/* packet-http.c * Routines for HTTP packet disassembly * RFC 1945 (HTTP/1.0) * RFC 2616 (HTTP/1.1) * * Guy Harris <guy@alum.mit.edu> * * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net> * Copyright 2002, Tim Potter <tpot@samba.org> * Copyright 1999, Andrew Tridgell <tridge@samba.org> * * $Id: packet-http.c 19674 2006-10-24 21:50:59Z gerald $ * * Wireshark - Network traffic analyzer * By Gerald Combs <gerald@wireshark.org> * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include <string.h> #include <ctype.h> #include <glib.h> #include <epan/conversation.h> #include <epan/packet.h> #include <epan/strutil.h> #include <epan/base64.h> #include <epan/emem.h> #include <epan/stats_tree.h> #include <epan/req_resp_hdrs.h> #include "packet-http.h" #include "packet-tcp.h" #include <epan/prefs.h> #include <epan/expert.h> typedef enum _http_type { HTTP_REQUEST, HTTP_RESPONSE, HTTP_NOTIFICATION, HTTP_OTHERS } http_type_t; #include <epan/tap.h> static int http_tap = -1; static int proto_http = -1; static int hf_http_notification = -1; static int hf_http_response = -1; static int hf_http_request = -1; static int hf_http_basic = -1; static int hf_http_request_method = -1; static int hf_http_request_uri = -1; static int hf_http_version = -1; static int hf_http_response_code = -1; static int hf_http_authorization = -1; static int hf_http_proxy_authenticate = -1; static int hf_http_proxy_authorization = -1; static int hf_http_www_authenticate = -1; static int hf_http_content_type = -1; static int hf_http_content_length = -1; static int hf_http_content_encoding = -1; static int hf_http_transfer_encoding = -1; static int hf_http_user_agent = -1; static int hf_http_host = -1; static int hf_http_connection = -1; static int hf_http_cookie = -1; static int hf_http_accept = -1; static int hf_http_referer = -1; static int hf_http_accept_language = -1; static int hf_http_accept_encoding = -1; static int hf_http_date = -1; static int hf_http_cache_control = -1; static int hf_http_server = -1; static int hf_http_location = -1; static int hf_http_set_cookie = -1; static int hf_http_last_modified = -1; static int hf_http_x_forwarded_for = -1; static gint ett_http = -1; static gint ett_http_ntlmssp = -1; static gint ett_http_request = -1; static gint ett_http_chunked_response = -1; static gint ett_http_chunk_data = -1; static gint ett_http_encoded_entity = -1; static dissector_handle_t data_handle; static dissector_handle_t media_handle; static dissector_handle_t http_handle; /* * desegmentation of HTTP headers * (when we are over TCP or another protocol providing the desegmentation API) */ static gboolean http_desegment_headers = TRUE; /* * desegmentation of HTTP bodies * (when we are over TCP or another protocol providing the desegmentation API) * TODO let the user filter on content-type the bodies he wants desegmented */ static gboolean http_desegment_body = TRUE; /* * De-chunking of content-encoding: chunk entity bodies. */ static gboolean http_dechunk_body = TRUE; /* * Decompression of zlib encoded entities. */ #ifdef HAVE_LIBZ static gboolean http_decompress_body = TRUE; #else static gboolean http_decompress_body = FALSE; #endif #define TCP_PORT_HTTP 80 #define TCP_PORT_PROXY_HTTP 3128 #define TCP_PORT_PROXY_ADMIN_HTTP 3132 #define TCP_ALT_PORT_HTTP 8080 #define TCP_RADAN_HTTP 8088 #define TCP_PORT_HKP 11371 #define TCP_PORT_DAAP 3689 #define HTTP_PORTS (TCP_PORT_HTTP || TCP_PORT_PROXY_HTTP || TCP_PORT_PROXY_ADMIN_HTTP || TCP_ALT_PORT_HTTP || TCP_RADAN_HTTP || \ TCP_PORT_HKP || TCP_PORT_DAAP) /* * SSDP is implemented atop HTTP (yes, it really *does* run over UDP). */ #define TCP_PORT_SSDP 1900 #define UDP_PORT_SSDP 1900 /* * tcp alternate port */ static guint http_alternate_tcp_port = 0; static guint alternate_tcp_port = 0; /* * Protocols implemented atop HTTP. */ typedef enum { PROTO_HTTP, /* just HTTP */ PROTO_SSDP, /* Simple Service Discovery Protocol */ PROTO_DAAP /* Digital Audio Access Protocol */ } http_proto_t; typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*, const guchar*); /* * Structure holding information from headers needed by main * HTTP dissector code. */ typedef struct { char *content_type; char *content_type_parameters; gboolean have_content_length; long content_length; /* XXX - make it 64-bit? */ char *content_encoding; char *transfer_encoding; } headers_t; static int is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type, ReqRespDissector *reqresp_dissector); static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo, proto_tree *tree, int offset); static void http_payload_subdissector(tvbuff_t *next_tvb, proto_tree *tree, proto_tree *sub_tree, packet_info *pinfo); static void process_header(tvbuff_t *tvb, int offset, int next_offset, const guchar *line, int linelen, int colon_offset, packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr); static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len); static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, gchar *value); static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value); static dissector_table_t port_subdissector_table; static dissector_table_t media_type_subdissector_table; static heur_dissector_list_t heur_subdissector_list; static dissector_handle_t ntlmssp_handle=NULL; static dissector_handle_t gssapi_handle=NULL; static const value_string vals_status_code[] = { { 100, "Continue" }, { 101, "Switching Protocols" }, { 102, "Processing" }, { 199, "Informational - Others" }, { 200, "OK"}, { 201, "Created"}, { 202, "Accepted"}, { 203, "Non-authoritative Information"}, { 204, "No Content"}, { 205, "Reset Content"}, { 206, "Partial Content"}, { 207, "Multi-Status"}, { 299, "Success - Others"}, { 300, "Multiple Choices"}, { 301, "Moved Permanently"}, { 302, "Found"}, { 303, "See Other"}, { 304, "Not Modified"}, { 305, "Use Proxy"}, { 307, "Temporary Redirect"}, { 399, "Redirection - Others"}, { 400, "Bad Request"}, { 401, "Unauthorized"}, { 402, "Payment Required"}, { 403, "Forbidden"}, { 404, "Not Found"}, { 405, "Method Not Allowed"}, { 406, "Not Acceptable"}, { 407, "Proxy Authentication Required"}, { 408, "Request Time-out"}, { 409, "Conflict"}, { 410, "Gone"}, { 411, "Length Required"}, { 412, "Precondition Failed"}, { 413, "Request Entity Too Large"}, { 414, "Request-URI Too Long"}, { 415, "Unsupported Media Type"}, { 416, "Requested Range Not Satisfiable"}, { 417, "Expectation Failed"}, { 422, "Unprocessable Entity"}, { 423, "Locked"}, { 424, "Failed Dependency"}, { 499, "Client Error - Others"}, { 500, "Internal Server Error"}, { 501, "Not Implemented"}, { 502, "Bad Gateway"}, { 503, "Service Unavailable"}, { 504, "Gateway Time-out"}, { 505, "HTTP Version not supported"}, { 507, "Insufficient Storage"}, { 599, "Server Error - Others"}, { 0, NULL} }; static const gchar* st_str_reqs = "HTTP Requests by Server"; static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address"; static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host"; static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address"; static int st_node_reqs = -1; static int st_node_reqs_by_srv_addr = -1; static int st_node_reqs_by_http_host = -1; static int st_node_resps_by_srv_addr = -1; static void