search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
HACK: 2nd try to match RowsetProperties
[wireshark-wip.git] / epan / dissectors / packet-http.c
blob71580005279a3c0945a324622eab87f6af18de80
1 /* packet-http.c
2 * Routines for HTTP packet disassembly
3 * RFC 1945 (HTTP/1.0)
4 * RFC 2616 (HTTP/1.1)
5 *
6 * Guy Harris <guy@alum.mit.edu>
7 *
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
11 *
12 * $Id$
13 *
14 * Wireshark - Network traffic analyzer
15 * By Gerald Combs <gerald@wireshark.org>
16 * Copyright 1998 Gerald Combs
17 *
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
22 *
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
27 *
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 */
32
33 #include "config.h"
34
35 #include <stdlib.h>
36 #include <string.h>
37 #include <ctype.h>
38 #include <errno.h>
39
40 #include <glib.h>
41 #include <epan/conversation.h>
42 #include <epan/packet.h>
43 #include <epan/strutil.h>
44 #include <epan/base64.h>
45 #include <epan/stats_tree.h>
46
47 #include <epan/req_resp_hdrs.h>
48 #include "packet-http.h"
49 #include "packet-tcp.h"
50 #include "packet-ssl.h"
51 #include <epan/prefs.h>
52 #include <epan/expert.h>
53 #include <epan/uat.h>
54 #include <epan/wmem/wmem.h>
55
56 typedef enum _http_type {
57 HTTP_REQUEST,
58 HTTP_RESPONSE,
59 HTTP_NOTIFICATION,
60 HTTP_OTHERS
61 } http_type_t;
62
63 #include <epan/tap.h>
64
65
66 static int http_tap = -1;
67 static int http_eo_tap = -1;
68
69 static int proto_http = -1;
70 static int hf_http_notification = -1;
71 static int hf_http_response = -1;
72 static int hf_http_request = -1;
73 static int hf_http_response_line = -1;
74 static int hf_http_request_line = -1;
75 static int hf_http_basic = -1;
76 static int hf_http_request_method = -1;
77 static int hf_http_request_uri = -1;
78 static int hf_http_request_full_uri = -1;
79 static int hf_http_version = -1;
80 static int hf_http_response_code = -1;
81 static int hf_http_response_phrase = -1;
82 static int hf_http_authorization = -1;
83 static int hf_http_proxy_authenticate = -1;
84 static int hf_http_proxy_authorization = -1;
85 static int hf_http_proxy_connect_host = -1;
86 static int hf_http_proxy_connect_port = -1;
87 static int hf_http_www_authenticate = -1;
88 static int hf_http_content_type = -1;
89 static int hf_http_content_length_header = -1;
90 static int hf_http_content_length = -1;
91 static int hf_http_content_encoding = -1;
92 static int hf_http_transfer_encoding = -1;
93 static int hf_http_upgrade = -1;
94 static int hf_http_user_agent = -1;
95 static int hf_http_host = -1;
96 static int hf_http_connection = -1;
97 static int hf_http_cookie = -1;
98 static int hf_http_accept = -1;
99 static int hf_http_referer = -1;
100 static int hf_http_accept_language = -1;
101 static int hf_http_accept_encoding = -1;
102 static int hf_http_date = -1;
103 static int hf_http_cache_control = -1;
104 static int hf_http_server = -1;
105 static int hf_http_location = -1;
106 static int hf_http_sec_websocket_accept = -1;
107 static int hf_http_sec_websocket_extensions = -1;
108 static int hf_http_sec_websocket_key = -1;
109 static int hf_http_sec_websocket_protocol = -1;
110 static int hf_http_sec_websocket_version = -1;
111 static int hf_http_set_cookie = -1;
112 static int hf_http_last_modified = -1;
113 static int hf_http_x_forwarded_for = -1;
114 static int hf_http_request_in = -1;
115 static int hf_http_response_in = -1;
116 static int hf_http_next_request_in = -1;
117 static int hf_http_next_response_in = -1;
118 static int hf_http_prev_request_in = -1;
119 static int hf_http_prev_response_in = -1;
120 static int hf_http_time = -1;
121
122 static gint ett_http = -1;
123 static gint ett_http_ntlmssp = -1;
124 static gint ett_http_kerberos = -1;
125 static gint ett_http_request = -1;
126 static gint ett_http_chunked_response = -1;
127 static gint ett_http_chunk_data = -1;
128 static gint ett_http_encoded_entity = -1;
129 static gint ett_http_header_item = -1;
130
131 static expert_field ei_http_chat = EI_INIT;
132 static expert_field ei_http_chunked_and_length = EI_INIT;
133 static expert_field ei_http_subdissector_failed = EI_INIT;
134
135 static dissector_handle_t http_handle;
136
137 static dissector_handle_t data_handle;
138 static dissector_handle_t media_handle;
139 static dissector_handle_t websocket_handle;
140 static dissector_handle_t http2_handle;
141
142 /* Stuff for generation/handling of fields for custom HTTP headers */
143 typedef struct _header_field_t {
144 gchar* header_name;
145 gchar* header_desc;
146 } header_field_t;
147
148 static header_field_t* header_fields = NULL;
149 static guint num_header_fields = 0;
150
151 static GHashTable* header_fields_hash = NULL;
152
153 static void
154 header_fields_update_cb(void *r, const char **err)
155 {
156 header_field_t *rec = (header_field_t *)r;
157 char c;
158
159 if (rec->header_name == NULL) {
160 *err = g_strdup("Header name can't be empty");
161 return;
162 }
163
164 g_strstrip(rec->header_name);
165 if (rec->header_name[0] == 0) {
166 *err = g_strdup("Header name can't be empty");
167 return;
168 }
169
170 /* Check for invalid characters (to avoid asserting out when
171 * registering the field).
172 */
173 c = proto_check_field_name(rec->header_name);
174 if (c) {
175 *err = g_strdup_printf("Header name can't contain '%c'", c);
176 return;
177 }
178
179 *err = NULL;
180 }
181
182 static void *
183 header_fields_copy_cb(void* n, const void* o, size_t siz _U_)
184 {
185 header_field_t* new_rec = (header_field_t*)n;
186 const header_field_t* old_rec = (const header_field_t*)o;
187
188 if (old_rec->header_name) {
189 new_rec->header_name = g_strdup(old_rec->header_name);
190 } else {
191 new_rec->header_name = NULL;
192 }
193
194 if (old_rec->header_desc) {
195 new_rec->header_desc = g_strdup(old_rec->header_desc);
196 } else {
197 new_rec->header_desc = NULL;
198 }
199
200 return new_rec;
201 }
202
203 static void
204 header_fields_free_cb(void*r)
205 {
206 header_field_t* rec = (header_field_t*)r;
207
208 if (rec->header_name) g_free(rec->header_name);
209 if (rec->header_desc) g_free(rec->header_desc);
210 }
211
212 UAT_CSTRING_CB_DEF(header_fields, header_name, header_field_t)
213 UAT_CSTRING_CB_DEF(header_fields, header_desc, header_field_t)
214
215 /*
216 * desegmentation of HTTP headers
217 * (when we are over TCP or another protocol providing the desegmentation API)
218 */
219 static gboolean http_desegment_headers = TRUE;
220
221 /*
222 * desegmentation of HTTP bodies
223 * (when we are over TCP or another protocol providing the desegmentation API)
224 * TODO let the user filter on content-type the bodies he wants desegmented
225 */
226 static gboolean http_desegment_body = TRUE;
227
228 /*
229 * De-chunking of content-encoding: chunk entity bodies.
230 */
231 static gboolean http_dechunk_body = TRUE;
232
233 /*
234 * Decompression of zlib encoded entities.
235 */
236 #ifdef HAVE_LIBZ
237 static gboolean http_decompress_body = TRUE;
238 #else
239 static gboolean http_decompress_body = FALSE;
240 #endif
241
242 /* Simple Service Discovery Protocol
243 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
244 * SSDP is the discovery protocol of Universal Plug and Play
245 * UPnP http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
246 */
247 #define TCP_PORT_SSDP 1900
248 #define UDP_PORT_SSDP 1900
249
250 /*
251 * tcp and ssl ports
252 *
253 * 2710 is the XBT BitTorrent tracker
254 */
255
256 #define TCP_DEFAULT_RANGE "80,3128,3132,5985,8080,8088,11371,1900,2869,2710"
257 #define SSL_DEFAULT_RANGE "443"
258
259 #define UPGRADE_WEBSOCKET 1
260 #define UPGRADE_HTTP2 2
261
262 static range_t *global_http_tcp_range = NULL;
263 static range_t *global_http_ssl_range = NULL;
264
265 static range_t *http_tcp_range = NULL;
266 static range_t *http_ssl_range = NULL;
267
268 typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*,
269 const guchar*, http_conv_t *);
270
271 /*
272 * Structure holding information from headers needed by main
273 * HTTP dissector code.
274 */
275 typedef struct {
276 char *content_type;
277 char *content_type_parameters;
278 gboolean have_content_length;
279 gint64 content_length;
280 char *content_encoding;
281 char *transfer_encoding;
282 guint8 upgrade;
283 } headers_t;
284
285 static int is_http_request_or_reply(const gchar *data, int linelen,
286 http_type_t *type, ReqRespDissector
287 *reqresp_dissector, http_conv_t *conv_data);
288 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
289 proto_tree *tree, int offset);
290 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
291 const guchar *line, int linelen, int colon_offset,
292 packet_info *pinfo, proto_tree *tree,
293 headers_t *eh_ptr, http_conv_t *conv_data,
294 int http_type);
295 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
296 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
297 packet_info *pinfo, gchar *value);
298 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
299 gchar *value);
300 static gboolean check_auth_kerberos(proto_item *hdr_item, tvbuff_t *tvb,
301 packet_info *pinfo, const gchar *value);
302
303 static dissector_table_t port_subdissector_table;
304 static dissector_table_t media_type_subdissector_table;
305 static heur_dissector_list_t heur_subdissector_list;
306
307 static dissector_handle_t ntlmssp_handle;
308 static dissector_handle_t gssapi_handle;
309
310 /* --- HTTP Status Codes */
311 /* Note: The reference for uncommented entries is RFC 2616 */
312 static const value_string vals_status_code[] = {
313 { 100, "Continue" },
314 { 101, "Switching Protocols" },
315 { 102, "Processing" }, /* RFC 2518 */
316 { 199, "Informational - Others" },
317
318 { 200, "OK"},
319 { 201, "Created"},
320 { 202, "Accepted"},
321 { 203, "Non-authoritative Information"},
322 { 204, "No Content"},
323 { 205, "Reset Content"},
324 { 206, "Partial Content"},
325 { 207, "Multi-Status"}, /* RFC 4918 */
326 { 226, "IM Used"}, /* RFC 3229 */
327 { 299, "Success - Others"},
328
329 { 300, "Multiple Choices"},
330 { 301, "Moved Permanently"},
331 { 302, "Found"},
332 { 303, "See Other"},
333 { 304, "Not Modified"},
334 { 305, "Use Proxy"},
335 { 307, "Temporary Redirect"},
336 { 399, "Redirection - Others"},
337
338 { 400, "Bad Request"},
339 { 401, "Unauthorized"},
340 { 402, "Payment Required"},
341 { 403, "Forbidden"},
342 { 404, "Not Found"},
343 { 405, "Method Not Allowed"},
344 { 406, "Not Acceptable"},
345 { 407, "Proxy Authentication Required"},
346 { 408, "Request Time-out"},
347 { 409, "Conflict"},
348 { 410, "Gone"},
349 { 411, "Length Required"},
350 { 412, "Precondition Failed"},
351 { 413, "Request Entity Too Large"},
352 { 414, "Request-URI Too Long"},
353 { 415, "Unsupported Media Type"},
354 { 416, "Requested Range Not Satisfiable"},
355 { 417, "Expectation Failed"},
356 { 418, "I'm a teapot"}, /* RFC 2324 */
357 { 422, "Unprocessable Entity"}, /* RFC 4918 */
358 { 423, "Locked"}, /* RFC 4918 */
359 { 424, "Failed Dependency"}, /* RFC 4918 */
360 { 426, "Upgrade Required"}, /* RFC 2817 */
361 { 428, "Precondition Required"}, /* RFC 6585 */
362 { 429, "Too Many Requests"}, /* RFC 6585 */
363 { 431, "Request Header Fields Too Large"}, /* RFC 6585 */
364 { 499, "Client Error - Others"},
365
366 { 500, "Internal Server Error"},
367 { 501, "Not Implemented"},
368 { 502, "Bad Gateway"},
369 { 503, "Service Unavailable"},
370 { 504, "Gateway Time-out"},
371 { 505, "HTTP Version not supported"},
372 { 507, "Insufficient Storage"}, /* RFC 4918 */
373 { 511, "Network Authentication Required"}, /* RFC 6585 */
374 { 599, "Server Error - Others"},
375
376 { 0, NULL}
377 };
378
379 static const gchar* st_str_reqs = "HTTP Requests by Server";
380 static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address";
381 static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host";
382 static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address";
383
384 static int st_node_reqs = -1;
385 static int st_node_reqs_by_srv_addr = -1;
386 static int st_node_reqs_by_http_host = -1;
387 static int st_node_resps_by_srv_addr = -1;
388
389 /* HTTP/Load Distribution stats init function */
390 static void
391 http_reqs_stats_tree_init(stats_tree* st)
392 {
393 st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE);
394 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
395 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
396 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE);
397 }
398
399 /* HTTP/Load Distribution stats packet function */
400 static int
401 http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p)
402 {
403 const http_info_value_t* v = (const http_info_value_t*)p;
404 int reqs_by_this_host;
405 int reqs_by_this_addr;
406 int resps_by_this_addr;
407 int i = v->response_code;
408 gchar *ip_str;
409
410
411 if (v->request_method) {
412 ip_str = ep_address_to_str(&pinfo->dst);
413
414 tick_stat_node(st, st_str_reqs, 0, FALSE);
415 tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
416 tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
417 reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE);
418
419 if (v->http_host) {
420 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE);
421 tick_stat_node(st, ip_str, reqs_by_this_host, FALSE);
422
423 tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE);
424 }
425
426 return 1;
427
428 } else if (i != 0) {
429 ip_str = ep_address_to_str(&pinfo->src);
430
431 tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE);
432 resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE);
433
434 if ( (i>100)&&(i<400) ) {
435 tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
436 } else {
437 tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
438 }
439
440 return 1;
441 }
442
443 return 0;
444 }
445
446
447 static int st_node_requests_by_host = -1;
448 static const gchar *st_str_requests_by_host = "HTTP Requests by HTTP Host";
449
450 /* HTTP/Requests stats init function */
451 static void
452 http_req_stats_tree_init(stats_tree* st)
453 {
454 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE);
455 }
456
457 /* HTTP/Requests stats packet function */
458 static int
459 http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p)
460 {
461 const http_info_value_t* v = (const http_info_value_t*)p;
462 int reqs_by_this_host;
