search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
HACK: pinfo->private_data points to smb_info again
[wireshark-wip.git] / epan / dissectors / packet-smtp.c
blob5e72370a7666ec0994d36d159dac1f8e1cd70fde
1 /* packet-smtp.c
2 * Routines for SMTP packet disassembly
3 *
4 * $Id$
5 *
6 * Copyright (c) 2000 by Richard Sharpe <rsharpe@ns.aus.com>
7 *
8 * Added RFC 4954 SMTP Authentication
9 * Michael Mann * Copyright 2012
10 *
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1999 Gerald Combs
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29
30 #include "config.h"
31
32 #include <stdlib.h>
33 #include <ctype.h>
34
35 #include <glib.h>
36
37 #include <epan/packet.h>
38 #include <epan/conversation.h>
39 #include <epan/prefs.h>
40 #include <epan/strutil.h>
41 #include <epan/wmem/wmem.h>
42 #include <epan/reassemble.h>
43 #include <epan/base64.h>
44 #include <epan/dissectors/packet-ssl.h>
45
46 /* RFC 2821 */
47 #define TCP_PORT_SMTP 25
48 #define TCP_PORT_SSL_SMTP 465
49
50 /* RFC 4409 */
51 #define TCP_PORT_SUBMISSION 587
52
53 static int proto_smtp = -1;
54
55 static int hf_smtp_req = -1;
56 static int hf_smtp_rsp = -1;
57 static int hf_smtp_message = -1;
58 static int hf_smtp_command_line = -1;
59 static int hf_smtp_req_command = -1;
60 static int hf_smtp_req_parameter = -1;
61 static int hf_smtp_response = -1;
62 static int hf_smtp_rsp_code = -1;
63 static int hf_smtp_rsp_parameter = -1;
64 static int hf_smtp_username = -1;
65 static int hf_smtp_password = -1;
66
67 static int hf_smtp_data_fragments = -1;
68 static int hf_smtp_data_fragment = -1;
69 static int hf_smtp_data_fragment_overlap = -1;
70 static int hf_smtp_data_fragment_overlap_conflicts = -1;
71 static int hf_smtp_data_fragment_multiple_tails = -1;
72 static int hf_smtp_data_fragment_too_long_fragment = -1;
73 static int hf_smtp_data_fragment_error = -1;
74 static int hf_smtp_data_fragment_count = -1;
75 static int hf_smtp_data_reassembled_in = -1;
76 static int hf_smtp_data_reassembled_length = -1;
77
78 static int ett_smtp = -1;
79 static int ett_smtp_cmdresp = -1;
80
81 static gint ett_smtp_data_fragment = -1;
82 static gint ett_smtp_data_fragments = -1;
83
84 static gboolean stmp_decryption_enabled = FALSE;
85 /* desegmentation of SMTP command and response lines */
86 static gboolean smtp_desegment = TRUE;
87 static gboolean smtp_data_desegment = TRUE;
88
89 static reassembly_table smtp_data_reassembly_table;
90
91 static const fragment_items smtp_data_frag_items = {
92 /* Fragment subtrees */
93 &ett_smtp_data_fragment,
94 &ett_smtp_data_fragments,
95 /* Fragment fields */
96 &hf_smtp_data_fragments,
97 &hf_smtp_data_fragment,
98 &hf_smtp_data_fragment_overlap,
99 &hf_smtp_data_fragment_overlap_conflicts,
100 &hf_smtp_data_fragment_multiple_tails,
101 &hf_smtp_data_fragment_too_long_fragment,
102 &hf_smtp_data_fragment_error,
103 &hf_smtp_data_fragment_count,
104 /* Reassembled in field */
105 &hf_smtp_data_reassembled_in,
106 /* Reassembled length field */
107 &hf_smtp_data_reassembled_length,
108 /* Reassembled data field */
109 NULL,
110 /* Tag */
111 "DATA fragments"
112 };
113
114 static dissector_handle_t ssl_handle;
115 static dissector_handle_t imf_handle;
116 static dissector_handle_t ntlmssp_handle;
117
118 /*
119 * A CMD is an SMTP command, MESSAGE is the message portion, and EOM is the
120 * last part of a message
121 */
122 #define SMTP_PDU_CMD 0
123 #define SMTP_PDU_MESSAGE 1
124 #define SMTP_PDU_EOM 2
125
126 struct smtp_proto_data {
127 guint16 pdu_type;
128 guint16 conversation_id;
129 gboolean more_frags;
130 };
131
132 /*
133 * State information stored with a conversation.
