search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
FIXUP: WIP: verification_trailer
[wireshark-wip.git] / epan / dissectors / packet-skype.c
blob9fb9cb6af3db9d4d83c5109ceb2905bc0f6416ce
1 /* packet-skype.c
2 * Routines for the disassembly of Skype
3 *
4 * $Id$
5 *
6 * Copyright 2009 Joerg Mayer (see AUTHORS file)
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 */
26
27 /*
28 * Documentation that formed the basis of the packet decoding:
29 * https://github.com/matthiasbock/OpenSkype/wiki/Skype's-UDP-Format
30 * For additional information see: http://wiki.wireshark.org/Skype
31 *
32 * TODO:
33 * - Authentication
34 * - TCP
35 * - Conversation stuff (to obtain external IPs for decryption)
36 * - Decryption (with given keys)
37 * - Test CRC check (requires working decryption)
38 * - Heuristics to reliably detect Skype traffic - most likely impossible
39 * to implement in Wireshark (see http://en.wikipedia.org/wiki/Skype)
40 * - Improve tests
41 */
42
43 #include "config.h"
44
45 #include <glib.h>
46 #include <epan/wmem/wmem.h>
47 #include <epan/packet.h>
48 #include <epan/conversation.h>
49
50 /* Things we may want to remember for a whole conversation */
51 typedef struct _skype_udp_conv_info_t {
52 guint32 global_src_ip;
53 guint32 global_dst_ip;
54 } skype_udp_conv_info_t;
55
56 /* protocol handles */
57 static int proto_skype = -1;
58
59 /* ett handles */
60 static int ett_skype = -1;
61
62 #define SKYPE_SOM_UNK_MASK 0xF0
63 #define SKYPE_SOM_TYPE_MASK 0x0F
64
65 /* hf elements */
66 /* Start of Message */
67 static int hf_skype_som_id = -1;
68 static int hf_skype_som_unk = -1;
69 static int hf_skype_som_type = -1;
70 /* Message body */
71 /* Unknown_0 */
72 static int hf_skype_unknown_0_unk1 = -1;
73 /* Payload */
74 static int hf_skype_payload_iv = -1;
75 static int hf_skype_payload_crc = -1;
76 static int hf_skype_payload_enc_data = -1;
77 /* Resend */
78 static int hf_skype_ffr_num = -1;
79 static int hf_skype_ffr_unk1 = -1;
80 static int hf_skype_ffr_iv = -1;
81 static int hf_skype_ffr_crc = -1;
82 static int hf_skype_ffr_enc_data = -1;
83 /* Nat info */
84 static int hf_skype_natinfo_srcip = -1;
85 static int hf_skype_natinfo_dstip = -1;
86 /* Nat request */
87 static int hf_skype_natrequest_srcip = -1;
88 static int hf_skype_natrequest_dstip = -1;
89 /* Audio */
90 static int hf_skype_audio_unk1 = -1;
91 /* Unknown_f */
92 static int hf_skype_unknown_f_unk1 = -1;
93 /* Unknown packet type */
94 static int hf_skype_unknown_packet = -1;
95
96
97 #define PROTO_SHORT_NAME "SKYPE"
98 #define PROTO_LONG_NAME "SKYPE"
99
100 typedef enum {
101 SKYPE_TYPE_UNKNOWN_0 = 0,
102 SKYPE_TYPE_PAYLOAD = 2,
103 SKYPE_TYPE_FFR = 3,
104 SKYPE_TYPE_NAT_INFO = 5,
105 SKYPE_TYPE_NAT_REPEAT = 7,
106 SKYPE_TYPE_AUDIO = 0xd,
107 SKYPE_TYPE_UNKNOWN_F = 0xf
108 } skype_type_t;
109
110
111 static const value_string skype_type_vals[] = {
112 { SKYPE_TYPE_UNKNOWN_0, "Unknown_0" },
113 { SKYPE_TYPE_PAYLOAD, "Payload" },
114 { SKYPE_TYPE_FFR, "Fragment/Forward/Resend" },
115 { SKYPE_TYPE_NAT_INFO , "NAT info" },
116 { SKYPE_TYPE_NAT_REPEAT,"NAT repeat" },
117 { SKYPE_TYPE_AUDIO, "Audio" },
118 { SKYPE_TYPE_UNKNOWN_F, "Unknown_F" },
119
