| blob | 97522a86c65323df1adbf99082387a06549bb631 |
1 /* packet-tcp.c
2 * Routines for TCP packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
13 #include <epan/packet.h>
14 #include <epan/capture_dissectors.h>
15 #include <epan/exceptions.h>
16 #include <epan/addr_resolv.h>
17 #include <epan/ipproto.h>
18 #include <epan/expert.h>
19 #include <epan/ip_opts.h>
20 #include <epan/follow.h>
21 #include <epan/prefs.h>
22 #include <epan/show_exception.h>
23 #include <epan/conversation_table.h>
24 #include <epan/conversation_filter.h>
25 #include <epan/sequence_analysis.h>
26 #include <epan/reassemble.h>
27 #include <epan/decode_as.h>
28 #include <epan/exported_pdu.h>
29 #include <epan/in_cksum.h>
30 #include <epan/proto_data.h>
31 #include <epan/tfs.h>
32 #include <epan/unit_strings.h>
34 #include <wsutil/array.h>
35 #include <wsutil/utf8_entities.h>
36 #include <wsutil/str_util.h>
37 #include <wsutil/wsgcrypt.h>
38 #include <wsutil/pint.h>
39 #include <wsutil/ws_assert.h>
52 /* Place TCP summary in proto tree */
60 }
62 #define MPTCP_DSS_FLAG_DATA_ACK_PRESENT 0x01
63 #define MPTCP_DSS_FLAG_DATA_ACK_8BYTES 0x02
64 #define MPTCP_DSS_FLAG_MAPPING_PRESENT 0x04
65 #define MPTCP_DSS_FLAG_DSN_8BYTES 0x08
66 #define MPTCP_DSS_FLAG_DATA_FIN_PRESENT 0x10
68 /*
69 * Flag to control whether to check the TCP checksum.
70 *
71 * In at least some Solaris network traces, there are packets with bad
72 * TCP checksums, but the traffic appears to indicate that the packets
73 * *were* received; the packets were probably sent by the host on which
74 * the capture was being done, on a network interface to which
75 * checksumming was offloaded, so that DLPI supplied an un-checksummed
76 * packet to the capture program but a checksummed packet got put onto
77 * the wire.
78 */
81 /*
82 * Window scaling values to be used when not known (set as a preference) */
86 WindowScaling_1,
87 WindowScaling_2,
88 WindowScaling_3,
89 WindowScaling_4,
90 WindowScaling_5,
91 WindowScaling_6,
92 WindowScaling_7,
93 WindowScaling_8,
94 WindowScaling_9,
95 WindowScaling_10,
96 WindowScaling_11,
97 WindowScaling_12,
98 WindowScaling_13,
99 WindowScaling_14
100 };
102 /*
103 * Analysis overriding values to be used when not satisfied by the automatic
104 * result. (Accessed through preferences but not stored as a preference)
105 */
108 OverrideAnalysis_1,
109 OverrideAnalysis_2,
110 OverrideAnalysis_3,
111 OverrideAnalysis_4
112 };
114 /*
115 * Using enum instead of boolean make API easier
116 */
118 DSN_CONV_64_TO_32,
119 DSN_CONV_32_TO_64,
120 DSN_CONV_NONE
121 } ;
123 #define MPTCP_TCPRST_FLAG_T_PRESENT 0x1
124 #define MPTCP_TCPRST_FLAG_W_PRESENT 0x2
125 #define MPTCP_TCPRST_FLAG_V_PRESENT 0x4
126 #define MPTCP_TCPRST_FLAG_U_PRESENT 0x8
137 };
490 /* static expert_field ei_mptcp_analysis_unexpected_idsn; */
496 /* static expert_field ei_mptcp_stream_incomplete; */
497 /* static expert_field ei_mptcp_analysis_dsn_out_of_order; */
499 /* Some protocols such as encrypted DCE/RPCoverHTTP have dependencies
500 * from one PDU to the next PDU and require that they are called in sequence.
501 * These protocols would not be able to handle PDUs coming out of order
502 * or for example when a PDU is seen twice, like for retransmissions.
503 * This preference can be set for such protocols to make sure that we don't
504 * invoke the subdissectors for retransmitted or out-of-order segments.
505 */
508 /* Enable buffering of out-of-order TCP segments before passing it to a
509 * subdissector (depends on "tcp_desegment"). */
512 /*
513 * FF: https://www.rfc-editor.org/rfc/rfc6994.html
514 * With this flag set we assume the option structure for experimental
515 * codepoints (253, 254) has an Experiment Identifier (ExID), which is
516 * the first 16-bit field after the Kind and Length.
517 * The ExID is used to differentiate different experiments and thus will
518 * be used in data dissection.
519 */
522 /*
523 * This flag indicates which of Fast Retransmission or Out-of-Order
524 * interpretation should supersede when analyzing an ambiguous packet as
525 * things are not always clear. The user is authorized to change this
526 * behavior.
527 * When set, we keep the historical interpretation (Fast RT > OOO)
528 */
531 /* Process info, currently discovered via IPFIX */
534 /* Read the sequence number as syn cookie */
537 /*
538 * TCP option
539 */
546 #define TCPOPT_ECHO 6
547 #define TCPOPT_ECHOREPLY 7
549 #define TCPOPT_CC 11
550 #define TCPOPT_CCNEW 12
551 #define TCPOPT_CCECHO 13
566 /* Non IANA registered option numbers */
570 /*
571 * TCP option lengths
572 */
573 #define TCPOLEN_MSS 4
574 #define TCPOLEN_WINDOW 3
575 #define TCPOLEN_SACK_PERM 2
576 #define TCPOLEN_SACK_MIN 2
577 #define TCPOLEN_ECHO 6
578 #define TCPOLEN_ECHOREPLY 6
579 #define TCPOLEN_TIMESTAMP 10
580 #define TCPOLEN_CC 6
581 #define TCPOLEN_CCNEW 6
582 #define TCPOLEN_CCECHO 6
583 #define TCPOLEN_MD5 18
584 #define TCPOLEN_SCPS 4
585 #define TCPOLEN_SNACK 6
586 #define TCPOLEN_RECBOUND 2
587 #define TCPOLEN_CORREXP 2
588 #define TCPOLEN_QS 8
589 #define TCPOLEN_USER_TO 4
590 #define TCPOLEN_MPTCP_MIN 3
591 #define TCPOLEN_TFO_MIN 2
592 #define TCPOLEN_RVBD_PROBE_MIN 3
593 #define TCPOLEN_RVBD_TRPY_MIN 16
594 #define TCPOLEN_EXP_MIN 4
596 /*
597 * TCP Experimental Option Experiment Identifiers (TCP ExIDs)
598 * See: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-exids
599 * Wireshark only supports 16-bit ExIDs
600 */
602 #define TCPEXID_TARR 0x00ac
603 #define TCPEXID_HOST_ID 0x0348
604 #define TCPEXID_ASC 0x0a0d
605 #define TCPEXID_CAPABILITY 0x0ca0
606 #define TCPEXID_EDO 0x0ed0
607 #define TCPEXID_ENO 0x454e
608 #define TCPEXID_SNO 0x5323
610 #define TCPEXID_ACC_ECN_0 0xacc0
611 #define TCPEXID_ACC_ECN_1 0xacc1
612 #define TCPEXID_ACC_ECN 0xacce
614 #define TCPEXID_FO 0xf989
615 #define TCPEXID_LOW_LATENCY 0xf990
617 /*
618 * Multipath TCP subtypes
619 */
630 /*
631 * Conversation Completeness values
632 */
642 };
684 };
703 };
705 /* not all of the hf_fields below make sense for TCP but we have to provide
706 them anyways to comply with the API (which was aimed for IP fragment
707 reassembly) */
722 "Segments"
723 };
737 };
739 /* Source https://support.citrix.com/article/CTX200852/citrix-adc-netscaler-reset-codes-reference
740 Dates of source: Created: 31 Mar 2015 | Modified: 21 Jan 2023
741 Date of last dictionary update: 2024/07/11
742 NOTE: When updating don't just overwrite the dictionary, the definitions below are more polished than the ones in the CTX. */
745 { 8201, "NSDBG_RST_SSTRAY: This reset code is triggered when packets are received on a socket that has already been closed. For example, if a client computer continues transmitting after receiving a RST code for other reasons, then it receives this RST code for the subsequent packets." },
746 { 8202, "NSDBG_RST_CSTRAY: This code is triggered when the NetScaler appliance receives data through a connection, which does not have a PCB, and its SYN cookie has expired." },
749 { 8206, "Received a bad packet in TCPS_SYN_SENT state (non RST packet). Usually happens if the 4 tuples are reused and you receive packet from the old connection." },
750 { 8207, "Received SYN on established connection which is within the window. Protects from spoofing attacks." },
751 { 8208, "Resets the connection when you receive more than the configured value of duplicate retransmissions." },
754 { 8211, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
755 { 8212, "Stray packet (no listening service or listening service is present but SYN cookie does not match or there is no corresponding connection information). 8212 is specifically for SYN stray packets." },
758 { 9100, "NSDBG_RST_ORP: This code refers to an orphan HTTP connection. Probably, a connection where data is initially seen either from the server or client, but stopped because of some reason, without closing the TCP session. It indicates that the client request was not properly terminated. Therefore, the NetScaler appliance waits for the request to be completed. After a timeout, the NetScaler appliance resets the connection with the code 9100." },
759 { 9201, "HTTP connection multiplexing error. Server sent response packets belonging to previous transaction." },
760 { 9202, "NSDBG_RST_LERRCDM: CDM refers to Check Data Mixing. This reset code is set when there is a TCP sequence mismatch in the first data packet, arriving from a recently reused server connection." },
761 { 9203, "NSDBG_RST_CLT_CHK_MIX: This code refers to the server sending a FIN for a previous client over a reused connection." },
762 { 9205, "NSDBG_RST_CHUNK_FAIL: This code indicates that the NetScaler appliance experienced issues with the chunked encoding in the HTTP response from the server." },
776 { 9222, "This is sent when the response is RFC non-compliant. The issue is caused by both Content-Length and Transfer-Encoding in response being invalid, which may lead to a variety of attacks and leads to the reset." },
777 { 9300, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
778 { 9301, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
779 { 9302, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
780 { 9303, "NSDBG_RST_ZSSSR: This code refers to an idle timeout or a zombie timeout. This code is set by the zombie connection cleanup routine, a connection has timed out. When the status of a service is down, existing TCP connections to that service are reset with this code (TCP window size 9300/9301, zombie timer). If the NetScaler appliance receives a segment from one of these connections, which is already reset, send another reset (TCP window size 8201, stray packet)." },
781 { 9304, "NSDBG_RST_LINK_GIVEUPS: This reset code might be part of a backend-persistence mechanism, which is used to free resources on the NetScaler. By default, the NetScaler uses a zero window probe 7 times before giving up and resetting the connection. By disabling this mechanism, the appliance holds the sessions without this limit. The following is the command to disable the persistence probe limit: root@ns# nsapimgr -ys limited_persistprobe=0 The default value is 1, which limits to 7 probes, which is around 2 minutes. Setting the value to zero disables it and keeps the session open as long as the server sends an ACK signal in response to the probes." },
789 { 9400, "Reset server connection which are in reusepool and are not reusable because of TCP or Session level properties. Usually this is done when we need to open new connections but there is limit on connection we can open to the server and there are some already built up connections which are not reusable." },
790 { 9401, "When you reach maximum system capacity flushing existing connections based time order to accommodate new connections. Or when we remove an configured entity which as associated connections those connection will be reset." },
803 { 9601, "Reset when Number of data packets with Sequence ACK mismatch > nscfg_max_orphan_pkts." },
805 { 9700, "NSDBG_RST_PASS: This code indicates that the NetScaler appliance receives a TCP RST code from either the client or the server, and is transferring it. For example, the back end server sends a RST code, and the NetScaler appliance forwards it to the client with this code." },
806 { 9701, "NSDBG_RST_NEST / NSDBG_RST_ACK_PASS: The NetScaler software release 9.1 and the later versions, this code indicates #define NSBE_DBG_RST_ACK_PASS. It indicates that a RST code was forwarded as in the preceding RST code 9700, and the ACK flag was also set." },
809 { 9800, "NSDBG_RST_PROBE: This connections used for monitoring the service are reset due to timeout." },
811 { 9811, "NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet." },
814 { 9814, "NSDBG_RST_PETRIGGER: This reset code is used when a request or response matches a Policy Engine policy, whose action is RESET." },
816 { 9817, "SSL connection received at the time of bound certificate changing (configuration change)." },
822 { 9823, "Reset when the NSC_AAAC cookie is malformed in a request or /vpn/apilogin.html request does not have a query part, memory allocation failures in certificate processing." },
824 { 9825, "DBG_WRONG_GSLBRECDLEN: This code is a GSLB MEP error reset code, typically between mixed versions." },
836 { 9838, "NSBE_DBG_RST_SSL_BAD_RECORD: This code refers to error looking up SSL record when handling a request or a response." },
857 { 9860, "The pcb->link of this connection was cleaned for some reason, so resetting this PCB." },
860 { 9863, "Reset to old connection when new connection is established and old one is still not freed." },
889 { 9903, "GSLB feature is disabled. Donot accept any connections and close any existing ones." },
918 { 9973, "Reset on rest of SF after fallback to infinite map as only one SF should be present." },
960 };
976 /*
977 * Maps an MPTCP token to a mptcp_analysis structure
978 * Collisions are not handled
979 */
987 NULL
988 };
996 NULL
997 };
1001 NULL
1002 };
1010 NULL
1011 };
1018 NULL
1019 };
1023 static uint8_t
1025 {
1031 }
1034 }
1037 }
1039 }
1043 {
1044 static const char flags[][4] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "AE" };
1046 const int maxlength = 64; /* upper bounds, max 53B: 8 * 3 + 2 + strlen("Reserved") + 9 * 2 + 1 */
1061 }
1062 }
1067 }
1073 }
1079 }
1083 {
1090 /* upper three bytes are marked as reserved ('R'). */
1097 }
1103 }
1104 }
1105 }
1108 }
1110 /*
1111 * Print the first letter of each flag set, or the dot character otherwise
1112 */
1115 {
1120 else
1125 else
1130 else
1135 else
1140 else
1145 else
1149 }
1151 static void
1153 {
1154 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));
1157 }
1161 {
1163 }
1165 static void
1167 {
1168 uint32_t port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1171 }
1175 {
1177 }
1179 static void
1181 {
1182 uint32_t srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num)),
1183 destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));
1184 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
1185 }
1188 {
1201 }
1208 }
1215 }
1222 }
1225 }
1229 /*
1230 * callback function for conversation stats
1231 */
1233 {
1238 else
1240 }
1242 static tap_packet_status
1243 tcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1244 {
1250 add_conversation_table_data_extended(hash, &tcphdr->ip_src, &tcphdr->ip_dst, tcphdr->th_sport, tcphdr->th_dport, (conv_id_t) tcphdr->th_stream, 1, pinfo->fd->pkt_len,
1251 &pinfo->rel_ts, &pinfo->abs_ts, &tcp_ct_dissector_info, CONVERSATION_TCP, (uint32_t)pinfo->num, tcp_conv_cb_update);
1255 }
1257 static tap_packet_status
1258 mptcpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1259 {
1271 }
1273 static const char* tcp_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter)
1274 {
1286 }
1293 }
1300 }
1307 }
1310 }
1314 static tap_packet_status
1315 tcpip_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
1316 {
1322 /* Take two "add" passes per packet, adding for each direction, ensures that all
1323 packets are counted properly (even if address is sending to itself)
1324 XXX - this could probably be done more efficiently inside endpoint_table */
1325 add_endpoint_table_data(hash, &tcphdr->ip_src, tcphdr->th_sport, true, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1326 add_endpoint_table_data(hash, &tcphdr->ip_dst, tcphdr->th_dport, false, 1, pinfo->fd->pkt_len, &tcp_endpoint_dissector_info, ENDPOINT_TCP);
1329 }
1331 static bool
1333 {
1335 }
1339 {
1341 }
1344 /****************************************************************************/
1345 /* whenever a TCP packet is seen by the tap listener */
1346 /* Add a new tcp frame into the graph */
1347 static tap_packet_status
1348 tcp_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *tcp_info, tap_flags_t tapflags _U_)
1349 {
1367 }
1370 }
1376 else
1386 }
1389 char *tcp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, unsigned *stream, unsigned *sub_stream _U_)
1390 {
1394 /* XXX: Since TCP doesn't use the endpoint API, we can only look
1395 * up using the current pinfo addresses and ports. We don't want
1396 * to create a new conversation or new TCP stream.
1397 * Eventually the endpoint API should support storing multiple
1398 * endpoints and TCP should be changed to use the endpoint API.
1399 */
1405 {
1406 /* TCP over IPv4/6 */
1413 }
1416 }
1419 {
1421 }
1423 char *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
1424 {
1433 "(ip%s.dst eq %s and tcp.dstport eq %d))"
1434 " or "
1435 "((ip%s.src eq %s and tcp.srcport eq %d) and "
1442 }
1445 {
1452 /*
1453 * Tries to apply segments from fragments list to the reconstructed payload.
1454 * Fragments that can be appended to the end of the payload will be applied (and
1455 * removed from the list). Fragments that should have been received (according
1456 * to the ack number) will also be appended to the payload (preceded by some
1457 * dummy data to mark packet loss if any).
1458 *
1459 * Returns true if one fragment has been applied or false if no more fragments
1460 * can be added to the payload (there might still be unacked fragments with
1461 * missing segments before them).
1462 */
1463 static bool
1464 check_follow_fragments(follow_info_t *follow_info, bool is_server, uint32_t acknowledged, uint32_t packet_num, bool use_ack)
1465 {
1479 {
1484 }
1488 /* this sequence number seems dated, but
1489 check the end to make sure it has no more
1490 info than we have already seen */
1495 /* this one has more than we have seen. let's get the
1496 payload that we have not seen. This happens when
1497 part of this frame has been retransmitted */
1513 new_frag_size);
1516 }
1519 }
1521 /* Remove the fragment from the list as the "new" part of it
1522 * has been processed or its data has been seen already in
1523 * another packet. */
1526 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1528 }
1531 /* this fragment fits the stream */
1534 }
1537 follow_info->fragments[is_server] = g_list_delete_link(follow_info->fragments[is_server], fragment_entry);
1539 }
1540 }
1543 /* There are frames missing in the capture file that were seen
1544 * by the receiving host. Add dummy stream chunk with the data
1545 * "[xxx bytes missing in capture file]".
1546 */
1549 // XXX the dummy replacement could be larger than the actual missing bytes.
1564 }
1567 }
1569 static tap_packet_status
1572 {
1585 sequence++;
1586 }
1593 }
1595 is_server = !(addresses_equal(&follow_info->client_ip, &pinfo->src) && follow_info->client_port == pinfo->srcport);
1597 /* Check whether this frame ACKs fragments in flow from the other direction.
1598 * This happens when frames are not in the capture file, but were actually
1599 * seen by the receiving host (Fixes bug 592).
1600 */
1602 while (check_follow_fragments(follow_info, !is_server, follow_data->tcph->th_ack, pinfo->fd->num, true));
1603 }
1605 /*
1606 * If this is the first segment of this stream, initialize the next expected
1607 * sequence number. If there is any data, it will be added below.
1608 */
1611 }
1613 /* We have already seen this src (and received some segments), let's figure
1614 * out whether this segment extends the stream or overlaps a previous gap. */
1616 /* This sequence number seems dated, but check the end in case it was a
1617 * retransmission with more data. */
1620 /* The begin of the segment was already seen, try to add the
1621 * remaining data that we have not seen to the payload. */
1627 }
1631 }
1632 }
1633 /*
1634 * Ignore segments that have no new data (either because it was empty, or
1635 * because it was fully overlapping with previously received data).
1636 */
1639 }
1648 data_length);
1651 /* The segment overlaps or extends the previous end of stream. */
1656 /* done with the packet, see if it caused a fragment to fit */
1659 /* Out of order packet (more preceding segments are expected). */
1660 follow_info->fragments[is_server] = g_list_append(follow_info->fragments[is_server], follow_record);
1661 }
1663 }
1665 #define EXP_PDU_TCP_INFO_DATA_LEN 20
1666 #define EXP_PDU_TCP_INFO_VERSION 1
1667 #define EXP_PDU_TAG_TCP_STREAM_ID_LEN 4
1670 {
1672 }
1674 static int exp_pdu_tcp_dissector_data_populate_data(packet_info *pinfo _U_, void* data, uint8_t *tlv_buffer, uint32_t buffer_size _U_)
1675 {
1689 }
1693 {
1694 /* Check to see if the tvb we're planning on exporting PDUs from was
1695 * dissected fully, or whether it requested further desegmentation.
1696 * This should only matter on the first pass (so in one-pass tshark.)
1697 */
1699 /* Desegmentation was requested. How much did we desegment here?