463
464 if (v->request_method) {
465 tick_stat_node(st, st_str_requests_by_host, 0, FALSE);
466
467 if (v->http_host) {
468 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE);
469
470 if (v->request_uri) {
471 tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE);
472 }
473 }
474
475 return 1;
476 }
477
478 return 0;
479 }
480
481 static const gchar *st_str_packets = "Total HTTP Packets";
482 static const gchar *st_str_requests = "HTTP Request Packets";
483 static const gchar *st_str_responses = "HTTP Response Packets";
484 static const gchar *st_str_resp_broken = "???: broken";
485 static const gchar *st_str_resp_100 = "1xx: Informational";
486 static const gchar *st_str_resp_200 = "2xx: Success";
487 static const gchar *st_str_resp_300 = "3xx: Redirection";
488 static const gchar *st_str_resp_400 = "4xx: Client Error";
489 static const gchar *st_str_resp_500 = "5xx: Server Error";
490 static const gchar *st_str_other = "Other HTTP Packets";
491
492 static int st_node_packets = -1;
493 static int st_node_requests = -1;
494 static int st_node_responses = -1;
495 static int st_node_resp_broken = -1;
496 static int st_node_resp_100 = -1;
497 static int st_node_resp_200 = -1;
498 static int st_node_resp_300 = -1;
499 static int st_node_resp_400 = -1;
500 static int st_node_resp_500 = -1;
501 static int st_node_other = -1;
502
503
504 /* HTTP/Packet Counter stats init function */
505 static void
506 http_stats_tree_init(stats_tree* st)
507 {
508 st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
509 st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets);
510 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE);
511 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE);
512 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE);
513 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE);
514 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE);
515 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE);
516 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE);
517 st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE);
518 }
519
520 /* HTTP/Packet Counter stats packet function */
521 static int
522 http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p)
523 {
524 const http_info_value_t* v = (const http_info_value_t*)p;
525 guint i = v->response_code;
526 int resp_grp;
527 const gchar *resp_str;
528 gchar str[64];
529
530 tick_stat_node(st, st_str_packets, 0, FALSE);
531
532 if (i) {
533 tick_stat_node(st, st_str_responses, st_node_packets, FALSE);
534
535 if ( (i<100)||(i>=600) ) {
536 resp_grp = st_node_resp_broken;
537 resp_str = st_str_resp_broken;
538 } else if (i<200) {
539 resp_grp = st_node_resp_100;
540 resp_str = st_str_resp_100;
541 } else if (i<300) {
542 resp_grp = st_node_resp_200;
543 resp_str = st_str_resp_200;
544 } else if (i<400) {
545 resp_grp = st_node_resp_300;
546 resp_str = st_str_resp_300;
547 } else if (i<500) {
548 resp_grp = st_node_resp_400;
549 resp_str = st_str_resp_400;
550 } else {
551 resp_grp = st_node_resp_500;
552 resp_str = st_str_resp_500;
553 }
554
555 tick_stat_node(st, resp_str, st_node_responses, FALSE);
556
557 g_snprintf(str, sizeof(str), "%u %s", i,
558 val_to_str(i, vals_status_code, "Unknown (%d)"));
559 tick_stat_node(st, str, resp_grp, FALSE);
560 } else if (v->request_method) {
561 stats_tree_tick_pivot(st,st_node_requests,v->request_method);
562 } else {
563 tick_stat_node(st, st_str_other, st_node_packets, FALSE);
564 }
565
566 return 1;
567 }
568
569
570 static void
571 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
572 const char *line)
573 {
574 tvbuff_t *ntlmssp_tvb;
575
576 ntlmssp_tvb = base64_to_tvb(tvb, line);
577 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data");
578 if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0)
579 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
580 else
581 call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree);
582 }
583
584 static void
585 dissect_http_kerberos(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
586 const char *line)
587 {
588 tvbuff_t *kerberos_tvb;
589
590 kerberos_tvb = base64_to_tvb(tvb, line + 9); /* skip 'Kerberos ' which is 9 chars */
591 add_new_data_source(pinfo, kerberos_tvb, "Kerberos Data");
592 call_dissector(gssapi_handle, kerberos_tvb, pinfo, tree);
593
594 }
595
596
597 static http_conv_t *
598 get_http_conversation_data(packet_info *pinfo)
599 {
600 conversation_t *conversation;
601 http_conv_t *conv_data;
602
603 conversation = find_or_create_conversation(pinfo);
604
605 /* Retrieve information from conversation
606 * or add it if it isn't there yet
607 */
608 conv_data = (http_conv_t *)conversation_get_proto_data(conversation, proto_http);
609 if(!conv_data) {
610 /* Setup the conversation structure itself */
611 conv_data = (http_conv_t *)wmem_alloc0(wmem_file_scope(), sizeof(http_conv_t));
612
613 conversation_add_proto_data(conversation, proto_http,
614 conv_data);
615 }
616
617 return conv_data;
618 }
619
620 /**
621 * create a new http_req_res_t and add it to the conversation.
622 * @return the new allocated object which is already added to the linked list
623 */
624 static http_req_res_t* push_req_res(http_conv_t *conv_data)
625 {
626 http_req_res_t *req_res = (http_req_res_t *)wmem_alloc0(wmem_file_scope(), sizeof(http_req_res_t));
627 nstime_set_unset(&(req_res->req_ts));
628 req_res->number = ++conv_data->req_res_num;
629
630 if (! conv_data->req_res_tail) {
631 conv_data->req_res_tail = req_res;
632 } else {
633 req_res->prev = conv_data->req_res_tail;
634 conv_data->req_res_tail->next = req_res;
635 conv_data->req_res_tail = req_res;
636 }
637
638 return req_res;
639 }
640
641 /**
642 * push a request frame number and its time stamp to the conversation data.
643 */
644 static void push_req(http_conv_t *conv_data, packet_info *pinfo)
645 {
646 /* a request will always create a new http_req_res_t object */
647 http_req_res_t *req_res = push_req_res(conv_data);
648
649 req_res->req_framenum = pinfo->fd->num;
650 req_res->req_ts = pinfo->fd->abs_ts;
651
652 p_add_proto_data(pinfo->fd, proto_http, 0, req_res);
653 }
654
655 /**
656 * push a response frame number to the conversation data.
657 */
658 static void push_res(http_conv_t *conv_data, packet_info *pinfo)
659 {
660 /* a response will create a new http_req_res_t object: if no
661 object exists, or if one exists for another response. In
662 both cases the corresponding request was not
663 detected/included in the conversation. In all other cases
664 the http_req_res_t object created by the request is
665 used. */
666 http_req_res_t *req_res = conv_data->req_res_tail;
667 if (!req_res || req_res->res_framenum > 0) {
668 req_res = push_req_res(conv_data);
669 }
670 req_res->res_framenum = pinfo->fd->num;
671 p_add_proto_data(pinfo->fd, proto_http, 0, req_res);
672 }
673
674 /*
675 * TODO: remove this ugly global variable.
676 * XXX: do we really want to have to pass this from one function to another?
677 */
678 static http_info_value_t *stat_info;
679
680 static int
681 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
682 proto_tree *tree, http_conv_t *conv_data)
683 {
684 const char *proto_tag;
685 proto_tree *http_tree = NULL;
686 proto_item *ti = NULL;
687 proto_item *hidden_item;
688 const guchar *line;
689 gint next_offset;
690 const guchar *linep, *lineend;
691 int orig_offset;
692 int first_linelen, linelen;
693 gboolean is_request_or_reply;
694 gboolean saw_req_resp_or_header;
695 guchar c;
696 http_type_t http_type;
697 proto_item *hdr_item = NULL;
698 ReqRespDissector reqresp_dissector;
699 proto_tree *req_tree;
700 int colon_offset;
701 headers_t headers;
702 int datalen;
703 int reported_datalen = -1;
704 dissector_handle_t handle;
705 gboolean dissected = FALSE;
706 /*guint i;*/
707 /*http_info_value_t *si;*/
708 http_eo_t *eo_info;
709
710 /*
711 * Is this a request or response?
712 *
713 * Note that "tvb_find_line_end()" will return a value that
714 * is not longer than what's in the buffer, so the
715 * "tvb_get_ptr()" call won't throw an exception.
716 */
717 first_linelen = tvb_find_line_end(tvb, offset,
718 tvb_ensure_length_remaining(tvb, offset), &next_offset,
719 TRUE);
720
721 if (first_linelen == -1) {
722 /* No complete line was found in this segment, do
723 * desegmentation if we're told to.
724 */
725 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
726 http_desegment_headers, http_desegment_body)) {
727 /*
728 * More data needed for desegmentation.
729 */
730 return -1;
731 }
732 }
733
734 /*
735 * Is the first line a request or response?
736 */
737 line = tvb_get_ptr(tvb, offset, first_linelen);
738 http_type = HTTP_OTHERS; /* type not known yet */
739 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
740 first_linelen, &http_type, NULL, conv_data);
741 if (is_request_or_reply) {
742 /*
743 * Yes, it's a request or response.
744 * Do header desegmentation if we've been told to,
745 * and do body desegmentation if we've been told to and
746 * we find a Content-Length header.
747 */
748 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
749 http_desegment_headers, http_desegment_body)) {
750 /*
751 * More data needed for desegmentation.
752 */
753 return -1;
754 }
755 }
756
757 stat_info = wmem_new(wmem_packet_scope(), http_info_value_t);
758 stat_info->framenum = pinfo->fd->num;
759 stat_info->response_code = 0;
760 stat_info->request_method = NULL;
761 stat_info->request_uri = NULL;
762 stat_info->http_host = NULL;
763
764 switch (pinfo->match_uint) {
765
766 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
767 proto_tag = "SSDP";
768 break;
769
770 default:
771 proto_tag = "HTTP";
772 break;
773 }
774
775 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
776 /*
777 * Put the first line from the buffer into the summary
778 * if it's an HTTP request or reply (but leave out the
779 * line terminator).
780 * Otherwise, just call it a continuation.
781 *
782 * Note that "tvb_find_line_end()" will return a value that
783 * is not longer than what's in the buffer, so the
784 * "tvb_get_ptr()" call won't throw an exception.
785 */
786 if (is_request_or_reply) {
787 line = tvb_get_ptr(tvb, offset, first_linelen);
788 col_add_fstr(pinfo->cinfo, COL_INFO, "%s ", format_text(line, first_linelen));
789 }
790 else
791 col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic");
792
793 orig_offset = offset;
794 if (tree) {
795 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
796 ENC_NA);
797 http_tree = proto_item_add_subtree(ti, ett_http);
798 }
799
800 /*
801 * Process the packet data, a line at a time.
802 */
803 http_type = HTTP_OTHERS; /* type not known yet */
804 headers.content_type = NULL; /* content type not known yet */
805 headers.content_type_parameters = NULL; /* content type parameters too */
806 headers.have_content_length = FALSE; /* content length not known yet */
807 headers.content_length = 0; /* content length set to 0 (avoid a gcc warning) */
808 headers.content_encoding = NULL; /* content encoding not known yet */
809 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
810 headers.upgrade = 0; /* assume we're not upgrading */
811 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
812 while (tvb_reported_length_remaining(tvb, offset) > 0) {
813 /*
814 * Find the end of the line.
815 * XXX - what if we don't find it because the packet
816 * is cut short by a snapshot length or the header is
817 * split across TCP segments? How much dissection should
818 * we do on it?
819 */
820 linelen = tvb_find_line_end(tvb, offset,
821 tvb_ensure_length_remaining(tvb, offset), &next_offset,
822 FALSE);
823 if (linelen < 0)
824 return -1;
825
826 /*
827 * Get a buffer that refers to the line.
828 */
829 line = tvb_get_ptr(tvb, offset, linelen);
830 lineend = line + linelen;
831 colon_offset = -1;
832
833 /*
834 * OK, does it look like an HTTP request or response?
835 */
836 reqresp_dissector = NULL;
837 is_request_or_reply =
838 is_http_request_or_reply((const gchar *)line,
839 linelen, &http_type, &reqresp_dissector, conv_data);
840 if (is_request_or_reply)
841 goto is_http;
842
843 /*
844 * No. Does it look like a blank line (as would appear
845 * at the end of an HTTP request)?
846 */
847 if (linelen == 0)
848 goto is_http; /* Yes. */
849
850 /*
851 * No. Does it look like a header?
852 */
853 linep = line;
854 colon_offset = offset;
855 while (linep < lineend) {
856 c = *linep++;
857
858 /*
859 * This must be a CHAR to be part of a token; that
860 * means it must be ASCII.
861 */
862 if (!isascii(c))
863 break; /* not ASCII, thus not a CHAR */
864
865 /*
866 * This mustn't be a CTL to be part of a token.
867 *
868 * XXX - what about leading LWS on continuation
869 * lines of a header?
870 */
871 if (iscntrl(c))
872 break; /* CTL, not part of a header */
873
874 /*
875 * This mustn't be a SEP to be part of a token;
876 * a ':' ends the token, everything else is an
877 * indication that this isn't a header.
878 */
879 switch (c) {
880
881 case '(':
882 case ')':
883 case '<':
884 case '>':
885 case '@':
886 case ',':
887 case ';':
888 case '\\':
889 case '"':
890 case '/':
891 case '[':
892 case ']':
893 case '?':
894 case '=':
895 case '{':
896 case '}':
897 case ' ':
898 /*
899 * It's a separator, so it's not part of a
900 * token, so it's not a field name for the
901 * beginning of a header.
902 *
903 * (We don't have to check for HT; that's
904 * already been ruled out by "iscntrl()".)
905 */
906 goto not_http;
907
908 case ':':
909 /*
910 * This ends the token; we consider this
911 * to be a header.
912 */
913 goto is_http;
914
915 default:
916 colon_offset++;
917 break;
918 }
919 }
920
921 /*
922 * We haven't seen the colon, but everything else looks
923 * OK for a header line.
924 *
925 * If we've already seen an HTTP request or response
926 * line, or a header line, and we're at the end of
927 * the tvbuff, we assume this is an incomplete header
928 * line. (We quit this loop after seeing a blank line,
929 * so if we've seen a request or response line, or a
930 * header line, this is probably more of the request
931 * or response we're presumably seeing. There is some
932 * risk of false positives, but the same applies for
933 * full request or response lines or header lines,
934 * although that's less likely.)
