;
1217 pinfo->srcport = udph->uh_sport;
1218 pinfo->destport = udph->uh_dport;
1219
1220 /* find (and extend) an existing conversation, or create a new one */
1221 conv = find_conversation_strat(pinfo, CONVERSATION_UDP, 0);
1222 if(!conv) {
1223 conv=conversation_new_strat(pinfo, CONVERSATION_UDP, 0);
1224 }
1225
1226 udpd = get_udp_conversation_data(conv, pinfo);
1227 if (udpd) {
1228 item = proto_tree_add_uint(udp_tree, hf_udp_stream, tvb, offset, 0, udpd->stream);
1229 proto_item_set_generated(item);
1230
1231 /* Copy the stream index into the header as well to make it available
1232 * to tap listeners.
1233 */
1234 udph->uh_stream = udpd->stream;
1235
1236 /* Copy the stream index into pinfo as well to make it available
1237 * to callback functions (essentially conversation following events in GUI)
1238 */
1239 pinfo->stream_id = udpd->stream;
1240
1241 }
1242
1243 tap_queue_packet(udp_tap, pinfo, udph);
1244
1245 if (udpd && ((udpd->fwd && udpd->fwd->command) || (udpd->rev && udpd->rev->command))) {
1246 process_tree = proto_tree_add_subtree(udp_tree, tvb, offset, 0, ett_udp_process_info, &ti, "Process Information");
1247 proto_item_set_generated(ti);
1248 if (udpd->fwd && udpd->fwd->command) {
1249 proto_tree_add_uint(process_tree, hf_udp_proc_dst_uid, tvb, 0, 0, udpd->fwd->process_uid);
1250 proto_tree_add_uint(process_tree, hf_udp_proc_dst_pid, tvb, 0, 0, udpd->fwd->process_pid);
1251 proto_tree_add_string(process_tree, hf_udp_proc_dst_uname, tvb, 0, 0, udpd->fwd->username);
1252 proto_tree_add_string(process_tree, hf_udp_proc_dst_cmd, tvb, 0, 0, udpd->fwd->command);
1253 }
1254 if (udpd->rev->command) {
1255 proto_tree_add_uint(process_tree, hf_udp_proc_src_uid, tvb, 0, 0, udpd->rev->process_uid);
1256 proto_tree_add_uint(process_tree, hf_udp_proc_src_pid, tvb, 0, 0, udpd->rev->process_pid);
1257 proto_tree_add_string(process_tree, hf_udp_proc_src_uname, tvb, 0, 0, udpd->rev->username);
1258 proto_tree_add_string(process_tree, hf_udp_proc_src_cmd, tvb, 0, 0, udpd->rev->command);
1259 }
1260 }
1261
1262 /* Do we need to calculate timestamps relative to the udp-stream? */
1263 /* Different boolean preferences have to be checked. */
1264 /* If the protocol is UDP then the UDP preference */
1265 if (!pinfo->flags.in_error_pkt &&
1266 ((ip_proto == IP_PROTO_UDP && udp_calculate_ts)
1267 /* Otherwise the UDP-Lite preference */
1268 || (ip_proto == IP_PROTO_UDPLITE && udplite_calculate_ts))) {
1269 udp_handle_timestamps(pinfo, tvb, udp_tree, udpd, ip_proto);
1270 }
1271
1272 if (udph->uh_ulen == 8) {
1273 /* Empty UDP payload, nothing left to do. */
1274 return;
1275 }
1276
1277 /*
1278 * Call sub-dissectors.
1279 *
1280 * XXX - should we do this if this is included in an error packet?
1281 * It might be nice to see the details of the packet that caused the
1282 * ICMP error, but it might not be nice to have the dissector update
1283 * state based on it.
1284 * Also, we probably don't want to run UDP taps on those packets.
1285 *
1286 * We definitely don't want to do it for an error packet if there's
1287 * nothing left in the packet.