1700 * The rest, presumably, will be handled in another frame.
1701 */
1703 /* We couldn't, in fact, dissect any of it. */
1705 }
1707 }
1709 }
1711 static void
1712 handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, uint32_t port, struct tcpinfo *tcpinfo)
1713 {
1718 }
1719 exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
1720 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1731 NULL
1732 };
1739 exp_pdu_data = export_pdu_create_tags(pinfo, "tcp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, tcp_exp_pdu_items);
1744 /* match uint is restored after calling dissector, so in order to have the right value in exported PDU
1745 * we need to set it here.
1746 */
1748 }
1749 }
1751 static void
1752 handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry, struct tcpinfo *tcpinfo)
1753 {
1760 }
1765 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1774 NULL
1775 };
1779 exp_pdu_data = export_pdu_create_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_DISSECTOR_NAME, tcp_exp_pdu_items);
1780 }
1788 }
1789 }
1790 }
1792 static void
1793 handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int src_port, int dst_port, struct tcpinfo *tcpinfo)
1794 {
1799 }
1800 conversation_t *conversation = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, CONVERSATION_TCP, src_port, dst_port, 0);
1802 {
1803 dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
1805 {
1806 exp_pdu_data_item_t exp_pdu_data_dissector_data = {exp_pdu_tcp_dissector_data_size, exp_pdu_tcp_dissector_data_populate_data, NULL};
1815 NULL
1816 };
1822 exp_pdu_data = export_pdu_create_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_DISSECTOR_NAME, tcp_exp_pdu_items);
1828 }
1829 }
1830 }
1831 }
1833 /*
1834 * display the TCP Conversation Completeness
1835 * we of course pay much attention on complete conversations but also incomplete ones which
1836 * have a regular start, as in practice we are often looking for such thing
1837 */
1839 {
1845 TCP_COMPLETENESS_SYNACK):
1849 TCP_COMPLETENESS_SYNACK|
1850 TCP_COMPLETENESS_ACK):
1854 TCP_COMPLETENESS_SYNACK|
1855 TCP_COMPLETENESS_ACK|
1856 TCP_COMPLETENESS_DATA):
1860 TCP_COMPLETENESS_SYNACK|
1861 TCP_COMPLETENESS_ACK|
1862 TCP_COMPLETENESS_DATA|
1863 TCP_COMPLETENESS_FIN):
1865 TCP_COMPLETENESS_SYNACK|
1866 TCP_COMPLETENESS_ACK|
1867 TCP_COMPLETENESS_DATA|
1868 TCP_COMPLETENESS_RST):
1870 TCP_COMPLETENESS_SYNACK|
1871 TCP_COMPLETENESS_ACK|
1872 TCP_COMPLETENESS_DATA|
1873 TCP_COMPLETENESS_FIN|
1874 TCP_COMPLETENESS_RST):
1878 TCP_COMPLETENESS_SYNACK|
1879 TCP_COMPLETENESS_ACK|
1880 TCP_COMPLETENESS_FIN):
1882 TCP_COMPLETENESS_SYNACK|
1883 TCP_COMPLETENESS_ACK|
1884 TCP_COMPLETENESS_RST):
1886 TCP_COMPLETENESS_SYNACK|
1887 TCP_COMPLETENESS_ACK|
1888 TCP_COMPLETENESS_FIN|
1889 TCP_COMPLETENESS_RST):
1895 }
1896 }
1898 /* TCP structs and definitions */
1900 /* **************************************************************************
1901 * RTT, relative sequence numbers, window scaling & etc.
1902 * **************************************************************************/
1915 #define TCP_A_RETRANSMISSION 0x0001
1916 #define TCP_A_LOST_PACKET 0x0002
1917 #define TCP_A_ACK_LOST_PACKET 0x0004
1918 #define TCP_A_KEEP_ALIVE 0x0008
1919 #define TCP_A_DUPLICATE_ACK 0x0010
1920 #define TCP_A_ZERO_WINDOW 0x0020
1921 #define TCP_A_ZERO_WINDOW_PROBE 0x0040
1922 #define TCP_A_ZERO_WINDOW_PROBE_ACK 0x0080
1923 #define TCP_A_KEEP_ALIVE_ACK 0x0100
1924 #define TCP_A_OUT_OF_ORDER 0x0200
1925 #define TCP_A_FAST_RETRANSMISSION 0x0400
1926 #define TCP_A_WINDOW_UPDATE 0x0800
1927 #define TCP_A_WINDOW_FULL 0x1000
1928 #define TCP_A_REUSED_PORTS 0x2000
1929 #define TCP_A_SPURIOUS_RETRANSMISSION 0x4000
1931 /* This flag for desegment_tcp to exclude segments with previously
1932 * seen sequence numbers.
1933 * It is from the perspective of Wireshark's reassembler, whereas
1934 * the other flags above are from the perspective of the sender.
1935 * (E.g., TCP_A_RETRANSMISSION or TCP_A_SPURIOUS_RETRANSMISSION
1936 * can be set even when first appearance in the capture file.)
1937 */
1938 #define TCP_A_OLD_DATA 0x8000
1940 /* Static TCP flags. Set in tcp_flow_t:static_flags */
1941 #define TCP_S_BASE_SEQ_SET 0x01
1942 #define TCP_S_SAW_SYN 0x03
1943 #define TCP_S_SAW_SYNACK 0x05
1946 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1947 #define MPTCP_META_HAS_BASE_DSN_MSB 0x01
1948 #define MPTCP_META_HAS_KEY 0x03
1949 #define MPTCP_META_HAS_TOKEN 0x04
1950 #define MPTCP_META_HAS_ADDRESSES 0x08
1952 /* Describe the fields sniffed and set in mptcp_meta_flow_t:static_flags */
1953 #define MPTCP_SUBFLOW_HAS_NONCE 0x01
1954 #define MPTCP_SUBFLOW_HAS_ADDRESS_ID 0x02
1956 /* MPTCP meta analysis related */
1957 #define MPTCP_META_CHECKSUM_REQUIRED 0x0002
1959 /* if we have no key for this connection, some conversion become impossible,
1960 * thus return false
1961 */
1962 static
1963 bool
1964 mptcp_convert_dsn(uint64_t dsn, mptcp_meta_flow_t *meta, enum mptcp_dsn_conversion conv, bool relative, uint64_t *result ) {
1968 /* if relative is set then we need the 64 bits version anyway
1969 * we assume no wrapping was done on the 32 lsb so this may be wrong for elephant flows
1970 */
1974 /* can't do those without the expected_idsn based on the key */
1976 }
1977 }
1981 }
1985 }
1989 }
1992 }
1995 static void
2004 {
2007 /* Initialize the tcp protocol data structure to add to the tcp conversation */
2020 }
2022 /* Only allocate the data if its actually going to be analyzed */
2024 {
2025 tcpd->flow1.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2026 tcpd->flow2.tcp_analyze_seq_info = wmem_new0(wmem_file_scope(), struct tcp_analyze_seq_flow_info_t);
2027 }
2028 /* Only allocate the data if its actually going to be displayed */
2030 {
2033 }
2058 }
2060 /* setup meta as well */
2061 static void
2063 {
2070 }
2073 /* add a new subflow to an mptcp connection */
2074 static void
2079 }
2081 /* in case we merge 2 mptcp connections */
2083 }
2087 {
2090 /* Get the data for this conversation */
2094 }
2098 {
2103 /* Did the caller supply the conversation pointer? */
2105 /* If the caller didn't supply a conversation, don't
2106 * clear the analysis, it may be needed */
2109 }
2111 /* Get the data for this conversation */
2115 /* if the addresses are equal, match the ports instead */
2118 }
2119 /* If the conversation was just created or it matched a
2120 * conversation with template options, tcpd will not
2121 * have been initialized. So, initialize
2122 * a new tcpd structure for the conversation.
2123 */
2127 }
2131 }
2133 /* check direction and get ua lists */
2140 }
2144 }
2146 }
2148 /* Attach process info to a flow */
2149 /* XXX - We depend on the TCP dissector finding the conversation first */
2150 void
2151 add_tcp_process_info(uint32_t frame_num, address *local_addr, address *remote_addr, uint16_t local_port, uint16_t remote_port, uint32_t uid, uint32_t pid, char *username, char *command) {
2159 conv = find_conversation(frame_num, local_addr, remote_addr, CONVERSATION_TCP, local_port, remote_port, 0);
2162 }
2167 }
2169 if (cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0 && local_port == conversation_key_port1(conv->key_ptr)) {
2171 } else if (cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0 && remote_port == conversation_key_port1(conv->key_ptr)) {
2173 }
2176 }
2185 }
2187 /* Return the current stream count */
2189 {
2191 }
2193 /* Return the mptcp current stream count */
2195 {
2197 }
2199 /* Calculate the timestamps relative to this conversation */
2200 static void
2203 {
2207 }
2212 /* pre-increment so packet numbers start at 1 */
2220 }
2222 /* Add a subtree with the timestamps relative to this conversation */
2223 static void
2224 tcp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2225 {
2228 nstime_t ts;
2241 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
2247 }
2248 }
2250 static void
2251 print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)
2252 {
2259 }
2261 /* if we know that a PDU starts inside this segment, return the adjusted
2262 offset to where that PDU starts or just return offset back
2263 and let TCP try to find out what it can about this segment
2264 */
2265 static int
2266 scan_for_next_pdu(tvbuff_t *tvb, proto_tree *tcp_tree, packet_info *pinfo, int offset, uint32_t seq, uint32_t nxtseq, wmem_tree_t *multisegment_pdus)
2267 {
2273 /* If this is a continuation of a PDU started in a
2274 * previous segment we need to update the last_frame
2275 * variables.
2276 */
2281 }
2283 /* If this segment is completely within a previous PDU
2284 * then we just skip this packet
2285 */
2288 }
2292 }
2294 }
2296 /* First we try to find the start and transfer time for a PDU.
2297 * We only print this for the very first segment of a PDU
2298 * and only for PDUs spanning multiple segments.
2299 * Se we look for if there was any multisegment PDU started
2300 * just BEFORE the end of this segment. I.e. either inside this
2301 * segment or in a previous segment.
2302 * Since this might also match PDUs that are completely within
2303 * this segment we also verify that the found PDU does span
2304 * beyond the end of this segment.
2305 */
2310 nstime_t ns;
2319 }
2320 }
2322 /* Second we check if this segment is part of a PDU started
2323 * prior to the segment (seq-1)
2324 */
2327 /* If this segment is completely within a previous PDU
2328 * then we just skip this packet
2329 */
2333 }
2338 }
2339 }
2341 }
2343 }
2345 /* if we saw a PDU that extended beyond the end of the segment,
2346 use this function to remember where the next pdu starts
2347 */
2349 pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, uint32_t seq, uint32_t nxtpdu, wmem_tree_t *multisegment_pdus)
2350 {
2362 /*ws_warning("pdu_store_sequencenumber_of_next_pdu: seq %u", seq);*/
2364 }
2366 /* This is called for SYN and SYN+ACK packets and the purpose is to verify
2367 * that we have seen window scaling in both directions.
2368 * If we can't find window scaling being set in both directions
2369 * that means it was present in the SYN but not in the SYN+ACK
2370 * (or the SYN was missing) and then we disable the window scaling
2371 * for this tcp session.
2372 */
2373 static void
2375 {
2377 /* We know window scaling will not be used as:
2378 * a) this is the SYN and it does not have the WS option
2379 * (we set the reverse win_scale also in case we miss
2380 * the SYN/ACK)
2381 * b) this is the SYN/ACK and either the SYN packet has not
2382 * been seen or it did have the WS option. As the SYN/ACK
2383 * does not have the WS option, window scaling will not be used.
2384 *
2385 * Setting win_scale to -2 to indicate that we can
2386 * trust the window_size value in the TCP header.
2387 */
2392 /* The SYN/ACK has the WS option, while the SYN did not,
2393 * this should not happen, but the endpoints will not
2394 * have used window scaling, so we will neither
2395 */
2397 }
2398 }
2400 /* given a tcpd, returns the mptcp_subflow that sides with meta */
2403 {
2404 /* select the tcp_flow with appropriate direction */
2407 }
2410 }
2411 }
2413 /* if we saw a window scaling option, store it for future reference
2414 */
2415 static void
2417 {
2420 }
2422 /* when this function returns, it will (if createflag) populate the ta pointer.
2423 */
2424 static void
2425 tcp_analyze_get_acked_struct(uint32_t frame, uint32_t seq, uint32_t ack, bool createflag, struct tcp_analysis *tcpd)
2426 {
2444 }
2450 }
2451 }
2455 /* fwd contains a list of all segments processed but not yet ACKed in the
2456 * same direction as the current segment.
2457 * rev contains a list of all segments received but not yet ACKed in the
2458 * opposite direction to the current segment.
2459 *
2460 * New segments are always added to the head of the fwd/rev lists.
2461 *
2462 * Changes below should be synced with ChAdvTCPAnalysis in the User's
2463 * Guide: doc/wsug_src/WSUG_chapter_advanced.adoc
2464 */
2465 static void
2466 tcp_analyze_sequence_number(packet_info *pinfo, uint32_t seq, uint32_t ack, uint32_t seglen, uint16_t flags, uint32_t window, struct tcp_analysis *tcpd, struct tcp_per_packet_data_t *tcppd)
2467 {
2472 #if 0
2474 printf("FWD list lastflags:0x%04x base_seq:%u: nextseq:%u lastack:%u\n",tcpd->fwd->lastsegmentflags,tcpd->fwd->base_seq,tcpd->fwd->tcp_analyze_seq_info->nextseq,tcpd->rev->tcp_analyze_seq_info->lastack);
2477 printf("REV list lastflags:0x%04x base_seq:%u nextseq:%u lastack:%u\n",tcpd->rev->lastsegmentflags,tcpd->rev->base_seq,tcpd->rev->tcp_analyze_seq_info->nextseq,tcpd->fwd->tcp_analyze_seq_info->lastack);
2480 #endif
2484 }
2488 }
2490 /* ZERO WINDOW PROBE
2491 * it is a zero window probe if
2492 * the sequence number is the next expected one
2493 * the window in the other direction is 0
2494 * the segment is exactly 1 byte
2495 */
2501 }
2504 }
2507 /* ZERO WINDOW
2508 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
2509 */
2514 }
2516 }
2519 /* LOST PACKET
2520 * If this segment is beyond the last seen nextseq we must
2521 * have missed some previous segment
2522 *
2523 * We only check for this if we have actually seen segments prior to this
2524 * one.
2525 * RST packets are not checked for this.
2526 */
2532 }
2535 /* Disable BiF until an ACK is seen in the other direction */
2537 }
2540 /* KEEP ALIVE
2541 * a keepalive contains 0 or 1 bytes of data and starts one byte prior
2542 * to what should be the next sequence number.
2543 * SYN/FIN/RST segments are never keepalives
2544 */
2550 }
2552 }
2554 /* WINDOW UPDATE
2555 * A window update is a 0 byte segment with the same SEQ/ACK numbers as
2556 * the previous seen segment and with a new window value
2557 */
2559 && window
2566 }
2568 }
2571 /* WINDOW FULL
2572 * If we know the window scaling
2573 * and if this segment contains data and goes all the way to the
2574 * edge of the advertised window
2575 * then we mark it as WINDOW FULL
2576 * SYN/RST/FIN packets are never WINDOW FULL
2577 */
2580 && (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
2584 }
2586 }
2589 /* KEEP ALIVE ACK
2590 * It is a keepalive ack if it repeats the previous ACK and if
2591 * the last segment in the reverse direction was a keepalive
2592 */
2594 && window
2602 }
2605 }
2608 /* ZERO WINDOW PROBE ACK
2609 * It is a zerowindowprobe ack if it repeats the previous ACK and if
2610 * the last segment in the reverse direction was a zerowindowprobe
2611 * It also repeats the previous zero window indication
2612 */
2617 && (ack==tcpd->fwd->tcp_analyze_seq_info->lastack || EQ_SEQ(ack,tcpd->fwd->tcp_analyze_seq_info->lastack+1))
2622 }
2625 /* Some receivers consume that extra byte brought in the PROBE,
2626 * but it was too early to know that during the WINDOW PROBE analysis.
2627 * Do it now by moving the rev nextseq & maxseqtobeacked.
2628 * See issue 10745.
2629 */
2633 }
2635 }
2638 /* DUPLICATE ACK
2639 * It is a duplicate ack if window/seq/ack is the same as the previous
2640 * segment and if the segment length is 0
2641 */
2643 && window
2649 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
2651 /* just ignore this DUPLICATE ACK */
2657 }
2661 }
2662 }
2666 finished_fwd:
2667 /* If the ack number changed we must reset the dupack counters */
2671 }
2674 /* ACKED LOST PACKET
2675 * If this segment acks beyond the 'max seq to be acked' in the other direction
2676 * then that means we have missed packets going in the
2677 * other direction.
2678 * It might also indicate we are resuming from a Zero Window,
2679 * where a Probe is just followed by an ACK opening again the window.
2680 * See issue 8404.
2681 *
2682 * We only check this if we have actually seen some seq numbers
2683 * in the other direction.
2684 */
2690 }
2692 /* resuming from a Zero Window Probe which re-opens the window,
2693 * mark it as a Window Update
2694 */
2701 }
2702 /* real ACKED LOST PACKET */
2704 /* We ensure there is no matching packet waiting in the unacked list,
2705 * and take this opportunity to push the tail further than this single packet
2706 */
2714 }
2716 /* Only look at what happens above the current ACK value,
2717 * as what happened before is definetely ACKed here and can be
2718 * safely ignored. */
2721 /* if the left edge is contiguous, move the tail leftward */
2724 }
2726 /* otherwise, we have isolated segments above what is being ACKed here,
2727 * and we reinit the tails with the current values */
2731 }
2732 }
2733 }
2735 /* a tail was found and we can push the maxseqtobeacked further */
2738 }
2740 /* otherwise, just take into account the value being ACKed now */
2743 }
2746 }
2747 }
2750 /* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
2751 * If the segment contains data (or is a SYN or a FIN) and
2752 * if it does not advance the sequence number, it must be one
2753 * of these three.
2754 * Only test for this if we know what the seq number should be
2755 * (tcpd->fwd->nextseq)
2756 *
2757 * Note that a simple KeepAlive is not a retransmission
2758 */
2769 }
2771 /* This segment is *not* considered a retransmission/out-of-order if
2772 * the segment length is larger than one (it really adds new data)
2773 * the sequence number is one less than the previous nextseq and
2774 * (the previous segment is possibly a zero window probe)
2775 *
2776 * We should still try to flag Spurious Retransmissions though.
2777 */
2780 }
2782 /* Check for spurious retransmission. If the current seq + segment length
2783 * is less than or equal to the current lastack, the packet contains
2784 * duplicate data and may be considered spurious.
2785 */
2791 }
2794 }
2801 /* Some OOO vs Retrans interpretations can be wrong when the capture needs a reorder.
2802 * Avoid such cases by enforcing the delta to 0 when the order seems bad, instead of
2803 * calculating an absurd value.
2804 */
2806 /* regular case */
2809 }
2813 }
2816 }
2821 /* If there were >=2 duplicate ACKs in the reverse direction
2822 * (there might be duplicate acks missing from the trace)
2823 * and if this sequence number matches those ACKs
2824 * and if the packet occurs within 20ms of the last
2825 * duplicate ack
2826 * then this is a fast retransmission
2827 */
2833 }
2836 }
2838 /* Look for this segment in reported SACK ranges,
2839 * if not present this might very well be a FAST Retrans,
2840 * when the conditions above (timing, number of retrans) are still true */
2850 i++;
2851 }
2853 /* fine, it's probably a Fast Retrans triggered by the SACK sender algo */
2859 }
2860 }
2864 /* If the segment came relatively close since the segment with the highest
2865 * seen sequence number and it doesn't look like a retransmission
2866 * then it is an OUT-OF-ORDER segment.
2867 */
2872 }
2874 /* If the segment is already seen and waiting to be acknowledged, ignore the
2875 * Fast-Retrans/OOO debate and go ahead, as it only can be an ordinary Retrans.
2876 * Fast-Retrans/Retrans are never ambiguous in the context of packets seen but
2877 * this code could be moved above.
2878 * See Issues 13284, 13843
2879 * XXX: if compared packets have different sizes, it's not handled yet
2880 */
2887 }
2889 }
2892 /* ordinary OOO with SEQ numbers and lengths clearly stating the situation */
2893 if( tcpd->fwd->tcp_analyze_seq_info->nextseq != (seq + seglen + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
2896 }
2900 }
2902 /* facing an OOO closing a series of disordered packets,
2903 all preceded by a pure ACK. See issue 17214 */
2907 }
2911 }
2912 }
2913 }
2915 }
2918 /* Then it has to be a generic retransmission */
2921 }
2924 /*
2925 * worst case scenario: if we don't have better than a recent packet,
2926 * use it as the reference for RTO
2927 */
2928 nstime_delta(&tcpd->ta->rto_ts, &pinfo->abs_ts, &tcpd->fwd->tcp_analyze_seq_info->nextseqtime);
2931 /*
2932 * better case scenario: if we have a list of the previous unacked packets,
2933 * go back to the eldest one, which in theory is likely to be the one retransmitted here.