935 *
936 * We throw an exception in that case, by checking for
937 * the existence of the next byte after the last one
938 * in the line. If it exists, "tvb_ensure_bytes_exist()"
939 * throws no exception, and we fall through to the
940 * "not HTTP" case. If it doesn't exist,
941 * "tvb_ensure_bytes_exist()" will throw the appropriate
942 * exception.
943 */
944 if (saw_req_resp_or_header)
945 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
946
947 not_http:
948 /*
949 * We don't consider this part of an HTTP request or
950 * reply, so we don't display it.
951 * (Yeah, that means we don't display, say, a text/http
952 * page, but you can get that from the data pane.)
953 */
954 break;
955
956 is_http:
957 /*
958 * Process this line.
959 */
960 if (linelen == 0) {
961 /*
962 * This is a blank line, which means that
963 * whatever follows it isn't part of this
964 * request or reply.
965 */
966 proto_tree_add_text(http_tree, tvb, offset,
967 next_offset - offset, "%s",
968 tvb_format_text(tvb, offset, next_offset - offset));
969 offset = next_offset;
970 break;
971 }
972
973 /*
974 * Not a blank line - either a request, a reply, or a header
975 * line.
976 */
977 saw_req_resp_or_header = TRUE;
978 if (is_request_or_reply) {
979 char *text = tvb_format_text(tvb, offset, next_offset - offset);
980 if (tree) {
981 hdr_item = proto_tree_add_text(http_tree, tvb,
982 offset, next_offset - offset, "%s", text);
983 }
984 expert_add_info_format(pinfo, hdr_item, &ei_http_chat, "%s", text);
985 if (reqresp_dissector) {
986 if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
987 else req_tree = NULL;
988
989 reqresp_dissector(tvb, req_tree, offset, line,
990 lineend, conv_data);
991 }
992
993 } else {
994 /*
995 * Header.
996 */
997 process_header(tvb, offset, next_offset, line, linelen,
998 colon_offset, pinfo, http_tree, &headers, conv_data,
999 http_type);
1000 }
1001 offset = next_offset;
1002 }
1003
1004 if (tree && stat_info->http_host && stat_info->request_uri) {
1005 proto_item *e_ti;
1006 gchar *uri = wmem_strdup_printf(wmem_packet_scope(), "%s://%s%s",
1007 "http", /* XXX, https? */
1008 g_strstrip(wmem_strdup(wmem_packet_scope(), stat_info->http_host)), stat_info->request_uri);
1009
1010 e_ti = proto_tree_add_string(http_tree,
1011 hf_http_request_full_uri, tvb, 0,
1012 0, uri);
1013
1014 PROTO_ITEM_SET_URL(e_ti);
1015 PROTO_ITEM_SET_GENERATED(e_ti);
1016 }
1017
1018 if (!PINFO_FD_VISITED(pinfo)) {
1019 if (http_type == HTTP_REQUEST) {
1020 push_req(conv_data, pinfo);
1021 } else if (http_type == HTTP_RESPONSE) {
1022 push_res(conv_data, pinfo);
1023 }
1024 }
1025
1026 if (tree) {
1027 proto_item *pi;
1028 http_req_res_t *curr = (http_req_res_t *)p_get_proto_data(pinfo->fd, proto_http, 0);
1029 http_req_res_t *prev = curr ? curr->prev : NULL;
1030 http_req_res_t *next = curr ? curr->next : NULL;
1031
1032 switch (http_type) {
1033
1034 case HTTP_NOTIFICATION:
1035 hidden_item = proto_tree_add_boolean(http_tree,
1036 hf_http_notification, tvb, 0, 0, 1);
1037 PROTO_ITEM_SET_HIDDEN(hidden_item);
1038 break;
1039
1040 case HTTP_RESPONSE:
1041 hidden_item = proto_tree_add_boolean(http_tree,
1042 hf_http_response, tvb, 0, 0, 1);
1043 PROTO_ITEM_SET_HIDDEN(hidden_item);
1044
1045 if (curr) {
1046 nstime_t delta;
1047
1048 pi = proto_tree_add_text(http_tree, tvb, 0, 0, "HTTP response %u/%u", curr->number, conv_data->req_res_num);
1049 PROTO_ITEM_SET_GENERATED(pi);
1050
1051 if (! nstime_is_unset(&(curr->req_ts))) {
1052 nstime_delta(&delta, &pinfo->fd->abs_ts, &(curr->req_ts));
1053 pi = proto_tree_add_time(http_tree, hf_http_time, tvb, 0, 0, &delta);
1054 PROTO_ITEM_SET_GENERATED(pi);
1055 }
1056 }
1057 if (prev && prev->req_framenum) {
1058 pi = proto_tree_add_uint(http_tree, hf_http_prev_request_in, tvb, 0, 0, prev->req_framenum);
1059 PROTO_ITEM_SET_GENERATED(pi);
1060 }
1061 if (prev && prev->res_framenum) {
1062 pi = proto_tree_add_uint(http_tree, hf_http_prev_response_in, tvb, 0, 0, prev->res_framenum);
1063 PROTO_ITEM_SET_GENERATED(pi);
1064 }
1065 if (curr && curr->req_framenum) {
1066 pi = proto_tree_add_uint(http_tree, hf_http_request_in, tvb, 0, 0, curr->req_framenum);
1067 PROTO_ITEM_SET_GENERATED(pi);
1068 }
1069 if (next && next->req_framenum) {
1070 pi = proto_tree_add_uint(http_tree, hf_http_next_request_in, tvb, 0, 0, next->req_framenum);
1071 PROTO_ITEM_SET_GENERATED(pi);
1072 }
1073 if (next && next->res_framenum) {
1074 pi = proto_tree_add_uint(http_tree, hf_http_next_response_in, tvb, 0, 0, next->res_framenum);
1075 PROTO_ITEM_SET_GENERATED(pi);
1076 }
1077
1078 break;
1079
1080 case HTTP_REQUEST:
1081 hidden_item = proto_tree_add_boolean(http_tree,
1082 hf_http_request, tvb, 0, 0, 1);
1083 PROTO_ITEM_SET_HIDDEN(hidden_item);
1084
1085 if (curr) {
1086 pi = proto_tree_add_text(http_tree, tvb, 0, 0, "HTTP request %u/%u", curr->number, conv_data->req_res_num);
1087 PROTO_ITEM_SET_GENERATED(pi);
1088 }
1089 if (prev && prev->req_framenum) {
1090 pi = proto_tree_add_uint(http_tree, hf_http_prev_request_in, tvb, 0, 0, prev->req_framenum);
1091 PROTO_ITEM_SET_GENERATED(pi);
1092 }
1093 if (curr && curr->res_framenum) {
1094 pi = proto_tree_add_uint(http_tree, hf_http_response_in, tvb, 0, 0, curr->res_framenum);
1095 PROTO_ITEM_SET_GENERATED(pi);
1096 }
1097 if (next && next->req_framenum) {
1098 pi = proto_tree_add_uint(http_tree, hf_http_next_request_in, tvb, 0, 0, next->req_framenum);
1099 PROTO_ITEM_SET_GENERATED(pi);
1100 }
1101
1102 break;
1103
1104 case HTTP_OTHERS:
1105 default:
1106 break;
1107 }
1108 }
1109
1110 reported_datalen = tvb_reported_length_remaining(tvb, offset);
1111 datalen = tvb_length_remaining(tvb, offset);
1112
1113 /*
1114 * If a content length was supplied, the amount of data to be
1115 * processed as HTTP payload is the minimum of the content
1116 * length and the amount of data remaining in the frame.
1117 *
1118 * If a message is received with both a Transfer-Encoding
1119 * header field and a Content-Length header field, the latter
1120 * MUST be ignored.
1121 *
1122 * If no content length was supplied (or if a bad content length
1123 * was supplied), the amount of data to be processed is the amount
1124 * of data remaining in the frame.
1125 *
1126 * If there was no Content-Length entity header, we should
1127 * accumulate all data until the end of the connection.
1128 * That'd require that the TCP dissector call subdissectors
1129 * for all frames with FIN, even if they contain no data,
1130 * which would require subdissectors to deal intelligently
1131 * with empty segments.
1132 *
1133 * According to RFC 2616, however, 1xx responses, 204 responses,
1134 * and 304 responses MUST NOT include a message body; if no
1135 * content length is specified for them, we don't attempt to
1136 * dissect the body.
1137 *
1138 * XXX - it says the same about responses to HEAD requests;
1139 * unless there's a way to determine from the response
1140 * whether it's a response to a HEAD request, we have to
1141 * keep information about the request and associate that with
1142 * the response in order to handle that.
1143 */
1144 if (headers.have_content_length &&
1145 headers.content_length != -1 &&
1146 headers.transfer_encoding == NULL) {
1147 if (datalen > headers.content_length)
1148 datalen = (int)headers.content_length;
1149
1150 /*
1151 * XXX - limit the reported length in the tvbuff we'll
1152 * hand to a subdissector to be no greater than the
1153 * content length.
1154 *
1155 * We really need both unreassembled and "how long it'd
1156 * be if it were reassembled" lengths for tvbuffs, so
1157 * that we throw the appropriate exceptions for
1158 * "not enough data captured" (running past the length),
1159 * "packet needed reassembly" (within the length but
1160 * running past the unreassembled length), and
1161 * "packet is malformed" (running past the reassembled
1162 * length).
1163 */
1164 if (reported_datalen > headers.content_length)
1165 reported_datalen = (int)headers.content_length;
1166 } else {
1167 switch (http_type) {
1168
1169 case HTTP_REQUEST:
1170 /*
1171 * Requests have no content if there's no
1172 * Content-Length header and no Transfer-Encoding
1173 * header.
1174 */
1175 if (headers.transfer_encoding == NULL)
1176 datalen = 0;
1177 else
1178 reported_datalen = -1;
1179 break;
1180
1181 case HTTP_RESPONSE:
1182 if ((stat_info->response_code/100) == 1 ||
1183 stat_info->response_code == 204 ||
1184 stat_info->response_code == 304)
1185 datalen = 0; /* no content! */
1186 else {
1187 /*
1188 * XXX - responses to HEAD requests,
1189 * and possibly other responses,
1190 * "MUST NOT" include a
1191 * message-body.
1192 */
1193 reported_datalen = -1;
1194 }
1195 break;
1196
1197 default:
1198 /*
1199 * XXX - what about HTTP_NOTIFICATION?
1200 */
1201 reported_datalen = -1;
1202 break;
1203 }
1204 }
1205
1206 if (datalen > 0) {
1207 /*
1208 * There's stuff left over; process it.
1209 */
1210 tvbuff_t *next_tvb;
1211 void *save_private_data = NULL;
1212 gboolean private_data_changed = FALSE;
1213 gint chunks_decoded = 0;
1214
1215 /*
1216 * Create a tvbuff for the payload.
1217 *
1218 * The amount of data to be processed that's
1219 * available in the tvbuff is "datalen", which
1220 * is the minimum of the amount of data left in
1221 * the tvbuff and any specified content length.
1222 *
1223 * The amount of data to be processed that's in
1224 * this frame, regardless of whether it was
1225 * captured or not, is "reported_datalen",
1226 * which, if no content length was specified,
1227 * is -1, i.e. "to the end of the frame.
1228 */
1229 next_tvb = tvb_new_subset(tvb, offset, datalen,
1230 reported_datalen);
1231
1232 /*
1233 * Handle *transfer* encodings other than "identity".
1234 */
1235 if (headers.transfer_encoding != NULL &&
1236 g_ascii_strcasecmp(headers.transfer_encoding, "identity") != 0) {
1237 if (http_dechunk_body &&
1238 (g_ascii_strncasecmp(headers.transfer_encoding, "chunked", 7)
1239 == 0)) {
1240
1241 chunks_decoded = chunked_encoding_dissector(
1242 &next_tvb, pinfo, http_tree, 0);
1243
1244 if (chunks_decoded <= 0) {
1245 /*
1246 * The chunks weren't reassembled,
1247 * or there was a single zero
1248 * length chunk.
1249 */
1250 goto body_dissected;
1251 } else {
1252 /*
1253 * Add a new data source for the
1254 * de-chunked data.
1255 */
1256 #if 0 /* Handled in chunked_encoding_dissector() */
1257 tvb_set_child_real_data_tvbuff(tvb,
1258 next_tvb);
1259 #endif
1260 add_new_data_source(pinfo, next_tvb,
1261 "De-chunked entity body");
1262 }
1263 } else {
1264 /*
1265 * We currently can't handle, for example,
1266 * "gzip", "compress", or "deflate" as
1267 * *transfer* encodings; just handle them
1268 * as data for now.
1269 */
1270 call_dissector(data_handle, next_tvb, pinfo,
1271 http_tree);
1272 goto body_dissected;
1273 }
1274 }
1275 /*
1276 * At this point, any chunked *transfer* coding has been removed
1277 * (the entity body has been dechunked) so it can be presented
1278 * for the following operation (*content* encoding), or it has
1279 * been been handed off to the data dissector.
1280 *
1281 * Handle *content* encodings other than "identity" (which
1282 * shouldn't appear in a Content-Encoding header, but
1283 * we handle it in any case).
1284 */
1285 if (headers.content_encoding != NULL &&
1286 g_ascii_strcasecmp(headers.content_encoding, "identity") != 0) {
1287 /*
1288 * We currently can't handle, for example, "compress";
1289 * just handle them as data for now.
1290 *
1291 * After July 7, 2004 the LZW patent expires, so support
1292 * might be added then. However, I don't think that
1293 * anybody ever really implemented "compress", due to
1294 * the aforementioned patent.
1295 */
1296 tvbuff_t *uncomp_tvb = NULL;
1297 proto_item *e_ti = NULL;
1298 proto_tree *e_tree = NULL;
1299
1300 if (http_decompress_body &&
1301 (g_ascii_strcasecmp(headers.content_encoding, "gzip") == 0 ||
1302 g_ascii_strcasecmp(headers.content_encoding, "deflate") == 0 ||
1303 g_ascii_strcasecmp(headers.content_encoding, "x-gzip") == 0 ||
1304 g_ascii_strcasecmp(headers.content_encoding, "x-deflate") == 0))
1305 {
1306 uncomp_tvb = tvb_child_uncompress(tvb, next_tvb, 0,
1307 tvb_length(next_tvb));
1308 }
1309
1310 /*
1311 * Add the encoded entity to the protocol tree
1312 */
1313 e_ti = proto_tree_add_text(http_tree, next_tvb,
1314 0, tvb_length(next_tvb),
1315 "Content-encoded entity body (%s): %u bytes",
1316 headers.content_encoding,
1317 tvb_length(next_tvb));
1318 e_tree = proto_item_add_subtree(e_ti,
1319 ett_http_encoded_entity);
1320
1321 if (uncomp_tvb != NULL) {
1322 /*
1323 * Decompression worked
1324 */
1325
1326 /* XXX - Don't free this, since it's possible
1327 * that the data was only partially
1328 * decompressed, such as when desegmentation
1329 * isn't enabled.