134 */
135 typedef enum {
136 SMTP_STATE_READING_CMDS, /* reading commands */
137 SMTP_STATE_READING_DATA, /* reading message data */
138 SMTP_STATE_AWAITING_STARTTLS_RESPONSE /* sent STARTTLS, awaiting response */
139 } smtp_state_t;
140
141 typedef enum {
142 SMTP_AUTH_STATE_NONE, /* No authentication seen or used */
143 SMTP_AUTH_STATE_START, /* Authentication started, waiting for username */
144 SMTP_AUTH_STATE_USERNAME_REQ, /* Received username request from server */
145 SMTP_AUTH_STATE_USERNAME_RSP, /* Received username response from client */
146 SMTP_AUTH_STATE_PASSWORD_REQ, /* Received password request from server */
147 SMTP_AUTH_STATE_PASSWORD_RSP, /* Received password request from server */
148 SMTP_AUTH_STATE_PLAIN_START_REQ, /* Received AUTH PLAIN command from client*/
149 SMTP_AUTH_STATE_PLAIN_CRED_REQ, /* Received AUTH PLAIN command including creds from client*/
150 SMTP_AUTH_STATE_PLAIN_REQ, /* Received AUTH PLAIN request from server */
151 SMTP_AUTH_STATE_PLAIN_RSP, /* Received AUTH PLAIN response from client */
152 SMTP_AUTH_STATE_NTLM_REQ, /* Received ntlm negotiate request from client */
153 SMTP_AUTH_STATE_NTLM_CHALLANGE, /* Received ntlm challange request from server */
154 SMTP_AUTH_STATE_NTLM_RSP, /* Received ntlm auth request from client */
155 SMTP_AUTH_STATE_SUCCESS, /* Password received, authentication successful, start decoding */
156 SMTP_AUTH_STATE_FAILED /* authentication failed, no decoding */
157 } smtp_auth_state_t;
158
159 struct smtp_session_state {
160 smtp_state_t smtp_state; /* Current state */
161 smtp_auth_state_t auth_state; /* Current authentication state */
162 /* Values that need to be saved because state machine can't be used during tree dissection */
163 guint32 first_auth_frame; /* First frame involving authentication. */
164 guint32 username_frame; /* Frame containing client username */
165 guint32 password_frame; /* Frame containing client password */
166 guint32 last_auth_frame; /* Last frame involving authentication. */
167 gboolean crlf_seen; /* Have we seen a CRLF on the end of a packet */
168 gboolean data_seen; /* Have we seen a DATA command yet */
169 guint32 msg_read_len; /* Length of BDAT message read so far */
170 guint32 msg_tot_len; /* Total length of BDAT message */
171 gboolean msg_last; /* Is this the last BDAT chunk */
172 guint32 last_nontls_frame; /* last non-TLS frame; 0 if not known or no TLS */
173 guint32 username_cmd_frame; /* AUTH command contains username */
174 guint32 user_pass_cmd_frame; /* AUTH command contains username and password */
175 guint32 user_pass_frame; /* Frame contains username and password */
176 guint32 ntlm_req_frame; /* Frame containing NTLM request */
177 guint32 ntlm_cha_frame; /* Frame containing NTLM challange. */
178 guint32 ntlm_rsp_frame; /* Frame containing NTLM response. */
179 };
180
181 /*
182 * See
183 *
184 * http://support.microsoft.com/default.aspx?scid=kb;[LN];812455
185 *
186 * for the Exchange extensions.
187 */
188 static const struct {
189 const char *command;
190 int len;
191 } commands[] = {
192 { "STARTTLS", 8 }, /* RFC 2487 */
193 { "X-EXPS", 6 }, /* Microsoft Exchange */
194 { "X-LINK2STATE", 12 }, /* Microsoft Exchange */
195 { "XEXCH50", 7 } /* Microsoft Exchange */
196 };
197
198 #define NCOMMANDS (sizeof commands / sizeof commands[0])
199
200 /* The following were copied from RFC 2821 */
201 static const value_string response_codes_vs[] = {
202 { 211, "System status, or system help reply" },
203 { 214, "Help message" },
204 { 220, "<domain> Service ready" },
205 { 221, "<domain> Service closing transmission channel" },
206 { 235, "Authentication successful" },
207 { 250, "Requested mail action okay, completed" },
208 { 251, "User not local; will forward to <forward-path>" },
209 { 252, "Cannot VRFY user, but will accept message and attempt delivery" },
210 { 334, "AUTH input" },
211 { 354, "Start mail input; end with <CRLF>.<CRLF>" },
212 { 421, "<domain> Service not available, closing transmission channel" },
213 { 432, "A password transition is needed" },
214 { 450, "Requested mail action not taken: mailbox unavailable" },
215 { 451, "Requested action aborted: local error in processing" },
216 { 452, "Requested action not taken: insufficient system storage" },
217 { 454, "Temporary authenticaion failed" },
218 { 500, "Syntax error, command unrecognized" },
219 { 501, "Syntax error in parameters or arguments" },
220 { 502, "Command not implemented" },
221 { 503, "Bad sequence of commands" },
222 { 504, "Command parameter not implemented" },
223 { 530, "Authentication required" },
224 { 534, "Authentication mechanism is too weak" },
225 { 535, "Authentication credentials invalid" },
226 { 538, "Encryption required for requested authentication mechanism" },
227 { 550, "Requested action not taken: mailbox unavailable" },
228 { 551, "User not local; please try <forward-path>" },
229 { 552, "Requested mail action aborted: exceeded storage allocation" },
230 { 553, "Requested action not taken: mailbox name not allowed" },
231 { 554, "Transaction failed" },
232 { 0, NULL }
233 };
234 static value_string_ext response_codes_vs_ext = VALUE_STRING_EXT_INIT(response_codes_vs);
235
236 static gboolean
237 line_is_smtp_command(const guchar *command, int commandlen)
238 {
239 size_t i;
240
241 /*
242 * To quote RFC 821, "Command codes are four alphabetic
243 * characters".
244 *
245 * However, there are some SMTP extensions that involve commands
246 * longer than 4 characters and/or that contain non-alphabetic
247 * characters; we treat them specially.
248 *
249 * XXX - should we just have a table of known commands? Or would
250 * that fail to catch some extensions we don't know about?
251 */
252 if (commandlen == 4 && g_ascii_isalpha(command[0]) &&
253 g_ascii_isalpha(command[1]) && g_ascii_isalpha(command[2]) &&
254 g_ascii_isalpha(command[3])) {
255 /* standard 4-alphabetic command */
256 return TRUE;
257 }
258
259 /*
260 * Check the list of non-4-alphabetic commands.
261 */
262 for (i = 0; i < NCOMMANDS; i++) {
263 if (commandlen == commands[i].len &&
264 g_ascii_strncasecmp(command, commands[i].command, commands[i].len) == 0)
265 return TRUE;
266 }
267 return FALSE;
268 }
269
270 static void
271 dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree)
272 {
273 gint next_offset;
274
275 if (smtp_tree) {
276 while (tvb_offset_exists(tvb, offset)) {
277 /*
278 * Find the end of the line.
279 */
280 tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
281
282 /*
283 * Put this line.
284 */
285 proto_tree_add_item(smtp_tree, hf_smtp_message, tvb,
286 offset, next_offset - offset, ENC_ASCII|ENC_NA);
287
288 /*
289 * Step to the next line.