2934 * It's not always the perfect match, particularly when original captured packet used LSO
2935 * We may parse this list and try to find an obvious matching packet present in the
2936 * capture. If such packet is actually missing, we'll reach the list first entry.
2937 * See : issue #12259
2938 * See : issue #17714
2939 */
2945 }
2947 }
2948 }
2950 finished_checking_retransmission_type:
2952 /* Override the TCP sequence analysis with the value given
2953 * manually by the user. This only applies to flagged packets.
2954 */
2962 /* clean flags set during the automatic analysis */
2964 TCP_A_OUT_OF_ORDER|
2965 TCP_A_FAST_RETRANSMISSION|
2966 TCP_A_SPURIOUS_RETRANSMISSION);
2968 /* set the corresponding flag chosen by the user */
2971 /* the user asked for an empty overriding, which
2972 * means removing any previous value, thus restoring
2973 * the automatic analysis.
2974 */
2994 /* there is no expected default case */
2996 }
2997 }
3000 if ((seglen || flags&(TH_SYN|TH_FIN)) && tcpd->fwd->tcp_analyze_seq_info->segment_count < TCP_MAX_UNACKED_SEGMENTS) {
3001 /* Add this new sequence number to the fwd list. But only if there
3002 * aren't "too many" unacked segments (e.g., we're not seeing the ACKs).
3003 */
3012 /* next sequence number is seglen bytes away, plus SYN/FIN which counts as one byte */
3015 }
3017 }
3019 /* Every time we are moving the highest number seen,
3020 * we are also tracking the segment length then we will know for sure,
3021 * later, if this was a pure ACK or an ordinary data packet. */
3023 || GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq + (flags&(TH_SYN|TH_FIN) ? 1 : 0))) {
3025 }
3027 /* Store the highest number seen so far for nextseq so we can detect
3028 * when we receive segments that arrive with a "hole"
3029 * If we don't have anything since before, just store what we got.
3030 * ZeroWindowProbes are special and don't really advance the nextseq
3031 */
3032 if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
3039 /* Count the flows turns by checking all packets carrying real data
3040 * Packets not ordered are ignored.
3041 */
3049 /* check direction */
3053 /* if the addresses are equal, match the ports instead */
3056 }
3058 /* invert the direction and increment the counter */
3062 }
3063 /* if the direction was not reversed, maybe are we
3064 * facing the first flow ? Yes, if the counter still equals 0.
3065 */
3069 }
3070 }
3071 }
3072 }
3073 }
3074 }
3076 /* Store the highest continuous seq number seen so far for 'max seq to be acked',
3077 * so we can detect TCP_A_ACK_LOST_PACKET condition.
3078 * If this ever happens, this boundary value can "jump" further in order to
3079 * avoid duplicating multiple messages for the very same lost packet. See later
3080 * how ACKED LOST PACKET are handled.
3081 * Zero Window Probes are logically left out at this moment, but if their data
3082 * really were to be ack'ed, then it will be done later when analyzing their
3083 * Probe ACK (be it a real Probe ACK, or an ordinary ACK moving the RCV Window).
3084 */
3085 if(EQ_SEQ(seq, tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) || !tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked) {
3088 }
3089 }
3092 /* remember what the ack/window is so we can track window updates and retransmissions */
3098 /* remember the MPTCP operations if any */
3101 }
3103 /* if there were any flags set for this segment we need to remember them
3104 * we only remember the flags for the very last segment though.
3105 */
3110 }
3113 /* remove all segments this ACKs and we don't need to keep around any more
3114 */
3120 /* If this ack matches the segment, process accordingly */
3125 /* mark it as a full segment ACK */
3127 }
3128 /* If this acknowledges part of the segment, adjust the segment info for the acked part.
3129 * This typically happens in the context of GSO/GRO or Retransmissions with
3130 * segment repackaging (elsewhere called repacketization). For the user, looking at the
3131 * previous packets for any Retransmission or at the SYN MSS Option presence would
3132 * answer what case is precisely encountered.
3133 */
3140 /* mark it as a partial segment ACK
3141 *
3142 * XXX - This mark is used later to create an Expert Note,
3143 * but other ways of tracking these packets are possible:
3144 * for example a similar indication to ta->frame_acked
3145 * would help differentiating the SEQ/ACK analysis messages.
3146 * Also, a TCP Analysis Flag could be added, but doesn't seem
3147 * essential yet, as matching packets can be selected with
3148 * 'tcp.analysis.partial_ack'.
3149 */
3152 }
3153 /* If this acknowledges a segment prior to this one, leave this segment alone and move on */
3158 }
3160 /* This segment is old, or an exact match. Delete the segment from the list */
3164 /* Track largest segment successfully sent for SNACK analysis*/
3167 }
3168 }
3172 }
3175 }
3179 }
3181 /* how many bytes of data are there in flight after this frame
3182 * was sent
3183 * The historical evaluation is done from the payload seen in the
3184 * segments captured. Another method deduced from the SEQ numbers
3185 * is introduced with issue 7703, but not used by default now. The
3186 * method is chosen by the user preference tcp_bif_seq_based.
3187 */
3190 /*
3191 * "don't repeat yourself" boolean, for the shared part
3192 * between both methods
3193 */
3196 /*
3197 * historical calculation method based on payloads, which is
3198 * by now still the default.
3199 */
3213 }
3216 }
3218 }
3220 }
3228 }
3229 }
3231 /* subtract any SACK block */
3237 }
3239 }
3244 }
3246 /* Decrement in_flight bytes by one when we have a SYN or FIN bit
3247 * flag set as it is only virtual.
3248 */
3251 }
3252 }
3265 }
3268 }
3270 }
3271 }
3273 }
3275 /*
3276 * Prints results of the sequence number analysis concerning tcp segments
3277 * retransmitted or out-of-order
3278 */
3279 static void
3284 )
3285 {
3286 /* TCP Retransmission */
3299 }
3300 }
3301 /* TCP Fast Retransmission */
3307 }
3308 /* TCP Spurious Retransmission */
3314 }
3316 /* TCP Out-Of-Order */
3320 }
3321 }
3323 /* Prints results of the sequence number analysis concerning reused ports */
3324 static void
3328 )
3329 {
3330 /* TCP Ports Reused */
3335 }
3336 }
3338 /* Prints results of the sequence number analysis concerning lost tcp segments */
3339 static void
3343 )
3344 {
3345 /* TCP Lost Segment */
3350 }
3351 /* TCP Ack lost segment */
3356 }
3357 }
3359 /* Prints results of the sequence number analysis concerning tcp window */
3360 static void
3364 )
3365 {
3366 /* TCP Window Update */
3370 }
3371 /* TCP Full Window */
3375 }
3376 }
3378 /* Prints results of the sequence number analysis concerning tcp keepalive */
3379 static void
3383 )
3384 {
3385 /*TCP Keep Alive */
3389 }
3390 /* TCP Ack Keep Alive */
3394 }
3395 }
3397 /* Prints results of the sequence number analysis concerning tcp duplicate ack */
3398 static void
3403 proto_tree * tree
3404 )
3405 {
3408 /* TCP Duplicate ACK */
3412 hf_tcp_analysis_duplicate_ack,
3414 "This is a TCP duplicate ack"
3415 );
3420 ta->dupack_num
3421 );
3423 }
3430 expert_add_info_format(pinfo, flags_item, &ei_tcp_analysis_duplicate_ack, "Duplicate ACK (#%u)", ta->dupack_num);
3431 }
3432 }
3434 /* Prints results of the sequence number analysis concerning tcp zero window */
3435 static void
3439 )
3440 {
3441 /* TCP Zero Window Probe */
3445 }
3446 /* TCP Zero Window */
3450 }
3451 /* TCP Zero Window Probe Ack */
3456 }
3457 }
3460 /* Prints results of the sequence number analysis concerning how many bytes of data are in flight */
3461 static void
3466 )
3467 {
3472 hf_tcp_analysis_bytes_in_flight,
3476 }
3477 }
3479 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3480 static void
3482 {
3490 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3495 }
3497 /* Generate the initial data sequence number and MPTCP connection token from the key. */
3498 static void
3500 {
3508 /* memcpy to prevent -Wstrict-aliasing errors with GCC 4 */
3513 }
3516 /* Print formatted list of tcp stream ids that are part of the connection */
3517 static void
3520 {
3526 /* for the analysis, we set each subflow tcp stream id */
3530 }
3532 item = proto_tree_add_string(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, wmem_strbuf_get_str(val));
3534 }
3536 /* Compute raw dsn if relative tcp seq covered by DSS mapping */
3537 static bool
3539 {
3542 }
3546 }
3549 /* Add duplicated data */
3551 mptcp_add_duplicated_dsn(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, struct mptcp_subflow *subflow,
3553 )
3554 {
3562 rawdsn64low,
3563 rawdsn64high
3564 );
3569 {
3576 }
3579 }
3581 }
3584 }
3587 /* Lookup mappings that describe the packet and then converts the tcp seq number
3588 * into the MPTCP Data Sequence Number (DSN)
3589 */
3590 static void
3592 proto_tree *parent_tree, struct tcp_analysis* tcpd, struct tcpheader * tcph, mptcp_per_packet_data_t *mptcppd)
3593 {
3602 {
3603 /* abort analysis */
3605 }
3607 /* for this to work, we need to know the original seq number from the SYN, not from a subsequent packet
3608 * hence, we abort if we didn't capture the SYN
3609 */
3612 }
3614 /* if seq not relative yet, we compute it */
3620 /* in case of a SYN, there is no mapping covering the DSN */
3625 }
3626 /* if it's a non-syn packet without data (just used to convey TCP options)
3627 * then there would be no mappings */
3631 }
3641 ssn_low,
3643 );
3647 }
3651 }
3654 }
3658 /* Finds mappings that cover the sent data and adds them to the dissection tree */
3662 {
3668 }
3669 }
3673 }
3675 /* Make sure we have the 64bit raw DSN */
3679 /* always display the rawdsn64 (helpful for debug) */
3680 item = proto_tree_add_uint64(parent_tree, hf_mptcp_rawdsn64, tvb, 0, 0, tcph->th_mptcp->mh_rawdsn64);
3682 /* converts to relative if required */
3684 && mptcp_convert_dsn(tcph->th_mptcp->mh_rawdsn64, tcpd->fwd->mptcp_subflow->meta, DSN_CONV_NONE, true, &tcph->th_mptcp->mh_dsn)) {
3687 }
3689 /* register dsn->packet mapping */
3693 ) {
3702 packet
3703 );
3704 }
3707 /* We can do this only if rawdsn64 is valid !
3708 if enabled, look for overlapping mappings on other subflows */
3715 /* results should be some kind of list in case 2 DSS are needed to cover this packet */
3716 for(subflow_it = wmem_list_head(mptcpd->subflows); subflow_it != NULL; subflow_it = wmem_list_frame_next(subflow_it)) {
3718 struct mptcp_subflow *sf = mptcp_select_subflow_from_meta(sf_tcpd, tcpd->fwd->mptcp_subflow->meta);
3720 /* for current subflow */
3722 /* skip, this is the current subflow */
3723 }
3724 /* in case there were retransmissions on other subflows */
3729 }
3730 }
3731 }
3732 }
3734 /* could not get the rawdsn64, ignore and continue */
3735 }
3737 }
3740 /* Print subflow list */
3741 static void
3744 {
3752 }
3759 /* set field with mptcp stream */
3765 );
3767 }
3771 }
3776 /* store the TCP Options related to MPTCP then we will avoid false DUP ACKs later */
3780 nbOptionsChanged++;
3781 }
3784 nbOptionsChanged++;
3785 }
3788 nbOptionsChanged++;
3789 }
3792 nbOptionsChanged++;
3793 }
3796 nbOptionsChanged++;
3797 }
3800 nbOptionsChanged++;
3801 }
3804 nbOptionsChanged++;
3805 }
3808 nbOptionsChanged++;
3809 }
3810 /* we could track MPTCP option changes here, with nbOptionsChanged */
3811 #endif
3816 /* retrieve saved analysis of packets, else create it */
3817 mptcppd = (mptcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_mptcp, pinfo->curr_layer_num);
3821 }
3823 /* Print formatted list of tcp stream ids that are part of the connection */
3826 /* Converts TCP seq number into its MPTCP DSN */
3829 }
3832 static void
3837 )
3838 {
3843 hf_tcp_analysis_push_bytes_sent,
3847 }
3848 }
3850 static void
3853 {
3861 }
3864 }
3868 }
3874 /* encapsulate all proto_tree_add_xxx in ifs so we only print what
3875 data we actually have */
3883 }
3885 /* only display RTT if we actually have something we are acking */
3890 }
3891 }
3896 }
3899 /* print results for amount of data in flight */
3902 }
3909 /* print results for reused tcp ports */
3912 /* print results for retransmission and out-of-order segments */
3915 /* print results for lost tcp segments */
3918 /* print results for tcp window information */
3921 /* print results for tcp keep alive information */
3924 /* print results for tcp duplicate acks */
3927 /* print results for tcp zero window */
3930 }
3932 }
3934 static void
3935 print_tcp_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tcp_tree, packet_info *pinfo, tvbuff_t *next_tvb)
3936 {
3939 /*
3940 * The subdissector thought it was completely
3941 * desegmented (although the stuff at the
3942 * end may, in turn, require desegmentation),
3943 * so we show a tree with all segments.
3944 */
3947 /*
3948 * The toplevel fragment subtree is now
3949 * behind all desegmented data; move it
3950 * right behind the TCP tree.
3951 */
3955 }
3956 }
3958 /* **************************************************************************
3959 * End of tcp sequence number analysis
3960 * **************************************************************************/
3963 /* Minimum TCP header length. */
3964 #define TCPH_MIN_LEN 20
3966 /* Desegmentation of TCP streams */
3968 /* The primary ID is the first frame of a multisegment PDU, which is
3969 * most likely unique in the capture (unlike sequence numbers which
3970 * can be re-used, especially when relative sequence numbers are enabled).
3971 * However, frames can have multiple PDUs with certain encapsulations like
3972 * GSE or MPE over DVB BaseBand Frames.
3973 */
3977 address src_addr;
3978 address dst_addr;
3979 port_type ptype;
3984 static void
3986 {
3992 }
3994 static void
3996 {
4002 }
4005 address src_addr;
4006 address dst_addr;
4013 static unsigned
4015 {
4021 /* In most captures there is only one fragment per id / first_frame,
4022 so we only use it in the hash as an optimization.
4024 int i;
4025 for (i = 0; i < key->src.len; i++)
4026 hash_val += key->src_addr.data[i];
4027 for (i = 0; i < key->dst.len; i++)
4028 hash_val += key->dst_addr.data[i];
4029 hash_val += key->src_port;
4030 hash_val += key->dst_port;
4031 hash_val += key->seq;
4032 */
4035 }
4037 static int
4039 {
4043 /*
4044 * key.id is the first item to compare since it's the item most
4045 * likely to differ between sessions, thus short-circuiting
4046 * the comparison of addresses and ports.
4047 */
4054 }
4056 /*
4057 * Create a fragment key for temporary use; it can point to non-
4058 * persistent data, and so must only be used to look up and
4059 * delete entries, not to add them.
4060 */
4064 {
4069 /*
4070 * Do a shallow copy of the addresses.
4071 */
4080 }
4082 /*
4083 * Create a fragment key for permanent use; it must point to persistent
4084 * data, so that it can be used to add entries.
4085 */
4089 {
4094 /*
4095 * Do a deep copy of the addresses.
4096 */
4105 }
4107 static void
4109 {
4112 }
4114 static void
4116 {
4120 /*
4121 * Free up the copies of the addresses from the old key.
4122 */
4127 }
4128 }
4130 const reassembly_table_functions
4131 tcp_reassembly_table_functions = {
4132 tcp_segment_hash,
4133 tcp_segment_equal,
4134 tcp_segment_temporary_key,
4135 tcp_segment_persistent_key,
4136 tcp_segment_free_temporary_key,
4137 tcp_segment_free_persistent_key
4138 };
4142 /* functions to trace tcp segments */
4143 /* Enable desegmenting of TCP streams */
4146 /* Returns the maximum contiguous sequence number of the reassembly associated
4147 * with the msp *if* a new fragment were added ending in the given maxnextseq.
4148 * The new fragment is from the current frame and may not have been added yet.
4149 */
4150 static uint32_t
4152 {
4158 /* msp implies existence of fragments, this should never be NULL. */
4161 /* Find length of contiguous fragments.
4162 * Start with the first gap, but the new fragment is allowed to
4163 * fill that gap. */
4168 }
4171 }
4175 {
4182 /* This is for splitting defragmented MSPs, so fd_head should exist
4183 * and be defragmented. This also ensures that fd_i->tvb_data exists.
4184 */
4189 /* The fragment list is sorted in offset order, but not nec. frame order
4190 * or end offset order due to out of order reassembly and possible overlap.
4191 * fd_i->offset < split_offset - some bytes are before the split
4192 * fd_i->offset + fd_i->len >= split_offset - some bytes are after split
4193 * Look through all the fragments that have some data before the split point.
4194 */
4198 }
4205 }
4206 }
4207 };
4209 /* Now look through all the remaining fragments that only have bytes after
4210 * the split.
4211 */
4216 }
4217 }
4219 /* We only call this when the frame the fragments were reassembled in
4220 * (which is the current frame) includes some data before the split
4221 * point, so that it won't change and we can be consistent dissecting
4222 * between passes. We also should have at least some data after the
4223 * split point (because the subdissector claimed there was undissected
4224 * data.)
4225 */
4236 /* XXX: Could do the adding the new fragments in fragment_truncate */
4240 /* Check for some unusual out of order overlapping segment situations. */
4245 }
4249 }
4250 }
4255 /* The newmsp nxtpdu will be adjusted after leaving this function. */
4257 }
4266 static int
4268 {
4272 /* We only insert segments into this list that satisfy
4273 * LT_SEQ(tcpd->fwd->maxnextseq, seq), for the current value
4274 * of maxnextseq (removing segments when maxnextseq is advanced)
4275 * so these rollover-aware comparisons are transitive over the
4276 * domain (never greater than 2^31).
4277 */
4291 }
4293 /* Search through our list of out of order segments and add the ones that are
4294 * now contiguous onto a MSP until we use them all or reach another gap.
4295 *
4296 * If the MSP parameter is a incomplete, returns it with any OOO segments added.
4297 * If the MSP parameter is NULL or complete, returns a newly created MSP with
4298 * OOO segments added, or NULL if there were no segments to add.
4299 */
4301 msp_add_out_of_order(packet_info *pinfo, struct tcp_multisegment_pdu *msp, struct tcp_analysis *tcpd, uint32_t seq)
4302 {
4304 /* Whether a previous MSP exists with missing segments. */
4312 }
4314 }
4322 /* There might be segments already added to the msp that now extend
4323 * the maximum contiguous sequence number. Check for them. */
4327 }
4330 }
4331 }
4332 /* We have filled in the gap, so this out of order
4333 * segment is now contiguous and can be processed along
4334 * with the segment we just received.
4335 */
4340 /* Increase the expected MSP size if necessary. Yes, the
4341 * subdissector may have told us that a PDU ended here, but we
4342 * might have enough newly contiguous data to dissect another
4343 * PDU past that, and we should send that to the subdissector
4344 * too. */
4347 }
4348 /* Add this OOO segment to the unfinished MSP */
4355 /* No MSP in progress, so create one starting
4356 * at the sequence number of segment received
4357 * in this frame. Note that we will be adding
4358 * the first segment below, and this is the frame
4359 * of the first segment, so first_frame_with_seq
4360 * is already correct (and unnecessary) and
4361 * we don't need MSP_FLAGS_MISSING_FIRST_SEGMENT. */
4370 }
4376 }
4377 /* There might be segments already added to the msp that now extend
4378 * the maximum contiguous sequence number. Check for them. */
4381 }
4383 }
4385 static void
4391 {
4405 const bool reassemble_ooo = tcp_analyze_seq && tcp_desegment && tcp_reassemble_out_of_order && tcpd && tcpd->fwd->ooo_segments;
4412 again:
4421 /*
4422 * Initialize these to assume no desegmentation.
4423 * If that's not the case, these will be set appropriately
4424 * by the subdissector.
4425 */
4429 /*
4430 * Initialize this to assume that this segment will just be
4431 * added to the middle of a desegmented chunk of data, so
4432 * that we should show it all as data.
4433 * If that's not the case, it will be set appropriately.