http_reqs_stats_tree_init(stats_tree* st) { st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE); st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE); st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE); st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE); } static int http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p) { const http_info_value_t* v = p; int reqs_by_this_host; int reqs_by_this_addr; int resps_by_this_addr; int i = v->response_code; static gchar ip_str[256]; if (v->request_method) { g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->dst)); tick_stat_node(st, st_str_reqs, 0, FALSE); tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE); tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE); reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE); if (v->http_host) { reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE); tick_stat_node(st, ip_str, reqs_by_this_host, FALSE); tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE); } return 1; } else if (i != 0) { g_snprintf(ip_str,sizeof(ip_str),"%s",address_to_str(&pinfo->src)); tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE); resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE); if ( (i>100)&&(i<400) ) { tick_stat_node(st, "OK", resps_by_this_addr, FALSE); } else { tick_stat_node(st, "KO", resps_by_this_addr, FALSE); } return 1; } return 0; } static int st_node_requests_by_host = -1; static const guint8* st_str_requests_by_host = "HTTP Requests by HTTP Host"; static void http_req_stats_tree_init(stats_tree* st) { st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE); } static int http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) { const http_info_value_t* v = p; int reqs_by_this_host; if (v->request_method) { tick_stat_node(st, st_str_requests_by_host, 0, FALSE); if (v->http_host) { reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE); if (v->request_uri) { tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE); } } return 1; } return 0; } static const guint8* st_str_packets = "Total HTTP Packets"; static const guint8* st_str_requests = "HTTP Request Packets"; static const guint8* st_str_responses = "HTTP Response Packets"; static const guint8* st_str_resp_broken = "???: broken"; static const guint8* st_str_resp_100 = "1xx: Informational"; static const guint8* st_str_resp_200 = "2xx: Success"; static const guint8* st_str_resp_300 = "3xx: Redirection"; static const guint8* st_str_resp_400 = "4xx: Client Error"; static const guint8* st_str_resp_500 = "5xx: Server Error"; static const guint8* st_str_other = "Other HTTP Packets"; static int st_node_packets = -1; static int st_node_requests = -1; static int st_node_responses = -1; static int st_node_resp_broken = -1; static int st_node_resp_100 = -1; static int st_node_resp_200 = -1; static int st_node_resp_300 = -1; static int st_node_resp_400 = -1; static int st_node_resp_500 = -1; static int st_node_other = -1; static void http_stats_tree_init(stats_tree* st) { st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE); st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets); st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE); st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE); st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE); st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE); st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE); st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE); st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE); st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE); } static int http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p) { const http_info_value_t* v = p; guint i = v->response_code; int resp_grp; const guint8* resp_str; static gchar str[64]; tick_stat_node(st, st_str_packets, 0, FALSE); if (i) { tick_stat_node(st, st_str_responses, st_node_packets, FALSE); if ( (i<100)||(i>=600) ) { resp_grp = st_node_resp_broken; resp_str = st_str_resp_broken; } else if (i<200) { resp_grp = st_node_resp_100; resp_str = st_str_resp_100; } else if (i<300) { resp_grp = st_node_resp_200; resp_str = st_str_resp_200; } else if (i<400) { resp_grp = st_node_resp_300; resp_str = st_str_resp_300; } else if (i<500) { resp_grp = st_node_resp_400; resp_str = st_str_resp_400; } else { resp_grp = st_node_resp_500; resp_str = st_str_resp_500; } tick_stat_node(st, resp_str, st_node_responses, FALSE); g_snprintf(str, sizeof(str),"%u %s",i,match_strval(i,vals_status_code)); tick_stat_node(st, str, resp_grp, FALSE); } else if (v->request_method) { stats_tree_tick_pivot(st,st_node_requests,v->request_method); } else { tick_stat_node(st, st_str_other, st_node_packets, FALSE); } return 1; } /* Return a tvb that contains the binary representation of a base64 string */ static tvbuff_t * base64_to_tvb(const char *base64) { tvbuff_t *tvb; char *data = g_strdup(base64); size_t len; len = epan_base64_decode(data); tvb = tvb_new_real_data((const guint8 *)data, len, len); tvb_set_free_cb(tvb, g_free); return tvb; } static void dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *line) { tvbuff_t *ntlmssp_tvb; ntlmssp_tvb = base64_to_tvb(line); tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb); add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data"); if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0) call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree); else call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree); } /* * TODO: remove this ugly global variable. * XXX: do we really want to have to pass this from one function to another? */ static http_info_value_t *stat_info; static int dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) { http_proto_t proto; const char *proto_tag; proto_tree *http_tree = NULL; proto_item *ti = NULL; const guchar *line; gint next_offset; const guchar *linep, *lineend; int orig_offset; int first_linelen, linelen; gboolean is_request_or_reply; gboolean saw_req_resp_or_header; guchar c; http_type_t http_type; proto_item *hdr_item = NULL; ReqRespDissector reqresp_dissector; proto_tree *req_tree; int colon_offset; headers_t headers; int datalen; int reported_datalen = -1; dissector_handle_t handle; gboolean dissected; /*guint i;*/ /*http_info_value_t *si;*/ conversation_t *conversation; /* * Is this a request or response? * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ first_linelen = tvb_find_line_end(tvb, offset, tvb_ensure_length_remaining(tvb, offset), &next_offset, FALSE); /* * Is the first line a request or response? */ line = tvb_get_ptr(tvb, offset, first_linelen); http_type = HTTP_OTHERS; /* type not known yet */ is_request_or_reply = is_http_request_or_reply((const gchar *)line, first_linelen, &http_type, NULL); if (is_request_or_reply) { /* * Yes, it's a request or response. * Do header desegmentation if we've been told to, * and do body desegmentation if we've been told to and * we find a Content-Length header. */ if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo, http_desegment_headers, http_desegment_body)) { /* * More data needed for desegmentation. */ return -1; } } conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0); if(!conversation) { /* Conversation does not exist yet - create it */ conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, pinfo->srcport, pinfo->destport, 0); } /* Retrieve information from conversation * or add it if it