1330 *
1331 tvb_free(next_tvb);
1332 */
1333 proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb));
1334 next_tvb = uncomp_tvb;
1335 add_new_data_source(pinfo, next_tvb,
1336 "Uncompressed entity body");
1337 } else {
1338 proto_item_append_text(e_ti, " [Error: Decompression failed]");
1339 call_dissector(data_handle, next_tvb, pinfo,
1340 e_tree);
1341
1342 goto body_dissected;
1343 }
1344 }
1345 /*
1346 * Note that a new data source is added for the entity body
1347 * only if it was content-encoded and/or transfer-encoded.
1348 */
1349
1350 /* Save values for the Export Object GUI feature if we have
1351 * an active listener to process it (which happens when
1352 * the export object window is open). */
1353 if(have_tap_listener(http_eo_tap)) {
1354 eo_info = wmem_new(wmem_packet_scope(), http_eo_t);
1355
1356 eo_info->hostname = conv_data->http_host;
1357 eo_info->filename = conv_data->request_uri;
1358 eo_info->content_type = headers.content_type;
1359 eo_info->payload_len = tvb_length(next_tvb);
1360 eo_info->payload_data = tvb_get_ptr(next_tvb, 0, eo_info->payload_len);
1361
1362 tap_queue_packet(http_eo_tap, pinfo, eo_info);
1363 }
1364
1365 /*
1366 * Do subdissector checks.
1367 *
1368 * First, if we have a Content-Type value, check whether
1369 * there's a subdissector for that media type.
1370 */
1371 handle = NULL;
1372 if (headers.content_type != NULL) {
1373 /*
1374 * We didn't find any subdissector that
1375 * registered for the port, and we have a
1376 * Content-Type value. Is there any subdissector
1377 * for that content type?
1378 */
1379 save_private_data = pinfo->private_data;
1380 private_data_changed = TRUE;
1381
1382 if (headers.content_type_parameters)
1383 pinfo->private_data = wmem_strdup(wmem_packet_scope(), headers.content_type_parameters);
1384 else
1385 pinfo->private_data = NULL;
1386 /*
1387 * Calling the string handle for the media type
1388 * dissector table will set pinfo->match_string
1389 * to headers.content_type for us.
1390 */
1391 pinfo->match_string = headers.content_type;
1392 handle = dissector_get_string_handle(
1393 media_type_subdissector_table,
1394 headers.content_type);
1395 if (handle == NULL &&
1396 strncmp(headers.content_type, "multipart/", sizeof("multipart/")-1) == 0) {
1397 /* Try to decode the unknown multipart subtype anyway */
1398 handle = dissector_get_string_handle(
1399 media_type_subdissector_table,
1400 "multipart/");
1401 }
1402 }
1403
1404 /*
1405 * Now, if we didn't find such a subdissector, check
1406 * whether some subdissector asked that they be called
1407 * if HTTP traffic was on some particular port. This
1408 * handles protocols that use HTTP syntax but don't have
1409 * a media type and instead use a specified port.
1410 */
1411 if (handle == NULL) {
1412 handle = dissector_get_uint_handle(port_subdissector_table,
1413 pinfo->match_uint);
1414 }
1415
1416 if (handle != NULL) {
1417 /*
1418 * We have a subdissector - call it.
1419 */
1420 dissected = call_dissector_only(handle, next_tvb, pinfo, tree, NULL);
1421 if (!dissected)
1422 expert_add_info(pinfo, http_tree, &ei_http_subdissector_failed);
1423 }
1424
1425 if (!dissected) {
1426 /*
1427 * We don't have a subdissector or we have one and it did not
1428 * dissect the payload - try the heuristic subdissectors.
1429 */
1430 dissected = dissector_try_heuristic(heur_subdissector_list,
1431 next_tvb, pinfo, tree, NULL);
1432 }
1433
1434 if (dissected) {
1435 /*
1436 * The subdissector dissected the body.
1437 * Fix up the top-level item so that it doesn't
1438 * include the stuff for that protocol.
1439 */
1440 if (ti != NULL)
1441 proto_item_set_len(ti, offset);
1442 } else {
1443 if (headers.content_type != NULL) {
1444 /*
1445 * Calling the default media handle if there is a content-type that
1446 * wasn't handled above.
1447 */
1448 call_dissector(media_handle, next_tvb, pinfo, tree);
1449 } else {
1450 /* Call the default data dissector */
1451 call_dissector(data_handle, next_tvb, pinfo, http_tree);
1452 }
1453 }
1454
1455 body_dissected:
1456 /*
1457 * Do *not* attempt at freeing the private data;
1458 * it may be in use by subdissectors.
1459 */
1460 if (private_data_changed) /*restore even NULL value*/
1461 pinfo->private_data = save_private_data;
1462 /*
1463 * We've processed "datalen" bytes worth of data
1464 * (which may be no data at all); advance the
1465 * offset past whatever data we've processed.
1466 */
1467 offset += datalen;
1468 }
1469
1470 if (http_type == HTTP_RESPONSE && pinfo->desegment_offset<=0 && pinfo->desegment_len<=0) {
1471 conv_data->upgrade = headers.upgrade;
1472 conv_data->startframe = pinfo->fd->num + 1;
1473 }
1474
1475 tap_queue_packet(http_tap, pinfo, stat_info);
1476
1477 return offset - orig_offset;
1478 }
1479
1480 /* This can be used to dissect an HTTP request until such time
1481 * that a more complete dissector is written for that HTTP request.
1482 * This simple dissector only puts the request method, URI, and
1483 * protocol version into a sub-tree.
1484 */
1485 static void
1486 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1487 const guchar *line, const guchar *lineend,
1488 http_conv_t *conv_data)
1489 {
1490 const guchar *next_token;
1491 const gchar *request_uri;
1492 int tokenlen;
1493
1494 /* The first token is the method. */
1495 tokenlen = get_token_len(line, lineend, &next_token);
1496 if (tokenlen == 0)
1497 return;
1498 proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen,
1499 ENC_ASCII|ENC_NA);
1500 if ((next_token - line) > 2 && next_token[-1] == ' ' && next_token[-2] == ' ') {
1501 /* Two spaces in a now indicates empty URI, so roll back one here */
1502 next_token--;
1503 }
1504 offset += (int) (next_token - line);
1505 line = next_token;
1506
1507 /* The next token is the URI. */
1508 tokenlen = get_token_len(line, lineend, &next_token);
1509
1510 /* Save the request URI for various later uses */
1511 request_uri = tvb_get_string(wmem_packet_scope(), tvb, offset, tokenlen);
1512 stat_info->request_uri = wmem_strdup(wmem_packet_scope(), request_uri);
1513 conv_data->request_uri = wmem_strdup(wmem_file_scope(), request_uri);
1514
1515 proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen,
1516 request_uri);
1517 offset += (int) (next_token - line);
1518 line = next_token;
1519
1520 /* Everything to the end of the line is the version. */
1521 tokenlen = (int) (lineend - line);
1522 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1523 ENC_ASCII|ENC_NA);
1524 }
1525
1526 static void
1527 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1528 const guchar *line, const guchar *lineend,
1529 http_conv_t *conv_data _U_)
1530 {
1531 const guchar *next_token;
1532 int tokenlen;
1533 gchar response_code_chars[4];
1534
1535 /*
1536 * The first token is the HTTP Version.
1537 */
1538 tokenlen = get_token_len(line, lineend, &next_token);
1539 if (tokenlen == 0)
1540 return;
1541 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1542 ENC_ASCII|ENC_NA);
1543 /* Advance to the start of the next token. */
1544 offset += (int) (next_token - line);
1545 line = next_token;
1546
1547 /*
1548 * The second token is the Status Code.
1549 */
1550 tokenlen = get_token_len(line, lineend, &next_token);
1551 if (tokenlen < 3)
1552 return;
1553
1554 /* The Status Code characters must be copied into a null-terminated
1555 * buffer for strtoul() to parse them into an unsigned integer value.
1556 */
1557 memcpy(response_code_chars, line, 3);
1558 response_code_chars[3] = '\0';
1559
1560 stat_info->response_code = conv_data->response_code =
1561 (guint)strtoul(response_code_chars, NULL, 10);
1562
1563 proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3,
1564 stat_info->response_code);
1565
1566 /* Advance to the start of the next token. */
1567 offset += (int) (next_token - line);
1568 line = next_token;
1569
1570 /*
1571 * The remaining tokens in the line comprise the Reason Phrase.
1572 */
1573 tokenlen = (int) (lineend - line);
1574 if (tokenlen < 1)
1575 return;
1576 proto_tree_add_item(tree, hf_http_response_phrase, tvb, offset,
1577 tokenlen, ENC_ASCII|ENC_NA);
1578
1579 }
1580
1581 #if 0 /* XXX: Replaced by code creating the "Dechunked" tvb O(N) rather tan O(N^2) */
1582 /*
1583 * Dissect the http data chunks and add them to the tree.
1584 */
1585 static int
1586 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1587 proto_tree *tree, int offset)
1588 {
1589 guint8 *chunk_string = NULL;
1590 guint32 chunk_size = 0;
1591 gint chunk_offset = 0;
1592 guint32 datalen = 0;
1593 gint linelen = 0;
1594 gint chunks_decoded = 0;
1595 tvbuff_t *tvb = NULL;
1596 tvbuff_t *new_tvb = NULL;
1597 gint chunked_data_size = 0;
1598 proto_tree *subtree = NULL;
1599 proto_item *ti = NULL;
1600
1601 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
1602 return 0;
1603 }
1604
1605 tvb = *tvb_ptr;
1606
1607 datalen = tvb_reported_length_remaining(tvb, offset);
1608
1609 if (tree) {
1610 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1611 "HTTP chunked response");
1612 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1613 }
1614
1615
1616 while (datalen > 0) {
1617 proto_item *chunk_ti = NULL;
1618 proto_tree *chunk_subtree = NULL;
1619 tvbuff_t *data_tvb = NULL; /* */
1620 gchar *c = NULL;
1621 guint8 *raw_data;
1622 gint raw_len = 0;
1623
1624 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1625
1626 if (linelen <= 0) {
1627 /* Can't get the chunk size line */
1628 break;
1629 }
1630
1631 chunk_string = tvb_get_string(wmem_packet_scope(), tvb, offset, linelen);
1632
1633 if (chunk_string == NULL) {
1634 /* Can't get the chunk size line */
1635 break;
1636 }
1637
1638 c = (gchar*) chunk_string;
1639
1640 /*
1641 * We don't care about the extensions.
1642 */
1643 if ((c = strchr(c, ';'))) {
1644 *c = '\0';
1645 }
1646
1647 chunk_size = strtol((gchar*)chunk_string, NULL, 16);
1648
1649 if (chunk_size > datalen) {
1650 /*
1651 * The chunk size is more than what's in the tvbuff,
1652 * so either the user hasn't enabled decoding, or all
1653 * of the segments weren't captured.
1654 */
1655 chunk_size = datalen;
1656 }
1657 #if 0
1658 else if (new_tvb == NULL) {
1659 new_tvb = tvb_new_composite();
1660 }
1661
1662
1663
1664 if (new_tvb != NULL && chunk_size != 0) {
1665 tvbuff_t *chunk_tvb = NULL;
1666
1667 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
1668 chunk_size, datalen);
1669
1670 tvb_composite_append(new_tvb, chunk_tvb);
1671
1672 }
1673 #endif
1674
1675 chunked_data_size += chunk_size;
1676
1677 raw_data = g_malloc(chunked_data_size);
1678 raw_len = 0;
1679
1680 if (new_tvb != NULL) {
1681 raw_len = tvb_length_remaining(new_tvb, 0);
1682 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
1683
1684 tvb_free(new_tvb);
1685 }
1686
1687 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
1688 chunk_offset, chunk_size);
1689
1690 /* Don't create a new tvb if we have a single chunk with
1691 * a size of zero (meaning it is the end of the chunks). */
1692 if(chunked_data_size > 0) {
1693 new_tvb = tvb_new_real_data(raw_data,
1694 chunked_data_size, chunked_data_size);
1695 tvb_set_free_cb(new_tvb, g_free);
1696 }
1697
1698
1699 if (subtree) {
1700 if(chunk_size == 0) {
1701 chunk_ti = proto_tree_add_text(subtree, tvb,
1702 offset,
1703 chunk_offset - offset + chunk_size + 2,
1704 "End of chunked encoding");
1705 } else {
1706 chunk_ti = proto_tree_add_text(subtree, tvb,
1707 offset,
1708 chunk_offset - offset + chunk_size + 2,
1709 "Data chunk (%u octets)", chunk_size);
1710 }
1711
1712 chunk_subtree = proto_item_add_subtree(chunk_ti,
1713 ett_http_chunk_data);
1714
1715 proto_tree_add_text(chunk_subtree, tvb, offset,
1716 chunk_offset - offset, "Chunk size: %u octets",
1717 chunk_size);
1718
1719 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, chunk_size);
1720
1721
1722 /*
1723 * XXX - just use "proto_tree_add_text()"?
1724 * This means that, in TShark, you get
1725 * the entire chunk dumped out in hex,
1726 * in addition to whatever dissection is
1727 * done on the reassembled data.
1728 */
1729 call_dissector(data_handle, data_tvb, pinfo,
1730 chunk_subtree);
1731
1732 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1733 chunk_size, 2, "Chunk boundary");
1734 }
1735
1736 chunks_decoded++;
1737 offset = chunk_offset + chunk_size + 2;
1738 datalen = tvb_reported_length_remaining(tvb, offset);
1739 }
1740
1741 if (new_tvb != NULL) {
1742
1743 /* Placeholder for the day that composite tvbuffer's will work.
1744 tvb_composite_finalize(new_tvb);
1745 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1746 */
1747
1748 /*
1749 * XXX - Don't free this, since the tvbuffer that was passed
1750 * may be used if the data spans multiple frames and reassembly
1751 * isn't enabled.
1752 *
1753 tvb_free(*tvb_ptr);
1754 */
1755 *tvb_ptr = new_tvb;
1756
1757 } else {
1758 /*
1759 * We didn't create a new tvb, so don't allow sub dissectors
1760 * try to decode the non-existent entity body.