4434 */
4437 /*
4438 * TODO: Some notes on current limitations with TCP desegmentation:
4439 *
4440 * This function can be called with either relative or absolute sequence
4441 * numbers; the ??_SEQ macros are called for comparisons to deal with
4442 * with sequence number rollover. (With relative sequence numbers, if
4443 * early TCP segments are received out of order before the SYN it can be
4444 * possible for rollover to occur at the very beginning of a connection.)
4445 *
4446 * However, multi-segment PDU lookup does not work for MSPs that span
4447 * TCP sequence number rollover, and desegmentation fails.
4448 *
4449 * When there is a single TCP connection that is longer than 4 GiB and
4450 * thus sequence numbers are reused, multi-segment PDU lookup and
4451 * retransmission identification does not work. (Bug 10503).
4452 *
4453 * Distinguishing between sequence number reuse on a very long connection
4454 * and sequence number reuse due to retransmission is difficult. Right
4455 * now very long connections are just not handled as the rarer case.
4456 * Perhaps retransmission identification could be entirely left up to TCP
4457 * analysis (if enabled, not done at all if disabled), instead of TCP
4458 * analysis results only used to supplement work here?
4459 *
4460 * TCP sequence analysis can set TCP_A_RETRANSMISSION in cases where
4461 * we still need to process the segment anyway because something other
4462 * than the sequence number is different from the prior segment. That
4463 * includes "retransmitted but with additional data" (Bug 13523) and
4464 * "retransmitted due to bad checksum" (especially if checksum verification
4465 * is enabled.)
4466 *
4467 * "Reassemble out-of-order segments" uses its own method of detecting
4468 * retranmission, but uses more memory and CPU, and when used, a TCP stream
4469 * that has missing segments that are never retransmitted stop processing
4470 * after the missing segment.
4471 *
4472 * If multiple TCP/IP packets are encapsulated in the same frame (such
4473 * as with GSE, which has very long Baseband Frames) this causes issues:
4474 *
4475 * If a subdissector reports that it can handle a payload, but needs
4476 * more data (pinfo->desegment_len > 0) and did not actually dissect
4477 * any of it (pinfo->desegment_offset == 0), on the first pass it
4478 * still adds layers to the frame. On subsequent passes, the MSP created
4479 * (or extended) in the first pass means that the subdissector won't be
4480 * called at all. If there are other protocols contained in the frame
4481 * that are dissected on the second pass they will have different
4482 * layer numbers than in the first pass, which can disturb proto_data
4483 * lookup, reassembly, etc. (Bug 16109 describes this for TLS.)
4484 */
4489 /* If we are reassembling out of order, we can do this retransmission
4490 * check. Anything before the latest consecutive sequence number we've
4491 * already processed is a retransmission (from the perspective of has
4492 * been passed to subdissectors; the judgment of TCP Sequence Analysis
4493 * may be different, because it considers RTO and ACKs and so forth).
4494 *
4495 * XXX: If these segments are part of incomplete MSPs, we pass them
4496 * to the reassembly code which tests for overlap conflicts.
4497 * For those which are part of completed reassemblies or not part
4498 * of MSPs, we just don't process them. The former would throw a
4499 * ReassemblyError, which is likely acceptable in the case of
4500 * retransmission of the same segment but not if retransmitted with
4501 * additional data, where we'd need to catch the exception to
4502 * process the extra data. For ones that were not added to MSPs at
4503 * all, we can't do much. (Bug #13061)
4504 *
4505 * Retransmissions of out of order segments after our latest
4506 * consecutive sequence number will all be stored and then eventually
4507 * put on multisegment PDUs and go to the reassembler, which should
4508 * be able to handle retransmission, as those are still incomplete.
4509 */
4514 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4516 }
4522 }
4528 }
4529 }
4530 }
4547 }
4548 }
4551 /* Have we seen this PDU before (and is it the start of a multi-
4552 * segment PDU)?
4553 *
4554 * If the sequence number was seen before, it is part of a
4555 * retransmission if the whole segment fits within the MSP.
4556 * (But if this is this frame was already visited and the first frame of
4557 * the MSP matches the current frame, then it is not a retransmission,
4558 * but the start of a new MSP.)
4559 *
4560 * If only part of the segment fits in the MSP, then either:
4561 * - The previous segment included with the MSP was a Zero Window Probe
4562 * with one byte of data and the subdissector just asked for one more
4563 * byte. Do not mark it as retransmission (Bug 15427).
4564 * - Data was actually being retransmitted, but with additional data
4565 * (Bug 13523). Do not mark it as retransmission to handle the extra
4566 * bytes. (NOTE Due to the TCP_A_RETRANSMISSION check below, such
4567 * extra data will still be ignored.)
4568 * - The MSP contains multiple segments, but the subdissector finished
4569 * reassembly using a subset of the final segment (thus "msp->nxtpdu"
4570 * is smaller than the nxtseq of the previous segment). If that final
4571 * segment was retransmitted, then "nxtseq > msp->nxtpdu".
4572 * Unfortunately that will *not* be marked as retransmission here.
4573 * The next TCP_A_RETRANSMISSION hopefully takes care of it though.
4574 *
4575 * Only shortcircuit here when the first segment of the MSP is known,
4576 * and when this first segment is not one to complete the MSP.
4577 */
4578 if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, seq)) &&
4584 /* Yes. This could be because we've dissected this frame before
4585 * or because this is a retransmission of a previously-seen
4586 * segment. Either way, we don't need to hand it off to the
4587 * subdissector and we certainly don't want to re-add it to the
4588 * multisegment_pdus list: if we did, subsequent lookups would
4589 * find this retransmission instead of the original transmission
4590 * (breaking desegmentation if we'd already linked other segments
4591 * to the original transmission's entry).
4592 *
4593 * Cases to handle here:
4594 * - In-order stream, pinfo->num matches begin of MSP.
4595 * - In-order stream, but pinfo->num does not match the begin of the
4596 * MSP. Must be a retransmission.
4597 * - OoO stream where this segment fills the gap in the begin of the
4598 * MSP. msp->first_frame is the start where the gap was detected
4599 * (and does NOT match pinfo->num).
4600 */
4607 /* TCP analysis already flags this (in COL_INFO) as a retransmission--if it's enabled */
4608 }
4610 /* Fix for bug 3264: look up ipfd for this (first) segment,
4611 so can add tcp.reassembled_in generated field on this code path. */
4623 }
4624 }
4625 }
4626 }
4634 }
4636 /* Else, find the most previous PDU starting before this sequence number */
4638 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, seq-1);
4639 }
4642 if (msp && LE_SEQ(msp->seq, seq) && GT_SEQ(msp->nxtpdu, seq) && !(msp->flags & MSP_FLAGS_GOT_ALL_SEGMENTS)) {
4644 }
4646 /* The above code only finds retransmission if the PDU boundaries and the seq coincide
4647 * If we have sequence analysis active use the TCP_A_RETRANSMISSION flag.
4648 * XXXX Could the above code be improved?
4649 */
4651 /* If we have an unfinished MSP that this segment belongs to
4652 * or if the sequence number is newer than anything we've seen,
4653 * then this is Out of Order from the reassembly perspective
4654 * and we want to process it anyway.
4655 */
4656 if (!PINFO_FD_VISITED(pinfo) && tcpd->fwd->maxnextseq && LE_SEQ(seq, tcpd->fwd->maxnextseq) && !has_unfinished_msp) {
4657 /* Otherwise, if TCP Analysis calls the segment a
4658 * Spurious Retransmission or Retransmission, ignore it
4659 * here and on future passes.
4660 * See issue 10289
4661 * XXX: There are still some cases where TCP Analysis
4662 * marks segments as Retransmissions when they are
4663 * Out of Order from this perspective (#10725, #13843)
4664 */
4669 }
4670 }
4678 }
4679 }
4680 }
4681 }
4685 /* If there is a gap between this segment and any previous ones
4686 * (that is, seqno is larger than the maximum expected seqno), then
4687 * it is possibly an out-of-order segment. The very first segment
4688 * is expected to be in-order though (otherwise captures starting
4689 * in midst of a connection would never be reassembled).
4690 * (maxnextseq is 0 if we have not seen a SYN packet, even with
4691 * absolute sequence numbers.)
4692 *
4693 * Do not bother checking for OoO segments for streams that are
4694 * reassembled at FIN, the order of segments before FIN does not
4695 * matter as reordering and reassembly occurs at FIN.
4696 */
4699 /* Segments may be missing due to packet loss (assume later
4700 * retransmission) or out-of-order (assume it appears later).
4701 *
4702 * XXX: It would be nice to handle captures that have both
4703 * out-of-order packets and some lost packets that are
4704 * never retransmitted. But using the reverse flow ACK
4705 * (like follow_tcp_tap_listener) or using a known end of
4706 * a MSP (that we haven't fully received yet) to process a
4707 * segment that starts right afterwards would both break the
4708 * promise of in-order delivery, if a missing packet did arrive
4709 * later, which is a problem for any state-based dissector
4710 * (including TLS.)
4711 */
4713 /* Whether the new segment has a gap from our latest contiguous
4714 * sequence number. */
4716 }
4719 /* Update the maximum expected seqno if no SYN packet was seen
4720 * before, or if the new segment succeeds previous segments. */
4723 /* If there is no gap, look for any OOO packets that are now
4724 * contiguous. */
4726 }
4728 /* If we have visited this frame before, look for the frame in the
4729 * list of unused out of order segments. Since we know the gap will
4730 * never be filled, we could pass it to the subdissector, but
4731 * we want to be consistent between passes.
4732 */
4740 }
4741 }
4742 }
4744 /* If we are not processing out of order, update the max nextseq value if
4745 * is later than our current value (or our first value.)
4746 */
4751 }
4752 }
4753 }
4761 }
4763 /* OK, this PDU was found, which means the segment continues
4764 * a higher-level PDU and that we must desegment it.
4765 */
4767 /* The dissector asked for the entire segment */
4770 /* Wraparound is possible, so subtraction does not
4771 * distribute across MIN(x, y)
4772 */
4774 }
4779 /*
4780 * If the previous segment requested more data (setting
4781 * FD_PARTIAL_REASSEMBLY as the next segment length is unknown), but
4782 * subsequently an OoO segment was received (for an earlier hole),
4783 * then "fragment_add" would truncate the reassembled PDU to the end
4784 * of this OoO segment. To prevent that, explicitly specify the MSP
4785 * length before calling "fragment_add".
4786 *
4787 * When a subdissector requests reassembly at the end of the
4788 * connection (DESEGMENT_UNTIL_FIN), then it is not
4789 * possible for an earlier segment to complete reassembly
4790 * (more_frags for fragment_add is always true). Thus we do not
4791 * have to worry about increasing the fragment length here.
4792 */
4796 }
4807 /* If we consumed the entire segment there is no
4808 * other pdu starting anywhere inside this segment.
4809 * So update nxtpdu to point at least to the start
4810 * of the next segment.
4811 * (If the subdissector asks for even more data we
4812 * will advance nxtpdu even further later down in
4813 * the code.)
4814 */
4817 }
4818 }
4821 /* Remember when all segments are ready to avoid subsequent
4822 * out-of-order packets from extending this MSP. If a subsdissector
4823 * needs more segments, the flag will be cleared below. */
4826 }
4827 }
4833 }
4835 /* This is an OOO segment with a gap and past the known end of
4836 * the current MSP, if any. We don't know for certain which MSP
4837 * it belongs to, and the reassembly functions don't let us remove
4838 * fragment items added by mistake. Keep it around in a separate
4839 * structure, and add it later.
4840 *
4841 * On the second and later passes, we know that this gap will
4842 * never be filled in, so we could hand the segment to the
4843 * subdissector anyway. However, we want dissection to be
4844 * consistent between passes.
4845 */
4852 /* We only enter here if dissect_tcp set can_desegment,
4853 * which means that these bytes exist. */
4856 }
4859 /* This segment was not found in our table, so it doesn't
4860 * contain a continuation of a higher-level PDU.
4861 * Call the normal subdissector.
4862 */
4864 /*
4865 * Supply the sequence number of this segment. We set this here
4866 * because this segment could be after another in the same packet,
4867 * in which case seq was incremented at the end of the loop.
4868 */
4874 /* Unless it failed to dissect any data at all, the subdissector
4875 * might have changed the addresses and/or ports. Save them, and
4876 * set them back to the original values temporarily so that the
4877 * fragment functions work correctly (including in any later PDU.)
4878 *
4879 * (If we didn't dissect any data, the subdissector *shouldn't*
4880 * have changed the addresses or ports, so don't save them, but
4881 * restore them just in case.)
4882 */
4885 }
4889 /* Did the subdissector ask us to desegment some more data
4890 * before it could handle the packet?
4891 * If so we'll have to handle that later.
4892 */
4896 /*
4897 * Set "deseg_offset" to the offset in "tvb"
4898 * of the first byte of data that the
4899 * subdissector didn't process.
4900 */
4902 }
4904 /* Either no desegmentation is necessary, or this is
4905 * segment contains the beginning but not the end of
4906 * a higher-level PDU and thus isn't completely
4907 * desegmented.
4908 */
4910 }
4913 /* is it completely desegmented? */
4915 /*
4916 * Yes, we think it is.
4917 * We only call subdissector for the last segment.
4918 * Note that the last segment may include more than what
4919 * we needed.
4920 */
4921 if (ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
4922 /*
4923 * OK, this is the last segment.
4924 * Let's call the subdissector with the desegmented
4925 * data.
4926 */
4929 /* create a new TVB structure for desegmented data */
4932 /* add desegmented data to the data source list */
4935 /*
4936 * Supply the sequence number of the first of the
4937 * reassembled bytes.
4938 */
4941 /* indicate that this is reassembled data */
4944 /* call subdissector */
4948 /* Unless it failed to dissect any data at all, the subdissector
4949 * might have changed the addresses and/or ports. Save them, and
4950 * set them back to the original values temporarily so that the
4951 * fragment functions work correctly (including in any later PDU.)
4952 *
4953 * (If we didn't dissect any data, the subdissector *shouldn't*
4954 * have changed the addresses or ports, so don't save them, but
4955 * restore them just in case.)
4956 */
4959 }
4963 /*
4964 * OK, did the subdissector think it was completely
4965 * desegmented, or does it think we need even more
4966 * data?
4967 */
4969 /*
4970 * "desegment_len" isn't 0, so it needs more data
4971 * to fully dissect the current MSP. msp->nxtpdu was
4972 * not accurate and needs to be updated.
4973 *
4974 * This can happen if a dissector asked for one
4975 * more segment (but didn't know exactly how much data)
4976 * or if segments were added out of order.
4977 *
4978 * This is opposed to the current MSP being completely
4979 * desegmented, but the stuff at the end of the
4980 * current frame past last_fragment_len starting a new
4981 * higher-level PDU that may also need desegmentation.
4982 * That case is handled on the next loop.
4983 *
4984 * We want to keep the same dissection and protocol layer
4985 * numbers on subsequent passes.
4986 *
4987 * If "desegment_offset" is 0, then nothing in the reassembled
4988 * TCP segments was dissected, so remove the data source.
4989 */
4993 }
4997 msp);
4999 /* If "desegment_offset" is not 0, then a PDU in the
5000 * reassembled segments was dissected, but some stuff
5001 * that was added previously is part of a later PDU.
5002 */
5004 /* If we don't use anything from the current frame's
5005 * segment, then we can't split the msp. The frames of
5006 * the earlier PDU weren't reassembled until now, so
5007 * they need to point to a reassembled_in frame here
5008 * or later.
5009 *
5010 * Since this segment is the first of newly contiguous
5011 * segments, this means the subdissector is asking for
5012 * fewer bytes than it did before.
5013 * XXX: Report this as a dissector bug?
5014 */
5017 }
5020 msp);
5022 /* If we did use bytes from the current segment, then
5023 * we want to split the MSP; the earlier part is
5024 * dissected in this frame on the first pass, so for
5025 * consistency we want to do so on future passes, but
5026 * the latter part we cannot dissect until later.
5027 * We only need to do this on the first pass; split_msp
5028 * truncates the msp so we don't get here a second
5029 * time.
5030 */
5031 /* nxtpdu adjustment for the new msp is the same. */
5033 /* We don't need to clear MSP_FLAGS_GOT_ALL_SEGMENTS
5034 * since we are spliting the MSP.
5035 */
5037 }
5039 }
5040 }
5043 /* Update msp->nxtpdu to point to the new next
5044 * pdu boundary.
5045 * We only do this on the first pass, though we shouldn't
5046 * get here on a second pass (since we truncated the msp.)
5047 */
5049 /* We want reassembly of at least one
5050 * more segment so set the nxtpdu
5051 * boundary to one byte into the next
5052 * segment.
5053 * This means that the next segment
5054 * will complete reassembly even if it
5055 * is only one single byte in length.
5056 * If this is an OoO segment, then increment
5057 * the MSP end.
5058 */
5063 /* This is not the first segment, and we thought the
5064 * reassembly would be done now, but now know we must
5065 * desgment until FIN. (E.g., HTTP Response with headers
5066 * split across segments, and no Content-Length or
5067 * Transfer-Encoding (RFC 7230, Section 3.3.3, case 7.)
5068 * For the same reasons as below when we encounter
5069 * DESEGMENT_UNTIL_FIN on the first segment, give
5070 * msp->nxtpdu a big (but not too big) offset so
5071 * reassembly will pick up the segments later.
5072 */
5076 /* This is the segment (overlapping) the end of
5077 * the MSP.
5078 */
5081 /* This is a segment before the end of the MSP, so
5082 * it must be an out-of-order segment that completed
5083 * the MSP. The requested additional data is
5084 * relative to that end.
5085 */
5087 }
5088 }
5089 }
5091 /* Since we need at least some more data
5092 * there can be no pdu following in the
5093 * tail of this segment.
5094 */
5101 /*
5102 * Show the stuff in this TCP segment as
5103 * just raw TCP segment data.
5104 */
5106 ? another_pdu_follows
5113 }
5114 }
5115 }
5118 /*
5119 * The sequence number at which the stuff to be desegmented
5120 * starts is the sequence number of the byte at an offset
5121 * of "deseg_offset" into "tvb".
5122 *
5123 * The sequence number of the byte at an offset of "offset"
5124 * is "seq", i.e. the starting sequence number of this
5125 * segment, so the sequence number of the byte at
5126 * "deseg_offset" is "seq + (deseg_offset - offset)".
5127 */
5130 /* We have to create some structures in our table but
5131 * this is something we only do the first time we see this
5132 * packet. */
5134 /* If the dissector requested "reassemble until FIN"
5135 * just set this flag for the flow and let reassembly
5136 * proceed at normal. We will check/pick up these
5137 * reassembled PDUs later down in dissect_tcp() when checking
5138 * for the FIN flag.
5139 */
5142 }
5145 /* The subdissector asked to reassemble using the
5146 * entire next segment.
5147 * Just ask reassembly for one more byte
5148 * but set this msp flag so we can pick it up
5149 * above.
5150 */
5155 /*
5156 * The subdissector asked to reassemble at the end of the
5157 * connection. That will be done in dissect_tcp, but here we
5158 * have to ask reassembly to collect all future segments.
5159 * Note that TCP_FLOW_REASSEMBLE_UNTIL_FIN was set before,
5160 * this ensures that OoO detection is skipped.
5161 * The exact nxtpdu offset does not matter, but it should be
5162 * smaller than half of the maximum 32-bit unsigned integer
5163 * to allow detection of sequence number wraparound, and
5164 * larger than the largest possible stream size. Hopefully
5165 * 1GiB (0x40000000 bytes) should be enough.
5166 */
5172 }
5174 /* add this segment as the first one for this new pdu */
5179 }
5181 /* If this is not the first time we have seen the packet, then
5182 * the MSP should already be created. Retrieve it to see if we
5183 * know what later frame the PDU is reassembled in.
5184 */
5185 if (tcpd && (msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(tcpd->fwd->multisegment_pdus, deseg_seq))) {
5187 }
5188 }
5189 }
5195 /*
5196 * We know what other frame this PDU is reassembled in;
5197 * let the user know.
5198 */
5202 }
5204 /*
5205 * Either we didn't call the subdissector at all (i.e.,
5206 * this is a segment that contains the middle of a
5207 * higher-level PDU, but contains neither the beginning
5208 * nor the end), or the subdissector couldn't dissect it
5209 * all, as some data was missing (i.e., it set
5210 * "pinfo->desegment_len" to the amount of additional
5211 * data it needs).
5212 */
5214 /*
5215 * It couldn't, in fact, dissect any of it (the
5216 * first byte it couldn't dissect is at an offset
5217 * of "pinfo->desegment_offset" from the beginning
5218 * of the payload, and that's 0).
5219 * Just mark this as TCP.
5220 */
5224 }
5225 }
5227 /*
5228 * Show what's left in the packet as just raw TCP segment
5229 * data. (It's possible that another PDU follows in the case
5230 * of an out of order frame that is part of two MSPs.)