290 */
291 offset = next_offset;
292 }
293 }
294 }
295
296 static void
297 dissect_ntlm_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
298 const char *line)
299 {
300 tvbuff_t *ntlm_tvb;
301
302 ntlm_tvb = base64_to_tvb(tvb, line);
303 if(tvb_strneql(ntlm_tvb, 0, "NTLMSSP", 7) == 0) {
304 add_new_data_source(pinfo, ntlm_tvb, "NTLMSSP Data");
305 call_dissector(ntlmssp_handle, ntlm_tvb, pinfo, tree);
306 }
307 }
308
309 static void
310 decode_plain_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
311 gint a_offset, int a_linelen)
312 {
313 gint returncode;
314 gint length_user1;
315 gint length_user2;
316 gint length_pass;
317 guint8 *decrypt = NULL;
318
319 decrypt = tvb_get_string(wmem_packet_scope(), tvb, a_offset, a_linelen);
320 if (stmp_decryption_enabled) {
321 returncode = (gint)epan_base64_decode(decrypt);
322 if (returncode) {
323 length_user1 = (gint)strlen(decrypt);
324 if (returncode >= (length_user1 + 1)) {
325 length_user2 = (gint)strlen(decrypt + length_user1 + 1);
326 proto_tree_add_string(tree, hf_smtp_username, tvb,
327 a_offset, a_linelen, decrypt + length_user1 + 1);
328 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", decrypt + length_user1 + 1);
329
330 if (returncode >= (length_user1 + 1 + length_user2 + 1)) {
331 length_pass = (gint)strlen(decrypt + length_user1 + length_user2 + 2);
332 proto_tree_add_string(tree, hf_smtp_password, tvb,
333 a_offset, length_pass, decrypt + length_user1 + length_user2 + 2);
334 col_append_str(pinfo->cinfo, COL_INFO, " ");
335 col_append_fstr(pinfo->cinfo, COL_INFO, " Pass: %s", decrypt + length_user1 + length_user2 + 2);
336 }
337 }
338 }
339 }
340 else {
341 proto_tree_add_string(tree, hf_smtp_username, tvb,
342 a_offset, a_linelen, decrypt);
343 proto_tree_add_string(tree, hf_smtp_password, tvb,
344 a_offset, a_linelen, decrypt);
345 col_append_str(pinfo->cinfo, COL_INFO, decrypt);
346 }
347 }
348
349 static void
350 dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
351 {
352 struct smtp_proto_data *spd_frame_data;
353 proto_tree *smtp_tree = NULL;
354 proto_tree *cmdresp_tree = NULL;
355 proto_item *ti, *hidden_item;
356 int offset = 0;
357 int request = 0;
358 conversation_t *conversation;
359 struct smtp_session_state *session_state;
360 const guchar *line, *linep, *lineend;
361 guint32 code;
362 int linelen = 0;
363 gint length_remaining;
364 gboolean eom_seen = FALSE;
365 gint next_offset;
366 gint loffset = 0;
367 int cmdlen;
368 fragment_head *frag_msg = NULL;
369 tvbuff_t *next_tvb;
370 guint8 *decrypt = NULL;
371 guint8 *base64_string = NULL;
372 guint8 line_code[3];
373
374 /* As there is no guarantee that we will only see frames in the
375 * the SMTP conversation once, and that we will see them in
376 * order - in Wireshark, the user could randomly click on frames
377 * in the conversation in any order in which they choose - we
378 * have to store information with each frame indicating whether
379 * it contains commands or data or an EOM indication.
380 *
381 * XXX - what about frames that contain *both*? TCP is a
382 * byte-stream protocol, and there are no guarantees that
383 * TCP segment boundaries will correspond to SMTP commands
384 * or EOM indications.
385 *
386 * We only need that for the client->server stream; responses
387 * are easy to manage.
388 *
389 * If we have per frame data, use that, else, we must be on the first
390 * pass, so we figure it out on the first pass.
391 */
392
393 /*
394 * Find or create the conversation for this.
395 */
396 conversation = find_or_create_conversation(pinfo);
397
398 /*
399 * Is there a request structure attached to this conversation?
400 */
401 session_state = (struct smtp_session_state *)conversation_get_proto_data(conversation, proto_smtp);
402 if (!session_state) {
403 /*
404 * No - create one and attach it.
405 */
406 session_state = (struct smtp_session_state *)wmem_alloc0(wmem_file_scope(), sizeof(struct smtp_session_state));
407 session_state->smtp_state = SMTP_STATE_READING_CMDS;
408 session_state->auth_state = SMTP_AUTH_STATE_NONE;
409 session_state->msg_last = TRUE;
410
411 conversation_add_proto_data(conversation, proto_smtp, session_state);
412 }
413
414 /* Are we doing TLS?
415 * FIXME In my understanding of RFC 2487 client and server can send SMTP cmds
416 * after a rejected TLS negotiation
417 */
418 if (session_state->last_nontls_frame != 0 && pinfo->fd->num > session_state->last_nontls_frame) {
419 guint16 save_can_desegment;
420 guint32 save_last_nontls_frame;
421
422 /* This is TLS, not raw SMTP. TLS can desegment */
423 save_can_desegment = pinfo->can_desegment;
424 pinfo->can_desegment = pinfo->saved_can_desegment;
425
426 /* Make sure the SSL dissector will not be called again after decryption */
427 save_last_nontls_frame = session_state->last_nontls_frame;
428 session_state->last_nontls_frame = 0;
429
430 call_dissector(ssl_handle, tvb, pinfo, tree);
431
432 pinfo->can_desegment = save_can_desegment;
433 session_state->last_nontls_frame = save_last_nontls_frame;
434 return;
435 }
436
437 /* Is this a request or a response? */
438 request = pinfo->destport == pinfo->match_uint;
439
440 /*
441 * Is there any data attached to this frame?
442 */
443 spd_frame_data = (struct smtp_proto_data *)p_get_proto_data(pinfo->fd, proto_smtp, 0);
444
445 if (!spd_frame_data) {
446
447 /*
448 * No frame data.