isn't there yet */ stat_info = conversation_get_proto_data(conversation, proto_http); if(!stat_info) { stat_info = se_alloc(sizeof(http_info_value_t)); stat_info->response_code = 0; stat_info->request_method = NULL; stat_info->request_uri = NULL; stat_info->http_host = NULL; conversation_add_proto_data(conversation, proto_http, stat_info); } switch (pinfo->match_port) { case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */ proto = PROTO_SSDP; proto_tag = "SSDP"; break; case TCP_PORT_DAAP: proto = PROTO_DAAP; proto_tag = "DAAP"; break; default: proto = PROTO_HTTP; proto_tag = "HTTP"; break; } if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag); if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * if it's an HTTP request or reply (but leave out the * line terminator). * Otherwise, just call it a continuation. * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ line = tvb_get_ptr(tvb, offset, first_linelen); if (is_request_or_reply) col_add_str(pinfo->cinfo, COL_INFO, format_text(line, first_linelen)); else col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic"); } orig_offset = offset; if (tree) { ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1, FALSE); http_tree = proto_item_add_subtree(ti, ett_http); } /* * Process the packet data, a line at a time. */ http_type = HTTP_OTHERS; /* type not known yet */ headers.content_type = NULL; /* content type not known yet */ headers.content_type_parameters = NULL; /* content type parameters too */ headers.have_content_length = FALSE; /* content length not known yet */ headers.content_encoding = NULL; /* content encoding not known yet */ headers.transfer_encoding = NULL; /* transfer encoding not known yet */ saw_req_resp_or_header = FALSE; /* haven't seen anything yet */ while (tvb_reported_length_remaining(tvb, offset) != 0) { /* * Find the end of the line. * XXX - what if we don't find it because the packet * is cut short by a snapshot length or the header is * split across TCP segments? How much dissection should * we do on it? */ linelen = tvb_find_line_end(tvb, offset, tvb_ensure_length_remaining(tvb, offset), &next_offset, FALSE); if (linelen < 0) return -1; /* * Get a buffer that refers to the line. */ line = tvb_get_ptr(tvb, offset, linelen); lineend = line + linelen; colon_offset = -1; /* * OK, does it look like an HTTP request or response? */ reqresp_dissector = NULL; is_request_or_reply = is_http_request_or_reply((const gchar *)line, linelen, &http_type, &reqresp_dissector); if (is_request_or_reply) goto is_http; /* * No. Does it look like a blank line (as would appear * at the end of an HTTP request)? */ if (linelen == 0) goto is_http; /* Yes. */ /* * No. Does it look like a header? */ linep = line; colon_offset = offset; while (linep < lineend) { c = *linep++; /* * This must be a CHAR to be part of a token; that * means it must be ASCII. */ if (!isascii(c)) break; /* not ASCII, thus not a CHAR */ /* * This mustn't be a CTL to be part of a token. * * XXX - what about leading LWS on continuation * lines of a header? */ if (iscntrl(c)) break; /* CTL, not part of a header */ /* * This mustn't be a SEP to be part of a token; * a ':' ends the token, everything else is an * indication that this isn't a header. */ switch (c) { case '(': case ')': case '<': case '>': case '@': case ',': case ';': case '\\': case '"': case '/': case '[': case ']': case '?': case '=': case '{': case '}': case ' ': /* * It's a separator, so it's not part of a * token, so it's not a field name for the * beginning of a header. * * (We don't have to check for HT; that's * already been ruled out by "iscntrl()".) */ goto not_http; case ':': /* * This ends the token; we consider this * to be a header. */ goto is_http; default: colon_offset++; break; } } /* * We haven't seen the colon, but everything else looks * OK for a header line. * * If we've already seen an HTTP request or response * line, or a header line, and we're at the end of * the tvbuff, we assume this is an incomplete header * line. (We quit this loop after seeing a blank line, * so if we've seen a request or response line, or a * header line, this is probably more of the request * or response we're presumably seeing. There is some * risk of false positives, but the same applies for * full request or response lines or header lines, * although that's less likely.) * * We throw an exception in that case, by checking for * the existence of the next byte after the last one * in the line. If it exists, "tvb_ensure_bytes_exist()" * throws no exception, and we fall through to the * "not HTTP" case. If it doesn't exist, * "tvb_ensure_bytes_exist()" will throw the appropriate * exception. */ if (saw_req_resp_or_header) tvb_ensure_bytes_exist(tvb, offset, linelen + 1); not_http: /* * We don't consider this part of an HTTP request or * reply, so we don't display it. * (Yeah, that means we don't display, say, a text/http * page, but you can get that from the data pane.) */ break; is_http: /* * Process this line. */ if (linelen == 0) { /* * This is a blank line, which means that * whatever follows it isn't part of this * request or reply. */ proto_tree_add_text(http_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); offset = next_offset; break; } /* * Not a blank line - either a request, a reply, or a header * line. */ saw_req_resp_or_header = TRUE; if (is_request_or_reply) { if (tree) { hdr_item = proto_tree_add_text(http_tree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, next_offset - offset)); } expert_add_info_format(pinfo, hdr_item, PI_SEQUENCE, PI_CHAT, "%s", tvb_format_text(tvb, offset, next_offset - offset)); if (reqresp_dissector) { if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request); else req_tree = NULL; reqresp_dissector(tvb, req_tree, offset, line, lineend); } } else { /* * Header. */ process_header(tvb, offset, next_offset, line, linelen, colon_offset, pinfo, http_tree, &headers); } offset = next_offset; } if (tree) { switch (http_type) { case HTTP_NOTIFICATION: proto_tree_add_boolean_hidden(http_tree, hf_http_notification, tvb, 0, 0, 1); break; case HTTP_RESPONSE: proto_tree_add_boolean_hidden(http_tree, hf_http_response, tvb, 0, 0, 1); break; case HTTP_REQUEST: proto_tree_add_boolean_hidden(http_tree, hf_http_request, tvb, 0, 0, 1); break; case HTTP_OTHERS: default: break; } } /* * If a content length was supplied, the amount of data to be * processed as HTTP payload is the minimum of the content * length and the amount of data remaining in the frame. * * If no content length was supplied (or if a bad content length * was supplied), the amount of data to be processed is the amount * of data remaining in the frame. * * If there was no Content-Length entity header, we should * accumulate all data until the end of the connection. * That'd require that the TCP dissector call subdissectors * for all frames with FIN, even if they contain no data, * which would require subdissectors to deal intelligently * with empty segments. * * Acccording to RFC 2616, however, 1xx responses, 204 responses, * and 304 responses MUST NOT include a message body; if no * content length is specified for them, we don't attempt to * dissect the body. * * XXX - it says the same about responses to HEAD requests; * unless there's a way to determine from the response * whether