5231 * XXX - remember what protocol the last subdissector
5232 * was, and report it as a continuation of that, instead?
5233 */
5234 nbytes = another_pdu_follows ? another_pdu_follows : tvb_reported_length_remaining(tvb, deseg_offset);
5239 }
5245 /* there was another pdu following this one. */
5247 /* we also have to prevent the dissector from changing the
5248 * PROTOCOL and INFO columns since what follows may be an
5249 * incomplete PDU and we don't want it be changed back from
5250 * <Protocol> to <TCP>
5251 */
5260 /* remove any blocking set above otherwise the
5261 * proto,colinfo tap will break
5262 */
5265 }
5266 }
5268 clean_exit:
5269 /* Restore the addresses and ports to whatever they were after
5270 * the last segment that successfully dissected some data, if any.
5271 */
5273 }
5275 void
5280 {
5292 tcp_endpoint_t orig_endpoint;
5297 /*
5298 * We use "tvb_ensure_captured_length_remaining()" to make
5299 * sure there actually *is* data remaining. The protocol
5300 * we're handling could conceivably consists of a sequence of
5301 * fixed-length PDUs, and therefore the "get_pdu_len" routine
5302 * might not actually fetch anything from the tvbuff, and thus
5303 * might not cause an exception to be thrown if we've run past
5304 * the end of the tvbuff.
5305 *
5306 * This means we're guaranteed that "captured_length_remaining" is positive.
5307 */
5310 /*
5311 * Can we do reassembly?
5312 */
5314 /*
5315 * Yes - is the fixed-length part of the PDU split across segment
5316 * boundaries?
5317 */
5319 /*
5320 * Yes. Tell the TCP dissector where the data for this message
5321 * starts in the data it handed us and that we need "some more
5322 * data." Don't tell it exactly how many bytes we need because
5323 * if/when we ask for even more (after the header) that will
5324 * break reassembly.
5325 */
5329 }
5330 }
5332 /*
5333 * Get the length of the PDU.
5334 */
5337 /*
5338 * Support protocols which have a variable length which cannot
5339 * always be determined within the given fixed_len.
5340 */
5341 /*
5342 * If another segment was requested but we can't do reassembly,
5343 * abort and warn about the unreassembled packet.
5344 */
5346 /*
5347 * Tell the TCP dissector where the data for this message
5348 * starts in the data it handed us, and that we need one
5349 * more segment, and return.
5350 */
5354 }
5356 /*
5357 * Either:
5358 *
5359 * 1) the length value extracted from the fixed-length portion
5360 * doesn't include the fixed-length portion's length, and
5361 * was so large that, when the fixed-length portion's
5362 * length was added to it, the total length overflowed;
5363 *
5364 * 2) the length value extracted from the fixed-length portion
5365 * includes the fixed-length portion's length, and the value
5366 * was less than the fixed-length portion's length, i.e. it
5367 * was bogus.
5368 *
5369 * Report this as a bounds error.
5370 */
5373 }
5375 /* give a hint to TCP where the next PDU starts
5376 * so that it can attempt to find it in case it starts
5377 * somewhere in the middle of a segment.
5378 */
5385 }
5386 }
5388 /*
5389 * Can we do reassembly?
5390 */
5392 /*
5393 * Yes - is the PDU split across segment boundaries?
5394 */
5396 /*
5397 * Yes. Tell the TCP dissector where the data for this message
5398 * starts in the data it handed us, and how many more bytes we
5399 * need, and return.
5400 */
5404 }
5405 }
5411 curr_layer_num--;
5412 }
5413 #if 0
5415 {
5416 #endif
5417 /*
5418 * Display the PDU length as a field
5419 */
5420 item=proto_tree_add_uint((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5421 hf_tcp_pdu_size,
5424 #if 0
5426 item = proto_tree_add_expert_format((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, proto_tcp, curr_layer_num),
5430 }
5431 #endif
5433 /*
5434 * Construct a tvbuff containing the amount of the payload we have
5435 * available. Make its reported length the amount of data in the PDU.
5436 */
5443 /* If we can't do reassembly but the PDU is split across
5444 * segment boundaries, mark the tvbuff as a fragment so
5445 * we throw FragmentBoundsError instead of malformed
5446 * errors.
5447 */
5449 }
5450 }
5453 /*
5454 * Dissect the PDU.
5455 *
5456 * If it gets an error that means there's no point in
5457 * dissecting any more PDUs, rethrow the exception in
5458 * question.
5459 *
5460 * If it gets any other error, report it and continue, as that
5461 * means that PDU got an error, but that doesn't mean we should
5462 * stop dissecting PDUs within this frame or chunk of reassembled
5463 * data.
5464 */
5467 TRY {
5469 }
5470 CATCH_NONFATAL_ERRORS {
5473 /*
5474 * Restore the saved protocol as well; we do this after
5475 * show_exception(), so that the "Malformed packet" indication
5476 * shows the protocol for which dissection failed.
5477 */
5479 }
5480 ENDTRY;
5482 /*
5483 * Step to the next PDU.
5484 * Make sure we don't overflow.
5485 */
5490 }
5491 }
5493 static void
5495 {
5496 /* fstr(" %s=%u", abbrev, val) */
5498 }
5500 static void
5502 {
5504 }
5506 static bool
5507 tcp_option_len_check(proto_item* length_item, packet_info *pinfo, unsigned len, unsigned optlen)
5508 {
5510 /* Bogus - option length isn't what it's supposed to be for this option. */
5514 }
5517 }
5519 static int
5520 dissect_tcpopt_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
5521 {
5532 proto_tree_add_item(exp_tree, hf_tcp_option_unknown_payload, tvb, offset + 2, optlen - 2, ENC_NA);
5535 }
5537 static int
5538 dissect_tcpopt_default_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, int ett)
5539 {
5549 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5555 }
5557 static int
5559 {
5560 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpsrec, ett_tcp_opt_recbound);
5561 }
5563 static int
5565 {
5566 return dissect_tcpopt_default_option(tvb, pinfo, tree, proto_tcp_option_scpscor, ett_tcp_opt_scpscor);
5567 }
5569 static void
5572 {
5578 /* Fast Open Cookie Request */
5583 /* Fast Open Cookie */
5590 /* Is this a SYN with data and the cookie? */
5595 }
5596 }
5597 }
5598 }
5599 }
5601 static int
5603 {
5615 }
5617 /*
5618 * TCP ACK Rate Request option is based on
5619 * https://datatracker.ietf.org/doc/html/draft-gomez-tcpm-ack-rate-request-06
5620 */
5622 #define TCPOPT_TARR_RATE_MASK 0xfe
5623 #define TCPOPT_TARR_RESERVED_MASK 0x01
5624 #define TCPOPT_TARR_RATE_SHIFT 1
5626 static void
5629 {
5643 }
5644 }
5646 static void
5649 {
5668 }
5679 }
5681 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5687 }
5698 }
5700 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_eceb, tvb, data_offset + 3, 3, ENC_BIG_ENDIAN);
5704 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee1b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5709 proto_tree_add_item(tree, hf_tcp_option_acc_ecn_ee0b, tvb, data_offset + 6, 3, ENC_BIG_ENDIAN);
5712 }
5714 }
5718 }
5719 }
5721 static int
5723 {
5736 length_item = proto_tree_add_item(acc_ecn_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
5742 dissect_tcpopt_acc_ecn_data(tvb, offset, length - 2, kind == TCPOPT_ACC_ECN_0, pinfo, acc_ecn_tree, item, data);
5743 }
5745 }
5747 static int
5749 {
5760 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5772 optlen);
5776 }
5783 optlen);
5789 }
5799 }
5802 }
5806 }
5811 }
5813 }
5815 static int
5817 {
5828 {
5830 }
5833 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5841 }
5843 static int
5845 {
5857 {
5859 }
5862 length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
5867 proto_tree_add_item_ret_uint(exp_tree, hf_tcp_option_mss_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN, &mss);
5872 }
5874 /* The window scale extension is defined in RFC 1323 */
5875 static int
5877 {
5886 /* find the conversation for this TCP session and its stored data */
5896 length_item = proto_tree_add_item(wscale_tree, hf_tcp_option_len, tvb, offset, 1, ENC_BIG_ENDIAN);
5902 shift_pi = proto_tree_add_item_ret_uint(wscale_tree, hf_tcp_option_wscale_shift, tvb, offset, 1, ENC_BIG_ENDIAN, &shift);
5904 /* RFC 1323: "If a Window Scale option is received with a shift.cnt
5905 * value exceeding 14, the TCP should log the error but use 14 instead
5906 * of the specified value." */
5909 }
5922 }
5925 }
5927 static int
5929 {
5941 /*
5942 * SEQ analysis is the condition for both relative analysis obviously,
5943 * and SACK handling for the in-flight update
5944 */
5946 /* find the conversation for this TCP session and its stored data */
5953 }
5955 /*
5956 * initialize the number of SACK blocks to 0, it will be
5957 * updated some lines later
5958 */
5961 }
5962 }
5963 }
5965 /* Late discovery of a 'false' Window Update in presence of SACK option,
5966 * which means we are dealing with a Dup ACK rather than a Window Update.
5967 * Classify accordingly by removing the UPDATE and adding the DUP flags.
5968 * Mostly a copy/paste from tcp_analyze_sequence_number(), ensure consistency
5969 * whenever the latter changes.
5970 * see Issue #14937
5971 */
5974 /* MPTCP tolerates duplicate acks in some circumstances, see RFC 8684 4. */
5976 /* just ignore this DUPLICATE ACK */
5978 /* no initialization required of the tcpd->ta as this code would
5979 * be unreachable otherwise
5980 */
5989 }
5990 }
5991 }
6009 }
6019 }
6020 /* XXX - check whether it goes past end of packet */
6030 /* Store blocks for BiF analysis */
6031 if (tcp_analyze_seq && tcpd && tcpd->fwd->tcp_analyze_seq_info && tcp_track_bytes_in_flight && num_sack_ranges < MAX_TCP_SACK_RANGES) {
6035 }
6037 /* Update tap info */
6042 }
6046 }
6049 /* Show number of SACK ranges in this option as a generated field */
6054 /* RFC 2883 "An Extension to the Selective Acknowledgement (SACK) Option for TCP" aka "D-SACK"
6055 * Section 4
6056 * Conditions: Either the first sack-block is inside the already acknowledged range or
6057 * the first sack block is inside the second sack block.
6058 *
6059 * Maybe add later:
6060 * (1) A D-SACK block is only used to report a duplicate contiguous sequence of data received by
6061 * the receiver in the most recent packet.
6062 */
6068 )) {
6070 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_le, tvb, sackoffset, 4, leftedge,
6071 "D-SACK Left Edge = %u%s", leftedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6074 tf = proto_tree_add_uint_format(field_tree, hf_tcp_option_sack_dsack_re, tvb, sackoffset+4, 4, rightedge,
6075 "D-SACK Right Edge = %u%s", rightedge, (tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : "");
6078 }
6081 }
6083 static int
6085 {
6110 }
6112 /* If set, do not put the TCP timestamp information on the summary line */
6115 static int
6117 {
6147 }
6153 proto_tree_add_uint_bits_format_value(syncookie_ti, hf_tcp_syncookie_option_timestamp, tvb, offset * 8,
6154 26, timestamp, ENC_TIME_SECS, "%s", abs_time_secs_to_str(pinfo->pool, timestamp, ABSOLUTE_TIME_LOCAL, true));
6155 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_ecn, tvb, offset * 8 + 26, 1, ENC_NA);
6156 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_sack, tvb, offset * 8 + 27, 1, ENC_NA);
6157 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_option_wscale, tvb, offset * 8 + 28, 4, ENC_NA);
6158 }
6161 }
6178 /* arbitrary assignment. Callers may override this */
6183 }
6186 /* will create necessary structure if fails to find a match on the token */
6198 /* if token already set for this meta */
6199 if( tcp_flow->mptcp_subflow->meta && (tcp_flow->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_TOKEN)) {
6201 }
6203 /* else look for a registered meta with this token */
6206 /* if token already registered than just share it across TCP connections */
6210 }
6212 /* we create it if this connection */
6214 /* don't care which meta to choose assign each meta to a direction */
6217 }
6220 /* already exists, thus some meta may already have been configured */
6223 }
6226 }
6229 }
6231 }
6238 }
6243 /* compute the meta id assigned to tcp_flow */
6246 /* computes the metaId tcpd->fwd should be assigned to */
6253 }
6255 /* setup from_key */
6256 static
6258 get_or_create_mptcpd_from_key(struct tcp_analysis* tcpd, tcp_flow_t *fwd, uint8_t version, uint64_t key, uint8_t hmac_algo _U_) {
6264 if(fwd->mptcp_subflow->meta && (fwd->mptcp_subflow->meta->static_flags & MPTCP_META_HAS_KEY)) {
6266 }
6268 /* MPTCP v0 only standardizes SHA1, and v1 SHA256. */
6283 }
6285 /* record this mapping */
6286 static
6287 void analyze_mapping(struct tcp_analysis *tcpd, packet_info *pinfo, uint16_t len, uint64_t dsn, bool extended, uint32_t ssn) {
6289 /* store mapping only if analysis is enabled and mapping is not unlimited */
6292 }
6296 }
6298 /* register SSN range described by the mapping into a subflow interval_tree */
6311 mapping
6312 );
6313 }
6315 /*
6316 * The TCP Extensions for Multipath Operation with Multiple Addresses
6317 * are defined in RFC 6824
6318 *
6319 * https://tools.ietf.org/html/rfc6824
6320 *
6321 * Author: Andrei Maruseac <andrei.maruseac@intel.com>
6322 * Matthieu Coudron <matthieu.coudron@lip6.fr>
6323 *
6324 * This function just generates the mptcpheader, i.e. the generation of
6325 * datastructures is delayed/delegated to mptcp_analyze
6326 */
6327 static int
6329 {
6343 /* There may be several MPTCP options per packet, don't duplicate the structure */
6349 }
6354 /* seeing an MPTCP packet on the subflow automatically qualifies it as an mptcp subflow */
6357 }
6360 }
6376 proto_item_append_text(main_item, ": %s", val_to_str(subtype, mptcp_subtype_vs, "Unknown (%d)"));
6378 /** preemptively allocate mptcpd when subtype won't allow to find a meta */
6381 }
6392 ett_tcp_option_mptcp,
6394 ENC_BIG_ENDIAN);
6398 }
6401 }
6404 /* optlen == 12 => SYN or SYN/ACK; optlen == 20 => ACK;
6405 * optlen == 22 => ACK + data (v1 only);
6406 * optlen == 24 => ACK + data + csum (v1 only)
6407 */
6411 proto_tree_add_uint64(mptcp_tree, hf_tcp_option_mptcp_sender_key, tvb, offset, 8, mph->mh_key);
6414 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->fwd, version, mph->mh_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6425 /* last ACK of 3WHS, repeats both keys */
6434 /* compare the echoed key with the server key */
6437 }
6438 }
6440 mptcpd = get_or_create_mptcpd_from_key(tcpd, tcpd->rev, version, recv_key, mph->mh_capable_flags & MPTCP_CAPABLE_CRYPTO_MASK);
6441 }
6442 }
6444 /* MPTCP v1 ACK + data, contains data_len and optional checksum */
6446 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6452 }
6454 /* when data len is present, this MP_CAPABLE also carries an implicit mapping ... */
6455 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, tcpd->fwd->mptcp_subflow->meta->base_dsn + 1, true, tcph->th_seq);
6457 /* ... with optional checksum */
6459 {
6460 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6461 }
6462 }
6463 }
6470 }
6472 /* Syn */
6474 {
6477 ENC_BIG_ENDIAN);
6492 /* if the negotiated version is v1 the first key was exchanged on SYN/ACK packet: we must swap the meta */
6495 }
6500 }
6507 ENC_BIG_ENDIAN);
6533 }
6536 /* display only *raw* values since it is harder to guess a correct value than for TCP.
6537 One needs to enable mptcp_analysis to get more interesting data
6538 */
6547 ENC_BIG_ENDIAN);
6550 /* displays "raw" DataAck , ie does not convert it to its 64 bits form
6551 to do so you need to enable
6552 */
6557 /* 64bits ack */
6561 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 8, mph->mh_dss_rawack, "%" PRIu64 " (64bits)", mph->mh_dss_rawack);
6563 }
6564 /* 32bits ack */
6567 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_ack_raw, tvb, offset, 4, ENC_BIG_ENDIAN);
6569 }
6572 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dack64)) {
6576 }
6579 }
6581 /* ignore and continue */
6582 }
6584 }
6586 /* Mapping present */
6594 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 8, dsn, "%" PRIu64 " (64bits version)", dsn);
6596 /* if we have the opportunity to complete the 32 Most Significant Bits of the
6597 *
6598 */
6602 }
6606 proto_tree_add_uint64_format_value(mptcp_tree, hf_tcp_option_mptcp_data_seq_no_raw, tvb, offset, 4, dsn, "%" PRIu64 " (32bits version)", dsn);
6608 }
6611 proto_tree_add_item_ret_uint(mptcp_tree, hf_tcp_option_mptcp_subflow_seq_no, tvb, offset, 4, ENC_BIG_ENDIAN, &mph->mh_dss_ssn);
6614 proto_tree_add_item(mptcp_tree, hf_tcp_option_mptcp_data_lvl_len, tvb, offset, 2, ENC_BIG_ENDIAN);
6620 }
6622 /* print head & tail dsn */
6624 (mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES) ? DSN_CONV_NONE : DSN_CONV_32_TO_64, mptcp_relative_seq, &dsn)) {
6628 }
6631 }
6633 /* ignore and continue */
6634 }
6636 analyze_mapping(tcpd, pinfo, mph->mh_dss_length, mph->mh_dss_rawdsn, mph->mh_dss_flags & MPTCP_DSS_FLAG_DATA_ACK_8BYTES, mph->mh_dss_ssn);
6639 {
6640 proto_tree_add_checksum(mptcp_tree, tvb, offset, hf_tcp_option_mptcp_checksum, -1, NULL, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
6641 }
6642 }
6651 else
6664 }
6670 }
6676 }
6681 }
6686 item = proto_tree_add_uint(mptcp_tree, hf_mptcp_number_of_removed_addresses, tvb, start_offset+2,
6694 }
6701 ENC_BIG_ENDIAN);
6707 }
6735 ENC_BIG_ENDIAN);
6738 ENC_BIG_ENDIAN);
6743 }
6747 /* if mptcpd just got allocated, remember the initial addresses
6748 * which will serve as identifiers for the conversation filter
6749 */
6755 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_src, &tcpd->fwd->mptcp_subflow->meta->ip_dst);
6756 copy_address_shallow(&tcpd->rev->mptcp_subflow->meta->ip_dst, &tcpd->fwd->mptcp_subflow->meta->ip_src);
6760 }
6763 }
6766 }
6768 static int
6770 {
6793 }
6795 static int
6797 {
6819 }
6821 static int
6823 {
6842 }
6855 }
6857 static int
6859 {
6880 COL_ADD_LSTR_TERMINATOR);
6887 }
6889 static int
6891 {
6905 /* check direction and get ua lists */
6908 /* if the addresses are equal, match the ports instead */
6911 }
6915 else
6927 /* If the option length == 4, this is a real SCPS capability option
6928 * See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS Transport Protocol
6929 * (SCPS-TP)" Section 3.2.3 for definition.
6930 */
6950 struct capvec
6951 {
6961 };
6973 COL_ADD_LSTR_TERMINATOR);
6975 }
6976 }
6979 }
6989 /* The option length != 4, so this is an infamous "extended capabilities
6990 * option. See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
6991 * Transport Protocol (SCPS-TP)" Section 3.2.5 for definition.
6992 *
6993 * As the format of this option is only partially defined (it is
6994 * a community (or more likely vendor) defined format beyond that, so
6995 * at least for now, we only parse the standardized portion of the option.
6996 */
7002 /* There was no SCPS capabilities option preceding this */
7005 optlen);
7009 optlen);
7011 /* There may be multiple binding spaces included in a single option,
7012 * so we will semi-parse each of the stacked binding spaces - skipping
7013 * over the octets following the binding space identifier and length.
7014 */
7017 /* 1st octet is Extended Capability Binding Space */
7020 /* 2nd octet (upper 4-bits) has binding space length in 16-bit words.
7021 * As defined by the specification, this length is exclusive of the
7022 * octets containing the extended capability type and length
7023 */
7024 extended_cap_length =
7027 /* Convert the extended capabilities length into bytes for display */
7030 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding, tvb, offset + local_offset, 1, ENC_BIG_ENDIAN);
7031 proto_tree_add_uint(field_tree, hf_tcp_option_scps_binding_len, tvb, offset + local_offset + 1, 1, extended_cap_length);
7033 /* Step past the binding space and length octets */
7036 proto_tree_add_item(field_tree, hf_tcp_option_scps_binding_data, tvb, offset + local_offset, extended_cap_length, ENC_NA);
7040 /* Step past the Extended capability data
7041 * Treat the extended capability data area as opaque;
7042 * If one desires to parse the extended capability data
7043 * (say, in a vendor aware build of wireshark), it would
7044 * be triggered here.