1288 */
1289 if (!pinfo->flags.in_error_pkt || (tvb_captured_length_remaining(tvb, offset) > 0))
1290 decode_udp_ports(tvb, offset, pinfo, udp_tree, udph->uh_sport, udph->uh_dport, udph->uh_ulen);
1291 }
1292
1293 static int
1294 dissect_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1295 {
1296 dissect(tvb, pinfo, tree, IP_PROTO_UDP);
1297 return tvb_captured_length(tvb);
1298 }
1299
1300 static int
1301 dissect_udplite(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1302 {
1303 dissect(tvb, pinfo, tree, IP_PROTO_UDPLITE);
1304 return tvb_captured_length(tvb);
1305 }
1306
1307 static void
1308 udp_init(void)
1309 {
1310 udp_stream_count = 0;
1311 }
1312
1313 void
1314 proto_register_udp(void)
1315 {
1316 static hf_register_info hf_udp[] = {
1317 { &hf_udp_srcport,
1318 { "Source Port", "udp.srcport",
1319 FT_UINT16, BASE_PT_UDP, NULL, 0x0,
1320 NULL, HFILL }
1321 },
1322 { &hf_udp_dstport,
1323 { "Destination Port", "udp.dstport",
1324 FT_UINT16, BASE_PT_UDP, NULL, 0x0,
1325 NULL, HFILL }
1326 },
1327 { &hf_udp_port,
1328 { "Source or Destination Port", "udp.port",
1329 FT_UINT16, BASE_PT_UDP, NULL, 0x0,
1330 NULL, HFILL }
1331 },
1332 { &hf_udp_stream,
1333 { "Stream index", "udp.stream",
1334 FT_UINT32, BASE_DEC, NULL, 0x0,
1335 NULL, HFILL }
1336 },
1337 { &hf_udp_stream_pnum,
1338 { "Stream Packet Number", "udp.stream.pnum",
1339 FT_UINT32, BASE_DEC, NULL, 0x0,
1340 "Relative packet number in this UDP stream", HFILL }
1341 },
1342 { &hf_udp_length,
1343 { "Length", "udp.length",
1344 FT_UINT16, BASE_DEC, NULL, 0x0,
1345 "Length in octets including this header and the data", HFILL }
1346 },
1347 { &hf_udp_checksum,
1348 { "Checksum", "udp.checksum",
1349 FT_UINT16, BASE_HEX, NULL, 0x0,
1350 "Details at: https://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html", HFILL }
1351 },
1352 { &hf_udp_checksum_calculated,
1353 { "Calculated Checksum", "udp.checksum_calculated",
1354 FT_UINT16, BASE_HEX, NULL, 0x0,
1355 "The expected UDP checksum field as calculated from the UDP packet", HFILL }
1356 },
1357 { &hf_udp_checksum_status,
1358 { "Checksum Status", "udp.checksum.status",
1359 FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
1360 NULL, HFILL }
1361 },
1362 { &hf_udp_proc_src_uid,
1363 { "Source process user ID", "udp.proc.srcuid",
1364 FT_UINT32, BASE_DEC, NULL, 0x0,
1365 NULL, HFILL }
1366 },
1367 { &hf_udp_proc_src_pid,
1368 { "Source process ID", "udp.proc.srcpid",
1369 FT_UINT32, BASE_DEC, NULL, 0x0,
1370 NULL, HFILL }
1371 },
1372 { &hf_udp_proc_src_uname,
1373 { "Source process user name", "udp.proc.srcuname",
1374 FT_STRING, BASE_NONE, NULL, 0x0,
1375 NULL, HFILL }
1376 },
1377 { &hf_udp_proc_src_cmd,
1378 { "Source process name", "udp.proc.srccmd",
1379 FT_STRING, BASE_NONE, NULL, 0x0,
1380 "Source process command name", HFILL }
1381 },
1382 { &hf_udp_proc_dst_uid,
1383 { "Destination process user ID", "udp.proc.dstuid",
1384 FT_UINT32, BASE_DEC, NULL, 0x0,
1385 NULL, HFILL }
1386 },
1387 { &hf_udp_proc_dst_pid,
1388 { "Destination process ID", "udp.proc.dstpid",
1389 FT_UINT32, BASE_DEC, NULL, 0x0,
1390 NULL, HFILL }
1391 },
1392 { &hf_udp_proc_dst_uname,
1393 { "Destination process user name", "udp.proc.dstuname",
1394 FT_STRING, BASE_NONE, NULL, 0x0,
1395 NULL, HFILL }
1396 },
1397 { &hf_udp_proc_dst_cmd,
1398 { "Destination process name", "udp.proc.dstcmd",
1399 FT_STRING, BASE_NONE, NULL, 0x0,
1400 "Destination process command name", HFILL }
1401 },
1402 { &hf_udp_pdu_size,
1403 { "PDU Size", "udp.pdu.size",
1404 FT_UINT32, BASE_DEC, NULL, 0x0,
1405 "The size of this PDU", HFILL }
1406 },
1407 { &hf_udp_ts_relative,