120 { 0, NULL }
121 };
122
123
124 static int
125 dissect_skype_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
126 {
127 proto_item *ti;
128 proto_tree *skype_tree = NULL;
129 guint32 offset = 0;
130 guint32 packet_length;
131 guint8 packet_type;
132
133 /* XXX: Just until we know how to decode skype over tcp */
134 packet_type = 255;
135
136 packet_length = tvb_length(tvb);
137
138 col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_SHORT_NAME);
139 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(packet_type,
140 skype_type_vals, "Type 0x%1x"));
141
142 if (tree) {
143 /* Start of message dissection */
144 ti = proto_tree_add_item(tree, proto_skype, tvb, offset, -1,
145 ENC_NA);
146 skype_tree = proto_item_add_subtree(ti, ett_skype);
147
148 /* Body dissection */
149 switch (packet_type) {
150
151 default:
152 proto_tree_add_item(skype_tree, hf_skype_unknown_packet, tvb, offset, -1,
153 ENC_NA);
154 offset = packet_length;
155 break;
156 }
157 }
158 return offset;
159 }
160
161 static int
162 dissect_skype_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
163 {
164 proto_item *ti;
165 proto_tree *skype_tree = NULL;
166 guint32 offset = 0;
167 guint32 packet_length;
168 guint8 packet_type, packet_unk;
169
170 conversation_t *conversation = NULL;
171 skype_udp_conv_info_t *skype_udp_info;
172
173 /* look up the conversation */
174 conversation = find_or_create_conversation(pinfo);
175
176 /* if conversation found get the data pointer that you stored */
177 skype_udp_info = (skype_udp_conv_info_t *)conversation_get_proto_data(conversation, proto_skype);
178 if (!skype_udp_info) {
179 /* new conversation create local data structure */
180 skype_udp_info = wmem_new(wmem_file_scope(), skype_udp_conv_info_t);
181 skype_udp_info->global_src_ip = 0;
182 skype_udp_info->global_dst_ip = 0;
183 conversation_add_proto_data(conversation, proto_skype,
184 skype_udp_info);
185 }
186 /* at this point the conversation data is ready */
187
188 packet_type = tvb_get_guint8(tvb, 2) & SKYPE_SOM_TYPE_MASK;
189 packet_unk = (tvb_get_guint8(tvb, 2) & SKYPE_SOM_UNK_MASK) >> 4;
190
191 packet_length = tvb_length(tvb);
192
193 col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_SHORT_NAME);
194 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(packet_type,
195 skype_type_vals, "Type 0x%1x"));
196 if (packet_unk) {
197 col_append_fstr(pinfo->cinfo, COL_INFO, " Unk: %1x", packet_unk);
198 }
199
200 if (tree) {
201 /* Start of message dissection */
202 ti = proto_tree_add_item(tree, proto_skype, tvb, offset, -1,
203 ENC_NA);
204 skype_tree = proto_item_add_subtree(ti, ett_skype);
205
206 proto_tree_add_item(skype_tree, hf_skype_som_id, tvb, offset, 2,
207 ENC_BIG_ENDIAN);
208 offset += 2;
209 proto_tree_add_item(skype_tree, hf_skype_som_unk, tvb, offset, 1,
210 ENC_NA);
211 proto_tree_add_item(skype_tree, hf_skype_som_type, tvb, offset, 1,
212 ENC_NA);
213 offset += 1;
214
215 /* Body dissection */
216 switch (packet_type) {
217
218 case SKYPE_TYPE_UNKNOWN_0:
219 proto_tree_add_item(skype_tree, hf_skype_unknown_0_unk1, tvb, offset, -1,
220 ENC_NA);
221 offset = packet_length;
222 break;
223 case SKYPE_TYPE_PAYLOAD:
224 proto_tree_add_item(skype_tree, hf_skype_payload_iv, tvb, offset, 4,
225 ENC_BIG_ENDIAN);
226 offset += 4;
227 proto_tree_add_item(skype_tree, hf_skype_payload_crc, tvb, offset, 4,
228 ENC_BIG_ENDIAN);
229 offset += 4;
230 proto_tree_add_item(skype_tree, hf_skype_payload_enc_data, tvb, offset, -1,
231 ENC_NA);
232 offset = packet_length;
233 break;
234 case SKYPE_TYPE_FFR:
235 proto_tree_add_item(skype_tree, hf_skype_ffr_num, tvb, offset, 1,
236 ENC_NA);
237 offset += 1;
238 proto_tree_add_item(skype_tree, hf_skype_ffr_unk1, tvb, offset, 4,
239 ENC_BIG_ENDIAN);
240 offset += 4;
241 proto_tree_add_item(skype_tree, hf_skype_ffr_iv, tvb, offset, 4,
242 ENC_BIG_ENDIAN);
243 offset += 4;
244 proto_tree_add_item(skype_tree, hf_skype_ffr_crc, tvb, offset, 4,
245 ENC_BIG_ENDIAN);
246 offset += 4;
247 proto_tree_add_item(skype_tree, hf_skype_ffr_enc_data, tvb, offset, -1,
248 ENC_NA);
249 offset = packet_length;
250 break;
251 case SKYPE_TYPE_NAT_INFO:
252 proto_tree_add_item(skype_tree, hf_skype_natinfo_srcip, tvb, offset, 4,
253 ENC_BIG_ENDIAN);
254 skype_udp_info->global_src_ip = tvb_get_ipv4(tvb, offset);
255 offset += 4;
256 proto_tree_add_item(skype_tree, hf_skype_natinfo_dstip, tvb, offset, 4,
257 ENC_BIG_ENDIAN);
258 skype_udp_info->global_dst_ip = tvb_get_ipv4(tvb, offset);
259 offset += 4;
260 break;
261 case SKYPE_TYPE_NAT_REPEAT:
262 proto_tree_add_item(skype_tree, hf_skype_natrequest_srcip, tvb, offset, 4,
263 ENC_BIG_ENDIAN);
264 skype_udp_info->global_src_ip = tvb_get_ipv4(tvb, offset);
265 offset += 4;
266 proto_tree_add_item(skype_tree, hf_skype_natrequest_dstip, tvb, offset, 4,
267 ENC_BIG_ENDIAN);
268 skype_udp_info->global_dst_ip = tvb_get_ipv4(tvb, offset);
269 offset += 4;
270 break;
271 case SKYPE_TYPE_AUDIO:
272 proto_tree_add_item(skype_tree, hf_skype_audio_unk1, tvb, offset, -1,
273 ENC_NA);
274 offset = packet_length;
275 break;
276 case SKYPE_TYPE_UNKNOWN_F:
277 proto_tree_add_item(skype_tree, hf_skype_unknown_f_unk1, tvb, offset, -1,
278 ENC_NA);
279 offset = packet_length;
280 break;
281 default:
282 proto_tree_add_item(skype_tree, hf_skype_unknown_packet, tvb, offset, -1,
283 ENC_NA);
284 offset = packet_length;
285 break;
286 }
287 }
288 return offset;
289 }
290
291 #if SKYPE_HEUR
292 static gboolean
293 test_skype_udp(tvbuff_t *tvb)
294 {
295 /* Minimum of 3 bytes, check for valid message type */
296 guint length = tvb_length(tvb);
297 guint8 type = tvb_get_guint8(tvb, 2) & 0xF;
298 if ( length >= 3 &&
299 ( type == 0 ||
300 /* FIXME: Extend this by minimum or exact length per message type */
301 type == 2 ||
302 type == 3 ||
303 type == 5 ||
304 type == 7 ||
305 type == 0xd ||
306 type == 0xf
307 )
308 ) {
309 return TRUE;
310 }
311 return FALSE;
312 }
313
314 static gboolean
315 dissect_skype_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
316 {
317 if (pinfo->ptype == PT_UDP) {
318 if ( !test_skype_udp(tvb) ) {
319 return FALSE;
320 }
321 dissect_skype_udp(tvb, pinfo, tree);
322 }
323 return TRUE;
324 }
325 #endif
326
327 static int
328 dissect_skype_static(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
329 {
330 /*
331 * Don't test for valid packet - we only end here when
332 * the user did a decode-as.