7045 */
7047 }
7048 }
7049 }
7052 }
7054 static int
7056 {
7074 proto_tree_add_item(field_tree, hf_tcp_option_user_to_granularity, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7076 proto_tree_add_item(field_tree, hf_tcp_option_user_to_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
7080 }
7082 /* This is called for SYN+ACK packets and the purpose is to verify that
7083 * the SCPS capabilities option has been successfully negotiated for the flow.
7084 * If the SCPS capabilities option was offered by only one party, the
7085 * proactively set scps_capable attribute of the flow (set upon seeing
7086 * the first instance of the SCPS option) is revoked.
7087 */
7088 static void
7090 {
7099 }
7100 }
7101 }
7103 /* See "CCSDS 714.0-B-2 (CCSDS Recommended Standard for SCPS
7104 * Transport Protocol (SCPS-TP)" Section 3.5 for definition of the SNACK option
7105 */
7106 static int
7108 {
7135 /* The SNACK option reports missing data with a granularity of segments. */
7146 }
7148 /* To aid analysis, we can use a simple but generally effective heuristic
7149 * to report the most likely boundaries of the missing data. If the
7150 * flow is scps_capable, we track the maximum sized segment that was
7151 * acknowledged by the receiver and use that as the reporting granularity.
7152 * This may be different from the negotiated MTU due to PMTUD or flows
7153 * that do not send max-sized segments.
7154 */
7158 /* Scale the reported offset and hole size by the largest segment acked */
7170 proto_tree_add_expert_format(field_tree, pinfo, &ei_tcp_option_snack_sequence, tvb, offset+2, 4,
7171 "SNACK Sequence %u - %u%s", hole_start, hole_end, ((tcp_analyze_seq && tcp_relative_seq) ? " (relative)" : ""));
7175 }
7178 }
7180 enum
7181 {
7185 PROBE_VERSION_MAX
7186 };
7188 /* Probe type definition. */
7189 enum
7190 {
7202 PROBE_TYPE_MAX
7203 };
7218 };
7220 #define PROBE_OPTLEN_OFFSET 1
7222 #define PROBE_VERSION_TYPE_OFFSET 2
7223 #define PROBE_V1_RESERVED_OFFSET 3
7224 #define PROBE_V1_PROBER_OFFSET 4
7225 #define PROBE_V1_APPLI_VERSION_OFFSET 8
7226 #define PROBE_V1_PROXY_ADDR_OFFSET 8
7227 #define PROBE_V1_PROXY_PORT_OFFSET 12
7228 #define PROBE_V1_SH_CLIENT_ADDR_OFFSET 8
7229 #define PROBE_V1_SH_PROXY_ADDR_OFFSET 12
7230 #define PROBE_V1_SH_PROXY_PORT_OFFSET 16
7232 #define PROBE_V2_INFO_OFFSET 3
7234 #define PROBE_V2_INFO_CLIENT_ADDR_OFFSET 4
7235 #define PROBE_V2_INFO_STOREID_OFFSET 4
7237 #define PROBE_VERSION_MASK 0x01
7239 /* Probe Query Extra Info flags */
7240 #define RVBD_FLAGS_PROBE_LAST 0x01
7241 #define RVBD_FLAGS_PROBE_NCFE 0x04
7243 /* Probe Response Extra Info flags */
7244 #define RVBD_FLAGS_PROBE_SERVER 0x01
7245 #define RVBD_FLAGS_PROBE_SSLCERT 0x02
7246 #define RVBD_FLAGS_PROBE 0x10
7249 {
7256 static void
7258 {
7265 }
7266 }
7268 static void
7269 rvbd_probe_resp_add_info(proto_item *pitem, packet_info *pinfo, tvbuff_t *tvb, int ip_offset, uint16_t port)
7270 {
7271 proto_item_append_text(pitem, ", Server Steelhead: %s:%u", tvb_ip_to_str(pinfo->pool, tvb, ip_offset), port);
7274 }
7276 static int
7278 {
7296 /* Bogus - option length is less than what it's supposed to be for
7297 this option. */
7300 TCPOLEN_RVBD_PROBE_MIN);
7302 }
7308 proto_item_append_text(pitem, ": %s", val_to_str_const(type, rvbd_probe_type_vs, "Probe Unknown"));
7324 proto_tree_add_item(field_tree, hf_tcp_option_rvbd_probe_reserved, tvb, offset + PROBE_V1_RESERVED_OFFSET, 1, ENC_BIG_ENDIAN);
7334 {
7338 ENC_BIG_ENDIAN);
7340 proto_item_append_text(pitem, ", CSH IP: %s", tvb_ip_to_str(pinfo->pool, tvb, offset + PROBE_V1_PROBER_OFFSET));
7342 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7344 {
7346 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7347 }
7352 }
7370 ENC_BIG_ENDIAN);
7381 }
7382 }
7395 /* Use version1 for filtering purposes because version2 packet
7396 value is 0, but filtering is usually done for value 2 */
7413 hf_tcp_option_rvbd_probe_flag_not_cfe,
7416 hf_tcp_option_rvbd_probe_flag_last_notify,
7420 {
7422 {
7423 rvbd_option_data* option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
7425 {
7427 p_add_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num, option_data);
7428 }
7431 }
7445 }
7452 }
7463 hf_tcp_option_rvbd_probe_flag_probe_cache,
7466 hf_tcp_option_rvbd_probe_flag_sslcert,
7469 hf_tcp_option_rvbd_probe_flag_server_connected,
7478 }
7479 }
7482 }
7494 };
7496 /* Trpy Flags */
7497 #define RVBD_FLAGS_TRPY_MODE 0x0001
7498 #define RVBD_FLAGS_TRPY_OOB 0x0002
7499 #define RVBD_FLAGS_TRPY_CHKSUM 0x0004
7500 #define RVBD_FLAGS_TRPY_FW_RST 0x0100
7501 #define RVBD_FLAGS_TRPY_FW_RST_INNER 0x0200
7502 #define RVBD_FLAGS_TRPY_FW_RST_PROBE 0x0400
7506 "Full Transparency"
7507 };
7509 static int
7511 {
7525 NULL
7526 };
7542 proto_tree_add_bitmask_with_flags(field_tree, tvb, offset + TRPY_OPTIONS_OFFSET, hf_tcp_option_rvbd_trpy_flags,
7563 /* Client port only set on SYN: optlen == 18 */
7568 /* Despite that we have the right TCP ports for other protocols,
7569 * the data is related to the Riverbed Optimization Protocol and
7570 * not understandable by normal protocol dissectors. If the sport
7571 * protocol is available then use that, otherwise just output it
7572 * as a hex-dump.
7573 */
7579 }
7585 }
7586 }
7589 }
7591 /* Started as a copy of dissect_ip_tcp_options(), but was changed to support
7592 options as a dissector table */
7593 static void
7597 {
7602 dissector_handle_t option_dissector;
7612 proto_tree_add_expert_format(opt_tree, pinfo, &ei_tcp_non_zero_bytes_after_eol, tvb, offset, length,
7615 }
7621 /* We assume that the only options with no length are EOL and
7622 NOP options, so that we can treat unknown options as having
7623 a minimum length of 2, and at least be able to move on to
7624 the next option by using the length in the option. */
7632 /* Count number of NOP in a row within a uint32 */
7633 nop_count++;
7637 }
7640 }
7643 }
7648 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s", proto_get_protocol_short_name(find_protocol_by_id(local_proto)));
7657 }
7659 /* Option has a length. Is it in the packet? */
7661 /* Bogus - packet must at least include option code byte and
7662 length byte! */
7666 }
7672 /* Bogus - option length is too short to include option code and
7673 option length. */
7679 /* Bogus - option goes past the end of the header. */
7684 }
7687 {
7690 {
7692 }
7700 }
7701 }
7704 {
7706 {
7708 }
7710 {
7712 }
7713 }
7714 }
7716 /* Determine if there is a sub-dissector and call it; return true
7717 if there was a sub-dissector, false otherwise.
7719 This has been separated into a stand alone routine to other protocol
7720 dissectors can call to it, e.g., SOCKS. */
7725 /* this function can be called with tcpd==NULL as from the msproxy dissector */
7726 bool
7730 {
7739 /* Don't call subdissectors for keepalives. Even though they do contain
7740 * payload "data", it's just garbage. Display any data the keepalive
7741 * packet might contain though.
7742 */
7748 }
7749 }
7754 /* Don't try to dissect a retransmission high chance that it will mess
7755 * subdissectors for protocols that require in-order delivery of the
7756 * PDUs. (i.e. DCE/RPCoverHTTP and encryption)
7757 * If OoO reassembly is enabled and if this segment was previously lost,
7758 * then this retransmission could have finished reassembly, so continue.
7759 * XXX should this option be removed? "tcp_reassemble_out_of_order"
7760 * should have addressed the above in-order requirement.
7761 */
7763 }
7769 /* determine if this packet is part of a conversation and call dissector */
7770 /* for the conversation if available */
7777 }
7779 /* If the user has manually configured one of the server, low, or high
7780 * ports to a dissector other than the default (via Decode As or the
7781 * preferences associated with Decode As), try those first, in that order.
7782 */
7786 if (dissector_try_uint_with_data(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7790 }
7792 /* The default; try it later */
7794 }
7795 }
7797 /* Prevent the client port number being used for selecting the dissector
7798 when we have seen the SYN or SYN/ACK (and therefor tcpd->server_port
7799 is defined)
7800 Use the preference Clientport dissectors to keep dissecting certain
7801 protocols based on the client port instead of the server port
7802 Port 20 for active ftp data transfers being the default. */
7808 }
7813 }
7814 }
7815 }
7823 }
7828 if (dissector_try_uint_with_data(subdissector_table, low_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7832 }
7834 /* The default; try it later */
7836 }
7837 }
7842 if (dissector_try_uint_with_data(subdissector_table, high_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7846 }
7848 /* The default; try it later */
7850 }
7851 }
7854 /* do lookup with the heuristic subdissector table */
7855 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
7859 }
7860 }
7862 /* Do lookups with the subdissector table.
7863 Try the server port captured on the SYN or SYN|ACK packet. After that
7864 try the port number with the lower value first, followed by the
7865 port number with the higher value. This means that, for packets
7866 where a dissector is registered for *both* port numbers:
7868 1) we pick the same dissector for traffic going in both directions;
7870 2) we prefer the port number that's more likely to be the right
7871 one (as that prefers well-known ports to reserved ports);
7873 although there is, of course, no guarantee that any such strategy
7874 will always pick the right port number.
7876 XXX - we ignore port numbers of 0, as some dissectors use a port
7877 number of 0 to disable the port. */
7880 dissector_try_uint_with_data(subdissector_table, tcpd->server_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7884 }
7887 dissector_try_uint_with_data(subdissector_table, low_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7891 }
7893 dissector_try_uint_with_data(subdissector_table, high_port, next_tvb, pinfo, tree, true, tcpinfo)) {
7897 }
7900 /* do lookup with the heuristic subdissector table */
7901 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, tcpinfo)) {
7905 }
7906 }
7908 /*
7909 * heuristic / conversation / port registered dissectors rejected the packet;
7910 * make sure they didn't also request desegmentation (we could just override
7911 * the request, but rejecting a packet *and* requesting desegmentation is a sign
7912 * of the dissector's code needing clearer thought, so we fail so that the
7913 * problem is made more obvious).
7914 */
7918 /* Oh, well, we don't know this; dissect it as data. */
7929 }
7931 }
7933 static void
7938 {
7941 TRY {
7943 /*qqq see if it is an unaligned PDU */
7948 }
7949 }
7950 }
7951 /* if offset is -1 this means that this segment is known
7952 * to be fully inside a previously detected pdu
7953 * so we don't even need to try to dissect it either.
7954 */
7958 /*
7959 * We succeeded in handing off to a subdissector.
7960 *
7961 * Is this a TCP segment or a reassembled chunk of
7962 * TCP payload?
7963 */
7965 /* if !visited, check want_pdu_tracking and
7966 store it in table */
7971 pinfo,
7972 seq,
7975 }
7976 }
7977 }
7978 }
7979 }
7980 CATCH_ALL {
7981 /* We got an exception. At this point the dissection is
7982 * completely aborted and execution will be transferred back
7983 * to (probably) the frame dissector.
7984 * Here we have to place whatever we want the dissector
7985 * to do before aborting the tcp dissection.
7986 */
7987 /*
7988 * Is this a TCP segment or a reassembled chunk of TCP
7989 * payload?
7990 */
7992 /*
7993 * It's from a TCP segment.
7994 *
7995 * if !visited, check want_pdu_tracking and store it
7996 * in table
7997 */
8001 seq,
8004 }
8005 }
8006 }
8007 RETHROW;
8008 }
8009 ENDTRY;
8010 }
8012 void
8017 {
8026 /* Can we desegment this segment? */
8028 /* Yes. */
8032 /* No - just call the subdissector.
8033 Mark this as fragmented, so if somebody throws an exception,
8034 we don't report it as a malformed frame. */
8041 }
8042 }
8044 static bool
8045 capture_tcp(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header)
8046 {
8063 }
8073 /* We've at least identified one type of packet, so this shouldn't be "other" */
8075 }
8085 {
8089 }
8091 static int
8093 {
8141 }
8152 /* If we're dissecting the headers of a TCP packet in an ICMP packet
8153 * then go ahead and put the sequence numbers in the tree now (because
8154 * they won't be put in later because the ICMP packet only contains up
8155 * to the sequence number).
8156 * We should only need to do this for IPv4 since IPv6 will hopefully
8157 * carry enough TCP payload for this dissector to put the sequence
8158 * numbers in via the regular code path.
8159 */
8160 {
8168 }
8169 }
8170 }
8171 }
8173 /* Set the source and destination port numbers as soon as we get them,
8174 so that they're available to the "Follow TCP Stream" code even if
8175 we throw an exception dissecting the rest of the TCP header. */
8180 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_sport));
8181 p_add_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num, GUINT_TO_POINTER(tcph->th_dport));
8191 /* find(or create if needed) the conversation for this tcp session
8192 * This is a slight deviation from find_or_create_conversation so it's
8193 * done manually. This is done to avoid conversation overlapping when
8194 * reusing ports (see issue 15097), as find_or_create_conversation automatically
8195 * extends the conversation found. This extension is done later.
8196 */
8202 }
8207 /* If this is a SYN packet, then check if its seq-nr is different
8208 * from the base_seq of the retrieved conversation. If this is the
8209 * case, create a new conversation with the same addresses and ports
8210 * and set the TA_PORTS_REUSED flag. (XXX: There is a small chance
8211 * that this is an old duplicate SYN received after the connection
8212 * is ESTABLISHED on both sides, the other side will respond with
8213 * an appropriate ACK, and this SYN ought to be ignored rather than
8214 * create a new conversation.)
8215 *
8216 * If the seq-nr is the same as the base_seq, it might be a simple
8217 * retransmission, reattempting a handshake that was reset (due
8218 * to a half-open connection) with the same sequence number, or
8219 * (unlikely) a new connection that happens to use the same sequence
8220 * number as the previous one (#18333).
8221 *
8222 * If we have received a RST or FIN on the retrieved conversation,
8223 * we can detect that unlikely case, and create a new conversation
8224 * in order to clear out the follow info, sequence analysis,
8225 * desegmentation, etc.
8226 * If not, it's probably a retransmission, and will be marked
8227 * as one later, but restore some flow values to reduce the
8228 * sequence analysis warnings if our capture file is missing a RST
8229 * or FIN segment that was present on the network.
8230 *
8231 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8232 */
8235 if(tcph->th_seq!=tcpd->fwd->base_seq || (tcpd->conversation_completeness & TCP_COMPLETENESS_RST) || (tcpd->conversation_completeness & TCP_COMPLETENESS_FIN)) {
8243 /* As above, a new conversation starting with a SYN implies conversation completeness value 1 */
8246 /*
8247 * Sometimes we need to restore the nextseq value.
8248 * As stated in RFC 793 3.4 a RST packet might be
8249 * sent with SEQ being equal to the ACK received,
8250 * thus breaking our flow monitoring. (issue 17616)
8251 */
8254 }
8258 }
8260 /*
8261 * TCP_S_BASE_SEQ_SET being not set, we are dealing with a new conversation,
8262 * either created ad hoc above (general case), or by a higher protocol such as FTP.
8263 * Track this information, as the Completeness value will be initialized later.
8264 * See issue 19092.
8265 */
8267 }
8268 tcpd->had_acc_ecn_setup_syn = (tcph->th_flags & (TH_AE|TH_CWR|TH_ECE)) == (TH_AE|TH_CWR|TH_ECE);
8269 }
8271 /* Handle cases of a SYN/ACK packet where there's evidence of a new
8272 * conversation but the capture is missing the SYN packet of the
8273 * new conversation.
8274 *
8275 * If this is a SYN/ACK packet, then check if its seq-nr is different
8276 * from the base_seq of the retrieved conversation. If this is the
8277 * case, create a new conversation as above with a SYN packet, and set
8278 * the TA_PORTS_REUSED flag and override the base seq.
8279 * If the seq-nr is the same as the base_seq, then do nothing so it
8280 * will be marked as a retransmission later, unless we have received
8281 * a RST or FIN on the conversation (in which case this is the case
8282 * of a RST followed by the same initial sequence number being picked.)
8283 *
8284 * If this is an unacceptable SYN-ACK and the other side believes that
8285 * the conversation is ESTABLISHED, it will be replied to with an
8286 * empty ACK with the current sequence number (according to the other
8287 * side.) See RFC 9293 3.5.2. This *probably* leads to a situation where
8288 * the side sending this SYN-ACK then issues a RST, because the two
8289 * sides have different ideas about the connection state. It's not clear
8290 * how to handle the annoying edge case where A sends a SYN, B responds
8291 * with a SYN-ACK that A intends to accept, but before A can finish
8292 * the handshake B responds with another SYN-ACK _with a different seq-nr_
8293 * instead of retransmitting, then A responds accepting the first SYN-ACK,
8294 * and then B goes on happily using the sequence number from the first
8295 * SYN-ACK, forgetting all about the second one it sent instead of sending
8296 * a RST. In such a case we'll have changed the seq-nr to the new one
8297 * and/or set up a new conversation instead of just ignoring that SYN-ACK.
8298 *
8299 * XXX - Is this affected by MPTCP which can use multiple SYNs?
8300 */
8306 /* the retrieved conversation might have a different base_seq (issue 16944) */
8315 /* As above, a new conversation */
8317 }
8320 }
8322 /* Do we need to calculate timestamps relative to the tcp-stream? */
8324 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8326 /* Calculate the timestamps relative to this conversation */
8328 }
8329 }
8339 }
8341 /* Display the completeness of this TCP conversation */
8349 NULL};
8358 item = proto_tree_add_string(field_tree, hf_tcp_completeness_str, tvb, 0, 0, flags_str_first_letter);
8361 /* Copy the stream index into the header as well to make it available
8362 * to tap listeners.
8363 */
8366 /* Copy the stream index into pinfo as well to make it available
8367 * to callback functions (essentially conversation following events in GUI)
8368 */
8371 /* initialize the SACK blocks seen to 0 */
8374 }
8375 }
8377 /* is there any manual analysis waiting ? */
8379 tcppd = (struct tcp_per_packet_data_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tcp, pinfo->curr_layer_num);
8381 }
8383 /* We have have the absolute sequence numbers (we would have thrown an
8384 * exception if not) and tcpd, so set relative sequence numbers now. */
8386 /* XXX - Why not in an error packet? */
8388 /* initialize base_seq numbers if needed */
8390 /* if this is the first segment for this list we need to store the
8391 * base_seq
8392 * We use TCP_S_SAW_SYN/SYNACK to distinguish between client and server
8393 *
8394 * Start relative seq and ack numbers at 1 if this
8395 * is not a SYN packet. This makes the relative
8396 * seq/ack numbers to be displayed correctly in the
8397 * event that the SYN or SYN/ACK packet is not seen
8398 * (this solves bug 1542)
8399 */
8404 }
8407 }
8409 }
8411 /* Only store reverse sequence if this isn't the SYN
8412 * There's no guarantee that the ACK field of a SYN
8413 * contains zeros; get the ISN from the first segment
8414 * with the ACK bit set instead (usually the SYN/ACK).
8415 *
8416 * If the SYN and SYN/ACK were received out-of-order,
8417 * the ISN is ack-1. If we missed the SYN/ACK, but got
8418 * the last ACK of the 3WHS, the ISN is ack-1. For all
8419 * other packets the ISN is unknown, so ack-1 is
8420 * as good a guess as ack.