it's a response to a HEAD request, we have to * keep information about the request and associate that with * the response in order to handle that. */ datalen = tvb_length_remaining(tvb, offset); if (headers.have_content_length && headers.content_length != -1) { if (datalen > headers.content_length) datalen = headers.content_length; /* * XXX - limit the reported length in the tvbuff we'll * hand to a subdissector to be no greater than the * content length. * * We really need both unreassembled and "how long it'd * be if it were reassembled" lengths for tvbuffs, so * that we throw the appropriate exceptions for * "not enough data captured" (running past the length), * "packet needed reassembly" (within the length but * running past the unreassembled length), and * "packet is malformed" (running past the reassembled * length). */ reported_datalen = tvb_reported_length_remaining(tvb, offset); if (reported_datalen > headers.content_length) reported_datalen = headers.content_length; } else { switch (http_type) { case HTTP_REQUEST: /* * Requests have no content if there's no * Content-Length header and no Transfer-Encoding * header. */ if (headers.transfer_encoding == NULL) datalen = 0; else reported_datalen = -1; break; case HTTP_RESPONSE: if ((stat_info->response_code/100) == 1 || stat_info->response_code == 204 || stat_info->response_code == 304) datalen = 0; /* no content! */ else { /* * XXX - responses to HEAD requests, * and possibly other responses, * "MUST NOT" include a * message-body. */ reported_datalen = -1; } break; default: /* * XXX - what about HTTP_NOTIFICATION? */ reported_datalen = -1; break; } } if (datalen > 0) { /* * There's stuff left over; process it. */ tvbuff_t *next_tvb; void *save_private_data = NULL; gint chunks_decoded = 0; /* * Create a tvbuff for the payload. * * The amount of data to be processed that's * available in the tvbuff is "datalen", which * is the minimum of the amount of data left in * the tvbuff and any specified content length. * * The amount of data to be processed that's in * this frame, regardless of whether it was * captured or not, is "reported_datalen", * which, if no content length was specified, * is -1, i.e. "to the end of the frame. */ next_tvb = tvb_new_subset(tvb, offset, datalen, reported_datalen); /* * BEWARE - next_tvb is a subset of another tvb, * so we MUST NOT attempt tvb_free(next_tvb); */ /* * Handle *transfer* encodings other than "identity". */ if (headers.transfer_encoding != NULL && strcasecmp(headers.transfer_encoding, "identity") != 0) { if (http_dechunk_body && (strncasecmp(headers.transfer_encoding, "chunked", 7) == 0)) { chunks_decoded = chunked_encoding_dissector( &next_tvb, pinfo, http_tree, 0); if (chunks_decoded <= 0) { /* * The chunks weren't reassembled, * or there was a single zero * length chunk. */ goto body_dissected; } else { /* * Add a new data source for the * de-chunked data. */ tvb_set_child_real_data_tvbuff(tvb, next_tvb); add_new_data_source(pinfo, next_tvb, "De-chunked entity body"); } } else { /* * We currently can't handle, for example, * "gzip", "compress", or "deflate" as * *transfer* encodings; just handle them * as data for now. */ call_dissector(data_handle, next_tvb, pinfo, http_tree); goto body_dissected; } } /* * At this point, any chunked *transfer* coding has been removed * (the entity body has been dechunked) so it can be presented * for the following operation (*content* encoding), or it has * been been handed off to the data dissector. * * Handle *content* encodings other than "identity" (which * shouldn't appear in a Content-Encoding header, but * we handle it in any case). */ if (headers.content_encoding != NULL && strcasecmp(headers.content_encoding, "identity") != 0) { /* * We currently can't handle, for example, "compress"; * just handle them as data for now. * * After July 7, 2004 the LZW patent expires, so support * might be added then. However, I don't think that * anybody ever really implemented "compress", due to * the aforementioned patent. */ tvbuff_t *uncomp_tvb = NULL; proto_item *e_ti = NULL; proto_tree *e_tree = NULL; if (http_decompress_body && (strcasecmp(headers.content_encoding, "gzip") == 0 || strcasecmp(headers.content_encoding, "deflate") == 0)) { uncomp_tvb = tvb_uncompress(next_tvb, 0, tvb_length(next_tvb)); } /* * Add the encoded entity to the protocol tree */ e_ti = proto_tree_add_text(http_tree, next_tvb, 0, tvb_length(next_tvb), "Content-encoded entity body (%s): %u bytes", headers.content_encoding, tvb_length(next_tvb)); e_tree = proto_item_add_subtree(e_ti, ett_http_encoded_entity); if (uncomp_tvb != NULL) { /* * Decompression worked */ /* XXX - Don't free this, since it's possible * that the data was only partially * decompressed, such as when desegmentation * isn't enabled. * tvb_free(next_tvb); */ proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb)); next_tvb = uncomp_tvb; tvb_set_child_real_data_tvbuff(tvb, next_tvb); add_new_data_source(pinfo, next_tvb, "Uncompressed entity body"); } else { if (chunks_decoded > 1) { tvb_set_child_real_data_tvbuff(tvb, next_tvb); add_new_data_source(pinfo, next_tvb, "Compressed entity body"); } call_dissector(data_handle, next_tvb, pinfo, e_tree); goto body_dissected; } } /* * Note that a new data source is added for the entity body * only if it was content-encoded and/or transfer-encoded. */ /* * Do subdissector checks. * * First, check whether some subdissector asked that they * be called if something was on some particular port. */ handle = dissector_get_port_handle(port_subdissector_table, pinfo->match_port); if (handle == NULL && headers.content_type != NULL) { /* * We didn't find any subdissector that * registered for the port, and we have a * Content-Type value. Is there any subdissector * for that content type? */ save_private_data = pinfo->private_data; if (headers.content_type_parameters) pinfo->private_data = ep_strdup(headers.content_type_parameters); else pinfo->private_data = NULL; /* * Calling the string handle for the media type * dissector table will set pinfo->match_string * to headers.content_type for us. */ pinfo->match_string = headers.content_type; handle = dissector_get_string_handle( media_type_subdissector_table, headers.content_type); } if (handle != NULL) { /* * We have a subdissector - call it. */ dissected = call_dissector(handle, next_tvb, pinfo, tree); } else { /* * We don't have a subdissector - try the heuristic * subdissectors. */ dissected = dissector_try_heuristic( heur_subdissector_list, next_tvb, pinfo, tree); } if (dissected) { /* * The subdissector dissected the body. * Fix up the top-level item so that it doesn't * include the stuff for that protocol. */ if (ti != NULL) proto_item_set_len(ti, offset); } else { if (headers.content_type != NULL) { /* * Calling the default media handle if there is a content-type that * wasn't handled above. */ call_dissector(media_handle, next_tvb, pinfo, tree); } else { /* Call the subdissector (defaults to data), otherwise. */ http_payload_subdissector(next_tvb, tree, http_tree, pinfo); } } body_dissected: /* * Do *not* attempt at freeing the private data; * it may be in use by subdissectors. */ if (save_private_data) pinfo->private_data = save_private_data; /* * We've processed "datalen" bytes worth of data * (which may be no data