1761 */
1762 chunks_decoded = -1;
1763 }
1764
1765 return chunks_decoded;
1766
1767 }
1768 #else
1769 /*
1770 * Dissect the http data chunks and add them to the tree.
1771 */
1772 static int
1773 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1774 proto_tree *tree, int offset)
1775 {
1776 tvbuff_t *tvb;
1777 guint32 datalen;
1778 guint32 orig_datalen;
1779 gint chunks_decoded;
1780 gint chunked_data_size;
1781 proto_tree *subtree;
1782 guint8 *raw_data;
1783 gint raw_len;
1784
1785 if ((tvb_ptr == NULL) || (*tvb_ptr == NULL)) {
1786 return 0;
1787 }
1788
1789 tvb = *tvb_ptr;
1790
1791 datalen = tvb_reported_length_remaining(tvb, offset);
1792
1793 subtree = NULL;
1794 if (tree) {
1795 proto_item *ti;
1796 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1797 "HTTP chunked response");
1798 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1799 }
1800
1801 /* Dechunk the "chunked response" to a new memory buffer */
1802 orig_datalen = datalen;
1803 raw_data = (guint8 *)wmem_alloc(pinfo->pool, datalen);
1804 raw_len = 0;
1805 chunks_decoded = 0;
1806 chunked_data_size = 0;
1807
1808 while (datalen > 0) {
1809 tvbuff_t *data_tvb;
1810 guint32 chunk_size;
1811 gint chunk_offset;
1812 guint8 *chunk_string;
1813 gint linelen;
1814 gchar *c;
1815
1816 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1817
1818 if (linelen <= 0) {
1819 /* Can't get the chunk size line */
1820 break;
1821 }
1822
1823 chunk_string = tvb_get_string(wmem_packet_scope(), tvb, offset, linelen);
1824
1825 if (chunk_string == NULL) {
1826 /* Can't get the chunk size line */
1827 break;
1828 }
1829
1830 c = (gchar*)chunk_string;
1831
1832 /*
1833 * We don't care about the extensions.
1834 */
1835 if ((c = strchr(c, ';'))) {
1836 *c = '\0';
1837 }
1838
1839 chunk_size = (guint32)strtol((gchar*)chunk_string, NULL, 16);
1840
1841 if (chunk_size > datalen) {
1842 /*
1843 * The chunk size is more than what's in the tvbuff,
1844 * so either the user hasn't enabled decoding, or all
1845 * of the segments weren't captured.
1846 */
1847 chunk_size = datalen;
1848 }
1849
1850 chunked_data_size += chunk_size;
1851
1852 DISSECTOR_ASSERT((raw_len+chunk_size) <= orig_datalen);
1853 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len), chunk_offset, chunk_size);
1854 raw_len += chunk_size;
1855
1856 if (subtree) {
1857 proto_item *chunk_ti;
1858 proto_tree *chunk_subtree;
1859
1860 if(chunk_size == 0) {
1861 chunk_ti = proto_tree_add_text(subtree, tvb,
1862 offset,
1863 chunk_offset - offset + chunk_size + 2,
1864 "End of chunked encoding");
1865 } else {
1866 chunk_ti = proto_tree_add_text(subtree, tvb,
1867 offset,
1868 chunk_offset - offset + chunk_size + 2,
1869 "Data chunk (%u octets)", chunk_size);
1870 }
1871
1872 chunk_subtree = proto_item_add_subtree(chunk_ti,
1873 ett_http_chunk_data);
1874
1875 proto_tree_add_text(chunk_subtree, tvb, offset,
1876 chunk_offset - offset, "Chunk size: %u octets",
1877 chunk_size);
1878
1879 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, datalen);
1880
1881 /*
1882 * XXX - just use "proto_tree_add_text()"?
1883 * This means that, in TShark, you get
1884 * the entire chunk dumped out in hex,
1885 * in addition to whatever dissection is
1886 * done on the reassembled data.
1887 */
1888 call_dissector(data_handle, data_tvb, pinfo,
1889 chunk_subtree);
1890
1891 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1892 chunk_size, 2, "Chunk boundary");
1893 }
1894
1895 chunks_decoded++;
1896 offset = chunk_offset + 2 + chunk_size; /* beginning of next chunk */
1897 datalen = tvb_reported_length_remaining(tvb, offset);
1898 }
1899
1900 if (chunked_data_size > 0) {
1901 tvbuff_t *new_tvb;
1902 new_tvb = tvb_new_child_real_data(tvb, raw_data, chunked_data_size, chunked_data_size);
1903 *tvb_ptr = new_tvb;
1904 } else {
1905 /*
1906 * There was no actual chunk data, so don't allow sub dissectors
1907 * try to decode the non-existent entity body.
1908 */
1909 chunks_decoded = -1;
1910 }
1911
1912 return chunks_decoded;
1913 }
1914 #endif
1915
1916 /* Call a subdissector to handle HTTP CONNECT's traffic */
1917 static void
1918 http_payload_subdissector(tvbuff_t *tvb, proto_tree *tree,
1919 packet_info *pinfo, http_conv_t *conv_data, void* data)
1920 {
1921 guint32 *ptr = NULL;
1922 guint32 uri_port, saved_port, srcport, destport;
1923 gchar **strings; /* An array for splitting the request URI into hostname and port */
1924 proto_item *item;
1925 proto_tree *proxy_tree;
1926 conversation_t *conv;
1927
1928 /* Grab the destination port number from the request URI to find the right subdissector */
1929 strings = g_strsplit(conv_data->request_uri, ":", 2);
1930
1931 if(strings[0] != NULL && strings[1] != NULL) {
1932 /*
1933 * The string was successfully split in two
1934 * Create a proxy-connect subtree
1935 */
1936 if(tree) {
1937 item = proto_tree_add_item(tree, proto_http, tvb, 0, -1, ENC_NA);
1938 proxy_tree = proto_item_add_subtree(item, ett_http);
1939
1940 item = proto_tree_add_string(proxy_tree, hf_http_proxy_connect_host,
1941 tvb, 0, 0, strings[0]);
1942 PROTO_ITEM_SET_GENERATED(item);
1943
1944 item = proto_tree_add_uint(proxy_tree, hf_http_proxy_connect_port,
1945 tvb, 0, 0, (guint32)strtol(strings[1], NULL, 10) );
1946 PROTO_ITEM_SET_GENERATED(item);
1947 }
1948
1949 uri_port = (int)strtol(strings[1], NULL, 10); /* Convert string to a base-10 integer */
1950
1951 if (value_is_in_range(http_tcp_range, pinfo->destport)) {
1952 srcport = pinfo->srcport;
1953 destport = uri_port;
1954 } else {
1955 srcport = uri_port;
1956 destport = pinfo->destport;
1957 }
1958
1959 conv = find_conversation(PINFO_FD_NUM(pinfo), &pinfo->src, &pinfo->dst, PT_TCP, srcport, destport, 0);
1960
1961 /* We may get stuck in a recursion loop if we let process_tcp_payload() call us.
1962 * So, if the port in the URI is one we're registered for or we have set up a
1963 * conversation (e.g., one we detected heuristically or via Decode-As) call the data
1964 * dissector directly.
1965 */
1966 if (value_is_in_range(http_tcp_range, uri_port) || (conv && conv->dissector_handle == http_handle)) {
1967 call_dissector(data_handle, tvb, pinfo, tree);
1968 } else {
1969 /* set pinfo->{src/dst port} and call the TCP sub-dissector lookup */
1970 if (value_is_in_range(http_tcp_range, pinfo->destport))
1971 ptr = &pinfo->destport;
1972 else
1973 ptr = &pinfo->srcport;
1974
1975 /* Increase pinfo->can_desegment because we are traversing
1976 * http and want to preserve desegmentation functionality for
1977 * the proxied protocol
1978 */
1979 if( pinfo->can_desegment>0 )
1980 pinfo->can_desegment++;
1981
1982 saved_port = *ptr;
1983 *ptr = uri_port;
1984 decode_tcp_ports(tvb, 0, pinfo, tree,
1985 pinfo->srcport, pinfo->destport, NULL,
1986 (struct tcpinfo *)data);
1987 *ptr = saved_port;
1988 }
1989 }
1990 g_strfreev(strings); /* Free the result of g_strsplit() above */
1991 }
1992
1993
1994
1995 /*
1996 * XXX - this won't handle HTTP 0.9 replies, but they're all data
1997 * anyway.
1998 */
1999 static int
2000 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
2001 ReqRespDissector *reqresp_dissector,
2002 http_conv_t *conv_data)
2003 {
2004 int isHttpRequestOrReply = FALSE;
2005
2006 /*
2007 * From RFC 2774 - An HTTP Extension Framework
2008 *
2009 * Support the command prefix that identifies the presence of
2010 * a "mandatory" header.
2011 */
2012 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
2013 data += 2;
2014 linelen -= 2;
2015 }
2016
2017 /*
2018 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
2019 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
2020 *
2021 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
2022 * SEARCH
2023 */
2024 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
2025 *type = HTTP_RESPONSE;
2026 isHttpRequestOrReply = TRUE; /* response */
2027 if (reqresp_dissector)
2028 *reqresp_dissector = basic_response_dissector;
2029 } else {
2030 const guchar * ptr = (const guchar *)data;
2031 int indx = 0;
2032
2033 /* Look for the space following the Method */
2034 while (indx < linelen) {
2035 if (*ptr == ' ')
2036 break;
2037 else {
2038 ptr++;
2039 indx++;
2040 }
2041 }
2042
2043 /* Check the methods that have same length */
2044 switch (indx) {
2045
2046 case 3:
2047 if (strncmp(data, "GET", indx) == 0 ||
2048 strncmp(data, "PUT", indx) == 0) {
2049 *type = HTTP_REQUEST;
2050 isHttpRequestOrReply = TRUE;
2051 }
2052 else if (strncmp(data, "ICY", indx) == 0) {
2053 *type = HTTP_RESPONSE;
2054 isHttpRequestOrReply = TRUE;
2055 }
2056 break;
2057
2058 case 4:
2059 if (strncmp(data, "COPY", indx) == 0 ||
2060 strncmp(data, "HEAD", indx) == 0 ||
2061 strncmp(data, "LOCK", indx) == 0 ||
2062 strncmp(data, "MOVE", indx) == 0 ||
2063 strncmp(data, "POLL", indx) == 0 ||
2064 strncmp(data, "POST", indx) == 0) {
2065 *type = HTTP_REQUEST;
2066 isHttpRequestOrReply = TRUE;
2067 }
2068 break;
2069
2070 case 5:
2071 if (strncmp(data, "BCOPY", indx) == 0 ||
2072 strncmp(data, "BMOVE", indx) == 0 ||
2073 strncmp(data, "MKCOL", indx) == 0 ||
2074 strncmp(data, "TRACE", indx) == 0 ||
2075 strncmp(data, "LABEL", indx) == 0 || /* RFC 3253 8.2 */
2076 strncmp(data, "MERGE", indx) == 0) { /* RFC 3253 11.2 */
2077 *type = HTTP_REQUEST;
2078 isHttpRequestOrReply = TRUE;
2079 }
2080 break;
2081
2082 case 6:
2083 if (strncmp(data, "DELETE", indx) == 0 ||
2084 strncmp(data, "SEARCH", indx) == 0 ||
2085 strncmp(data, "UNLOCK", indx) == 0 ||
2086 strncmp(data, "REPORT", indx) == 0 || /* RFC 3253 3.6 */
2087 strncmp(data, "UPDATE", indx) == 0) { /* RFC 3253 7.1 */
2088 *type = HTTP_REQUEST;
2089 isHttpRequestOrReply = TRUE;
2090 }
2091 else if (strncmp(data, "NOTIFY", indx) == 0) {
2092 *type = HTTP_NOTIFICATION;
2093 isHttpRequestOrReply = TRUE;
2094 }
2095 break;
2096
2097 case 7:
2098 if (strncmp(data, "BDELETE", indx) == 0 ||
2099 strncmp(data, "CONNECT", indx) == 0 ||
2100 strncmp(data, "OPTIONS", indx) == 0 ||
2101 strncmp(data, "CHECKIN", indx) == 0) { /* RFC 3253 4.4, 9.4 */
2102 *type = HTTP_REQUEST;
2103 isHttpRequestOrReply = TRUE;
2104 }
2105 break;
2106
2107 case 8:
2108 if (strncmp(data, "PROPFIND", indx) == 0 ||
2109 strncmp(data, "CHECKOUT", indx) == 0 || /* RFC 3253 4.3, 9.3 */
2110 strncmp(data, "CCM_POST", indx) == 0) {
2111 *type = HTTP_REQUEST;
2112 isHttpRequestOrReply = TRUE;
2113 }
2114 break;
2115
2116 case 9:
2117 if (strncmp(data, "SUBSCRIBE", indx) == 0) {
2118 *type = HTTP_NOTIFICATION;
2119 isHttpRequestOrReply = TRUE;
2120 } else if (strncmp(data, "PROPPATCH", indx) == 0 ||
2121 strncmp(data, "BPROPFIND", indx) == 0) {
2122 *type = HTTP_REQUEST;
2123 isHttpRequestOrReply = TRUE;
2124 }
2125 break;
2126
2127 case 10:
2128 if (strncmp(data, "BPROPPATCH", indx) == 0 ||
2129 strncmp(data, "UNCHECKOUT", indx) == 0 || /* RFC 3253 4.5 */
2130 strncmp(data, "MKACTIVITY", indx) == 0) { /* RFC 3253 13.5 */
2131 *type = HTTP_REQUEST;
2132 isHttpRequestOrReply = TRUE;
2133 }
2134 break;
2135
2136 case 11:
2137 if (strncmp(data, "MKWORKSPACE", indx) == 0 || /* RFC 3253 6.3 */
2138 strncmp(data, "RPC_CONNECT", indx) == 0 || /* [MS-RPCH] 2.1.1.1.1 */
2139 strncmp(data, "RPC_IN_DATA", indx) == 0) { /* [MS-RPCH] 2.1.2.1.1 */
2140 *type = HTTP_REQUEST;
2141 isHttpRequestOrReply = TRUE;
2142 } else if (strncmp(data, "UNSUBSCRIBE", indx) == 0) {
2143 *type = HTTP_NOTIFICATION;
2144 isHttpRequestOrReply = TRUE;
2145 }
2146 break;
2147
2148 case 12:
2149 if (strncmp(data, "RPC_OUT_DATA", indx) == 0) { /* [MS-RPCH] 2.1.2.1.2 */
2150 *type = HTTP_REQUEST;
2151 isHttpRequestOrReply = TRUE;
2152 }
2153 break;
2154
2155 case 15:
2156 if (strncmp(data, "VERSION-CONTROL", indx) == 0) { /* RFC 3253 3.5 */
2157 *type = HTTP_REQUEST;
2158 isHttpRequestOrReply = TRUE;
2159 }
2160 break;
2161
2162 case 16:
2163 if (strncmp(data, "BASELINE-CONTROL", indx) == 0) { /* RFC 3253 12.6 */
2164 *type = HTTP_REQUEST;
2165 isHttpRequestOrReply = TRUE;
2166 }
2167 break;
2168
2169 default:
2170 break;
2171 }
2172
2173 if (isHttpRequestOrReply && reqresp_dissector) {
2174 *reqresp_dissector = basic_request_dissector;
2175
2176 stat_info->request_method = wmem_strndup(wmem_packet_scope(), data, indx+1);
2177 conv_data->request_method = wmem_strndup(wmem_file_scope(), data, indx+1);
2178 }
2179
2180
2181
2182 }
2183
2184 return isHttpRequestOrReply;
2185 }
2186
2187 /*
2188 * Process headers.