333 */
334 if (pinfo->ptype == PT_UDP) {
335 return dissect_skype_udp(tvb, pinfo, tree);
336 } else if (pinfo->ptype == PT_UDP) {
337 return dissect_skype_tcp(tvb, pinfo, tree);
338 }
339 return 0;
340 }
341
342 void
343 proto_register_skype(void)
344 {
345 static hf_register_info hf[] = {
346
347 /* Start of message fields */
348 { &hf_skype_som_id,
349 { "ID", "skype.som.id", FT_UINT16, BASE_HEX, NULL,
350 0x0, "Message ID", HFILL }},
351
352 { &hf_skype_som_unk,
353 { "Unknown", "skype.som.unk", FT_UINT8, BASE_HEX, NULL,
354 SKYPE_SOM_UNK_MASK, NULL, HFILL }},
355
356 { &hf_skype_som_type,
357 { "Type", "skype.som.type", FT_UINT8, BASE_HEX, VALS(skype_type_vals),
358 SKYPE_SOM_TYPE_MASK, "Message type", HFILL }},
359
360 /* Message body */
361
362 /* Unknown_0 */
363 { &hf_skype_unknown_0_unk1,
364 { "Unknown1", "skype.unknown_0.unk1", FT_BYTES, BASE_NONE, NULL,
365 0x0, NULL, HFILL }},
366
367 /* Payload */
368 { &hf_skype_payload_iv,
369 { "IV", "skype.payload.iv", FT_UINT32, BASE_HEX, NULL,
370 0x0, NULL, HFILL }},
371
372 { &hf_skype_payload_crc,
373 { "CRC", "skype.payload.crc", FT_UINT32, BASE_HEX, NULL,
374 0x0, NULL, HFILL }},
375
376 { &hf_skype_payload_enc_data,
377 { "Enc Data", "skype.payload.encdata", FT_BYTES, BASE_NONE, NULL,
378 0x0, NULL, HFILL }},
379
380 /* Resend */
381 { &hf_skype_ffr_num,
382 { "Num", "skype.ffr.num", FT_UINT8, BASE_HEX, NULL,
383 0x0, NULL, HFILL }},
384
385 { &hf_skype_ffr_unk1,
386 { "Unk1", "skype.ffr.unk1", FT_UINT32, BASE_HEX, NULL,
387 0x0, NULL, HFILL }},
388
389 { &hf_skype_ffr_iv,
390 { "IV", "skype.ffr.iv", FT_UINT32, BASE_HEX, NULL,
391 0x0, NULL, HFILL }},
392
393 { &hf_skype_ffr_crc,
394 { "CRC", "skype.ffr.crc", FT_UINT32, BASE_HEX, NULL,
395 0x0, NULL, HFILL }},
396
397 { &hf_skype_ffr_enc_data,
398 { "Enc Data", "skype.ffr.encdata", FT_BYTES, BASE_NONE, NULL,
399 0x0, NULL, HFILL }},
400
401 /* Nat info */
402 { &hf_skype_natinfo_srcip,
403 { "Src IP", "skype.natinfo.srcip", FT_IPv4, BASE_NONE, NULL,
404 0x0, "Global source IP", HFILL }},
405
406 { &hf_skype_natinfo_dstip,
407 { "Dst IP", "skype.natinfo.dstip", FT_UINT32, BASE_HEX, NULL,
408 0x0, "Global destination IP", HFILL }},
409
410 /* Nat request */
411 { &hf_skype_natrequest_srcip,
412 { "Src IP", "skype.natrequest.srcip", FT_IPv4, BASE_NONE, NULL,
413 0x0, "Global source IP", HFILL }},
414
415 { &hf_skype_natrequest_dstip,
416 { "Dst IP", "skype.natrequest.dstip", FT_UINT32, BASE_HEX, NULL,
417 0x0, NULL, HFILL }},
418
419 /* Audio */
420 { &hf_skype_audio_unk1,
421 { "Unknown1", "skype.audio.unk1", FT_BYTES, BASE_NONE, NULL,
422 0x0, NULL, HFILL }},
423
424 /* Unknown_F */
425 { &hf_skype_unknown_f_unk1,
426 { "Unknown1", "skype.unknown_f.unk1", FT_BYTES, BASE_NONE, NULL,
427 0x0, NULL, HFILL }},
428
429 /* Unknown packet */
430 { &hf_skype_unknown_packet,
431 { "Unknown Packet", "skype.unknown_packet", FT_BYTES, BASE_NONE, NULL,
432 0x0, NULL, HFILL }},
433
434 };
435 static gint *ett[] = {
436 &ett_skype,
437 };
438
439 proto_skype = proto_register_protocol(PROTO_LONG_NAME, PROTO_SHORT_NAME, "skype");
440 proto_register_field_array(proto_skype, hf, array_length(hf));
441 proto_register_subtree_array(ett, array_length(ett));
442 }
443
444 void
445 proto_reg_handoff_skype(void)
446 {
447 dissector_handle_t skype_handle;
448
449 skype_handle = new_create_dissector_handle(dissect_skype_static, proto_skype);
450 dissector_add_handle("tcp.port", skype_handle);
451 dissector_add_handle("udp.port", skype_handle);
452 #if SKYPE_HEUR
453 heur_dissector_add("tcp", dissect_skype_heur, proto_skype);
454 heur_dissector_add("udp", dissect_skype_heur, proto_skype);
455 #endif
456
457 }
458