449 */
450 if (request) {
451
452 /*
453 * Create a frame data structure and attach it to the packet.
454 */
455 spd_frame_data = (struct smtp_proto_data *)wmem_alloc0(wmem_file_scope(), sizeof(struct smtp_proto_data));
456
457 spd_frame_data->conversation_id = conversation->index;
458 spd_frame_data->more_frags = TRUE;
459
460 p_add_proto_data(pinfo->fd, proto_smtp, 0, spd_frame_data);
461
462 }
463
464 /*
465 * Get the first line from the buffer.
466 *
467 * Note that "tvb_find_line_end()" will, if it doesn't return
468 * -1, return a value that is not longer than what's in the buffer,
469 * and "tvb_find_line_end()" will always return a value that is not
470 * longer than what's in the buffer, so the "tvb_get_ptr()" call
471 * won't throw an exception.
472 */
473 loffset = offset;
474 while (tvb_offset_exists(tvb, loffset)) {
475 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
476 smtp_desegment && pinfo->can_desegment);
477 if (linelen == -1) {
478 if (offset == loffset) {
479 /*
480 * We didn't find a line ending, and we're doing desegmentation;
481 * tell the TCP dissector where the data for this message starts
482 * in the data it handed us, and tell it we need more bytes
483 */
484 pinfo->desegment_offset = loffset;
485 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
486 return;
487 } else {
488 linelen = tvb_length_remaining(tvb, loffset);
489 next_offset = loffset + linelen;
490 }
491 }
492
493 /*
494 * Check whether or not this packet is an end of message packet
495 * We should look for CRLF.CRLF and they may be split.
496 * We have to keep in mind that we may see what we want on
497 * two passes through here ...
498 */
499 if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
500 /*
501 * The order of these is important ... We want to avoid
502 * cases where there is a CRLF at the end of a packet and a
503 * .CRLF at the beginning of the same packet.
504 */
505 if ((session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
506 tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0)
507 eom_seen = TRUE;
508
509 length_remaining = tvb_length_remaining(tvb, loffset);
510 if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
511 tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0)
512 session_state->crlf_seen = TRUE;
513 else
514 session_state->crlf_seen = FALSE;
515 }
516
517 /*
518 * OK, Check if we have seen a DATA request. We do it here for
519 * simplicity, but we have to be careful below.
520 */
521 if (request) {
522 if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
523 /*
524 * This is message data.
525 */
526 if (eom_seen) { /* Seen the EOM */
527 /*
528 * EOM.
529 * Everything that comes after it is commands.
530 */
531 spd_frame_data->pdu_type = SMTP_PDU_EOM;
532 session_state->smtp_state = SMTP_STATE_READING_CMDS;
533 break;
534 } else {
535 /*
536 * Message data with no EOM.
537 */
538 spd_frame_data->pdu_type = SMTP_PDU_MESSAGE;
539
540 if (session_state->msg_tot_len > 0) {
541 /*
542 * We are handling a BDAT message.
543 * Check if we have reached end of the data chunk.
544 */
545 session_state->msg_read_len += tvb_length_remaining(tvb, loffset);
546
547 if (session_state->msg_read_len == session_state->msg_tot_len) {
548 /*
549 * We have reached end of BDAT data chunk.
550 * Everything that comes after this is commands.
551 */
552 session_state->smtp_state = SMTP_STATE_READING_CMDS;
553
554 if (session_state->msg_last) {
555 /*
556 * We have found the LAST data chunk.
557 * The message can now be reassembled.
558 */
559 spd_frame_data->more_frags = FALSE;
560 }
561
562 break; /* no need to go through the remaining lines */
563 }
564 }
565 }
566 } else {
567 /*
568 * This is commands - unless the capture started in the
569 * middle of a session, and we're in the middle of data.
570 *
571 * Commands are not necessarily 4 characters; look
572 * for a space or the end of the line to see where
573 * the putative command ends.
574 */
575 if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) &&
576 (pinfo->fd->num >= session_state->first_auth_frame) &&
577 ((session_state->last_auth_frame == 0) || (pinfo->fd->num <= session_state->last_auth_frame))) {
578 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
579 if ((stmp_decryption_enabled) && (epan_base64_decode(decrypt) > 0)) {
580 line = decrypt;
581 } else {
582 line = tvb_get_ptr(tvb, loffset, linelen);
583 }
584 } else {
585 line = tvb_get_ptr(tvb, loffset, linelen);
586 }
587
588 linep = line;
589 lineend = line + linelen;
590 while (linep < lineend && *linep != ' ')
591 linep++;
592 cmdlen = (int)(linep - line);
593 if (line_is_smtp_command(line, cmdlen)) {
594 if (g_ascii_strncasecmp(line, "DATA", 4) == 0) {
595 /*
596 * DATA command.
597 * This is a command, but everything that comes after it,
598 * until an EOM, is data.
599 */
600 spd_frame_data->pdu_type = SMTP_PDU_CMD;
601 session_state->smtp_state = SMTP_STATE_READING_DATA;
602 session_state->data_seen = TRUE;
603 } else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) {
604 /*
605 * BDAT command.
606 * This is a command, but everything that comes after it,
607 * until given length is received, is data.
608 */
609 guint32 msg_len;
610
611 msg_len = (guint32)strtoul (line+5, NULL, 10);
612
613 spd_frame_data->pdu_type = SMTP_PDU_CMD;
614 session_state->data_seen = TRUE;
615 session_state->msg_tot_len += msg_len;
616
617 if (msg_len == 0) {
618 /* No data to read, next will be a command */
619 session_state->smtp_state = SMTP_STATE_READING_CMDS;
620 } else {
621 session_state->smtp_state = SMTP_STATE_READING_DATA;
622 }
623
624 if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) {
625 /*
626 * This is the last data chunk.
627 */
628 session_state->msg_last = TRUE;
629
630 if (msg_len == 0) {
631 /*
632 * No more data to expect.