2189 */
2190 typedef struct {
2191 const char *name;
2192 gint *hf;
2193 int special;
2194 } header_info;
2195
2196 #define HDR_NO_SPECIAL 0
2197 #define HDR_AUTHORIZATION 1
2198 #define HDR_AUTHENTICATE 2
2199 #define HDR_CONTENT_TYPE 3
2200 #define HDR_CONTENT_LENGTH 4
2201 #define HDR_CONTENT_ENCODING 5
2202 #define HDR_TRANSFER_ENCODING 6
2203 #define HDR_HOST 7
2204 #define HDR_UPGRADE 8
2205
2206 static const header_info headers[] = {
2207 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
2208 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
2209 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
2210 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
2211 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
2212 { "Content-Length", &hf_http_content_length_header, HDR_CONTENT_LENGTH },
2213 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
2214 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
2215 { "Upgrade", &hf_http_upgrade, HDR_UPGRADE },
2216 { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL },
2217 { "Host", &hf_http_host, HDR_HOST },
2218 { "Connection", &hf_http_connection, HDR_NO_SPECIAL },
2219 { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL },
2220 { "Accept", &hf_http_accept, HDR_NO_SPECIAL },
2221 { "Referer", &hf_http_referer, HDR_NO_SPECIAL },
2222 { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL },
2223 { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL },
2224 { "Date", &hf_http_date, HDR_NO_SPECIAL },
2225 { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL },
2226 { "Server", &hf_http_server, HDR_NO_SPECIAL },
2227 { "Location", &hf_http_location, HDR_NO_SPECIAL },
2228 { "Sec-WebSocket-Accept", &hf_http_sec_websocket_accept, HDR_NO_SPECIAL },
2229 { "Sec-WebSocket-Extensions", &hf_http_sec_websocket_extensions, HDR_NO_SPECIAL },
2230 { "Sec-WebSocket-Key", &hf_http_sec_websocket_key, HDR_NO_SPECIAL },
2231 { "Sec-WebSocket-Protocol", &hf_http_sec_websocket_protocol, HDR_NO_SPECIAL },
2232 { "Sec-WebSocket-Version", &hf_http_sec_websocket_version, HDR_NO_SPECIAL },
2233 { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL },
2234 { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL },
2235 { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL },
2236 };
2237
2238 /*
2239 *
2240 */
2241 static gint*
2242 get_hf_for_header(char* header_name)
2243 {
2244 gint* hf_id = NULL;
2245
2246 if (header_fields_hash) {
2247 hf_id = (gint*) g_hash_table_lookup(header_fields_hash, header_name);
2248 } else {
2249 hf_id = NULL;
2250 }
2251
2252 return hf_id;
2253 }
2254
2255 /*
2256 *
2257 */
2258 static void
2259 header_fields_initialize_cb(void)
2260 {
2261 static hf_register_info* hf;
2262 gint* hf_id;
2263 guint i;
2264 gchar* header_name;
2265
2266 if (header_fields_hash && hf) {
2267 guint hf_size = g_hash_table_size (header_fields_hash);
2268 /* Unregister all fields */
2269 for (i = 0; i < hf_size; i++) {
2270 proto_unregister_field (proto_http, *(hf[i].p_id));
2271
2272 g_free (hf[i].p_id);
2273 g_free ((char *) hf[i].hfinfo.name);
2274 g_free ((char *) hf[i].hfinfo.abbrev);
2275 g_free ((char *) hf[i].hfinfo.blurb);
2276 }
2277 g_hash_table_destroy (header_fields_hash);
2278 g_free (hf);
2279 header_fields_hash = NULL;
2280 }
2281
2282 if (num_header_fields) {
2283 header_fields_hash = g_hash_table_new(g_str_hash, g_str_equal);
2284 hf = g_new0(hf_register_info, num_header_fields);
2285
2286 for (i = 0; i < num_header_fields; i++) {
2287 hf_id = g_new(gint,1);
2288 *hf_id = -1;
2289 header_name = g_strdup(header_fields[i].header_name);
2290
2291 hf[i].p_id = hf_id;
2292 hf[i].hfinfo.name = header_name;
2293 hf[i].hfinfo.abbrev = g_strdup_printf("http.header.%s", header_name);
2294 hf[i].hfinfo.type = FT_STRING;
2295 hf[i].hfinfo.display = BASE_NONE;
2296 hf[i].hfinfo.strings = NULL;
2297 hf[i].hfinfo.blurb = g_strdup(header_fields[i].header_desc);
2298 hf[i].hfinfo.same_name_prev_id = -1;
2299 hf[i].hfinfo.same_name_next = NULL;
2300
2301 g_hash_table_insert(header_fields_hash, header_name, hf_id);
2302 }
2303
2304 proto_register_field_array(proto_http, hf, num_header_fields);
2305 }
2306 }
2307
2308 static void
2309 process_header(tvbuff_t *tvb, int offset, int next_offset,
2310 const guchar *line, int linelen, int colon_offset,
2311 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr,
2312 http_conv_t *conv_data, int http_type)
2313 {
2314 int len;
2315 int line_end_offset;
2316 int header_len;
2317 gint hf_index;
2318 guchar c;
2319 int value_offset;
2320 int value_len;
2321 char *value;
2322 char *header_name;
2323 char *p;
2324 guchar *up;
2325 proto_item *hdr_item, *it;
2326 int i;
2327 int* hf_id;
2328
2329 len = next_offset - offset;
2330 line_end_offset = offset + linelen;
2331 header_len = colon_offset - offset;
2332 header_name = wmem_strndup(wmem_file_scope(), &line[0], header_len);
2333 hf_index = find_header_hf_value(tvb, offset, header_len);
2334
2335 /*
2336 * Skip whitespace after the colon.
2337 */
2338 value_offset = colon_offset + 1;
2339 while (value_offset < line_end_offset
2340 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
2341 value_offset++;
2342
2343 /*
2344 * Fetch the value.
2345 *
2346 * XXX - the line may well have a NUL in it. Wireshark should
2347 * really treat strings extracted from packets as counted
2348 * strings, so that NUL isn't any different from any other
2349 * character. For now, we just allocate a buffer that's
2350 * value_len+1 bytes long, copy value_len bytes, and stick
2351 * in a NUL terminator, so that the buffer for value actually
2352 * has value_len bytes in it.
2353 */
2354 value_len = line_end_offset - value_offset;
2355 value = (char *)wmem_alloc(wmem_packet_scope(), value_len+1);
2356 memcpy(value, &line[value_offset - offset], value_len);
2357 value[value_len] = '\0';
2358
2359 if (hf_index == -1) {
2360 /*
2361 * Not a header we know anything about.
2362 * Check if a HF generated from UAT information exists.
2363 */
2364 hf_id = get_hf_for_header(header_name);
2365
2366 if (tree) {
2367 if (!hf_id) {
2368 if (http_type == HTTP_REQUEST ||
2369 http_type == HTTP_RESPONSE) {
2370 it = proto_tree_add_item(tree,
2371 http_type == HTTP_RESPONSE ?
2372 hf_http_response_line :
2373 hf_http_request_line,
2374 tvb, offset, len,
2375 ENC_NA|ENC_ASCII);
2376 proto_item_set_text(it, "%s",
2377 format_text(line, len));
2378 } else {
2379 proto_tree_add_text(tree, tvb, offset,
2380 len, "%s", format_text(line, len));
2381 }
2382
2383 } else {
2384 proto_tree_add_string_format(tree,
2385 *hf_id, tvb, offset, len,
2386 value, "%s", format_text(line, len));
2387 if (http_type == HTTP_REQUEST ||
2388 http_type == HTTP_RESPONSE) {
2389 it = proto_tree_add_item(tree,
2390 http_type == HTTP_RESPONSE ?
2391 hf_http_response_line :
2392 hf_http_request_line,
2393 tvb, offset, len,
2394 ENC_NA|ENC_ASCII);
2395 proto_item_set_text(it, "%s",
2396 format_text(line, len));
2397 PROTO_ITEM_SET_HIDDEN(it);
2398 }
2399 }
2400 }
2401 } else {
2402 /*
2403 * Add it to the protocol tree as a particular field,
2404 * but display the line as is.
2405 */
2406 if (tree) {
2407 header_field_info *hfinfo;
2408 guint32 tmp;
2409
2410 hfinfo = proto_registrar_get_nth(*headers[hf_index].hf);
2411 switch(hfinfo->type){
2412 case FT_UINT8:
2413 case FT_UINT16:
2414 case FT_UINT24:
2415 case FT_UINT32:
2416 case FT_INT8:
2417 case FT_INT16:
2418 case FT_INT24:
2419 case FT_INT32:
2420 tmp=(guint32)strtol(value, NULL, 10);
2421 hdr_item = proto_tree_add_uint(tree, *headers[hf_index].hf, tvb, offset, len, tmp);
2422 if (http_type == HTTP_REQUEST ||
2423 http_type == HTTP_RESPONSE) {
2424 it = proto_tree_add_item(tree,
2425 http_type == HTTP_RESPONSE ?
2426 hf_http_response_line :
2427 hf_http_request_line,
2428 tvb, offset, len,
2429 ENC_NA|ENC_ASCII);
2430 proto_item_set_text(it, "%d", tmp);
2431 PROTO_ITEM_SET_HIDDEN(it);
2432 }
2433 break;
2434 default:
2435 hdr_item = proto_tree_add_string_format(tree,
2436 *headers[hf_index].hf, tvb, offset, len,
2437 value, "%s", format_text(line, len));
2438 if (http_type == HTTP_REQUEST ||
2439 http_type == HTTP_RESPONSE) {
2440 it = proto_tree_add_item(tree,
2441 http_type == HTTP_RESPONSE ?
2442 hf_http_response_line :
2443 hf_http_request_line,
2444 tvb, offset, len,
2445 ENC_NA|ENC_ASCII);
2446 proto_item_set_text(it, "%s",
2447 format_text(line, len));
2448 PROTO_ITEM_SET_HIDDEN(it);
2449 }
2450 }
2451 } else
2452 hdr_item = NULL;
2453
2454 /*
2455 * Do any special processing that particular headers
2456 * require.
2457 */
2458 switch (headers[hf_index].special) {
2459
2460 case HDR_AUTHORIZATION:
2461 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
2462 break; /* dissected NTLMSSP */
2463 if (check_auth_basic(hdr_item, tvb, value))
2464 break; /* dissected basic auth */
2465 check_auth_kerberos(hdr_item, tvb, pinfo, value);
2466 break;
2467
2468 case HDR_AUTHENTICATE:
2469 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
2470 break; /* dissected NTLMSSP */
2471 check_auth_kerberos(hdr_item, tvb, pinfo, value);
2472 break;
2473
2474 case HDR_CONTENT_TYPE:
2475 eh_ptr->content_type = (gchar*) wmem_memdup(wmem_packet_scope(), (guint8*)value,value_len + 1);
2476
2477 for (i = 0; i < value_len; i++) {
2478 c = value[i];
2479 if (c == ';' || g_ascii_isspace(c)) {
2480 /*
2481 * End of subtype - either
2482 * white space or a ";"
2483 * separating the subtype from
2484 * a parameter.
2485 */
2486 break;
2487 }
2488
2489 /*
2490 * Map the character to lower case;
2491 * content types are case-insensitive.
2492 */
2493 eh_ptr->content_type[i] = g_ascii_tolower(eh_ptr->content_type[i]);
2494 }
2495 eh_ptr->content_type[i] = '\0';
2496 /*
2497 * Now find the start of the optional parameters;
2498 * skip the optional white space and the semicolon
2499 * if this has not been done before.
2500 */
2501 i++;
2502 while (i < value_len) {
2503 c = eh_ptr->content_type[i];
2504 if (c == ';' || g_ascii_isspace(c))
2505 /* Skip till start of parameters */
2506 i++;
2507 else
2508 break;
2509 }
2510 if (i < value_len)
2511 eh_ptr->content_type_parameters = eh_ptr->content_type + i;
2512 else
2513 eh_ptr->content_type_parameters = NULL;
2514 break;
2515
2516 case HDR_CONTENT_LENGTH:
2517 errno = 0;
2518 eh_ptr->content_length = g_ascii_strtoll(value, &p, 10);
2519 up = (guchar *)p;
2520 if (eh_ptr->content_length < 0 ||
2521 p == value ||
2522 errno == ERANGE ||
2523 (*up != '\0' && !isspace(*up))) {
2524 /*
2525 * Content length not valid; pretend
2526 * we don't have it.
2527 */
2528 eh_ptr->have_content_length = FALSE;
2529 } else {
2530 proto_tree *header_tree;
2531 proto_item *tree_item;
2532 /*
2533 * We do have a valid content length.