8421 */
8425 }
8426 }
8431 }
8432 }
8433 }
8435 /*
8436 * If we've been handed an IP fragment, we don't know how big the TCP
8437 * segment is, so don't do anything that requires that we know that.
8438 *
8439 * The same applies if we're part of an error packet. (XXX - if the
8440 * ICMP and ICMPv6 dissectors could set a "this is how big the IP
8441 * header says it is" length in the tvbuff, we could use that; such
8442 * a length might also be useful for handling packets where the IP
8443 * length is bigger than the actual data available in the frame; the
8444 * dissectors should trust that length, and then throw a
8445 * ReportedBoundsError exception when they go past the end of the frame.)
8446 *
8447 * We also can't determine the segment length if the reported length
8448 * of the TCP packet is less than the TCP header length.
8449 */
8455 "Short segment. Segment/fragment does not contain a full TCP header"
8461 /* Compute the length of data in this segment. */
8468 /* handle TCP seq# analysis parse all new segments we see */
8469 /* We need the window size to perform sequence analysis.
8470 * (Zero is a possible value treated specially. */
8473 /* Get it on every pass so that dissection is the same. */
8477 tcp_analyze_sequence_number(pinfo, tcph->th_rawseq, tcph->th_rawack, tcph->th_seglen, tcph->th_flags, tcph->th_win, tcpd, tcppd);
8478 }
8479 }
8481 /* Compute the sequence number of next octet after this segment. */
8483 }
8487 /*
8488 * Decode the ECN related flags as ACE if it is not a SYN segment,
8489 * and an AccECN-setup SYN and SYN ACK have been observed, or an
8490 * AccECN option was observed (this covers the case where Wireshark
8491 * did not observe the initial handshake).
8492 */
8502 COL_ADD_LSTR_TERMINATOR);
8509 }
8513 proto_tree_add_uint_format_value(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "%u (relative sequence number)", tcph->th_seq);
8519 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_time, tvb, (offset + 4) * 8, 5, ENC_NA);
8520 proto_tree_add_bits_item(syncookie_ti, hf_tcp_syncookie_mss, tvb, (offset + 4) * 8 + 5, 3, ENC_NA);
8522 }
8526 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_seq_abs, tvb, offset + 4, 4, tcph->th_rawseq);
8528 }
8529 }
8532 /* Give up at this point; we put the source and destination port in
8533 the tree, before fetching the header length, so that they'll
8534 show up if this is in the failing packet in an ICMP error packet,
8535 but it's now time to give up if the header length is bogus. */
8539 tf = proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8544 }
8546 /* Now we certainly have enough information to be willing to send
8547 * the header information to the tap. The options can add information
8548 * about the SACKs, but the other taps don't really *require* that.
8549 * Add a CLEANUP function so that the tap_queue_packet gets called
8550 * if any exception is thrown.
8551 *
8552 * XXX - We haven't necessarily retrieved the window size yet. We'll
8553 * try to do so before sending it to the tap, but if the header is
8554 * truncated to 14 octets, the taps will receive a window size of 0.
8555 * Can they handle it with minimal problems?
8556 */
8563 /* initialize or move forward the conversation completeness */
8570 }
8571 }
8572 }
8574 /* Explicitly and immediately move forward the conversation last_frame,
8575 * although it would one way or another be changed later
8576 * in the conversation helper functions.
8577 */
8581 }
8582 }
8585 }
8587 /* SYN-ACK */
8590 }
8592 /* ACKs */
8596 }
8599 }
8600 }
8602 /* FIN-ACK */
8605 }
8607 /* RST */
8608 /* XXX: A RST segment should be validated (RFC 9293 3.5.3),
8609 * and if not valid should not change the conversation state.
8610 */
8613 }
8615 /* Store the completeness at the conversation level,
8616 * both as numerical and as Flag First Letters string, to avoid
8617 * computing many times the same thing.
8618 */
8622 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8623 }
8624 }
8627 tcpd->conversation_completeness_str = completeness_flags_to_str_first_letter(wmem_file_scope(), tcpd->conversation_completeness) ;
8628 }
8629 }
8634 }
8637 }
8642 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq + 1, "%u (relative sequence number)", nxtseq + 1);
8644 tf=proto_tree_add_uint_format_value(tcp_tree, hf_tcp_nxtseq, tvb, offset, 0, nxtseq, "%u (relative sequence number)", nxtseq);
8645 }
8651 }
8652 }
8654 }
8657 hide_seqack_abs_item = proto_tree_add_uint(tcp_tree, hf_tcp_ack_abs, tvb, offset + 8, 4, tcph->th_rawack);
8663 }
8670 }
8671 }
8673 /* Note if the ACK field is non-zero */
8676 }
8677 }
8680 // This should be consistent with ip.hdr_len.
8681 proto_tree_add_uint_bits_format_value(tcp_tree, hf_tcp_hdr_len, tvb, (offset + 12) << 3, 4, tcph->th_hlen,
8694 ace);
8699 }
8703 tf_rst = proto_tree_add_boolean(field_tree, hf_tcp_flags_reset, tvb, offset + 13, 1, tcph->th_flags);
8704 tf_syn = proto_tree_add_boolean(field_tree, hf_tcp_flags_syn, tvb, offset + 13, 1, tcph->th_flags);
8705 tf_fin = proto_tree_add_boolean(field_tree, hf_tcp_flags_fin, tvb, offset + 13, 1, tcph->th_flags);
8707 tf = proto_tree_add_string(field_tree, hf_tcp_flags_str, tvb, offset + 12, 2, flags_str_first_letter);
8709 }
8715 /* Save the server port to help determine dissector used */
8717 }
8721 /* Save the server port to help determine dissector used */
8724 }
8725 /* Remember where the next segment will start. */
8729 }
8730 }
8731 /* Initialize the is_first_ack */
8733 }
8735 /* XXX - find a way to know the server port and output only that one */
8738 /* Track closing initiator.
8739 If it was not already closed by the reverse flow, it means we are the first */
8745 }
8746 }
8748 /* XXX - find a way to know the server port and output only that one */
8751 }
8756 /* If all of the following:
8757 * - we care (the pref is set)
8758 * - this is a pure ACK
8759 * - we have a timestamp for the most-recently-transmitted SYN
8760 * - we haven't seen a pure ACK yet (no ts_first_rtt stored)
8761 * then assume it's the last part of the handshake and store the initial
8762 * RTT time
8763 */
8765 }
8767 /*
8768 * Remember if we have already seen at least one ACK,
8769 * then we can neutralize the Window Scale side-effect at the beginning (issue 14690)
8770 */
8775 }
8776 }
8780 /* re-calculate window size based on scaling factor */
8784 }
8786 /* i.e. Unknown, but wasn't signalled with no scaling, so use preference setting instead! */
8789 }
8790 }
8791 }
8796 /* As discussed in bug 5541, it is better to use two separate
8797 * fields for the real and calculated window size.
8798 */
8801 /* Check if the window value of this reset packet is in the NetScaler error code range */
8802 const char *tcp_ns_reset_window_error_descr = try_val_to_str(real_window, netscaler_reset_window_error_code_vals);
8807 }
8808 }
8809 scaled_pi = proto_tree_add_uint(tcp_tree, hf_tcp_window_size, tvb, offset + 14, 2, tcph->th_win);
8816 /* Unknown */
8817 {
8821 /* Use preference setting (if set) */
8825 }
8827 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2,
8829 win_scale,
8832 }
8836 /* No window scaling used */
8837 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, tcpd->fwd->win_scale, "%d (no window scaling used)", tcpd->fwd->win_scale);
8842 /* Scaling from signalled value */
8843 scaled_pi = proto_tree_add_int_format_value(tcp_tree, hf_tcp_window_size_scalefactor, tvb, offset + 14, 2, 1<<tcpd->fwd->win_scale, "%d", 1<<tcpd->fwd->win_scale);
8845 }
8846 }
8847 }
8849 /* Supply the sequence number of the first byte and of the first byte
8850 after the segment. */
8855 /* Assume we'll pass un-reassembled data to subdissectors. */
8858 /*
8859 * Assume, initially, that we can't desegment.
8860 */
8864 /* The packet isn't part of an un-reassembled fragmented datagram
8865 and isn't truncated. This means we have all the data, and thus
8866 can checksum it and, unless it's being returned in an error
8867 packet, are willing to allow subdissectors to request reassembly
8868 on it. */
8871 /* We haven't turned checksum checking off; checksum it. */
8873 /* Set up the fields of the pseudo-header. */
8890 /* TCP runs only atop IPv4 and IPv6.... */
8893 }
8894 /* See discussion in packet-udp.c of partial checksums used in
8895 * checksum offloading in Linux and Windows (and possibly others.)
8896 */
8909 /* XXX - What should this special status be? */
8917 /* Checksum is treated as valid on most systems, so we're willing to desegment it. */
8923 /* Don't use PROTO_CHECKSUM_IN_CKSUM because we expect the value
8924 * to match what we pass in. */
8925 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, g_htons(partial_cksum),
8927 proto_item_append_text(item, " (matches partial checksum, not 0x%04x, likely caused by \"TCP checksum offload\")", shouldbe_cksum);
8930 /* XXX Add a new status, e.g. PROTO_CHECKSUM_E_PARTIAL? */
8932 item = proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, computed_cksum,
8934 }
8940 /* Checksum is valid, so we're willing to desegment it. */
8946 /* Checksum is invalid, so we're not willing to desegment it. */
8950 }
8951 }
8953 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
8956 /* We didn't check the checksum, and don't care if it's valid,
8957 so we're willing to desegment it. */
8959 }
8961 /* We don't have all the packet data, so we can't checksum it... */
8962 proto_tree_add_checksum(tcp_tree, tvb, offset+16, hf_tcp_checksum, hf_tcp_checksum_status, &ei_tcp_checksum_bad, pinfo, 0,
8965 /* ...and aren't willing to desegment it. */
8967 }
8970 /* We're willing to desegment this. Is desegmentation enabled? */
8972 /* Yes - is this segment being returned in an error packet? */
8974 /* No - indicate that we will desegment.
8975 We do NOT want to desegment segments returned in error
8976 packets, as they're not part of a TCP connection. */
8978 }
8979 }
8980 }
8982 item = proto_tree_add_item_ret_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, ENC_BIG_ENDIAN, &th_urp);
8985 /* Export the urgent pointer, for the benefit of protocols such as
8986 rlogin. */
8991 /* Note if the urgent pointer field is non-zero */
8993 }
8994 }
8999 /* If there's more than just the fixed-length header (20 bytes), create
9000 a protocol tree item for the options. (We already know there's
9001 not less than the fixed-length header - we checked that above.)
9003 We ensure that we don't throw an exception here, so that we can
9004 do some analysis before we dissect the options and possibly
9005 throw an exception. (Trying to avoid throwing an exception when
9006 dissecting options is not something we should do.) */
9018 }
9019 }
9023 /* handle conversation timestamps */
9026 }
9028 /* Now dissect the options. */
9036 /* Do some post evaluation of some Riverbed probe options in the list */
9037 option_data = (rvbd_option_data*)p_get_proto_data(pinfo->pool, pinfo, proto_tcp_option_rvbd_probe, pinfo->curr_layer_num);
9039 {
9041 {
9042 /* Distinguish S+ from S+* */
9046 }
9047 }
9049 }
9051 /* handle TCP seq# analysis, print any extra SEQ/ACK data for this segment*/
9055 /* May need to recover absolute values here... */
9060 }
9061 }
9063 }
9067 /* Check the validity of the window scale value
9068 */
9070 }
9073 /* If the SYN or the SYN+ACK offered SCPS capabilities,
9074 * validate the flow's bidirectional scps capabilities.
9075 * The or protects against broken implementations offering
9076 * SCPS capabilities on SYN+ACK even if it wasn't offered with the SYN
9077 */
9080 }
9082 }
9083 }
9089 }
9090 }
9092 /* Skip over header + options */
9095 /* Check the packet length to see if there's more data
9096 (it could be an ACK-only packet) */
9108 }
9109 }
9111 /* Nothing more to add to tcph, go ahead and send to the taps. */
9112 CLEANUP_CALL_AND_POP;
9114 /* if it is an MPTCP packet */
9117 }
9119 /* If we're reassembling something whose length isn't known
9120 * beforehand, and that runs all the way to the end of
9121 * the data stream, a FIN indicates the end of the data
9122 * stream and thus the completion of reassembly, so we
9123 * need to explicitly check for that here.
9124 */
9130 /* Is this the FIN that ended the data stream or is it a
9131 * retransmission of that FIN?
9132 */
9134 /* Either we haven't seen a FIN for this flow or we
9135 * have and it's this frame. Note that this is the FIN
9136 * for this flow, terminate reassembly and dissect the
9137 * results. */
9139 msp=(struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(tcpd->fwd->multisegment_pdus, tcph->th_seq);
9148 if(ipfd_head && ipfd_head->reassembled_in == pinfo->num && ipfd_head->reas_in_layer_num == pinfo->curr_layer_num) {
9151 /* create a new TVB structure for desegmented data
9152 * datalen-1 to strip the dummy FIN byte off
9153 */
9156 /* add desegmented data to the data source list */
9159 /* Show details of the reassembly */
9162 /* call the payload dissector
9163 * but make sure we don't offer desegmentation any more
9164 */
9167 process_tcp_payload(next_tvb, 0, pinfo, tree, tcp_tree, tcph->th_sport, tcph->th_dport, tcph->th_seq,
9171 }
9172 }
9174 /* Yes. This is a retransmission of the final FIN (or it's
9175 * the final FIN transmitted via a different path).
9176 * XXX - we need to flag retransmissions a bit better.
9177 */
9179 }
9180 }
9182 if (tcp_display_process_info && tcpd && ((tcpd->fwd && tcpd->fwd->process_info && tcpd->fwd->process_info->command) ||
9184 field_tree = proto_tree_add_subtree(tcp_tree, tvb, offset, 0, ett_tcp_process_info, &ti, "Process Information");
9187 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_uid, tvb, 0, 0, tcpd->fwd->process_info->process_uid);
9188 proto_tree_add_uint(field_tree, hf_tcp_proc_dst_pid, tvb, 0, 0, tcpd->fwd->process_info->process_pid);
9189 proto_tree_add_string(field_tree, hf_tcp_proc_dst_uname, tvb, 0, 0, tcpd->fwd->process_info->username);
9190 proto_tree_add_string(field_tree, hf_tcp_proc_dst_cmd, tvb, 0, 0, tcpd->fwd->process_info->command);
9191 }
9193 proto_tree_add_uint(field_tree, hf_tcp_proc_src_uid, tvb, 0, 0, tcpd->rev->process_info->process_uid);
9194 proto_tree_add_uint(field_tree, hf_tcp_proc_src_pid, tvb, 0, 0, tcpd->rev->process_info->process_pid);
9195 proto_tree_add_string(field_tree, hf_tcp_proc_src_uname, tvb, 0, 0, tcpd->rev->process_info->username);
9196 proto_tree_add_string(field_tree, hf_tcp_proc_src_cmd, tvb, 0, 0, tcpd->rev->process_info->command);
9197 }
9198 }
9200 /*
9201 * XXX - what, if any, of this should we do if this is included in an
9202 * error packet? It might be nice to see the details of the packet
9203 * that caused the ICMP error, but it might not be nice to have the
9204 * dissector update state based on it.
9205 * Also, we probably don't want to run TCP taps on those packets.
9206 */
9209 /*
9210 * RFC1122 says:
9211 *
9212 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
9213 *
9214 * A TCP SHOULD allow a received RST segment to include data.
9215 *
9216 * DISCUSSION
9217 * It has been suggested that a RST segment could contain
9218 * ASCII text that encoded and explained the cause of the
9219 * RST. No standard has yet been established for such
9220 * data.
9221 *
9222 * so for segments with RST we just display the data as text.
9223 */
9224 proto_tree_add_item(tcp_tree, hf_tcp_reset_cause, tvb, offset, captured_length_remaining, ENC_NA|ENC_ASCII);
9226 /* When we have a frame with TCP SYN bit set and segmented TCP payload we need
9227 * to increment seq and nxtseq to detect the overlapping byte(s). This is to fix Bug 9882.