633 * The message can now be reassembled.
634 */
635 spd_frame_data->more_frags = FALSE;
636 }
637 } else {
638 session_state->msg_last = FALSE;
639 }
640 } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen <= 11)) {
641 /*
642 * AUTH LOGIN command.
643 * Username is in a seperate frame
644 */
645 spd_frame_data->pdu_type = SMTP_PDU_CMD;
646 session_state->smtp_state = SMTP_STATE_READING_CMDS;
647 session_state->auth_state = SMTP_AUTH_STATE_START;
648 session_state->first_auth_frame = pinfo->fd->num;
649 } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen > 11)) {
650 /*
651 * AUTH LOGIN command.
652 * Username follows the 'AUTH LOGIN' string
653 */
654 spd_frame_data->pdu_type = SMTP_PDU_CMD;
655 session_state->smtp_state = SMTP_STATE_READING_CMDS;
656 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP;
657 session_state->first_auth_frame = pinfo->fd->num;
658 session_state->username_cmd_frame = pinfo->fd->num;
659 } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen <= 11)) {
660 /*
661 * AUTH PLAIN command.
662 * Username and Password is in one seperate frame
663 */
664 spd_frame_data->pdu_type = SMTP_PDU_CMD;
665 session_state->smtp_state = SMTP_STATE_READING_CMDS;
666 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_START_REQ;
667 session_state->first_auth_frame = pinfo->fd->num;
668 } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen > 11)) {
669 /*
670 * AUTH PLAIN command.
671 * Username and Password follows the 'AUTH PLAIN' string
672 */
673 spd_frame_data->pdu_type = SMTP_PDU_CMD;
674 session_state->smtp_state = SMTP_STATE_READING_CMDS;
675 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_CRED_REQ;
676 session_state->first_auth_frame = pinfo->fd->num;
677 session_state->user_pass_cmd_frame = pinfo->fd->num;
678 } else if ((g_ascii_strncasecmp(line, "AUTH NTLM", 9) == 0) && (linelen > 10)) {
679 /*
680 * AUTH NTLM command with nlmssp request
681 */
682 spd_frame_data->pdu_type = SMTP_PDU_CMD;
683 session_state->smtp_state = SMTP_STATE_READING_CMDS;
684 session_state->auth_state = SMTP_AUTH_STATE_NTLM_REQ;
685 session_state->ntlm_req_frame = pinfo->fd->num;
686 } else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) {
687 /*
688 * STARTTLS command.
689 * This is a command, but if the response is 220,
690 * everything after the response is TLS.
691 */
692 session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE;
693 spd_frame_data->pdu_type = SMTP_PDU_CMD;
694 } else {
695 /*
696 * Regular command.
697 */
698 spd_frame_data->pdu_type = SMTP_PDU_CMD;
699 }
700 } else if (session_state->auth_state == SMTP_AUTH_STATE_USERNAME_REQ) {
701 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP;
702 session_state->username_frame = pinfo->fd->num;
703 } else if (session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_REQ) {
704 session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_RSP;
705 session_state->password_frame = pinfo->fd->num;
706 } else if (session_state->auth_state == SMTP_AUTH_STATE_PLAIN_REQ) {
707 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP;
708 session_state->user_pass_frame = pinfo->fd->num;
709 } else if (session_state->auth_state == SMTP_AUTH_STATE_NTLM_CHALLANGE) {
710 session_state->auth_state = SMTP_AUTH_STATE_NTLM_RSP;
711 session_state->ntlm_rsp_frame = pinfo->fd->num;
712 }
713 else {
714
715 /*
716 * Assume it's message data.
717 */
718 spd_frame_data->pdu_type = session_state->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
719 }
720 }
721 }
722
723 /*
724 * Step past this line.
725 */
726 loffset = next_offset;
727 }
728 }
729
730
731 /*
732 * From here, we simply add items to the tree and info to the info
733 * fields ...
734 */
735
736 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
737 col_clear(pinfo->cinfo, COL_INFO);
738
739 if (tree) { /* Build the tree info ... */
740 ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA);
741 smtp_tree = proto_item_add_subtree(ti, ett_smtp);
742 }
743
744 if (request) {
745 /*
746 * Check out whether or not we can see a command in there ...
747 * What we are looking for is not data_seen and the word DATA
748 * and not eom_seen.
749 *
750 * We will see DATA and session_state->data_seen when we process the
751 * tree view after we have seen a DATA packet when processing
752 * the packet list pane.
753 *
754 * On the first pass, we will not have any info on the packets
755 * On second and subsequent passes, we will.
756 */
757 switch (spd_frame_data->pdu_type) {
758
759 case SMTP_PDU_MESSAGE:
760 /* Column Info */
761 length_remaining = tvb_length_remaining(tvb, offset);
762 col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
763 col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
764 plurality (length_remaining, "", "s"));
765
766 if (smtp_data_desegment) {
767 frag_msg = fragment_add_seq_next(&smtp_data_reassembly_table, tvb, 0,
768 pinfo, spd_frame_data->conversation_id, NULL,
769 tvb_length(tvb), spd_frame_data->more_frags);
770 } else {
771 /*
772 * Message body.
773 * Put its lines into the protocol tree, a line at a time.
774 */
775 dissect_smtp_data(tvb, offset, smtp_tree);
776 }
777 break;
778
779 case SMTP_PDU_EOM:
780 /*
781 * End-of-message-body indicator.
782 *
783 * XXX - what about stuff after the first line?
784 * Unlikely, as the client should wait for a response to the
785 * DATA command this terminates before sending another
786 * request, but we should probably handle it.
787 */
788 col_set_str(pinfo->cinfo, COL_INFO, "C: .");
789
790 proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
791
792 if (smtp_data_desegment) {
793 /* add final data segment */
794 if (loffset)
795 fragment_add_seq_next(&smtp_data_reassembly_table, tvb, 0,
796 pinfo, spd_frame_data->conversation_id, NULL,
797 loffset, spd_frame_data->more_frags);
798
799 /* terminate the desegmentation */
800 frag_msg = fragment_end_seq_next(&smtp_data_reassembly_table,
801 pinfo, spd_frame_data->conversation_id, NULL);
802 }
803 break;
804
805 case SMTP_PDU_CMD:
806 /*
807 * Command.