at all); advance the * offset past whatever data we've processed. */ offset += datalen; } tap_queue_packet(http_tap, pinfo, stat_info); return offset - orig_offset; } /* This can be used to dissect an HTTP request until such time * that a more complete dissector is written for that HTTP request. * This simple dissector only puts the request method, URI, and * protocol version into a sub-tree. */ static void basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset, const guchar *line, const guchar *lineend) { const guchar *next_token; int tokenlen; /* The first token is the method. */ tokenlen = get_token_len(line, lineend, &next_token); if (tokenlen == 0) return; proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen, FALSE); offset += next_token - line; line = next_token; /* The next token is the URI. */ tokenlen = get_token_len(line, lineend, &next_token); if (tokenlen == 0) return; stat_info->request_uri = se_strdup((gchar*) tvb_get_ephemeral_string(tvb, offset, tokenlen)); proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen, stat_info->request_uri); offset += next_token - line; line = next_token; /* Everything to the end of the line is the version. */ tokenlen = lineend - line; if (tokenlen == 0) return; proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen, FALSE); } static void basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset, const guchar *line, const guchar *lineend) { const guchar *next_token; int tokenlen; gchar response_chars[4]; /* The first token is the version. */ tokenlen = get_token_len(line, lineend, &next_token); if (tokenlen == 0) return; proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen, FALSE); offset += next_token - line; line = next_token; /* The next token is the status code. */ tokenlen = get_token_len(line, lineend, &next_token); if (tokenlen < 3) return; memcpy(response_chars, line, 3); response_chars[3] = '\0'; stat_info->response_code = strtoul(response_chars,NULL,10); proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3, stat_info->response_code); } /* * Dissect the http data chunks and add them to the tree. */ static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo, proto_tree *tree, int offset) { guint8 *chunk_string = NULL; guint32 chunk_size = 0; gint chunk_offset = 0; guint32 datalen = 0; gint linelen = 0; gint chunks_decoded = 0; tvbuff_t *tvb = NULL; tvbuff_t *new_tvb = NULL; gint chunked_data_size = 0; proto_tree *subtree = NULL; proto_item *ti = NULL; if (tvb_ptr == NULL || *tvb_ptr == NULL) { return 0; } tvb = *tvb_ptr; datalen = tvb_reported_length_remaining(tvb, offset); if (tree) { ti = proto_tree_add_text(tree, tvb, offset, datalen, "HTTP chunked response"); subtree = proto_item_add_subtree(ti, ett_http_chunked_response); } while (datalen != 0) { proto_item *chunk_ti = NULL; proto_tree *chunk_subtree = NULL; tvbuff_t *data_tvb = NULL; gchar *c = NULL; guint8 *raw_data; gint raw_len = 0; linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE); if (linelen <= 0) { /* Can't get the chunk size line */ break; } chunk_string = tvb_get_ephemeral_string(tvb, offset, linelen); if (chunk_string == NULL) { /* Can't get the chunk size line */ break; } c = (gchar*) chunk_string; /* * We don't care about the extensions. */ if ((c = strchr(c, ';'))) { *c = '\0'; } if ( ( chunk_size = strtol((gchar*)chunk_string, NULL, 16) ) == 0 ) { break; } if (chunk_size > datalen) { /* * The chunk size is more than what's in the tvbuff, * so either the user hasn't enabled decoding, or all * of the segments weren't captured. */ chunk_size = datalen; } /* * chunk_size is guaranteed to be >0 from here on */ #if 0 else if (new_tvb == NULL) { new_tvb = tvb_new_composite(); } if (new_tvb != NULL && chunk_size != 0) { tvbuff_t *chunk_tvb = NULL; chunk_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, datalen); tvb_composite_append(new_tvb, chunk_tvb); } #endif chunked_data_size += chunk_size; raw_data = g_malloc(chunked_data_size); raw_len = 0; if (new_tvb != NULL) { raw_len = tvb_length_remaining(new_tvb, 0); tvb_memcpy(new_tvb, raw_data, 0, raw_len); tvb_free(new_tvb); } tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len), chunk_offset, chunk_size); new_tvb = tvb_new_real_data(raw_data, chunked_data_size, chunked_data_size); tvb_set_free_cb(new_tvb, g_free); if (subtree) { chunk_ti = proto_tree_add_text(subtree, tvb, offset, chunk_offset - offset + chunk_size + 2, "Data chunk (%u octets)", chunk_size); chunk_subtree = proto_item_add_subtree(chunk_ti, ett_http_chunk_data); proto_tree_add_text(chunk_subtree, tvb, offset, chunk_offset - offset, "Chunk size: %u octets", chunk_size); data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, datalen); /* * XXX - just use "proto_tree_add_text()"? * This means that, in TShark, you get * the entire chunk dumped out in hex, * in addition to whatever dissection is * done on the reassembled data. */ call_dissector(data_handle, data_tvb, pinfo, chunk_subtree); proto_tree_add_text(chunk_subtree, tvb, chunk_offset + chunk_size, 2, "Chunk boundary"); } chunks_decoded++; offset = chunk_offset + chunk_size + 2; datalen = tvb_reported_length_remaining(tvb, offset); } if (new_tvb != NULL) { /* Placeholder for the day that composite tvbuffer's will work. tvb_composite_finalize(new_tvb); / * tvb_set_reported_length(new_tvb, chunked_data_size); * / */ /* * XXX - Don't free this, since the tvbuffer that was passed * may be used if the data spans multiple frames and reassembly * isn't enabled. * tvb_free(*tvb_ptr); */ *tvb_ptr = new_tvb; } else { /* * We didn't create a new tvb, so don't allow sub dissectors * try to decode the non-existant entity body. */ chunks_decoded = -1; } return chunks_decoded; } static void http_payload_subdissector(tvbuff_t *next_tvb, proto_tree *tree, proto_tree *sub_tree, packet_info *pinfo) { /* tree = the main protocol tree that the subdissector would be listed in * sub_tree = the http protocol tree */ guint32 *ptr; struct tcpinfo *tcpinfo = pinfo->private_data; struct tcp_analysis *tcpd=NULL; gchar **strings; /* An array for splitting the request URI into hostname and port */ /* Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */ if(stat_info->request_uri && stat_info->response_code == 200 && stat_info->request_method && strncmp(stat_info->request_method, "CONNECT", 7) == 0) { /* Call a subdissector to handle HTTP CONNECT's traffic */ tcpd=get_tcp_conversation_data(pinfo); /* Grab the destination port number from the request URI to find the right subdissector */ strings = g_strsplit(stat_info->request_uri, ":", 2); if(strings[0] != NULL && strings[1] != NULL) { /* The string was successfuly split in two */ proto_tree_add_text(sub_tree, next_tvb, 0, 0, "Proxy connect hostname: %s", strings[0]); proto_tree_add_text(sub_tree, next_tvb, 0, 0, "Proxy connect port: %s", strings[1]); /* Replaces the pinfo->destport or srcport with the port the http connect was done to */ /* pinfo->srcport and destport are guint32 variables (epan/packet_info.h) */ if (pinfo->destport == HTTP_PORTS) ptr = &pinfo->destport; else ptr = &pinfo->srcport; *ptr = (int)strtol(strings[1], NULL, 10); /* Convert string to a base-10 integer */ dissect_tcp_payload(next_tvb, pinfo, 0, tcpinfo->seq, /* 0 = offset */ tcpinfo->nxtseq, pinfo->srcport, pinfo->destport, tree, tree, tcpd); } g_strfreev(strings); /* Free