authorPeter Wu <lekensteyn@gmail.com>2013-12-24 12:52:30 +0100
committerPeter Wu <lekensteyn@gmail.com>2013-12-24 12:52:30 +0100
commitc234f2db5c2f9a6e046829107d538b2495a39d62 (patch)
treee0527282cc55cc106701c378ebd6a8b7fd1f8e18
parent8cbcfcf6a406b9c79f222c2d217e3b1ddf0e9240 (diff)
Add dissector for Clash of Clans protocol
Stash from 9 December 2013 (not updated since), dissector started on 30 November 2013. Earliest capture is from 5 October 2013.
-rw-r--r--doc/packet-PROTOABBREV.c4
-rw-r--r--epan/CMakeLists.txt1
-rw-r--r--epan/dissectors/Makefile.common1
-rw-r--r--epan/dissectors/packet-coc.c233
4 files changed, 238 insertions, 1 deletions
diff --git a/doc/packet-PROTOABBREV.c b/doc/packet-PROTOABBREV.c
index 625e165349..9ff75ac3e2 100644
--- a/doc/packet-PROTOABBREV.c
+++ b/doc/packet-PROTOABBREV.c
@@ -215,7 +215,9 @@ proto_register_PROTOABBREV(void)
/* Setup protocol expert items */
static ei_register_info ei[] = {
- { &ei_PROTOABBREV_EXPERTABBREV, { "PROTOABBREV.EXPERTABBREV", PI_SEVERITY, PI_GROUP, "EXPERTDESCR", EXPFILL }},
+ /* see epan/expert.h for possible values for PI_GROUP
+ * (expert_group_vals) and PI_SEVERITY (expert_severity_vals) */
+ { &ei_PROTOABBREV_EXPERTABBREV, { "PROTOABBREV.EXPERTABBREV", PI_GROUP, PI_SEVERITY, "EXPERTDESCR", EXPFILL }},
};
/* Register the protocol name and description */
diff --git a/epan/CMakeLists.txt b/epan/CMakeLists.txt
index ababa4df4b..4dce4255b1 100644
--- a/epan/CMakeLists.txt
+++ b/epan/CMakeLists.txt
@@ -464,6 +464,7 @@ set(DISSECTOR_SRC
dissectors/packet-cmpp.c
dissectors/packet-cnip.c
dissectors/packet-coap.c
+ dissectors/packet-coc.c
dissectors/packet-collectd.c
dissectors/packet-componentstatus.c
dissectors/packet-cops.c
diff --git a/epan/dissectors/Makefile.common b/epan/dissectors/Makefile.common
index 37d626201f..47cd00459d 100644
--- a/epan/dissectors/Makefile.common
+++ b/epan/dissectors/Makefile.common
@@ -385,6 +385,7 @@ DISSECTOR_SRC = \
packet-cmpp.c \
packet-cnip.c \
packet-coap.c \
+ packet-coc.c \
packet-collectd.c \
packet-componentstatus.c \
packet-cops.c \
diff --git a/epan/dissectors/packet-coc.c b/epan/dissectors/packet-coc.c
new file mode 100644
index 0000000000..e447861ecd
--- /dev/null
+++ b/epan/dissectors/packet-coc.c
@@ -0,0 +1,233 @@
+/* packet-coc.c
+ * Routines for Clash of Clans dissection
+ * Copyright 2013, Peter Wu <lekensteyn@gmail.com>
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <glib.h>
+
+#include <epan/packet.h>
+#include <epan/expert.h>
+#include "packet-tcp.h"
+
+/* find duplicate IDs:
+awk -F'[,{ ]*' < epan/dissectors/packet-coc.c '/value_string/{p=1}p{if(/^}/)exit;if($2 ~ /^0x/)print $2}' | sort | uniq -d
+*/
+
+const value_string types[] = {
+ { 0x2775, "Request: login?"}, // always the same for every time the program opens
+ /* ???? while viewing battle log of clan */
+ { 0x277c, "Req: 0x277c? req for 0x4e8c" }, /* 0 bytes, every 30s while in attack log of clan */
+ //{ 0x2781, "Resp: update check result?" }, // 36 bytes sent by client [5 Oct]
+ { 0x2910, "Req: ?"},
+ { 0x3715, "Req: refresh own village details" }, /* response: 0x5e25, 0 bytes */
+ { 0x371a, "Req: attack via defender log (vengeance)" },
+ /* 12 byte per "click" (elixer/gold claim/gravestones cleanup); insert unit
+ * in battle */
+ { 0x3716, "Req: pos update+actions" },
+ { 0x3721, "Req: ? 8 bytes, while typing msg battle log " }, /* shown while typing msg for "share battle" */
+ /* shown when pressing "show battle" from defender log, but also when having
+ * enemy open (just attacked it, now visiting it and looking around) */
+ { 0x3722, "Req: show battle" }, /* response: 0x5e32 */
+ /* while in battle log of clan, a few seconds before it ends */
+ { 0x37e6, "Req: 12 bytes" }, /* results in 0x5e2f? */
+ { 0x37eb, "Send chat message" },
+ { 0x4e87, "Resp: server maintenance" }, /* response to 0x2775, always 28 bytes */
+ { 0x4e88, "Resp: login?"},
+ { 0x4e89, "Resp: (5+6 after login)??"},
+ { 0x4e8c, "Resp: 0x4e8c? resp for 0227c" }, /* 0 bytes */
+ /* first after login; shown when clicking "Stop" at countdown for vengeance */
+ { 0x5e25, "Resp: own village details update" }, /* response to 0x3715; e.g. 14234, 14235 bytes */
+ /* return to home from battle log; cancel vengeance countdown (defender) */
+ { 0x5e27, "Resp: vengeance not possible, player is online" },
+ { 0x5e2b, "Resp: village details of enemy" }, /* via vengeance "attack", "skip attack", varying size, seen 12028, 16370, others */
+ { 0x5e2f, "Resp: new unit recruited??" }, /* got this from svr three times in two seconds when at recruit screen, also switching between buildings */
+ { 0x5e31, "Resp: ? 19047 bytes, while typing msg battle log" }, /* shown while typing msg for "share battle", resp to 0x3721 */
+ { 0x5e32, "Resp: view attack log (as defender)" },
+ { 0x5ef7, "Resp: (2 after login)??"},
+ //{ 0x5ef8, "Resp: update check?" }, // see below[5 Oct]
+ { 0x5ef8, "Resp: clan update? New troops received?" },
+ { 0x5efe, "Recv chat message" }, /* actually, confirms message above; 8 bytes for "plz donate troops counter increased"? */
+ { 0x5f5b, "Resp: (4 after login)??"},
+ { 0x5f62, "Resp: 0x5f62??" }, /* not really 'resp', but svr send 8 bytes to us, after 3 seconds client send 0x3715*/
+ /* in one case 2.6 sec after getting enemy village details (attack, 0x5e2b); ??? sync maybe? Also notifies when new troops received */
+ { 0x608b, "Resp: sync client state?" }, /* varying size */
+ { 0x0000, NULL }
+};
+/*
+ * 0x2775 Login req: always 441 bytes, the same data
+ * 0x4e88 Login resp: always 347 bytes, different data:
+ * - 103 bytes the same
+ * Note: share battle report did not immediately send report.
+ * Building did not increase the size of the 0x3716 request (12 bytes)
+ *
+ * 3 seconds after receiving last 0x608b message from svr (game is already
+ * closed for 40 seconds), svr sends FIN/ACK.
+ */
+
+void proto_reg_handoff_coc(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_coc = -1;
+static int hf_coc_type = -1;
+static int hf_coc_len = -1;
+static int hf_coc_other = -1;
+static int hf_coc_data = -1;
+static expert_field ei_coc_type_unknown = EI_INIT;
+static expert_field ei_coc_type_notsure = EI_INIT;
+
+#define COC_PORT 9339
+
+/* Initialize the subtree pointers */
+static gint ett_coc = -1;
+
+/* header: type (2 bytes), length (3 bytes), other (2 bytes) */
+#define COC_HDR_LENGTH 7
+
+static int
+dissect_coc_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ void *data _U_)
+{
+ proto_item *ti, *pi_type;
+ proto_tree *coc_tree;
+
+ guint type;
+ const gchar *type_str;
+ guint data_len;
+ guint offset = 0;
+
+ /*** COLUMN DATA ***/
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "CoC");
+
+ type = tvb_get_ntohs(tvb, 0);
+ data_len = tvb_get_ntoh24(tvb, 2);
+ col_add_fstr(pinfo->cinfo, COL_INFO,
+ "%s, %u bytes", val_to_str(type, types, "Unknown type %04x"), data_len);
+
+ /*** PROTOCOL TREE ***/
+ ti = proto_tree_add_item(tree, proto_coc, tvb, 0, -1, ENC_NA);
+
+ coc_tree = proto_item_add_subtree(ti, ett_coc);
+
+ pi_type = proto_tree_add_item(coc_tree, hf_coc_type, tvb, offset, 2, ENC_BIG_ENDIAN);
+ type_str = try_val_to_str(type, types);
+ if (type_str == NULL) {
+ expert_add_info(pinfo, pi_type, &ei_coc_type_unknown);
+ } else if (type_str[0] == '?') {
+ expert_add_info(pinfo, pi_type, &ei_coc_type_notsure);
+ }
+ offset += 2;
+ proto_tree_add_item(coc_tree, hf_coc_len, tvb, offset, 3, ENC_BIG_ENDIAN);
+ offset += 3;
+ proto_tree_add_item(coc_tree, hf_coc_other, tvb, offset, 2, ENC_BIG_ENDIAN);
+ offset += 2;
+ proto_tree_add_item(coc_tree, hf_coc_data, tvb, offset, data_len, ENC_NA);
+
+ return tvb_length(tvb);
+}
+
+static guint
+get_coc_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
+{
+ return COC_HDR_LENGTH + tvb_get_ntoh24(tvb, offset + 2);
+}
+
+static int
+dissect_coc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+{
+ tcp_dissect_pdus(tvb, pinfo, tree, TRUE, COC_HDR_LENGTH,
+ get_coc_pdu_len, dissect_coc_common, data);
+ return tvb_length(tvb);
+}
+
+void
+proto_register_coc(void)
+{
+ expert_module_t *expert_coc;
+ static hf_register_info hf[] = {
+ { &hf_coc_type,
+ { "Type", "coc.type",
+ FT_UINT16, BASE_HEX, VALS(types), 0x0,
+ "Packet type", HFILL }
+ },
+ { &hf_coc_len,
+ { "Length", "coc.len",
+ FT_UINT24, BASE_DEC, NULL, 0x0,
+ "Data length", HFILL }
+ },
+ { &hf_coc_other,
+ { "Other", "coc.len",
+ FT_UINT16, BASE_HEX, NULL, 0x0,
+ "Unknown data field, version?", HFILL }
+ },
+ { &hf_coc_data,
+ { "Data", "coc.data",
+ FT_BYTES, BASE_NONE, NULL, 0x0,
+ "Packet data", HFILL }
+ },
+ };
+
+ /* Setup protocol subtree array */
+ static gint *ett[] = {
+ &ett_coc
+ };
+
+ static ei_register_info ei[] = {
+ { &ei_coc_type_unknown, { "coc.type.unknown", PI_UNDECODED, PI_WARN, "Unknown type", EXPFILL }},
+ { &ei_coc_type_notsure, { "coc.type.notsure", PI_UNDECODED, PI_NOTE, "Uncertain type", EXPFILL }},
+ };
+
+ /* Register the protocol name and description */
+ proto_coc = proto_register_protocol("Clash of Clans",
+ "CoC", "coc");
+
+ /* Required function calls to register the header fields and subtrees */
+ proto_register_field_array(proto_coc, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ expert_coc = expert_register_protocol(proto_coc);
+ expert_register_field_array(expert_coc, ei, array_length(ei));
+}
+
+void
+proto_reg_handoff_coc(void)
+{
+ dissector_handle_t coc_handle;
+
+ coc_handle = new_create_dissector_handle(dissect_coc, proto_coc);
+ dissector_add_uint("tcp.port", COC_PORT, coc_handle);
+}
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 4
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=4 tabstop=8 expandtab:
+ * :indentSize=4:tabSize=8:noTabs=true:
+ */
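Review bot: In `proto_register_coc`, `hf_coc_other` is registered with the abbreviation `"coc.len"`, the same as `hf_coc_len`, so two header fields of different types (FT_UINT24 and FT_UINT16) share one display-filter name; the entry should read `{ "Other", "coc.other",`. The `type_str[0] == '?'` test in `dissect_coc_common` cannot match any entry in `types[]` as written, because every string begins with "Req", "Resp", "Send" or "Recv", so `ei_coc_type_notsure` is never attached; testing for a `'?'` anywhere in the string (e.g. `strchr(type_str, '?') != NULL`) would flag the uncertain entries. `types` is also a non-static global with a very generic name, and `static const value_string coc_types[]` would keep it out of the library's exported symbols. Separately, `data_len` and the PDU length come straight from a 24-bit wire field, so a short comment at `get_coc_pdu_len` noting that reassembly can buffer up to roughly 16 MiB per PDU would help the next reader.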