808 *
809 * XXX - what about stuff after the first line?
810 * Unlikely, as the client should wait for a response to the
811 * previous command before sending another request, but we
812 * should probably handle it.
813 */
814
815 loffset = offset;
816 while (tvb_offset_exists(tvb, loffset)) {
817 /*
818 * Find the end of the line.
819 */
820 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
821
822 /* Column Info */
823 if (loffset == offset)
824 col_append_str(pinfo->cinfo, COL_INFO, "C: ");
825 else
826 col_append_str(pinfo->cinfo, COL_INFO, " | ");
827
828 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb,
829 0, 0, TRUE);
830 PROTO_ITEM_SET_HIDDEN(hidden_item);
831
832 if (session_state->username_frame == pinfo->fd->num) {
833 if (decrypt == NULL) {
834 /* This line wasn't already decrypted through the state machine */
835 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
836 if (stmp_decryption_enabled) {
837 if (epan_base64_decode(decrypt) == 0) {
838 /* Go back to the original string */
839 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
840 }
841 }
842 }
843 proto_tree_add_string(smtp_tree, hf_smtp_username, tvb,
844 loffset, linelen, decrypt);
845 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", decrypt);
846 } else if (session_state->password_frame == pinfo->fd->num) {
847 if (decrypt == NULL) {
848 /* This line wasn't already decrypted through the state machine */
849 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
850 if (stmp_decryption_enabled) {
851 if (epan_base64_decode(decrypt) == 0) {
852 /* Go back to the original string */
853 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
854 }
855 }
856 }
857 proto_tree_add_string(smtp_tree, hf_smtp_password, tvb,
858 loffset, linelen, decrypt);
859 col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", decrypt);
860 } else if (session_state->ntlm_rsp_frame == pinfo->fd->num) {
861 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
862 if (stmp_decryption_enabled) {
863 if (epan_base64_decode(decrypt) == 0) {
864 /* Go back to the original string */
865 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
866 col_append_str(pinfo->cinfo, COL_INFO, decrypt);
867 proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
868 loffset, linelen, ENC_ASCII|ENC_NA);
869 }
870 else {
871 base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
872 dissect_ntlm_auth(tvb, pinfo, smtp_tree, base64_string);
873 }
874 }
875 else {
876 col_append_str(pinfo->cinfo, COL_INFO, decrypt);
877 proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
878 loffset, linelen, ENC_ASCII|ENC_NA);
879 }
880 } else if (session_state->user_pass_frame == pinfo->fd->num) {
881 decode_plain_auth(tvb, pinfo, smtp_tree, loffset, linelen);
882 } else {
883
884 if (linelen >= 4)
885 cmdlen = 4;
886 else
887 cmdlen = linelen;
888
889 /*
890 * Put the command line into the protocol tree.
891 */
892 ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
893 loffset, next_offset - loffset, ENC_ASCII|ENC_NA);
894 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
895
896 proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
897 loffset, cmdlen, ENC_ASCII|ENC_NA);
898
899 if ((linelen > 5) && (session_state->username_cmd_frame == pinfo->fd->num) ) {
900 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
901 loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
902
903 if (decrypt == NULL) {
904 /* This line wasn't already decrypted through the state machine */
905 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 11, linelen - 11);
906 if (stmp_decryption_enabled) {
907 if (epan_base64_decode(decrypt) == 0) {
908 /* Go back to the original string */
909 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 11, linelen - 11);
910 }
911 }
912 }
913 proto_tree_add_string(cmdresp_tree, hf_smtp_username, tvb, loffset + 11, linelen - 11, decrypt);
914 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 11));
915 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", decrypt);
916 }
917 else if ((linelen > 5) && (session_state->ntlm_req_frame == pinfo->fd->num) ) {
918 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
919 loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
920 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10);
921 if (stmp_decryption_enabled) {
922 if (epan_base64_decode(decrypt) == 0) {
923 /* Go back to the original string */
924 decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10);
925 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10));
926 col_append_str(pinfo->cinfo, COL_INFO, decrypt);
927 }
928 else {
929 base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10);
930 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10));
931 dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string);
932 }
933 }
934 else {
935 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10));
936 col_append_str(pinfo->cinfo, COL_INFO, decrypt);
937 }
938 }
939 else if ((linelen > 5) && (session_state->user_pass_cmd_frame == pinfo->fd->num) ) {
940 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
941 loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
942 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 11));
943 decode_plain_auth(tvb, pinfo, cmdresp_tree, loffset + 11, linelen - 11);
944 }
945 else if (linelen > 5) {
946 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
947 loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
948 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen));
949 }
950 else {
951 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen));
952 }
953
954 if (smtp_data_desegment && !spd_frame_data->more_frags) {
955 /* terminate the desegmentation */
956 frag_msg = fragment_end_seq_next(&smtp_data_reassembly_table,
957 pinfo, spd_frame_data->conversation_id, NULL);
958 }
959 }
960 /*
961 * Step past this line.
962 */
963 loffset = next_offset;
964 }
965 }
966
967 if (smtp_data_desegment) {
968 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP",
969 frag_msg, &smtp_data_frag_items, NULL, smtp_tree);
970 if (next_tvb) {
971 /* XXX: this is presumptuous - we may have negotiated something else */
972 if (imf_handle) {
973 call_dissector(imf_handle, next_tvb, pinfo, tree);
974 } else {
975 /*
976 * Message body.
977 * Put its lines into the protocol tree, a line at a time.
978 */
979 dissect_smtp_data(tvb, offset, smtp_tree);
980 }
981
982 pinfo->fragmented = FALSE;
983 } else {
984 pinfo->fragmented = TRUE;
985 }
986 }
987 } else {
988 /*
989 * Process the response, a line at a time, until we hit a line
990 * that doesn't have a continuation indication on it.