1408 { "Time since first frame", "udp.time_relative",
1409 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
1410 "Time relative to first frame in this UDP stream", HFILL }
1411 },
1412 { &hf_udp_ts_delta,
1413 { "Time since previous frame", "udp.time_delta",
1414 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
1415 "Time delta from previous frame in this UDP stream", HFILL }
1416 },
1417 { &hf_udp_payload,
1418 { "Payload", "udp.payload",
1419 FT_BYTES, BASE_NONE, NULL, 0x0,
1420 NULL, HFILL }
1421 },
1422 };
1423
1424 static hf_register_info hf_udplite[] = {
1425 { &hf_udplite_checksum_coverage,
1426 { "Checksum coverage", "udp.checksum_coverage",
1427 FT_UINT16, BASE_DEC, NULL, 0x0,
1428 NULL, HFILL }
1429 },
1430 };
1431
1432 static int *ett[] = {
1433 &ett_udp,
1434 &ett_udp_checksum,
1435 &ett_udp_process_info,
1436 &ett_udp_timestamps
1437 };
1438
1439 static ei_register_info ei[] = {
1440 { &ei_udp_possible_traceroute, { "udp.possible_traceroute", PI_SEQUENCE, PI_CHAT, "Possible traceroute", EXPFILL }},
1441 { &ei_udp_length_bad, { "udp.length.bad", PI_MALFORMED, PI_ERROR, "Bad length value", EXPFILL }},
1442 { &ei_udplite_checksum_coverage_bad, { "udplite.checksum_coverage.bad", PI_MALFORMED, PI_ERROR, "Bad checksum coverage length value", EXPFILL }},
1443 { &ei_udp_checksum_zero, { "udp.checksum.zero", PI_CHECKSUM, PI_ERROR, "Illegal checksum value (0)", EXPFILL }},
1444 { &ei_udp_checksum_partial, { "udp.checksum.partial", PI_CHECKSUM, PI_NOTE, "Partial (pseudo header) checksum (likely caused by \"UDP checksum offload\")", EXPFILL }},
1445 { &ei_udp_checksum_bad, { "udp.checksum.bad", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
1446 { &ei_udp_length_bad_zero, { "udp.length.bad_zero", PI_PROTOCOL, PI_WARN, "Length is zero but payload < 65536", EXPFILL }},
1447 };
1448
1449 static build_valid_func udp_da_src_values[1] = {udp_src_value};
1450 static build_valid_func udp_da_dst_values[1] = {udp_dst_value};
1451 static build_valid_func udp_da_both_values[2] = {udp_src_value, udp_dst_value};
1452 static decode_as_value_t udp_da_values[3] = {{udp_src_prompt, 1, udp_da_src_values}, {udp_dst_prompt, 1, udp_da_dst_values}, {udp_both_prompt, 2, udp_da_both_values}};
1453 static decode_as_t udp_da = {"udp", "udp.port", 3, 2, udp_da_values, "UDP", "port(s) as",
1454 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
1455
1456 module_t *udp_module;
1457 module_t *udplite_module;
1458 expert_module_t* expert_udp;
1459
1460 proto_udp = proto_register_protocol("User Datagram Protocol", "UDP", "udp");
1461 proto_register_field_array(proto_udp, hf_udp, array_length(hf_udp));
1462 udp_handle = register_dissector("udp", dissect_udp, proto_udp);
1463 udp_cap_handle = register_capture_dissector("udp", capture_udp, proto_udp);
1464 expert_udp = expert_register_protocol(proto_udp);
1465
1466 proto_udplite = proto_register_protocol("Lightweight User Datagram Protocol", "UDP-Lite", "udplite");
1467 proto_register_field_array(proto_udplite, hf_udplite, array_length(hf_udplite));
1468 udplite_handle = register_dissector("udplite", dissect_udplite, proto_udplite);
1469 udplite_cap_handle = register_capture_dissector("udplite", capture_udp, proto_udplite);
1470
1471 proto_register_subtree_array(ett, array_length(ett));
1472 expert_register_field_array(expert_udp, ei, array_length(ei));
1473
1474 /* subdissector code */
1475 udp_dissector_table = register_dissector_table("udp.port", "UDP port", proto_udp, FT_UINT16, BASE_DEC);
1476 heur_subdissector_list = register_heur_dissector_list_with_description("udp", "UDP heuristic", proto_udp);
1477
1478 register_capture_dissector_table("udp.port", "UDP");