2534 */
2535 eh_ptr->have_content_length = TRUE;
2536 header_tree = proto_item_add_subtree(hdr_item, ett_http_header_item);
2537 tree_item = proto_tree_add_uint64(header_tree, hf_http_content_length,
2538 tvb, offset, len, eh_ptr->content_length);
2539 PROTO_ITEM_SET_GENERATED(tree_item);
2540 if (eh_ptr->transfer_encoding != NULL &&
2541 g_ascii_strncasecmp(eh_ptr->transfer_encoding, "chunked", 7) == 0) {
2542 expert_add_info(pinfo, hdr_item, &ei_http_chunked_and_length);
2543 }
2544 }
2545 break;
2546
2547 case HDR_CONTENT_ENCODING:
2548 eh_ptr->content_encoding = wmem_strndup(wmem_packet_scope(), value, value_len);
2549 break;
2550
2551 case HDR_TRANSFER_ENCODING:
2552 eh_ptr->transfer_encoding = wmem_strndup(wmem_packet_scope(), value, value_len);
2553 if (eh_ptr->have_content_length &&
2554 g_ascii_strncasecmp(eh_ptr->transfer_encoding, "chunked", 7) == 0) {
2555 expert_add_info(pinfo, hdr_item, &ei_http_chunked_and_length);
2556 }
2557 break;
2558
2559 case HDR_HOST:
2560 stat_info->http_host = wmem_strndup(wmem_packet_scope(), value, value_len);
2561 conv_data->http_host = wmem_strndup(wmem_file_scope(), value, value_len);
2562 break;
2563
2564 case HDR_UPGRADE:
2565 if (g_ascii_strncasecmp(value, "WebSocket", value_len) == 0){
2566 eh_ptr->upgrade = UPGRADE_WEBSOCKET;
2567 }
2568 /* Check if upgrade is HTTP 2.0 (work for HTTP/2.0 and draft HTTP-draft-XX/2.0) */
2569 if ( (g_str_has_prefix(value, "HTTP") && g_str_has_suffix(value, "/2.0")) == 1){
2570 eh_ptr->upgrade = UPGRADE_HTTP2;
2571 }
2572 break;
2573 }
2574 }
2575 }
2576
2577 /* Returns index of header tag in headers */
2578 static gint
2579 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
2580 {
2581 guint i;
2582
2583 for (i = 0; i < array_length(headers); i++) {
2584 if (header_len == strlen(headers[i].name) &&
2585 tvb_strncaseeql(tvb, offset,
2586 headers[i].name, header_len) == 0)
2587 return i;
2588 }
2589
2590 return -1;
2591 }
2592
2593 /*
2594 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
2595 */
2596 static gboolean
2597 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
2598 gchar *value)
2599 {
2600 static const char *ntlm_headers[] = {
2601 "NTLM ",
2602 "Negotiate ",
2603 NULL
2604 };
2605 const char **header;
2606 size_t hdrlen;
2607 proto_tree *hdr_tree;
2608
2609 /*
2610 * Check for NTLM credentials and challenge; those can
2611 * occur with WWW-Authenticate.
2612 */
2613 for (header = &ntlm_headers[0]; *header != NULL; header++) {
2614 hdrlen = strlen(*header);
2615 if (strncmp(value, *header, hdrlen) == 0) {
2616 if (hdr_item != NULL) {
2617 hdr_tree = proto_item_add_subtree(hdr_item,
2618 ett_http_ntlmssp);
2619 } else
2620 hdr_tree = NULL;
2621 value += hdrlen;
2622 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
2623 return TRUE;
2624 }
2625 }
2626 return FALSE;
2627 }
2628
2629 /*
2630 * Dissect HTTP Basic authorization.
2631 */
2632 static gboolean
2633 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
2634 {
2635 static const char *basic_headers[] = {
2636 "Basic ",
2637 NULL
2638 };
2639 const char **header;
2640 size_t hdrlen;
2641 proto_tree *hdr_tree;
2642
2643 for (header = &basic_headers[0]; *header != NULL; header++) {
2644 hdrlen = strlen(*header);
2645 if (strncmp(value, *header, hdrlen) == 0) {
2646 if (hdr_item != NULL) {
2647 hdr_tree = proto_item_add_subtree(hdr_item,
2648 ett_http_ntlmssp);
2649 } else
2650 hdr_tree = NULL;
2651 value += hdrlen;
2652
2653 epan_base64_decode(value);
2654 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
2655 0, 0, value);
2656
2657 return TRUE;
2658 }
2659 }
2660 return FALSE;
2661 }
2662
2663 static gboolean
2664 check_auth_kerberos(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo,
2665 const gchar *value)
2666 {
2667 proto_tree *hdr_tree;
2668
2669 if (strncmp(value, "Kerberos ", 9) == 0) {
2670 if (hdr_item != NULL) {
2671 hdr_tree = proto_item_add_subtree(hdr_item, ett_http_kerberos);
2672 } else
2673 hdr_tree = NULL;
2674
2675 dissect_http_kerberos(tvb, pinfo, hdr_tree, value);
2676 return TRUE;
2677 }
2678 return FALSE;
2679 }
2680
2681 static int
2682 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
2683 {
2684 http_conv_t *conv_data;
2685 int offset = 0;
2686 int len;
2687
2688 /*
2689 * Check if this is proxied connection and if so, hand of dissection to the
2690 * payload-dissector.
2691 * Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */
2692 conv_data = get_http_conversation_data(pinfo);
2693 if(pinfo->fd->num >= conv_data->startframe &&
2694 conv_data->response_code == 200 &&
2695 conv_data->request_method &&
2696 strncmp(conv_data->request_method, "CONNECT", 7) == 0 &&
2697 conv_data->request_uri) {
2698 if(conv_data->startframe == 0 && !pinfo->fd->flags.visited)
2699 conv_data->startframe = pinfo->fd->num;
2700 http_payload_subdissector(tvb, tree, pinfo, conv_data, data);
2701 } else {
2702 while (tvb_reported_length_remaining(tvb, offset) > 0) {
2703 if (conv_data->upgrade == UPGRADE_WEBSOCKET && pinfo->fd->num >= conv_data->startframe) {
2704 /*g_warning("Go Websocket");*/
2705 call_dissector_only(websocket_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
2706 break;
2707 }
2708 if (conv_data->upgrade == UPGRADE_HTTP2 && pinfo->fd->num >= conv_data->startframe) {
2709 /*g_warning("Go HTTP2");*/
2710 call_dissector_only(http2_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
2711 break;
2712 }
2713 len = dissect_http_message(tvb, offset, pinfo, tree, conv_data);
2714 if (len == -1)
2715 break;
2716 offset += len;
2717
2718 /*
2719 * OK, we've set the Protocol and Info columns for the
2720 * first HTTP message; set a fence so that subsequent
2721 * HTTP messages don't overwrite the Info column.
2722 */
2723 col_set_fence(pinfo->cinfo, COL_INFO);
2724 }
2725 }
2726
2727 return tvb_length(tvb);
2728 }
2729
2730 static gboolean
2731 dissect_http_heur_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
2732 {
2733 gint offset = 0, next_offset, linelen;
2734 conversation_t *conversation;
2735
2736
2737 /* Check if we have a line terminated by CRLF
2738 * Return the length of the line (not counting the line terminator at
2739 * the end), or, if we don't find a line terminator:
2740 *
2741 * if "deseg" is true, return -1;
2742 */
2743 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, TRUE);
2744 if((linelen == -1)||(linelen == 8)){
2745 return FALSE;
2746 }
2747
2748 /* Check if the line start or ends with the HTTP token */
2749 if((tvb_strncaseeql(tvb, linelen-8, "HTTP/1.1", 8) == 0)||(tvb_strncaseeql(tvb, 0, "HTTP/1.1", 8) == 0)){
2750 conversation = find_or_create_conversation(pinfo);
2751 conversation_set_dissector(conversation,http_handle);
2752 dissect_http(tvb, pinfo, tree, data);
2753 return TRUE;
2754 }
2755
2756 return FALSE;
2757 }
2758
2759 static void
2760 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2761 {
2762 http_conv_t *conv_data;
2763
2764 conv_data = get_http_conversation_data(pinfo);
2765 dissect_http_message(tvb, 0, pinfo, tree, conv_data);
2766 }
2767
2768
2769 static void
2770 range_delete_http_ssl_callback(guint32 port) {
2771 ssl_dissector_delete(port, "http", TRUE);
2772 }
2773
2774 static void
2775 range_add_http_ssl_callback(guint32 port) {
2776 ssl_dissector_add(port, "http", TRUE);
2777 }
2778
2779 static void reinit_http(void) {
2780 dissector_delete_uint_range("tcp.port", http_tcp_range, http_handle);
2781 g_free(http_tcp_range);
2782 http_tcp_range = range_copy(global_http_tcp_range);
2783 dissector_add_uint_range("tcp.port", http_tcp_range, http_handle);
2784
2785 range_foreach(http_ssl_range, range_delete_http_ssl_callback);
2786 g_free(http_ssl_range);
2787 http_ssl_range = range_copy(global_http_ssl_range);
2788 range_foreach(http_ssl_range, range_add_http_ssl_callback);
2789 }
2790
2791 void
2792 proto_register_http(void)
2793 {
2794 static hf_register_info hf[] = {
2795 { &hf_http_notification,
2796 { "Notification", "http.notification",
2797 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2798 "TRUE if HTTP notification", HFILL }},
2799 { &hf_http_response,
2800 { "Response", "http.response",
2801 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2802 "TRUE if HTTP response", HFILL }},
2803 { &hf_http_request,
2804 { "Request", "http.request",
2805 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2806 "TRUE if HTTP request", HFILL }},
2807 { &hf_http_basic,
2808 { "Credentials", "http.authbasic",
2809 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2810 { &hf_http_response_line,
2811 { "Response line", "http.response.line",
2812 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2813 { &hf_http_request_line,
2814 { "Request line", "http.request.line",
2815 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2816 { &hf_http_request_method,
2817 { "Request Method", "http.request.method",
2818 FT_STRING, BASE_NONE, NULL, 0x0,
2819 "HTTP Request Method", HFILL }},
2820 { &hf_http_request_uri,
2821 { "Request URI", "http.request.uri",
2822 FT_STRING, BASE_NONE, NULL, 0x0,
2823 "HTTP Request-URI", HFILL }},
2824 { &hf_http_version,
2825 { "Request Version", "http.request.version",
2826 FT_STRING, BASE_NONE, NULL, 0x0,
2827 "HTTP Request HTTP-Version", HFILL }},
2828 { &hf_http_request_full_uri,
2829 { "Full request URI", "http.request.full_uri",
2830 FT_STRING, BASE_NONE, NULL, 0x0,
2831 "The full requested URI (including host name)", HFILL }},
2832 { &hf_http_response_code,
2833 { "Status Code", "http.response.code",
2834 FT_UINT16, BASE_DEC, NULL, 0x0,
2835 "HTTP Response Status Code", HFILL }},
2836 { &hf_http_response_phrase,
2837 { "Response Phrase", "http.response.phrase",
2838 FT_STRING, BASE_NONE, NULL, 0x0,
2839 "HTTP Response Reason Phrase", HFILL }},
2840 { &hf_http_authorization,
2841 { "Authorization", "http.authorization",
2842 FT_STRING, BASE_NONE, NULL, 0x0,
2843 "HTTP Authorization header", HFILL }},
2844 { &hf_http_proxy_authenticate,
2845 { "Proxy-Authenticate", "http.proxy_authenticate",
2846 FT_STRING, BASE_NONE, NULL, 0x0,
2847 "HTTP Proxy-Authenticate header", HFILL }},
2848 { &hf_http_proxy_authorization,
2849 { "Proxy-Authorization", "http.proxy_authorization",
2850 FT_STRING, BASE_NONE, NULL, 0x0,
2851 "HTTP Proxy-Authorization header", HFILL }},
2852 { &hf_http_proxy_connect_host,
2853 { "Proxy-Connect-Hostname", "http.proxy_connect_host",
2854 FT_STRING, BASE_NONE, NULL, 0x0,
2855 "HTTP Proxy Connect Hostname", HFILL }},
2856 { &hf_http_proxy_connect_port,
2857 { "Proxy-Connect-Port", "http.proxy_connect_port",
2858 FT_UINT16, BASE_DEC, NULL, 0x0,
2859 "HTTP Proxy Connect Port", HFILL }},
2860 { &hf_http_www_authenticate,
2861 { "WWW-Authenticate", "http.www_authenticate",
2862 FT_STRING, BASE_NONE, NULL, 0x0,
2863 "HTTP WWW-Authenticate header", HFILL }},
2864 { &hf_http_content_type,
2865 { "Content-Type", "http.content_type",
2866 FT_STRING, BASE_NONE, NULL, 0x0,
2867 "HTTP Content-Type header", HFILL }},
2868 { &hf_http_content_length_header,
2869 { "Content-Length", "http.content_length_header",
2870 FT_STRING, BASE_NONE, NULL, 0x0,
2871 "HTTP Content-Length header", HFILL }},
2872 { &hf_http_content_length,
2873 { "Content length", "http.content_length",
2874 FT_UINT64, BASE_DEC, NULL, 0x0,
2875 NULL, HFILL }},
2876 { &hf_http_content_encoding,
2877 { "Content-Encoding", "http.content_encoding",
2878 FT_STRING, BASE_NONE, NULL, 0x0,
2879 "HTTP Content-Encoding header", HFILL }},
2880 { &hf_http_transfer_encoding,
2881 { "Transfer-Encoding", "http.transfer_encoding",
2882 FT_STRING, BASE_NONE, NULL, 0x0,
2883 "HTTP Transfer-Encoding header", HFILL }},
2884 { &hf_http_upgrade,
2885 { "Upgrade", "http.upgrade",
2886 FT_STRING, BASE_NONE, NULL, 0x0,
2887 "HTTP Upgrade header", HFILL }},
2888 { &hf_http_user_agent,
2889 { "User-Agent", "http.user_agent",
2890 FT_STRING, BASE_NONE, NULL, 0x0,
2891 "HTTP User-Agent header", HFILL }},
2892 { &hf_http_host,
2893 { "Host", "http.host",
2894 FT_STRING, BASE_NONE, NULL, 0x0,
2895 "HTTP Host", HFILL }},
2896 { &hf_http_connection,
2897 { "Connection", "http.connection",
2898 FT_STRING, BASE_NONE, NULL, 0x0,
2899 "HTTP Connection", HFILL }},
2900 { &hf_http_cookie,
2901 { "Cookie", "http.cookie",
2902 FT_STRING, BASE_NONE, NULL, 0x0,
2903 "HTTP Cookie", HFILL }},
2904 { &hf_http_accept,
2905 { "Accept", "http.accept",
2906 FT_STRING, BASE_NONE, NULL, 0x0,
2907 "HTTP Accept", HFILL }},
2908 { &hf_http_referer,
2909 { "Referer", "http.referer",
2910 FT_STRING, BASE_NONE, NULL, 0x0,
2911 "HTTP Referer", HFILL }},
2912 { &hf_http_accept_language,
2913 { "Accept-Language", "http.accept_language",
2914 FT_STRING, BASE_NONE, NULL, 0x0,
2915 "HTTP Accept Language", HFILL }},
2916 { &hf_http_accept_encoding,