991 */
992 if (tree) {
993 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb,
994 0, 0, TRUE);
995 PROTO_ITEM_SET_HIDDEN(hidden_item);
996 }
997
998 loffset = offset;
999 while (tvb_offset_exists(tvb, offset)) {
1000 /*
1001 * Find the end of the line.
1002 */
1003 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
1004
1005 if (loffset == offset)
1006 col_append_str(pinfo->cinfo, COL_INFO, "S: ");
1007 else
1008 col_append_str(pinfo->cinfo, COL_INFO, " | ");
1009
1010 if (tree) {
1011 /*
1012 * Put it into the protocol tree.
1013 */
1014 ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb,
1015 offset, next_offset - offset, ENC_ASCII|ENC_NA);
1016 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
1017 } else
1018 cmdresp_tree = NULL;
1019
1020 if (linelen >= 3) {
1021 line_code[0] = tvb_get_guint8(tvb, offset);
1022 line_code[1] = tvb_get_guint8(tvb, offset+1);
1023 line_code[2] = tvb_get_guint8(tvb, offset+2);
1024 if (isdigit(line_code[0]) && isdigit(line_code[1])
1025 && isdigit(line_code[2])) {
1026 /*
1027 * We have a 3-digit response code.
1028 */
1029 code = (line_code[0] - '0')*100 + (line_code[1] - '0')*10 + (line_code[2] - '0');
1030
1031 /*
1032 * If we're awaiting the response to a STARTTLS code, this
1033 * is it - if it's 220, all subsequent traffic will
1034 * be TLS, otherwise we're back to boring old SMTP.
1035 */
1036 if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) {
1037 if (code == 220) {
1038 /* This is the last non-TLS frame. */
1039 session_state->last_nontls_frame = pinfo->fd->num;
1040 }
1041 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1042 }
1043
1044 if (code == 334) {
1045 switch(session_state->auth_state)
1046 {
1047 case SMTP_AUTH_STATE_START:
1048 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_REQ;
1049 break;
1050 case SMTP_AUTH_STATE_USERNAME_RSP:
1051 session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_REQ;
1052 break;
1053 case SMTP_AUTH_STATE_PLAIN_REQ:
1054 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP;
1055 break;
1056 case SMTP_AUTH_STATE_PLAIN_START_REQ:
1057 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_REQ;
1058 break;
1059 case SMTP_AUTH_STATE_NTLM_REQ:
1060 session_state->auth_state = SMTP_AUTH_STATE_NTLM_CHALLANGE;
1061 break;
1062 case SMTP_AUTH_STATE_NONE:
1063 case SMTP_AUTH_STATE_USERNAME_REQ:
1064 case SMTP_AUTH_STATE_PASSWORD_REQ:
1065 case SMTP_AUTH_STATE_PASSWORD_RSP:
1066 case SMTP_AUTH_STATE_PLAIN_RSP:
1067 case SMTP_AUTH_STATE_PLAIN_CRED_REQ:
1068 case SMTP_AUTH_STATE_NTLM_RSP:
1069 case SMTP_AUTH_STATE_NTLM_CHALLANGE:
1070 case SMTP_AUTH_STATE_SUCCESS:
1071 case SMTP_AUTH_STATE_FAILED:
1072 /* ignore */
1073 break;
1074 }
1075 } else if ((session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_RSP) ||
1076 ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_RSP) ||
1077 ( session_state->auth_state == SMTP_AUTH_STATE_NTLM_RSP) ||
1078 ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_CRED_REQ) ) {
1079 if (code == 235) {
1080 session_state->auth_state = SMTP_AUTH_STATE_SUCCESS;
1081 } else {
1082 session_state->auth_state = SMTP_AUTH_STATE_FAILED;
1083 }
1084 session_state->last_auth_frame = pinfo->fd->num;
1085 }
1086
1087 /*
1088 * Put the response code and parameters into the protocol tree.
1089 */
1090 proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3,
1091 code);
1092
1093 decrypt = NULL;
1094 if (linelen >= 4) {
1095 if ((stmp_decryption_enabled) && (code == 334)) {
1096 decrypt = tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4);
1097 if (epan_base64_decode(decrypt) > 0) {
1098 if (g_ascii_strncasecmp(decrypt, "NTLMSSP", 7) == 0) {
1099 base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset + 4, linelen - 4);
1100 col_append_fstr(pinfo->cinfo, COL_INFO, "%d ", code);
1101 proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
1102 offset + 4, linelen - 4, (const char*)base64_string);
1103 dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string);
1104 }
1105 else {
1106 proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
1107 offset + 4, linelen - 4, (const char*)decrypt);
1108
1109 col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, decrypt);
1110 }
1111 } else {
1112 decrypt = NULL;
1113 }
1114 }
1115
1116 if (decrypt == NULL) {
1117 proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
1118 offset + 4, linelen - 4, ENC_ASCII|ENC_NA);
1119
1120 col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code,
1121 tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4));
1122 }
1123 } else {
1124 col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, offset, linelen));
1125 }
1126 }
1127 }
1128 /*
1129 * Step past this line.