the result of g_strsplit() above */ } else { /* Call the default data dissector */ call_dissector(data_handle, next_tvb, pinfo, sub_tree); } } /* * XXX - this won't handle HTTP 0.9 replies, but they're all data * anyway. */ static int is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type, ReqRespDissector *reqresp_dissector) { int isHttpRequestOrReply = FALSE; int prefix_len = 0; /* * From RFC 2774 - An HTTP Extension Framework * * Support the command prefix that identifies the presence of * a "mandatory" header. */ if (linelen >= 2 && strncmp(data, "M-", 2) == 0) { data += 2; linelen -= 2; prefix_len = 2; } /* * From draft-cohen-gena-client-01.txt, available from the uPnP forum: * NOTIFY, SUBSCRIBE, UNSUBSCRIBE * * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft: * SEARCH */ if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) { *type = HTTP_RESPONSE; isHttpRequestOrReply = TRUE; /* response */ if (reqresp_dissector) *reqresp_dissector = basic_response_dissector; } else { const guchar * ptr = (const guchar *)data; int index = 0; /* Look for the space following the Method */ while (index < linelen) { if (*ptr == ' ') break; else { ptr++; index++; } } /* Check the methods that have same length */ switch (index) { case 3: if (strncmp(data, "GET", index) == 0 || strncmp(data, "PUT", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "ICY", index) == 0) { *type = HTTP_RESPONSE; isHttpRequestOrReply = TRUE; } break; case 4: if (strncmp(data, "COPY", index) == 0 || strncmp(data, "HEAD", index) == 0 || strncmp(data, "LOCK", index) == 0 || strncmp(data, "MOVE", index) == 0 || strncmp(data, "POLL", index) == 0 || strncmp(data, "POST", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 5: if (strncmp(data, "BCOPY", index) == 0 || strncmp(data, "BMOVE", index) == 0 || strncmp(data, "MKCOL", index) == 0 || strncmp(data, "TRACE", index) == 0 || strncmp(data, "LABEL", index) == 0 || /* RFC 3253 8.2 */ strncmp(data, "MERGE", index) == 0) { /* RFC 3253 11.2 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 6: if (strncmp(data, "DELETE", index) == 0 || strncmp(data, "SEARCH", index) == 0 || strncmp(data, "UNLOCK", index) == 0 || strncmp(data, "REPORT", index) == 0 || /* RFC 3253 3.6 */ strncmp(data, "UPDATE", index) == 0) { /* RFC 3253 7.1 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "NOTIFY", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } break; case 7: if (strncmp(data, "BDELETE", index) == 0 || strncmp(data, "CONNECT", index) == 0 || strncmp(data, "OPTIONS", index) == 0 || strncmp(data, "CHECKIN", index) == 0) { /* RFC 3253 4.4, 9.4 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 8: if (strncmp(data, "PROPFIND", index) == 0 || strncmp(data, "CHECKOUT", index) == 0 || /* RFC 3253 4.3, 9.3 */ strncmp(data, "CCM_POST", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 9: if (strncmp(data, "SUBSCRIBE", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "PROPPATCH", index) == 0 || strncmp(data, "BPROPFIND", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 10: if (strncmp(data, "BPROPPATCH", index) == 0 || strncmp(data, "UNCHECKOUT", index) == 0 || /* RFC 3253 4.5 */ strncmp(data, "MKACTIVITY", index) == 0) { /* RFC 3253 13.5 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 11: if (strncmp(data, "MKWORKSPACE", index) == 0) { /* RFC 3253 6.3 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "RPC_CONNECT", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 15: if (strncmp(data, "VERSION-CONTROL", index) == 0) { /* RFC 3253 3.5 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 16: if (strncmp(data, "BASELINE-CONTROL", index) == 0) { /* RFC 3253 12.6 */ *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; default: break; } if (isHttpRequestOrReply && reqresp_dissector) { *reqresp_dissector = basic_request_dissector; if (!stat_info->request_method) stat_info->request_method = se_strndup(data, index+1); } } return isHttpRequestOrReply; } /* * Process headers. */ typedef struct { const char *name; gint *hf; int special; } header_info; #define HDR_NO_SPECIAL 0 #define HDR_AUTHORIZATION 1 #define HDR_AUTHENTICATE 2 #define HDR_CONTENT_TYPE 3 #define HDR_CONTENT_LENGTH 4 #define HDR_CONTENT_ENCODING 5 #define HDR_TRANSFER_ENCODING 6 #define HDR_HOST 7 static const header_info headers[] = { { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION }, { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION }, { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE }, { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE }, { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE }, { "Content-Length", &hf_http_content_length, HDR_CONTENT_LENGTH }, { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING }, { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING }, { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL }, { "Host", &hf_http_host, HDR_HOST }, { "Connection", &hf_http_connection, HDR_NO_SPECIAL }, { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL }, { "Accept", &hf_http_accept, HDR_NO_SPECIAL }, { "Referer", &hf_http_referer, HDR_NO_SPECIAL }, { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL }, { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL }, { "Date", &hf_http_date, HDR_NO_SPECIAL }, { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL }, { "Server", &hf_http_server, HDR_NO_SPECIAL }, { "Location", &hf_http_location, HDR_NO_SPECIAL }, { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL }, { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL }, { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL }, }; static void process_header(tvbuff_t *tvb, int offset, int next_offset, const guchar *line, int linelen, int colon_offset, packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr) { int len; int line_end_offset; int header_len; gint hf_index; guchar c; int value_offset; int value_len; char *value; char *p; guchar *up; proto_item *hdr_item; int i; len = next_offset - offset; line_end_offset = offset + linelen; header_len = colon_offset - offset; hf_index = find_header_hf_value(tvb, offset, header_len); if (hf_index == -1) { /* * Not a header we know anything about. Just put it into * the tree as text. */ if (tree) { proto_tree_add_text(tree, tvb, offset, len, "%s", format_text(line, len)); } } else { /* * Skip whitespace after the colon. */ value_offset = colon_offset + 1; while (value_offset < line_end_offset && ((c = line[value_offset - offset]) == ' ' || c == '\t')) value_offset++; /* * Fetch the value. */ value_len = line_end_offset - value_offset; value = ep_strndup(&line[value_offset - offset], value_len); /* * Add it to the protocol tree as a particular field, * but display the line as is. */ if (tree) { header_field_info *hfinfo; guint32 tmp; hfinfo = proto_registrar_get_nth(*headers[hf_index].hf); switch(hfinfo->type){ case FT_UINT8: case FT_UINT16: case FT_UINT24: case FT_UINT32: case FT_INT8: case FT_INT16: case FT_INT24: case FT_INT32: tmp=strtol(value, NULL, 10); hdr_item = proto_tree_add_uint(tree, *headers[hf_index].hf, tvb, offset, len, tmp); break; default: hdr_item = proto_tree_add_string_format(tree, *headers[hf_index].hf, tvb, offset, len, value, "%s", format_text(line, len)); } } else hdr_item = NULL; /* * Do any special processing that