9228 */
9235 }
9236 }
9237 }
9239 }
9241 static void
9243 {
9246 /* MPTCP init */
9249 }
9251 void
9253 {
9336 // "Data Offset" in https://tools.ietf.org/html/rfc793#section-3.1 and
9337 // "Data offset" in https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
9398 /* 32 bits so we can present some values adjusted to window scaling */
9412 { "Checksum Status", "tcp.checksum.status", FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
9436 { "Duplicate to the ACK in frame", "tcp.analysis.duplicate_ack_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_DUP_ACK), 0x0,
9440 { "This is a continuation to the PDU in frame", "tcp.continuation_to", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9448 { "This is an ACK to the segment in frame", "tcp.analysis.acks_frame", FT_FRAMENUM, BASE_NONE, FRAMENUM_TYPE(FT_FRAMENUM_ACK), 0x0,
9456 { "Bytes sent since last PSH flag", "tcp.analysis.push_bytes_sent", FT_UINT32, BASE_DEC, NULL, 0x0,
9460 { "The RTT to ACK the segment was", "tcp.analysis.ack_rtt", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
9472 { "RTO based on delta from frame", "tcp.analysis.rto_frame", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
9484 { "Conflicting data in segment overlap", "tcp.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9488 { "Multiple tail segments found", "tcp.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
9529 BASE_DEC, NULL, 0x0, "Length of this TCP option in bytes (including kind and length fields)", HFILL }},
9620 { "Do not attempt to establish new subflows to this address and port", "tcp.options.mptcp.nomoresubflows.flag", FT_UINT8,
9640 { "Data Sequence Number, Subflow Sequence Number, Data-level Length, Checksum present", "tcp.options.mptcp.dseqnpresent.flag", FT_UINT8,
9959 RVBD_FLAGS_TRPY_FW_RST_PROBE,
9961 HFILL }},
9966 RVBD_FLAGS_TRPY_FW_RST_INNER,
9967 "Reset state created by transparent inner on all firewalls"
9969 HFILL }},
9974 RVBD_FLAGS_TRPY_FW_RST,
9975 "Reset state created by probe on all firewalls before "
10022 { "Time until the last segment of this PDU", "tcp.pdu.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10034 { "Time since first frame in this TCP stream", "tcp.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10038 { "Time since previous frame in this TCP stream", "tcp.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
10090 { "Retransmission of FIN from frame", "tcp.fin_retransmission", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
10110 { "SYN Cookie Timestamp", "tcp.options.timestamp.tsval.syncookie.timestamp", FT_UINT32, BASE_DEC, NULL, 0x0,
10114 { "SYN Cookie ECN", "tcp.options.timestamp.tsval.syncookie.ecn", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10118 { "SYN Cookie SACK", "tcp.options.timestamp.tsval.syncookie.sack", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
10122 { "SYN Cookie WScale", "tcp.options.timestamp.tsval.syncookie.wscale", FT_UINT8, BASE_DEC, NULL, 0x0,
10126 { "NetScaler TCP Reset Window Error Code", "tcp.nstrace.rst.window_error_code", FT_STRING, BASE_NONE, NULL, 0x0,
10128 };
10169 &ett_tcp_syncookie_option
10170 };
10174 &ett_mptcp_analysis_subflows
10175 };
10195 };
10204 };
10207 { &ei_tcp_opt_len_invalid, { "tcp.option.len.invalid", PI_SEQUENCE, PI_NOTE, "Invalid length for option", EXPFILL }},
10208 { &ei_tcp_analysis_retransmission, { "tcp.analysis.retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) retransmission", EXPFILL }},
10209 { &ei_tcp_analysis_fast_retransmission, { "tcp.analysis.fast_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) fast retransmission", EXPFILL }},
10210 { &ei_tcp_analysis_spurious_retransmission, { "tcp.analysis.spurious_retransmission", PI_SEQUENCE, PI_NOTE, "This frame is a (suspected) spurious retransmission", EXPFILL }},
10211 { &ei_tcp_analysis_out_of_order, { "tcp.analysis.out_of_order", PI_SEQUENCE, PI_WARN, "This frame is a (suspected) out-of-order segment", EXPFILL }},
10212 { &ei_tcp_analysis_reused_ports, { "tcp.analysis.reused_ports", PI_SEQUENCE, PI_NOTE, "A new tcp session is started with the same ports as an earlier session in this trace", EXPFILL }},
10213 { &ei_tcp_analysis_lost_packet, { "tcp.analysis.lost_segment", PI_SEQUENCE, PI_WARN, "Previous segment(s) not captured (common at capture start)", EXPFILL }},
10214 { &ei_tcp_analysis_ack_lost_packet, { "tcp.analysis.ack_lost_segment", PI_SEQUENCE, PI_WARN, "ACKed segment that wasn't captured (common at capture start)", EXPFILL }},
10215 { &ei_tcp_analysis_window_update, { "tcp.analysis.window_update", PI_SEQUENCE, PI_CHAT, "TCP window update", EXPFILL }},
10216 { &ei_tcp_analysis_window_full, { "tcp.analysis.window_full", PI_SEQUENCE, PI_WARN, "TCP window specified by the receiver is now completely full", EXPFILL }},
10217 { &ei_tcp_analysis_keep_alive, { "tcp.analysis.keep_alive", PI_SEQUENCE, PI_NOTE, "TCP keep-alive segment", EXPFILL }},
10218 { &ei_tcp_analysis_keep_alive_ack, { "tcp.analysis.keep_alive_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP keep-alive segment", EXPFILL }},
10219 { &ei_tcp_analysis_duplicate_ack, { "tcp.analysis.duplicate_ack", PI_SEQUENCE, PI_NOTE, "Duplicate ACK", EXPFILL }},
10220 { &ei_tcp_analysis_zero_window_probe, { "tcp.analysis.zero_window_probe", PI_SEQUENCE, PI_NOTE, "TCP Zero Window Probe", EXPFILL }},
10221 { &ei_tcp_analysis_zero_window, { "tcp.analysis.zero_window", PI_SEQUENCE, PI_WARN, "TCP Zero Window segment", EXPFILL }},
10222 { &ei_tcp_analysis_zero_window_probe_ack, { "tcp.analysis.zero_window_probe_ack", PI_SEQUENCE, PI_NOTE, "ACK to a TCP Zero Window Probe", EXPFILL }},
10223 { &ei_tcp_analysis_tfo_syn, { "tcp.analysis.tfo_syn", PI_SEQUENCE, PI_NOTE, "TCP SYN with TFO Cookie", EXPFILL }},
10224 { &ei_tcp_analysis_tfo_ack, { "tcp.analysis.tfo_ack", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK accepting TFO data", EXPFILL }},
10225 { &ei_tcp_analysis_tfo_ignored, { "tcp.analysis.tfo_ignored", PI_SEQUENCE, PI_NOTE, "TCP SYN-ACK ignoring TFO data", EXPFILL }},
10226 { &ei_tcp_analysis_partial_ack, { "tcp.analysis.partial_ack", PI_SEQUENCE, PI_NOTE, "Partial Acknowledgement of a segment", EXPFILL }},
10227 { &ei_tcp_connection_fin_active, { "tcp.connection.fin_active", PI_SEQUENCE, PI_NOTE, "This frame initiates the connection closing", EXPFILL }},
10228 { &ei_tcp_connection_fin_passive, { "tcp.connection.fin_passive", PI_SEQUENCE, PI_NOTE, "This frame undergoes the connection closing", EXPFILL }},
10229 { &ei_tcp_scps_capable, { "tcp.analysis.scps_capable", PI_SEQUENCE, PI_NOTE, "Connection establish request (SYN-ACK): SCPS Capabilities Negotiated", EXPFILL }},
10230 { &ei_tcp_option_sack_dsack, { "tcp.options.sack.dsack", PI_SEQUENCE, PI_WARN, "D-SACK Sequence", EXPFILL }},
10231 { &ei_tcp_option_snack_sequence, { "tcp.options.snack.sequence", PI_SEQUENCE, PI_NOTE, "SNACK Sequence", EXPFILL }},
10232 { &ei_tcp_option_wscale_shift_invalid, { "tcp.options.wscale.shift.invalid", PI_PROTOCOL, PI_WARN, "Window scale shift exceeds 14", EXPFILL }},
10233 { &ei_tcp_option_mss_absent, { "tcp.options.mss.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a MSS option", EXPFILL }},
10234 { &ei_tcp_option_mss_present, { "tcp.options.mss.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a MSS option", EXPFILL }},
10235 { &ei_tcp_option_sack_perm_absent, { "tcp.options.sack_perm.absent", PI_PROTOCOL, PI_NOTE, "The SYN packet does not contain a SACK PERM option", EXPFILL }},
10236 { &ei_tcp_option_sack_perm_present, { "tcp.options.sack_perm.present", PI_PROTOCOL, PI_WARN, "The non-SYN packet does contain a SACK PERM option", EXPFILL }},
10237 { &ei_tcp_short_segment, { "tcp.short_segment", PI_MALFORMED, PI_WARN, "Short segment", EXPFILL }},
10238 { &ei_tcp_ack_nonzero, { "tcp.ack.nonzero", PI_PROTOCOL, PI_NOTE, "The acknowledgment number field is nonzero while the ACK flag is not set", EXPFILL }},
10239 { &ei_tcp_connection_synack, { "tcp.connection.synack", PI_SEQUENCE, PI_CHAT, "Connection establish acknowledge (SYN+ACK)", EXPFILL }},
10240 { &ei_tcp_connection_syn, { "tcp.connection.syn", PI_SEQUENCE, PI_CHAT, "Connection establish request (SYN)", EXPFILL }},
10241 { &ei_tcp_connection_fin, { "tcp.connection.fin", PI_SEQUENCE, PI_CHAT, "Connection finish (FIN)", EXPFILL }},
10242 /* According to RFCs, RST is an indication of an error. Some applications use it
10243 * to terminate a connection as well, which is a misbehavior (see e.g. rfc3360)
10244 */
10245 { &ei_tcp_connection_rst, { "tcp.connection.rst", PI_SEQUENCE, PI_WARN, "Connection reset (RST)", EXPFILL }},
10246 { &ei_tcp_checksum_ffff, { "tcp.checksum.ffff", PI_CHECKSUM, PI_WARN, "TCP Checksum 0xffff instead of 0x0000 (see RFC 1624)", EXPFILL }},
10247 { &ei_tcp_checksum_partial, { "tcp.checksum.partial", PI_CHECKSUM, PI_NOTE, "Partial (pseudo header) checksum (likely caused by \"TCP checksum offload\")", EXPFILL }},
10248 { &ei_tcp_checksum_bad, { "tcp.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
10249 { &ei_tcp_urgent_pointer_non_zero, { "tcp.urgent_pointer.non_zero", PI_PROTOCOL, PI_NOTE, "The urgent pointer field is nonzero while the URG flag is not set", EXPFILL }},
10250 { &ei_tcp_suboption_malformed, { "tcp.suboption_malformed", PI_MALFORMED, PI_ERROR, "suboption would go past end of option", EXPFILL }},
10251 { &ei_tcp_nop, { "tcp.nop", PI_PROTOCOL, PI_WARN, "4 NOP in a row - a router may have removed some options", EXPFILL }},
10252 { &ei_tcp_non_zero_bytes_after_eol, { "tcp.non_zero_bytes_after_eol", PI_PROTOCOL, PI_ERROR, "Non zero bytes in option space after EOL option", EXPFILL }},
10253 { &ei_tcp_bogus_header_length, { "tcp.bogus_header_length", PI_PROTOCOL, PI_ERROR, "Bogus TCP Header length", EXPFILL }},
10254 };
10257 #if 0
10258 { &ei_mptcp_analysis_unexpected_idsn, { "mptcp.connection.unexpected_idsn", PI_PROTOCOL, PI_NOTE, "Unexpected initial sequence number", EXPFILL }},
10259 #endif
10260 { &ei_mptcp_analysis_echoed_key_mismatch, { "mptcp.connection.echoed_key_mismatch", PI_PROTOCOL, PI_WARN, "The echoed key in the ACK of the MPTCP handshake does not match the key of the SYN/ACK", EXPFILL }},
10261 { &ei_mptcp_analysis_missing_algorithm, { "mptcp.connection.missing_algorithm", PI_PROTOCOL, PI_WARN, "No crypto algorithm specified", EXPFILL }},
10262 { &ei_mptcp_analysis_unsupported_algorithm, { "mptcp.connection.unsupported_algorithm", PI_PROTOCOL, PI_WARN, "Unsupported algorithm", EXPFILL }},
10263 { &ei_mptcp_infinite_mapping, { "mptcp.dss.infinite_mapping", PI_PROTOCOL, PI_WARN, "Fallback to infinite mapping", EXPFILL }},
10264 { &ei_mptcp_mapping_missing, { "mptcp.dss.missing_mapping", PI_PROTOCOL, PI_WARN, "No mapping available", EXPFILL }},
10265 #if 0
10266 { &ei_mptcp_stream_incomplete, { "mptcp.incomplete", PI_PROTOCOL, PI_WARN, "Everything was not captured", EXPFILL }},
10267 { &ei_mptcp_analysis_dsn_out_of_order, { "mptcp.analysis.dsn.out_of_order", PI_PROTOCOL, PI_WARN, "Out of order dsn", EXPFILL }},
10268 #endif
10269 };
10328 };
10333 static decode_as_value_t tcp_da_values[3] = {{tcp_src_prompt, 1, tcp_da_src_values}, {tcp_dst_prompt, 1, tcp_da_dst_values}, {tcp_both_prompt, 2, tcp_da_both_values}};
10350 /* subdissector code */
10353 heur_subdissector_list = register_heur_dissector_list_with_description("tcp", "TCP heuristic", proto_tcp);
10357 /* Register TCP options as their own protocols so we can get the name of the option */
10358 proto_tcp_option_nop = proto_register_protocol_in_name_only("TCP Option - No-Operation (NOP)", "No-Operation (NOP)", "tcp.options.nop", proto_tcp, FT_BYTES);
10359 proto_tcp_option_eol = proto_register_protocol_in_name_only("TCP Option - End of Option List (EOL)", "End of Option List (EOL)", "tcp.options.eol", proto_tcp, FT_BYTES);
10360 proto_tcp_option_timestamp = proto_register_protocol_in_name_only("TCP Option - Timestamps", "Timestamps", "tcp.options.timestamp", proto_tcp, FT_BYTES);
10361 proto_tcp_option_mss = proto_register_protocol_in_name_only("TCP Option - Maximum segment size", "Maximum segment size", "tcp.options.mss", proto_tcp, FT_BYTES);
10362 proto_tcp_option_wscale = proto_register_protocol_in_name_only("TCP Option - Window scale", "Window scale", "tcp.options.wscale", proto_tcp, FT_BYTES);
10363 proto_tcp_option_sack_perm = proto_register_protocol_in_name_only("TCP Option - SACK permitted", "SACK permitted", "tcp.options.sack_perm", proto_tcp, FT_BYTES);
10364 proto_tcp_option_sack = proto_register_protocol_in_name_only("TCP Option - SACK", "SACK", "tcp.options.sack", proto_tcp, FT_BYTES);
10365 proto_tcp_option_echo = proto_register_protocol_in_name_only("TCP Option - Echo", "Echo", "tcp.options.echo", proto_tcp, FT_BYTES);
10366 proto_tcp_option_echoreply = proto_register_protocol_in_name_only("TCP Option - Echo reply", "Echo reply", "tcp.options.echoreply", proto_tcp, FT_BYTES);
10367 proto_tcp_option_cc = proto_register_protocol_in_name_only("TCP Option - CC", "CC", "tcp.options.cc", proto_tcp, FT_BYTES);
10368 proto_tcp_option_cc_new = proto_register_protocol_in_name_only("TCP Option - CC.NEW", "CC.NEW", "tcp.options.ccnew", proto_tcp, FT_BYTES);
10369 proto_tcp_option_cc_echo = proto_register_protocol_in_name_only("TCP Option - CC.ECHO", "CC.ECHO", "tcp.options.ccecho", proto_tcp, FT_BYTES);
10370 proto_tcp_option_ao = proto_register_protocol_in_name_only("TCP Option - TCP AO", "TCP AO", "tcp.options.ao", proto_tcp, FT_BYTES);
10371 proto_tcp_option_md5 = proto_register_protocol_in_name_only("TCP Option - TCP MD5 signature", "TCP MD5 signature", "tcp.options.md5", proto_tcp, FT_BYTES);
10372 proto_tcp_option_scps = proto_register_protocol_in_name_only("TCP Option - SCPS capabilities", "SCPS capabilities", "tcp.options.scps", proto_tcp, FT_BYTES);
10373 proto_tcp_option_snack = proto_register_protocol_in_name_only("TCP Option - Selective Negative Acknowledgment", "Selective Negative Acknowledgment", "tcp.options.snack", proto_tcp, FT_BYTES);
10374 proto_tcp_option_scpsrec = proto_register_protocol_in_name_only("TCP Option - SCPS record boundary", "SCPS record boundary", "tcp.options.scpsrec", proto_tcp, FT_BYTES);
10375 proto_tcp_option_scpscor = proto_register_protocol_in_name_only("TCP Option - SCPS corruption experienced", "SCPS corruption experienced", "tcp.options.scpscor", proto_tcp, FT_BYTES);
10376 proto_tcp_option_qs = proto_register_protocol_in_name_only("TCP Option - Quick-Start", "Quick-Start", "tcp.options.qs", proto_tcp, FT_BYTES);
10377 proto_tcp_option_user_to = proto_register_protocol_in_name_only("TCP Option - User Timeout", "User Timeout", "tcp.options.user_to", proto_tcp, FT_BYTES);
10378 proto_tcp_option_tfo = proto_register_protocol_in_name_only("TCP Option - TCP Fast Open", "TCP Fast Open", "tcp.options.tfo", proto_tcp, FT_BYTES);
10379 proto_tcp_option_acc_ecn = proto_register_protocol_in_name_only("TCP Option - Accurate ECN", "Accurate ECN", "tcp.options.acc_ecn", proto_tcp, FT_BYTES);
10380 proto_tcp_option_rvbd_probe = proto_register_protocol_in_name_only("TCP Option - Riverbed Probe", "Riverbed Probe", "tcp.options.rvbd.probe", proto_tcp, FT_BYTES);
10381 proto_tcp_option_rvbd_trpy = proto_register_protocol_in_name_only("TCP Option - Riverbed Transparency", "Riverbed Transparency", "tcp.options.rvbd.trpy", proto_tcp, FT_BYTES);
10382 proto_tcp_option_exp = proto_register_protocol_in_name_only("TCP Option - Experimental", "Experimental", "tcp.options.experimental", proto_tcp, FT_BYTES);
10383 proto_tcp_option_unknown = proto_register_protocol_in_name_only("TCP Option - Unknown", "Unknown", "tcp.options.unknown", proto_tcp, FT_BYTES);
10387 /* Register configuration preferences */
10395 "Whether to validate the TCP checksum or not. "
10404 "Whether out-of-order segments should be buffered and reordered before passing it to a subdissector. "
10409 "Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT",
10413 "Make the TCP dissector use relative sequence numbers instead of absolute ones. "
10424 "Make the TCP dissector use this scaling factor for streams where the signalled scaling factor "
10428 /* Presumably a retired, unconditional version of what has been added back with the preference above... */
10433 "Make the TCP dissector track the number on un-ACKed bytes of data are in flight per packet. "
10435 "This takes a lot of memory but allows you to track how much data are in flight at a time and graphing it in io-graphs",
10439 "Evaluate BiF on actual sequence numbers or use the historical method based on payloads (default). "
10444 "Calculate relative packet number and timestamps relative to the first frame and the previous frame in the tcp conversation",
10448 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
10466 "Assume TCP Experimental Options (253, 254) have an Experiment Identifier and use it for dissection",
10485 register_conversation_table(proto_tcp, false, tcpip_conversation_packet, tcpip_endpoint_packet);
10488 register_seq_analysis("tcp", "TCP Flows", proto_tcp, NULL, TL_REQUIRES_NOTHING, tcp_seq_analysis_packet);
10490 /* considers MPTCP as a distinct protocol (even if it's a TCP option) */
10491 proto_mptcp = proto_register_protocol("Multipath Transmission Control Protocol", "MPTCP", "mptcp");
10496 /* Register configuration preferences */
10513 "Scales logarithmically with the number of packets"
10514 "You need to capture the handshake for this to work."
10520 "(Greedy algorithm: Scales linearly with number of subflows and"
10521 " logarithmic scaling with number of packets)"
10525 range_convert_str(wmem_epan_scope(), &tcp_clientport_dissectors_range, TCP_DEFAULT_CLIENTPORT_DISSECTORS, 65535);
10526 prefs_register_range_preference(tcp_module, "clientport_dissectors", "Client port dissectors",
10527 "Ports for which the dissector will to be chosen based on the client port instead of the server port",
10530 register_conversation_table(proto_mptcp, false, mptcpip_conversation_packet, tcpip_endpoint_packet);
10531 register_follow_stream(proto_tcp, "tcp_follow", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
10537 }
10539 void
10541 {
10549 /* Create dissection function handles for all TCP options */
10550 dissector_add_uint("tcp.option", TCPOPT_TIMESTAMP, create_dissector_handle( dissect_tcpopt_timestamp, proto_tcp_option_timestamp ));
10551 dissector_add_uint("tcp.option", TCPOPT_MSS, create_dissector_handle( dissect_tcpopt_mss, proto_tcp_option_mss ));
10552 dissector_add_uint("tcp.option", TCPOPT_WINDOW, create_dissector_handle( dissect_tcpopt_wscale, proto_tcp_option_wscale ));
10553 dissector_add_uint("tcp.option", TCPOPT_SACK_PERM, create_dissector_handle( dissect_tcpopt_sack_perm, proto_tcp_option_sack_perm ));
10554 dissector_add_uint("tcp.option", TCPOPT_SACK, create_dissector_handle( dissect_tcpopt_sack, proto_tcp_option_sack ));
10555 dissector_add_uint("tcp.option", TCPOPT_ECHO, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echo ));
10556 dissector_add_uint("tcp.option", TCPOPT_ECHOREPLY, create_dissector_handle( dissect_tcpopt_echo, proto_tcp_option_echoreply ));
10557 dissector_add_uint("tcp.option", TCPOPT_CC, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc ));
10558 dissector_add_uint("tcp.option", TCPOPT_CCNEW, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_new ));
10559 dissector_add_uint("tcp.option", TCPOPT_CCECHO, create_dissector_handle( dissect_tcpopt_cc, proto_tcp_option_cc_echo ));
10560 dissector_add_uint("tcp.option", TCPOPT_MD5, create_dissector_handle( dissect_tcpopt_md5, proto_tcp_option_md5 ));
10561 dissector_add_uint("tcp.option", TCPOPT_AO, create_dissector_handle( dissect_tcpopt_ao, proto_tcp_option_ao ));
10562 dissector_add_uint("tcp.option", TCPOPT_SCPS, create_dissector_handle( dissect_tcpopt_scps, proto_tcp_option_scps ));
10563 dissector_add_uint("tcp.option", TCPOPT_SNACK, create_dissector_handle( dissect_tcpopt_snack, proto_tcp_option_snack ));
10564 dissector_add_uint("tcp.option", TCPOPT_RECBOUND, create_dissector_handle( dissect_tcpopt_recbound, proto_tcp_option_scpsrec ));
10565 dissector_add_uint("tcp.option", TCPOPT_CORREXP, create_dissector_handle( dissect_tcpopt_correxp, proto_tcp_option_scpscor ));
10566 dissector_add_uint("tcp.option", TCPOPT_QS, create_dissector_handle( dissect_tcpopt_qs, proto_tcp_option_qs ));
10567 dissector_add_uint("tcp.option", TCPOPT_USER_TO, create_dissector_handle( dissect_tcpopt_user_to, proto_tcp_option_user_to ));
10568 dissector_add_uint("tcp.option", TCPOPT_TFO, create_dissector_handle( dissect_tcpopt_tfo, proto_tcp_option_tfo ));
10569 dissector_add_uint("tcp.option", TCPOPT_RVBD_PROBE, create_dissector_handle( dissect_tcpopt_rvbd_probe, proto_tcp_option_rvbd_probe ));
10570 dissector_add_uint("tcp.option", TCPOPT_RVBD_TRPY, create_dissector_handle( dissect_tcpopt_rvbd_trpy, proto_tcp_option_rvbd_trpy ));
10571 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_0, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10572 dissector_add_uint("tcp.option", TCPOPT_ACC_ECN_1, create_dissector_handle( dissect_tcpopt_acc_ecn, proto_tcp_option_acc_ecn ));
10573 dissector_add_uint("tcp.option", TCPOPT_EXP_FD, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10574 dissector_add_uint("tcp.option", TCPOPT_EXP_FE, create_dissector_handle( dissect_tcpopt_exp, proto_tcp_option_exp ));
10575 dissector_add_uint("tcp.option", TCPOPT_MPTCP, create_dissector_handle( dissect_tcpopt_mptcp, proto_mptcp ));
10576 /* Common handle for all the unknown/unsupported TCP options */
10577 tcp_opt_unknown_handle = create_dissector_handle( dissect_tcpopt_unknown, proto_tcp_option_unknown );
10583 }
10585 /*
10586 * Editor modelines
10587 *
10588 * Local Variables:
10589 * c-basic-offset: 4
10590 * tab-width: 8
10591 * indent-tabs-mode: nil
10592 * End:
10593 *
10594 * ex: set shiftwidth=4 tabstop=8 expandtab:
10595 * :indentSize=4:tabSize=8:noTabs=true:
10596 */