1130 */
1131 offset = next_offset;
1132
1133 }
1134 }
1135 }
1136
1137 static void
1138 smtp_data_reassemble_init (void)
1139 {
1140 reassembly_table_init(&smtp_data_reassembly_table,
1141 &addresses_ports_reassembly_table_functions);
1142 }
1143
1144
1145 /* Register all the bits needed by the filtering engine */
1146
1147 void
1148 proto_register_smtp(void)
1149 {
1150 static hf_register_info hf[] = {
1151 { &hf_smtp_req,
1152 { "Request", "smtp.req",
1153 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1154
1155 { &hf_smtp_rsp,
1156 { "Response", "smtp.rsp",
1157 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1158
1159 { &hf_smtp_message,
1160 { "Message", "smtp.message",
1161 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1162
1163 { &hf_smtp_command_line,
1164 { "Command Line", "smtp.command_line",
1165 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1166
1167 { &hf_smtp_req_command,
1168 { "Command", "smtp.req.command",
1169 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1170
1171 { &hf_smtp_req_parameter,
1172 { "Request parameter", "smtp.req.parameter",
1173 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1174
1175 { &hf_smtp_response,
1176 { "Response", "smtp.response",
1177 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1178
1179 { &hf_smtp_rsp_code,
1180 { "Response code", "smtp.response.code",
1181 FT_UINT32, BASE_DEC|BASE_EXT_STRING, &response_codes_vs_ext, 0x0, NULL, HFILL }},
1182
1183 { &hf_smtp_rsp_parameter,
1184 { "Response parameter", "smtp.rsp.parameter",
1185 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1186
1187 { &hf_smtp_username,
1188 { "Username", "smtp.auth.username",
1189 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1190
1191 { &hf_smtp_password,
1192 { "Password", "smtp.auth.password",
1193 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1194
1195 /* Fragment entries */
1196 { &hf_smtp_data_fragments,
1197 { "DATA fragments", "smtp.data.fragments",
1198 FT_NONE, BASE_NONE, NULL, 0x00, "Message fragments", HFILL } },
1199
1200 { &hf_smtp_data_fragment,
1201 { "DATA fragment", "smtp.data.fragment",
1202 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message fragment", HFILL } },
1203
1204 { &hf_smtp_data_fragment_overlap,
1205 { "DATA fragment overlap", "smtp.data.fragment.overlap", FT_BOOLEAN,
1206 BASE_NONE, NULL, 0x0, "Message fragment overlap", HFILL } },
1207
1208 { &hf_smtp_data_fragment_overlap_conflicts,
1209 { "DATA fragment overlapping with conflicting data",
1210 "smtp.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL,
1211 0x0, "Message fragment overlapping with conflicting data", HFILL } },
1212
1213 { &hf_smtp_data_fragment_multiple_tails,
1214 { "DATA has multiple tail fragments", "smtp.data.fragment.multiple_tails",
1215 FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message has multiple tail fragments", HFILL } },
1216
1217 { &hf_smtp_data_fragment_too_long_fragment,
1218 { "DATA fragment too long", "smtp.data.fragment.too_long_fragment",
1219 FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message fragment too long", HFILL } },
1220
1221 { &hf_smtp_data_fragment_error,
1222 { "DATA defragmentation error", "smtp.data.fragment.error",
1223 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } },
1224
1225 { &hf_smtp_data_fragment_count,
1226 { "DATA fragment count", "smtp.data.fragment.count",
1227 FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
1228
1229 { &hf_smtp_data_reassembled_in,
1230 { "Reassembled DATA in frame", "smtp.data.reassembled.in",
1231 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } },
1232
1233 { &hf_smtp_data_reassembled_length,
1234 { "Reassembled DATA length", "smtp.data.reassembled.length",
1235 FT_UINT32, BASE_DEC, NULL, 0x00, "The total length of the reassembled payload", HFILL } },
1236 };
1237 static gint *ett[] = {
1238 &ett_smtp,
1239 &ett_smtp_cmdresp,
1240 &ett_smtp_data_fragment,
1241 &ett_smtp_data_fragments,
1242
1243 };
1244 module_t *smtp_module;
1245
1246 proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
1247 "SMTP", "smtp");
1248
1249 proto_register_field_array(proto_smtp, hf, array_length(hf));
1250 proto_register_subtree_array(ett, array_length(ett));
1251 register_init_routine (&smtp_data_reassemble_init);
1252
1253 /* Allow dissector to find be found by name. */
1254 register_dissector("smtp", dissect_smtp, proto_smtp);
1255
1256 /* Preferences */
1257 smtp_module = prefs_register_protocol(proto_smtp, NULL);
1258 prefs_register_bool_preference(smtp_module, "desegment_lines",
1259 "Reassemble SMTP command and response lines\nspanning multiple TCP segments",
1260 "Whether the SMTP dissector should reassemble command and response lines"
1261 " spanning multiple TCP segments. To use this option, you must also enable "
1262 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1263 &smtp_desegment);
1264
1265 prefs_register_bool_preference(smtp_module, "desegment_data",
1266 "Reassemble SMTP DATA commands spanning multiple TCP segments",
1267 "Whether the SMTP dissector should reassemble DATA command and lines"
1268 " spanning multiple TCP segments. To use this option, you must also enable "
1269 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1270 &smtp_data_desegment);
1271
1272 prefs_register_bool_preference(smtp_module, "decryption",
1273 "Decrypt AUTH parameters",
1274 "Whether the SMTP dissector should decrypt AUTH parameters",
1275 &stmp_decryption_enabled);
1276 }
1277
1278 /* The registration hand-off routine */
1279 void
1280 proto_reg_handoff_smtp(void)
1281 {
1282 dissector_handle_t smtp_handle;
1283
1284 smtp_handle = find_dissector("smtp");
1285 dissector_add_uint("tcp.port", TCP_PORT_SMTP, smtp_handle);
1286 ssl_dissector_add(TCP_PORT_SSL_SMTP, "smtp", TRUE);
1287 dissector_add_uint("tcp.port", TCP_PORT_SUBMISSION, smtp_handle);
1288
1289 /* find the IMF dissector */
1290 imf_handle = find_dissector("imf");
1291
1292 /* find the SSL dissector */
1293 ssl_handle = find_dissector("ssl");
1294
1295 /* find the NTLM dissector */
1296 ntlmssp_handle = find_dissector("ntlmssp");
1297 }
1298
1299 /*
1300 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1301 *
1302 * Local variables:
1303 * c-basic-offset: 2
1304 * tab-width: 8
1305 * indent-tabs-mode: nil
1306 * End:
1307 *
1308 * vi: set shiftwidth=2 tabstop=8 expandtab:
1309 * :indentSize=2:tabSize=8:noTabs=true
1310 */