particular headers * require. */ switch (headers[hf_index].special) { case HDR_AUTHORIZATION: if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value)) break; /* dissected NTLMSSP */ check_auth_basic(hdr_item, tvb, value); break; case HDR_AUTHENTICATE: check_auth_ntlmssp(hdr_item, tvb, pinfo, value); break; case HDR_CONTENT_TYPE: eh_ptr->content_type = (gchar*) ep_memdup((guint8*)value,value_len + 1); for (i = 0; i < value_len; i++) { c = value[i]; if (c == ';' || isspace(c)) { /* * End of subtype - either * white space or a ";" * separating the subtype from * a parameter. */ break; } /* * Map the character to lower case; * content types are case-insensitive. */ eh_ptr->content_type[i] = tolower(eh_ptr->content_type[i]); } eh_ptr->content_type[i] = '\0'; /* * Now find the start of the optional parameters; * skip the optional white space and the semicolon * if this has not been done before. */ i++; while (i < value_len) { c = eh_ptr->content_type[i]; if (c == ';' || isspace(c)) /* Skip till start of parameters */ i++; else break; } if (i < value_len) eh_ptr->content_type_parameters = eh_ptr->content_type + i; else eh_ptr->content_type_parameters = NULL; break; case HDR_CONTENT_LENGTH: eh_ptr->content_length = strtol(value, &p, 10); up = (guchar *)p; if (eh_ptr->content_length < 0 || p == value || (*up != '\0' && !isspace(*up))) { /* * Content length not valid; pretend * we don't have it. */ eh_ptr->have_content_length = FALSE; } else { /* * We do have a valid content length. */ eh_ptr->have_content_length = TRUE; } break; case HDR_CONTENT_ENCODING: eh_ptr->content_encoding = ep_strndup(value, value_len); break; case HDR_TRANSFER_ENCODING: eh_ptr->transfer_encoding = ep_strndup(value, value_len); break; case HDR_HOST: stat_info->http_host = se_strndup(value, value_len); break; } } } /* Returns index of header tag in headers */ static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len) { guint i; for (i = 0; i < array_length(headers); i++) { if (header_len == strlen(headers[i].name) && tvb_strncaseeql(tvb, offset, headers[i].name, header_len) == 0) return i; } return -1; } /* * Dissect Microsoft's abomination called NTLMSSP over HTTP. */ static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, gchar *value) { static const char *ntlm_headers[] = { "NTLM ", "Negotiate ", NULL }; const char **header; size_t hdrlen; proto_tree *hdr_tree; /* * Check for NTLM credentials and challenge; those can * occur with WWW-Authenticate. */ for (header = &ntlm_headers[0]; *header != NULL; header++) { hdrlen = strlen(*header); if (strncmp(value, *header, hdrlen) == 0) { if (hdr_item != NULL) { hdr_tree = proto_item_add_subtree(hdr_item, ett_http_ntlmssp); } else hdr_tree = NULL; value += hdrlen; dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value); return TRUE; } } return FALSE; } /* * Dissect HTTP Basic authorization. */ static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value) { static const char *basic_headers[] = { "Basic ", NULL }; const char **header; size_t hdrlen; proto_tree *hdr_tree; size_t len; for (header = &basic_headers[0]; *header != NULL; header++) { hdrlen = strlen(*header); if (strncmp(value, *header, hdrlen) == 0) { if (hdr_item != NULL) { hdr_tree = proto_item_add_subtree(hdr_item, ett_http_ntlmssp); } else hdr_tree = NULL; value += hdrlen; len = epan_base64_decode(value); value[len] = '\0'; proto_tree_add_string(hdr_tree, hf_http_basic, tvb, 0, 0, value); return TRUE; } } return FALSE; } static void dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { int offset = 0; int len; while (tvb_reported_length_remaining(tvb, offset) != 0) { len = dissect_http_message(tvb, offset, pinfo, tree); if (len == -1) break; offset += len; /* * OK, we've set the Protocol and Info columns for the * first HTTP message; make the columns non-writable, * so that we don't change it for subsequent HTTP messages. */ col_set_writable(pinfo->cinfo, FALSE); } } static void dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { dissect_http_message(tvb, 0, pinfo, tree); } static void reinit_http(void) { if ( http_alternate_tcp_port != alternate_tcp_port ) { if (alternate_tcp_port) dissector_delete("tcp.port", alternate_tcp_port, http_handle ); if (http_alternate_tcp_port) dissector_add("tcp.port", http_alternate_tcp_port, http_handle); alternate_tcp_port = http_alternate_tcp_port; } } void proto_register_http(void) { static hf_register_info hf[] = { { &hf_http_notification, { "Notification", "http.notification", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP notification", HFILL }}, { &hf_http_response, { "Response", "http.response", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP response", HFILL }}, { &hf_http_request, { "Request", "http.request", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP request", HFILL }}, { &hf_http_basic, { "Credentials", "http.authbasic", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_http_request_method, { "Request Method", "http.request.method", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Request Method", HFILL }}, { &hf_http_request_uri, { "Request URI", "http.request.uri", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Request-URI", HFILL }}, { &hf_http_version, { "Request Version", "http.request.version", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Request HTTP-Version", HFILL }}, { &hf_http_response_code, { "Response Code", "http.response.code", FT_UINT16, BASE_DEC, NULL, 0x0, "HTTP Response Code", HFILL }}, { &hf_http_authorization, { "Authorization", "http.authorization", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Authorization header", HFILL }}, { &hf_http_proxy_authenticate, { "Proxy-Authenticate", "http.proxy_authenticate", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Proxy-Authenticate header", HFILL }}, { &hf_http_proxy_authorization, { "Proxy-Authorization", "http.proxy_authorization", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Proxy-Authorization header", HFILL }}, { &hf_http_www_authenticate, { "WWW-Authenticate", "http.www_authenticate", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP WWW-Authenticate header", HFILL }}, { &hf_http_content_type, { "Content-Type", "http.content_type", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Content-Type header", HFILL }}, { &hf_http_content_length, { "Content-Length", "http.content_length", FT_UINT32, BASE_DEC, NULL, 0x0, "HTTP Content-Length header", HFILL }}, { &hf_http_content_encoding, { "Content-Encoding", "http.content_encoding", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Content-Encoding header", HFILL }}, { &hf_http_transfer_encoding, { "Transfer-Encoding", "http.transfer_encoding", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Transfer-Encoding header", HFILL }}, { &hf_http_user_agent, { "User-Agent", "http.user_agent", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP User-Agent header", HFILL }}, { &hf_http_host, { "Host", "http.host", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Host", HFILL }}, { &hf_http_connection, { "Connection", "http.connection", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Connection", HFILL }}, { &hf_http_cookie, { "Cookie", "http.cookie", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Cookie", HFILL }}, { &hf_http_accept, { "Accept", "http.accept", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Accept", HFILL }}, { &hf_http_referer, { "Referer", "http.referer", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Referer", HFILL }}, { &hf_http_accept_language, { "Accept-Language", "http.accept_language", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Accept Language", HFILL }}, { &hf_http_accept_encoding, { "Accept Encoding", "http.accept_encoding", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Accept Encoding", HFILL }}, { &hf_http_date, { "Date", "http.date", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Date", HFILL }}, { &hf_http_cache_control, { "Cache-Control", "http.cache_control", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Cache Control", HFILL }}, { &hf_http_server, { "Server", "http.server", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Server", HFILL }}, { &hf_http_location, { "Location", "http.location", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Location", HFILL }}, { &hf_http_set_cookie, { "Set-Cookie", "http.set_cookie", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Set Cookie", HFILL }}, { &hf_http_last_modified, { "Last-Modified", "http.last_modified", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Last Modified", HFILL }}, { &hf_http_x_forwarded_for, { "X-Forwarded-For", "http.x_forwarded_for", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP X-Forwarded-For", HFILL }}, }; static gint *ett[] = { &ett_http, &ett_http_ntlmssp, &ett_http_request, &ett_http_chunked_response, &ett_http_chunk_data, &ett_http_encoded_entity, }; module_t *http_module; proto_http = proto_register_protocol("Hypertext Transfer Protocol", "HTTP", "http"); proto_register_field_array(proto_http, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); register_dissector("http", dissect_http, proto_http); http_module = prefs_register_protocol(proto_http, reinit_http); prefs_register_bool_preference(http_module, "desegment_headers", "Reassemble HTTP headers spanning multiple TCP segments", "Whether the HTTP dissector should reassemble headers " "of a request spanning multiple TCP segments. " "To use this option, you must also enable " "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", &http_desegment_headers); prefs_register_bool_preference(http_module, "desegment_body", "Reassemble HTTP bodies spanning multiple TCP segments", "Whether the HTTP dissector should use the " "\"Content-length:\" value, if present, to reassemble " "the body of a request spanning multiple TCP segments, " "and reassemble chunked data spanning multiple TCP segments. " "To use this option, you must also enable " "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", &http_desegment_body); prefs_register_bool_preference(http_module, "dechunk_body", "Reassemble chunked transfer-coded bodies", "Whether to reassemble bodies of entities that are transfered " "using the \"Transfer-Encoding: chunked\" method", &http_dechunk_body); #ifdef HAVE_LIBZ prefs_register_bool_preference(http_module, "decompress_body", "Uncompress entity bodies", "Whether to uncompress entity bodies that are compressed " "using \"Content-Encoding: \"", &http_decompress_body); #endif prefs_register_uint_preference(http_module, "tcp_alternate_port", "Alternate TCP port", "Decode packets on this TCP port as HTTP", 10,&http_alternate_tcp_port); http_handle = create_dissector_handle(dissect_http, proto_http); /* * Dissectors shouldn't register themselves in this table; * instead, they should call "http_dissector_add()", and * we'll register the port number they specify as a port * for HTTP, and register them in our subdissector table. * * This only works for protocols such as IPP that run over * HTTP on a specific non-HTTP port. */ port_subdissector_table = register_dissector_table("http.port", "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC); /* * Dissectors can register themselves in this table. * It's just "media_type", not "http.content_type", because * it's an Internet media type, usable by other protocols as well. */ media_type_subdissector_table = register_dissector_table("media_type", "Internet media type", FT_STRING, BASE_NONE); /* * Heuristic dissectors SHOULD register themselves in * this table using the standard heur_dissector_add() * function. */ register_heur_dissector_list("http", &heur_subdissector_list); /* * Register for tapping */ http_tap = register_tap("http"); } /* * Called by dissectors for protocols that run atop HTTP/TCP. */ void http_dissector_add(guint32 port, dissector_handle_t handle) { /* * Register ourselves as the handler for that port number * over TCP. */ dissector_add("tcp.port", port, http_handle); /* * And register them in *our* table for that port. */ dissector_add("http.port", port, handle); } void proto_reg_handoff_http(void) { dissector_handle_t http_udp_handle; data_handle = find_dissector("data"); media_handle = find_dissector("media"); dissector_add("tcp.port", TCP_PORT_HTTP, http_handle); dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle); dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle); dissector_add("tcp.port", TCP_RADAN_HTTP, http_handle); dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle); dissector_add("tcp.port", TCP_PORT_HKP, http_handle); /* * XXX - is there anything to dissect in the body of an SSDP * request or reply? I.e., should there be an SSDP dissector? */ dissector_add("tcp.port", TCP_PORT_SSDP, http_handle); http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http); dissector_add("udp.port", UDP_PORT_SSDP, http_udp_handle); ntlmssp_handle = find_dissector("ntlmssp"); gssapi_handle = find_dissector("gssapi"); stats_tree_register("http","http","HTTP/Packet Counter", http_stats_tree_packet, http_stats_tree_init, NULL ); stats_tree_register("http","http_req","HTTP/Requests", http_req_stats_tree_packet, http_req_stats_tree_init, NULL ); stats_tree_register("http","http_srv","HTTP/Load Distribution",http_reqs_stats_tree_packet,http_reqs_stats_tree_init, NULL ); } /* * Content-Type: message/http */ static gint proto_message_http = -1; static gint ett_message_http = -1; static dissector_handle_t message_http_handle; static void dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_tree *subtree; proto_item *ti; gint offset = 0, next_offset; gint len; if (check_col(pinfo->cinfo, COL_INFO)) col_append_str(pinfo->cinfo, COL_INFO, " (message/http)"); if (tree) { ti = proto_tree_add_item(tree, proto_message_http, tvb, 0, -1, FALSE); subtree = proto_item_add_subtree(ti, ett_message_http); while (tvb_reported_length_remaining(tvb, offset) != 0) { len = tvb_find_line_end(tvb, offset, tvb_ensure_length_remaining(tvb, offset), &next_offset, FALSE); if (len == -1) break; proto_tree_add_text(subtree, tvb, offset, next_offset - offset, "%s", tvb_format_text(tvb, offset, len)); offset = next_offset; } } } void proto_register_message_http(void) { static gint *ett[] = { &ett_message_http, }; proto_message_http = proto_register_protocol( "Media Type: message/http", "message/http", "message-http" ); proto_register_subtree_array(ett, array_length(ett)); } void proto_reg_handoff_message_http(void) { message_http_handle = create_dissector_handle(dissect_message_http, proto_message_http); dissector_add_string("media_type", "message/http", message_http_handle); }