2917 { "Accept Encoding", "http.accept_encoding",
2918 FT_STRING, BASE_NONE, NULL, 0x0,
2919 "HTTP Accept Encoding", HFILL }},
2920 { &hf_http_date,
2921 { "Date", "http.date",
2922 FT_STRING, BASE_NONE, NULL, 0x0,
2923 "HTTP Date", HFILL }},
2924 { &hf_http_cache_control,
2925 { "Cache-Control", "http.cache_control",
2926 FT_STRING, BASE_NONE, NULL, 0x0,
2927 "HTTP Cache Control", HFILL }},
2928 { &hf_http_server,
2929 { "Server", "http.server",
2930 FT_STRING, BASE_NONE, NULL, 0x0,
2931 "HTTP Server", HFILL }},
2932 { &hf_http_location,
2933 { "Location", "http.location",
2934 FT_STRING, BASE_NONE, NULL, 0x0,
2935 "HTTP Location", HFILL }},
2936 { &hf_http_sec_websocket_accept,
2937 { "Sec-WebSocket-Accept", "http.sec_websocket_accept",
2938 FT_STRING, BASE_NONE, NULL, 0x0,
2939 NULL, HFILL }},
2940 { &hf_http_sec_websocket_extensions,
2941 { "Sec-WebSocket-Extensions", "http.sec_websocket_extensions",
2942 FT_STRING, BASE_NONE, NULL, 0x0,
2943 NULL, HFILL }},
2944 { &hf_http_sec_websocket_key,
2945 { "Sec-WebSocket-Key", "http.sec_websocket_key",
2946 FT_STRING, BASE_NONE, NULL, 0x0,
2947 NULL, HFILL }},
2948 { &hf_http_sec_websocket_protocol,
2949 { "Sec-WebSocket-Protocol", "http.sec_websocket_protocol",
2950 FT_STRING, BASE_NONE, NULL, 0x0,
2951 NULL, HFILL }},
2952 { &hf_http_sec_websocket_version,
2953 { "Sec-WebSocket-Version", "http.sec_websocket_version",
2954 FT_STRING, BASE_NONE, NULL, 0x0,
2955 NULL, HFILL }},
2956 { &hf_http_set_cookie,
2957 { "Set-Cookie", "http.set_cookie",
2958 FT_STRING, BASE_NONE, NULL, 0x0,
2959 "HTTP Set Cookie", HFILL }},
2960 { &hf_http_last_modified,
2961 { "Last-Modified", "http.last_modified",
2962 FT_STRING, BASE_NONE, NULL, 0x0,
2963 "HTTP Last Modified", HFILL }},
2964 { &hf_http_x_forwarded_for,
2965 { "X-Forwarded-For", "http.x_forwarded_for",
2966 FT_STRING, BASE_NONE, NULL, 0x0,
2967 "HTTP X-Forwarded-For", HFILL }},
2968 { &hf_http_request_in,
2969 { "Request in frame", "http.request_in",
2970 FT_FRAMENUM, BASE_NONE, NULL, 0,
2971 "This packet is a response to the packet with this number", HFILL }},
2972 { &hf_http_response_in,
2973 { "Response in frame","http.response_in",
2974 FT_FRAMENUM, BASE_NONE, NULL, 0,
2975 "This packet will be responded in the packet with this number", HFILL }},
2976 { &hf_http_next_request_in,
2977 { "Next request in frame", "http.next_request_in",
2978 FT_FRAMENUM, BASE_NONE, NULL, 0,
2979 "The next HTTP request starts in packet number", HFILL }},
2980 { &hf_http_next_response_in,
2981 { "Next response in frame","http.next_response_in",
2982 FT_FRAMENUM, BASE_NONE, NULL, 0,
2983 "The next HTTP response starts in packet number", HFILL }},
2984 { &hf_http_prev_request_in,
2985 { "Prev request in frame", "http.prev_request_in",
2986 FT_FRAMENUM, BASE_NONE, NULL, 0,
2987 "The previous HTTP request starts in packet number", HFILL }},
2988 { &hf_http_prev_response_in,
2989 { "Prev response in frame","http.prev_response_in",
2990 FT_FRAMENUM, BASE_NONE, NULL, 0,
2991 "The previous HTTP response starts in packet number", HFILL }},
2992 { &hf_http_time,
2993 { "Time since request", "http.time",
2994 FT_RELATIVE_TIME, BASE_NONE, NULL, 0,
2995 "Time since the request was send", HFILL }},
2996 };
2997 static gint *ett[] = {
2998 &ett_http,
2999 &ett_http_ntlmssp,
3000 &ett_http_kerberos,
3001 &ett_http_request,
3002 &ett_http_chunked_response,
3003 &ett_http_chunk_data,
3004 &ett_http_encoded_entity,
3005 &ett_http_header_item
3006 };
3007
3008 static ei_register_info ei[] = {
3009 { &ei_http_chat, { "http.chat", PI_SEQUENCE, PI_CHAT, "Formatted text", EXPFILL }},
3010 { &ei_http_chunked_and_length, { "http.chunkd_and_length", PI_MALFORMED, PI_WARN, "It is incorrect to specify a content-length header and chunked encoding together.", EXPFILL }},
3011 { &ei_http_subdissector_failed, { "http.subdissector_failed", PI_MALFORMED, PI_NOTE, "HTTP body subdissector failed, trying heuristic subdissector", EXPFILL }},
3012 };
3013
3014 /* UAT for header fields */
3015 static uat_field_t custom_header_uat_fields[] = {
3016 UAT_FLD_CSTRING(header_fields, header_name, "Header name", "HTTP header name"),
3017 UAT_FLD_CSTRING(header_fields, header_desc, "Field desc", "Description of the value contained in the header"),
3018 UAT_END_FIELDS
3019 };
3020
3021 module_t *http_module;
3022 expert_module_t* expert_http;
3023 uat_t* headers_uat;
3024
3025 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
3026 "HTTP", "http");
3027 proto_register_field_array(proto_http, hf, array_length(hf));
3028 proto_register_subtree_array(ett, array_length(ett));
3029 expert_http = expert_register_protocol(proto_http);
3030 expert_register_field_array(expert_http, ei, array_length(ei));
3031
3032 http_handle = new_register_dissector("http", dissect_http, proto_http);
3033
3034 http_module = prefs_register_protocol(proto_http, reinit_http);
3035 prefs_register_bool_preference(http_module, "desegment_headers",
3036 "Reassemble HTTP headers spanning multiple TCP segments",
3037 "Whether the HTTP dissector should reassemble headers "
3038 "of a request spanning multiple TCP segments. "
3039 "To use this option, you must also enable "
3040 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
3041 &http_desegment_headers);
3042 prefs_register_bool_preference(http_module, "desegment_body",
3043 "Reassemble HTTP bodies spanning multiple TCP segments",
3044 "Whether the HTTP dissector should use the "
3045 "\"Content-length:\" value, if present, to reassemble "
3046 "the body of a request spanning multiple TCP segments, "
3047 "and reassemble chunked data spanning multiple TCP segments. "
3048 "To use this option, you must also enable "
3049 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
3050 &http_desegment_body);
3051 prefs_register_bool_preference(http_module, "dechunk_body",
3052 "Reassemble chunked transfer-coded bodies",
3053 "Whether to reassemble bodies of entities that are transferred "
3054 "using the \"Transfer-Encoding: chunked\" method",
3055 &http_dechunk_body);
3056 #ifdef HAVE_LIBZ
3057 prefs_register_bool_preference(http_module, "decompress_body",
3058 "Uncompress entity bodies",
3059 "Whether to uncompress entity bodies that are compressed "
3060 "using \"Content-Encoding: \"",
3061 &http_decompress_body);
3062 #endif
3063 prefs_register_obsolete_preference(http_module, "tcp_alternate_port");
3064
3065 range_convert_str(&global_http_tcp_range, TCP_DEFAULT_RANGE, 65535);
3066 http_tcp_range = range_empty();
3067 prefs_register_range_preference(http_module, "tcp.port", "TCP Ports",
3068 "TCP Ports range",
3069 &global_http_tcp_range, 65535);
3070
3071 range_convert_str(&global_http_ssl_range, SSL_DEFAULT_RANGE, 65535);
3072 http_ssl_range = range_empty();
3073 prefs_register_range_preference(http_module, "ssl.port", "SSL/TLS Ports",
3074 "SSL/TLS Ports range",
3075 &global_http_ssl_range, 65535);
3076 /* UAT */
3077 headers_uat = uat_new("Custom HTTP headers fields Table",
3078 sizeof(header_field_t),
3079 "custom_http_header_fields",
3080 TRUE,
3081 (void**) &header_fields,
3082 &num_header_fields,
3083 /* specifies named fields, so affects dissection
3084 and the set of named fields */
3085 UAT_AFFECTS_DISSECTION|UAT_AFFECTS_FIELDS,
3086 NULL,
3087 header_fields_copy_cb,
3088 header_fields_update_cb,
3089 header_fields_free_cb,
3090 header_fields_initialize_cb,
3091 custom_header_uat_fields
3092 );
3093
3094 prefs_register_uat_preference(http_module, "custom_http_header_fields", "Custom HTTP headers fields",
3095 "A table to define custom HTTP header for which fields can be setup and used for filtering/data extraction etc.",
3096 headers_uat);
3097
3098 /*
3099 * Dissectors shouldn't register themselves in this table;
3100 * instead, they should call "http_dissector_add()", and
3101 * we'll register the port number they specify as a port
3102 * for HTTP, and register them in our subdissector table.
3103 *
3104 * This only works for protocols such as IPP that run over
3105 * HTTP on a specific non-HTTP port.
3106 */
3107 port_subdissector_table = register_dissector_table("http.port",
3108 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
3109
3110 /*
3111 * Dissectors can register themselves in this table.
3112 * It's just "media_type", not "http.content_type", because
3113 * it's an Internet media type, usable by other protocols as well.
3114 */
3115 media_type_subdissector_table =
3116 register_dissector_table("media_type",
3117 "Internet media type", FT_STRING, BASE_NONE);
3118
3119 /*
3120 * Heuristic dissectors SHOULD register themselves in
3121 * this table using the standard heur_dissector_add()
3122 * function.
3123 */
3124 register_heur_dissector_list("http", &heur_subdissector_list);
3125
3126 /*
3127 * Register for tapping
3128 */
3129 http_tap = register_tap("http"); /* HTTP statistics tap */
3130 http_eo_tap = register_tap("http_eo"); /* HTTP Export Object tap */
3131 }
3132
3133 /*
3134 * Called by dissectors for protocols that run atop HTTP/TCP.
3135 */
3136 void
3137 http_dissector_add(guint32 port, dissector_handle_t handle)
3138 {
3139 /*
3140 * Register ourselves as the handler for that port number
3141 * over TCP.
3142 */
3143 dissector_add_uint("tcp.port", port, http_handle);
3144
3145 /*
3146 * And register them in *our* table for that port.
3147 */
3148 dissector_add_uint("http.port", port, handle);
3149 }
3150
3151 void
3152 http_port_add(guint32 port)
3153 {
3154 /*
3155 * Register ourselves as the handler for that port number
3156 * over TCP. We rely on our caller having registered
3157 * themselves for the appropriate media type.
3158 */
3159 dissector_add_uint("tcp.port", port, http_handle);
3160 }
3161
3162 void
3163 proto_reg_handoff_http(void)
3164 {
3165 dissector_handle_t http_udp_handle;
3166
3167 data_handle = find_dissector("data");
3168 media_handle = find_dissector("media");
3169 websocket_handle = find_dissector("websocket");
3170 http2_handle = find_dissector("http2");
3171 /*
3172 * XXX - is there anything to dissect in the body of an SSDP
3173 * request or reply? I.e., should there be an SSDP dissector?
3174 */
3175 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
3176 dissector_add_uint("udp.port", UDP_PORT_SSDP, http_udp_handle);
3177
3178 ntlmssp_handle = find_dissector("ntlmssp");
3179 gssapi_handle = find_dissector("gssapi");
3180
3181 stats_tree_register("http", "http", "HTTP/Packet Counter", 0, http_stats_tree_packet, http_stats_tree_init, NULL );
3182 stats_tree_register("http", "http_req", "HTTP/Requests", 0, http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
3183 stats_tree_register("http", "http_srv", "HTTP/Load Distribution",0, http_reqs_stats_tree_packet, http_reqs_stats_tree_init, NULL );
3184
3185 }
3186
3187 /*
3188 * Content-Type: message/http
3189 */
3190
3191 static gint proto_message_http = -1;
3192 static gint ett_message_http = -1;
3193
3194 static void
3195 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
3196 {
3197 proto_tree *subtree;
3198 proto_item *ti;
3199 gint offset = 0, next_offset;
3200 gint len;
3201
3202 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
3203 if (tree) {
3204 ti = proto_tree_add_item(tree, proto_message_http,
3205 tvb, 0, -1, ENC_NA);
3206 subtree = proto_item_add_subtree(ti, ett_message_http);
3207 while (tvb_reported_length_remaining(tvb, offset) > 0) {
3208 len = tvb_find_line_end(tvb, offset,
3209 tvb_ensure_length_remaining(tvb, offset),
3210 &next_offset, FALSE);
3211 if (len == -1)
3212 break;
3213 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
3214 "%s", tvb_format_text(tvb, offset, len));
3215 offset = next_offset;
3216 }
3217 }
3218 }
3219
3220 void
3221 proto_register_message_http(void)
3222 {
3223 static gint *ett[] = {
3224 &ett_message_http,
3225 };
3226
3227 proto_message_http = proto_register_protocol(
3228 "Media Type: message/http",
3229 "message/http",
3230 "message-http"
3231 );
3232 proto_register_subtree_array(ett, array_length(ett));
3233 }
3234
3235 void
3236 proto_reg_handoff_message_http(void)
3237 {
3238 dissector_handle_t message_http_handle;
3239
3240 message_http_handle = create_dissector_handle(dissect_message_http,
3241 proto_message_http);
3242
3243 dissector_add_string("media_type", "message/http", message_http_handle);
3244
3245 heur_dissector_add("tcp", dissect_http_heur_tcp, proto_http);
3246
3247
3248 reinit_http();
3249 }
3250
3251 /*
3252 * Editor modelines - http://www.wireshark.org/tools/modelines.html
3253 *
3254 * Local variables:
3255 * c-basic-offset: 8
3256 * tab-width: 8
3257 * indent-tabs-mode: true
3258 * End:
3259 *
3260 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
3261 * :indentSize=8:tabSize=8:noTabs=false:
3262 */