1479
1480 /* Register configuration preferences */
1481 udp_module = prefs_register_protocol(proto_udp, NULL);
1482 prefs_register_bool_preference(udp_module, "summary_in_tree",
1483 "Show UDP summary in protocol tree",
1484 "Whether the UDP summary line should be shown in the protocol tree",
1485 &udp_summary_in_tree);
1486 prefs_register_bool_preference(udp_module, "try_heuristic_first",
1487 "Try heuristic sub-dissectors first",
1488 "Try to decode a packet using an heuristic sub-dissector"
1489 " before using a sub-dissector registered to a specific port",
1490 &try_heuristic_first);
1491 prefs_register_bool_preference(udp_module, "check_checksum",
1492 "Validate the UDP checksum if possible",
1493 "Whether to validate the UDP checksum",
1494 &udp_check_checksum);
1495 prefs_register_bool_preference(udp_module, "ignore_ipv6_zero_checksum",
1496 "Ignore zero-value UDP checksums over IPv6",
1497 "Whether to ignore zero-value UDP checksums over IPv6",
1498 &udp_ignore_ipv6_zero_checksum);
1499 prefs_register_bool_preference(udp_module, "process_info",
1500 "Collect process flow information",
1501 "Collect process flow information from IPFIX",
1502 &udp_process_info);
1503 prefs_register_bool_preference(udp_module, "calculate_timestamps",
1504 "Calculate stream packet number and timestamps",
1505 "Calculate relative packet number and timestamps relative to the first frame and the previous frame in the udp conversation",
1506 &udp_calculate_ts);
1507
1508 udplite_module = prefs_register_protocol(proto_udplite, NULL);
1509 prefs_register_bool_preference(udplite_module, "ignore_checksum_coverage",
1510 "Ignore UDP-Lite checksum coverage",
1511 "Ignore an invalid checksum coverage field and continue dissection",
1512 &udplite_ignore_checksum_coverage);
1513 prefs_register_bool_preference(udplite_module, "check_checksum",
1514 "Validate the UDP-Lite checksum if possible",
1515 "Whether to validate the UDP-Lite checksum",
1516 &udplite_check_checksum);
1517 prefs_register_bool_preference(udplite_module, "calculate_timestamps",
1518 "Calculate stream packet number and timestamps",
1519 "Calculate relative packet number and timestamps relative to the first frame and the previous frame in the udp-lite conversation",
1520 &udplite_calculate_ts);
1521
1522 register_decode_as(&udp_da);
1523 register_conversation_table(proto_udp, false, udpip_conversation_packet, udpip_endpoint_packet);
1524 register_conversation_filter("udp", "UDP", udp_filter_valid, udp_build_filter_by_id, NULL);
1525 register_follow_stream(proto_udp, "udp_follow", udp_follow_conv_filter, udp_follow_index_filter, udp_follow_address_filter,
1526 udp_port_to_display, follow_tvb_tap_listener, get_udp_stream_count, NULL);
1527
1528 register_init_routine(udp_init);
1529
1530 udp_tap = register_tap("udp");
1531 udp_follow_tap = register_tap("udp_follow");
1532 }
1533
1534 void
1535 proto_reg_handoff_udp(void)
1536 {
1537
1538 dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_handle);
1539 dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_handle);
1540
1541 capture_dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_cap_handle);
1542 capture_dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_cap_handle);
1543
1544 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_4);
1545 }
1546
1547 /*
1548 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1549 *
1550 * Local variables:
1551 * c-basic-offset: 4
1552 * tab-width: 8
1553 * indent-tabs-mode: nil
1554 * End:
1555 *
1556 * vi: set shiftwidth=4 tabstop=8 expandtab:
1557 * :indentSize=4:tabSize=8:noTabs=true:
1558 */
Metzes wireshark repo