authorMichael Mann <mmann78@netscape.net>2016-12-24 17:54:36 -0500
committerAnders Broman <a.broman58@gmail.com>2016-12-25 08:06:53 +0000
commit78d56e5dd74ca22bbfbbf94ba8a74becc15b23d3 (patch)
tree003a8724b0c97cd800ee670daf7040472a24c3ce /plugins/transum
parent2563503301aa4321a9a7a1ed392c9cbbe147fd2f (diff)
downloadwireshark-78d56e5dd74ca22bbfbbf94ba8a74becc15b23d3.tar.gz
Cleanup transum post-dissector.
1. Enable/disable preference not needed - just use Enabled Protocol dialog interface. Added support for backwards compatibility of preference. 2. Add value_string for calculation values 3. Create a structured array of "hfs of interest" so they can more easily be extended. 4. Convert a bunch of arrays into hash tables and lists. For the amount of wasted space they were taking up, we can live with the very slight performance degrade. Also puts less limits on number of things to process. Change-Id: I7399789d62432b507062ed9cdc20ad974b9dde1b Reviewed-on: https://code.wireshark.org/review/19406 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'plugins/transum')
-rw-r--r--plugins/transum/decoders.c231
-rw-r--r--plugins/transum/decoders.h12
-rw-r--r--plugins/transum/packet-transum.c849
-rw-r--r--plugins/transum/packet-transum.h81
-rw-r--r--plugins/transum/preferences.h6
5 files changed, 514 insertions, 665 deletions
diff --git a/plugins/transum/decoders.c b/plugins/transum/decoders.c
index 0e55fbcc49..8f3a34e85f 100644
--- a/plugins/transum/decoders.c
+++ b/plugins/transum/decoders.c
@@ -34,30 +34,26 @@
#include "decoders.h"
extern TSUM_PREFERENCES preferences;
-extern PKT_INFO *sub_packet;
-extern gboolean *dcerpc_req_pkt_type;
-extern gboolean *dcerpc_context_zero;
-extern HF_OF_INTEREST hf_of_interest;
/* Returns the number of sub-packets of interest */
-int decode_syn(packet_info *pinfo _U_, proto_tree *tree _U_)
+int decode_syn(packet_info *pinfo _U_, proto_tree *tree _U_, PKT_INFO* pkt_info)
{
- if (sub_packet[0].tcp_flags_ack)
- sub_packet[0].rrpd.c2s = FALSE;
+ if (pkt_info->tcp_flags_ack)
+ pkt_info->rrpd.c2s = FALSE;
else
{
- sub_packet[0].rrpd.c2s = TRUE;
- sub_packet[0].rrpd.state = RRPD_STATE_4;
- add_detected_tcp_svc(sub_packet[0].dstport);
+ pkt_info->rrpd.c2s = TRUE;
+ pkt_info->rrpd.state = RRPD_STATE_4;
+ add_detected_tcp_svc(pkt_info->dstport);
}
- sub_packet[0].rrpd.session_id = 1;
- sub_packet[0].rrpd.msg_id = 1;
- sub_packet[0].rrpd.suffix = 1;
- sub_packet[0].rrpd.decode_based = TRUE;
- sub_packet[0].rrpd.calculation = RTE_CALC_SYN;
- sub_packet[0].pkt_of_interest = TRUE;
+ pkt_info->rrpd.session_id = 1;
+ pkt_info->rrpd.msg_id = 1;
+ pkt_info->rrpd.suffix = 1;
+ pkt_info->rrpd.decode_based = TRUE;
+ pkt_info->rrpd.calculation = RTE_CALC_SYN;
+ pkt_info->pkt_of_interest = TRUE;
return 1;
}
@@ -65,52 +61,52 @@ int decode_syn(packet_info *pinfo _U_, proto_tree *tree _U_)
/*
This function sets basic information in the sub_packet entry.
Because we don't expect multiple DCE-RPC messages in a single packet
- we only use sub_packet[0].
+ we only use single PKT_INFO
Returns the number of sub-packets of interest, which in this case is always 1.
*/
-int decode_dcerpc(packet_info *pinfo _U_, proto_tree *tree)
+int decode_dcerpc(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
guint32 dcerpc_cn_ctx_id = 0;
- if (!extract_uint(tree, hf_of_interest.dcerpc_ver, field_uint, &field_value_count))
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_VER].hf, field_uint, &field_value_count))
{
if (field_value_count)
- sub_packet[0].dcerpc_ver = field_uint[0];
+ pkt_info->dcerpc_ver = field_uint[0];
}
- if (!extract_uint(tree, hf_of_interest.dcerpc_pkt_type, field_uint, &field_value_count))
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_PKT_TYPE].hf, field_uint, &field_value_count))
{
if (field_value_count)
- sub_packet[0].dcerpc_pkt_type = field_uint[0];
+ pkt_info->dcerpc_pkt_type = field_uint[0];
}
if (field_value_count)
{
- if (!extract_uint(tree, hf_of_interest.dcerpc_cn_ctx_id, field_uint, &field_value_count))
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_CN_CTX_ID].hf, field_uint, &field_value_count))
{
if (field_value_count)
dcerpc_cn_ctx_id = field_uint[0];
}
- if (dcerpc_context_zero[sub_packet[0].dcerpc_pkt_type])
+ if (is_dcerpc_context_zero(pkt_info->dcerpc_pkt_type))
{ /* This is needed to overcome an apparent Wireshark bug
found in the LUA code - is this still true in C? */
- sub_packet[0].rrpd.session_id = 1;
+ pkt_info->rrpd.session_id = 1;
}
else
{
if (dcerpc_cn_ctx_id)
- sub_packet[0].rrpd.session_id = dcerpc_cn_ctx_id;
+ pkt_info->rrpd.session_id = dcerpc_cn_ctx_id;
else
- sub_packet[0].rrpd.session_id = 1;
+ pkt_info->rrpd.session_id = 1;
}
- if (!extract_uint(tree, hf_of_interest.dcerpc_cn_call_id, field_uint, &field_value_count))
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_CN_CALL_ID].hf, field_uint, &field_value_count))
{
if (field_value_count)
- sub_packet[0].rrpd.msg_id = field_uint[0];
+ pkt_info->rrpd.msg_id = field_uint[0];
}
}
else
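Review bot: `field_value_count` in decode_dcerpc is declared without an initialiser and is then tested at `if (field_value_count)` after the pkt_type extraction regardless of whether that extract_uint call returned 0; unless extract_uint (not in this diff) writes the count on every return path, that test reads an indeterminate value. Initialising it at the declaration, `size_t field_value_count = 0;`, removes the dependency on extract_uint's failure behaviour at no cost. decode_dcerpc's body continues past the end of this hunk.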
@@ -120,32 +116,32 @@ int decode_dcerpc(packet_info *pinfo _U_, proto_tree *tree)
the rrpd functions will either create a new rrpd_list (or temp_rsp_rrpd_list) entry
or update the last entry for this ip_proto:stream_no.
*/
- sub_packet[0].rrpd.session_id = 0;
- sub_packet[0].rrpd.msg_id = 0;
+ pkt_info->rrpd.session_id = 0;
+ pkt_info->rrpd.msg_id = 0;
}
- if (dcerpc_req_pkt_type[sub_packet[0].dcerpc_pkt_type])
+ if (is_dcerpc_req_pkt_type(pkt_info->dcerpc_pkt_type))
{
- sub_packet[0].rrpd.c2s = TRUE;
- preferences.tcp_svc_port[sub_packet[0].dstport] = RTE_CALC_DCERPC; /* make sure we have this DCE-RPC service port set */
+ pkt_info->rrpd.c2s = TRUE;
+ wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport), GUINT_TO_POINTER(RTE_CALC_DCERPC)); /* make sure we have this DCE-RPC service port set */
}
else
{
- sub_packet[0].rrpd.c2s = FALSE;
- preferences.tcp_svc_port[sub_packet[0].srcport] = RTE_CALC_DCERPC; /* make sure we have this DCE-RPC service port set */
+ pkt_info->rrpd.c2s = FALSE;
+ wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport), GUINT_TO_POINTER(RTE_CALC_DCERPC)); /* make sure we have this DCE-RPC service port set */
}
- sub_packet[0].rrpd.suffix = 1;
- sub_packet[0].rrpd.decode_based = TRUE;
- sub_packet[0].rrpd.calculation = RTE_CALC_DCERPC;
- sub_packet[0].pkt_of_interest = TRUE;
+ pkt_info->rrpd.suffix = 1;
+ pkt_info->rrpd.decode_based = TRUE;
+ pkt_info->rrpd.calculation = RTE_CALC_DCERPC;
+ pkt_info->pkt_of_interest = TRUE;
return 1;
}
/* Returns the number of sub-packets of interest */
-int decode_smb(packet_info *pinfo _U_, proto_tree *tree)
+int decode_smb(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info, PKT_INFO* subpackets)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
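Review bot: The two `wmem_map_insert(preferences.tcp_svc_ports, ...)` lines mutate the preferences map from the dissection path, so a port learned from DCE-RPC packet content becomes a configured service port for every later decode_gtcp lookup. The scope the map is allocated with is not in this diff; if it is epan-scoped rather than file-scoped, a port learned from one capture is carried into the next file opened in the same session, whereas ports learned from SYNs go through add_detected_tcp_svc into the separate detected_tcp_svc map. The previous fixed array behaved the same way, so this is carried over rather than introduced, but a comment on those lines such as `/* learned at dissection time; the map must be reset with the file or ports leak across captures */` records the constraint for whoever allocates the map. decode_dcerpc begins in the previous hunk.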
@@ -156,47 +152,47 @@ int decode_smb(packet_info *pinfo _U_, proto_tree *tree)
size_t msg_id_count;
/* set the direction information */
- if (sub_packet[0].dstport == 445)
- sub_packet[0].rrpd.c2s = TRUE;
+ if (pkt_info->dstport == 445)
+ pkt_info->rrpd.c2s = TRUE;
else
- sub_packet[0].rrpd.c2s = FALSE;
+ pkt_info->rrpd.c2s = FALSE;
- extract_uint(tree, hf_of_interest.smb_mid, field_uint, &field_value_count);
+ extract_uint(tree, hf_of_interest[HF_INTEREST_SMB_MID].hf, field_uint, &field_value_count);
if (field_value_count)
{
- sub_packet[0].rrpd.calculation = RTE_CALC_SMB1;
- sub_packet[0].pkt_of_interest = FALSE; /* can't process SMB1 at the moment */
+ pkt_info->rrpd.calculation = RTE_CALC_SMB1;
+ pkt_info->pkt_of_interest = FALSE; /* can't process SMB1 at the moment */
return 0;
}
else
{
/* Default in case we don't have header information */
- sub_packet[0].rrpd.session_id = 0;
- sub_packet[0].rrpd.msg_id = 0;
- sub_packet[0].rrpd.suffix = 1;
- sub_packet[0].rrpd.decode_based = TRUE;
- sub_packet[0].rrpd.calculation = RTE_CALC_SMB2;
- sub_packet[0].pkt_of_interest = TRUE;
-
- extract_ui64(tree, hf_of_interest.smb2_msg_id, msg_id, &msg_id_count);
+ pkt_info->rrpd.session_id = 0;
+ pkt_info->rrpd.msg_id = 0;
+ pkt_info->rrpd.suffix = 1;
+ pkt_info->rrpd.decode_based = TRUE;
+ pkt_info->rrpd.calculation = RTE_CALC_SMB2;
+ pkt_info->pkt_of_interest = TRUE;
+
+ extract_ui64(tree, hf_of_interest[HF_INTEREST_SMB2_MSG_ID].hf, msg_id, &msg_id_count);
if (msg_id_count) /* test for header information */
{
- extract_ui64(tree, hf_of_interest.smb2_ses_id, ses_id, &ses_id_count);
+ extract_ui64(tree, hf_of_interest[HF_INTEREST_SMB2_SES_ID].hf, ses_id, &ses_id_count);
- for (size_t i = 0; i < msg_id_count; i++)
+ for (size_t i = 0; (i < msg_id_count) && (i < MAX_SUBPKTS_PER_PACKET); i++)
{
- sub_packet[i].rrpd.c2s = sub_packet[0].rrpd.c2s;
- sub_packet[i].rrpd.ip_proto = sub_packet[0].rrpd.ip_proto;
- sub_packet[i].rrpd.stream_no = sub_packet[0].rrpd.stream_no;
+ subpackets[i].rrpd.c2s = pkt_info->rrpd.c2s;
+ subpackets[i].rrpd.ip_proto = pkt_info->rrpd.ip_proto;
+ subpackets[i].rrpd.stream_no = pkt_info->rrpd.stream_no;
- sub_packet[i].rrpd.session_id = ses_id[i];
- sub_packet[i].rrpd.msg_id = msg_id[i];
- sub_packet[i].rrpd.suffix = 1;
+ subpackets[i].rrpd.session_id = ses_id[i];
+ subpackets[i].rrpd.msg_id = msg_id[i];
+ subpackets[i].rrpd.suffix = 1;
- sub_packet[i].rrpd.decode_based = TRUE;
- sub_packet[i].rrpd.calculation = RTE_CALC_SMB2;
- sub_packet[i].pkt_of_interest = TRUE;
+ subpackets[i].rrpd.decode_based = TRUE;
+ subpackets[i].rrpd.calculation = RTE_CALC_SMB2;
+ subpackets[i].pkt_of_interest = TRUE;
}
return (int)msg_id_count;
}
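Review bot: The loop is now capped at MAX_SUBPKTS_PER_PACKET, but `return (int)msg_id_count;` still reports the uncapped count, so a caller that iterates that many entries of `subpackets` reads beyond what was filled and, depending on the array's declared size, beyond its end; return the clamped value instead, `return (int)MIN(msg_id_count, MAX_SUBPKTS_PER_PACKET);`. In the same loop `ses_id[i]` is indexed by the msg_id count without consulting `ses_id_count`, so a tree carrying fewer smb2.sesid than smb2.msg_id fields yields uninitialised stack data as the session id; guard it with `subpackets[i].rrpd.session_id = (i < ses_id_count) ? ses_id[i] : 0;` (0 being the value the function already uses for "no header information"). decode_smb begins in the previous hunk.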
@@ -206,46 +202,48 @@ int decode_smb(packet_info *pinfo _U_, proto_tree *tree)
}
/* Returns the number of sub-packets of interest */
-int decode_gtcp(packet_info *pinfo, proto_tree *tree)
+int decode_gtcp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
gboolean field_bool[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
- if (!extract_uint(tree, hf_of_interest.tcp_stream, field_uint, &field_value_count))
- sub_packet[0].rrpd.stream_no = field_uint[0];
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_TCP_STREAM].hf, field_uint, &field_value_count))
+ pkt_info->rrpd.stream_no = field_uint[0];
- sub_packet[0].srcport = pinfo->srcport;
- sub_packet[0].dstport = pinfo->destport;
+ pkt_info->srcport = pinfo->srcport;
+ pkt_info->dstport = pinfo->destport;
- if (!extract_uint(tree, hf_of_interest.tcp_len, field_uint, &field_value_count))
- sub_packet[0].len = field_uint[0];
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_TCP_LEN].hf, field_uint, &field_value_count))
+ pkt_info->len = field_uint[0];
- if (!extract_bool(tree, hf_of_interest.tcp_flags_syn, field_bool, &field_value_count))
- sub_packet[0].tcp_flags_syn = field_bool[0];
+ if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_SYN].hf, field_bool, &field_value_count))
+ pkt_info->tcp_flags_syn = field_bool[0];
- if (!extract_bool(tree, hf_of_interest.tcp_flags_ack, field_bool, &field_value_count))
- sub_packet[0].tcp_flags_ack = field_bool[0];
+ if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_ACK].hf, field_bool, &field_value_count))
+ pkt_info->tcp_flags_ack = field_bool[0];
- if (!extract_bool(tree, hf_of_interest.tcp_flags_reset, field_bool, &field_value_count))
- sub_packet[0].tcp_flags_reset = field_bool[0];
+ if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_FLAGS_RESET].hf, field_bool, &field_value_count))
+ pkt_info->tcp_flags_reset = field_bool[0];
- if (!extract_bool(tree, hf_of_interest.tcp_retran, field_bool, &field_value_count))
- sub_packet[0].tcp_retran = field_bool[0];
+ if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_RETRAN].hf, field_bool, &field_value_count))
+ pkt_info->tcp_retran = field_bool[0];
- if (!extract_bool(tree, hf_of_interest.tcp_keep_alive, field_bool, &field_value_count))
- sub_packet[0].tcp_keep_alive = field_bool[0];
+ if (!extract_bool(tree, hf_of_interest[HF_INTEREST_TCP_KEEP_ALIVE].hf, field_bool, &field_value_count))
+ pkt_info->tcp_keep_alive = field_bool[0];
- if ((preferences.tcp_svc_port[sub_packet[0].dstport] || preferences.tcp_svc_port[sub_packet[0].srcport]) && (sub_packet[0].len > 0))
+ if (((wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL) ||
+ (wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport)) != NULL)) &&
+ (pkt_info->len > 0))
{
- if (preferences.tcp_svc_port[sub_packet[0].dstport])
- sub_packet[0].rrpd.c2s = TRUE;
+ if (wmem_map_lookup(preferences.tcp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL)
+ pkt_info->rrpd.c2s = TRUE;
- sub_packet[0].rrpd.session_id = 1;
- sub_packet[0].rrpd.msg_id = 1;
- sub_packet[0].rrpd.calculation = RTE_CALC_GTCP;
- sub_packet[0].rrpd.decode_based = FALSE;
- sub_packet[0].pkt_of_interest = TRUE;
+ pkt_info->rrpd.session_id = 1;
+ pkt_info->rrpd.msg_id = 1;
+ pkt_info->rrpd.calculation = RTE_CALC_GTCP;
+ pkt_info->rrpd.decode_based = FALSE;
+ pkt_info->pkt_of_interest = TRUE;
return 1;
}
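Review bot: Each `if (!extract_uint(...)) pkt_info->... = field_uint[0];` (and the extract_bool equivalents) reads the first extracted element on a zero return without checking `field_value_count`, whereas decode_dcerpc tests `if (field_value_count)` before the same read. If extract_uint (not in this diff) can return 0 with a count of 0, the read is of an uninitialised stack array; changing each guard to `if (!extract_uint(...) && field_value_count)` makes the decoders consistent whichever way extract_uint behaves. decode_gtcp's body continues past the end of this hunk.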
@@ -254,49 +252,50 @@ int decode_gtcp(packet_info *pinfo, proto_tree *tree)
}
/* Returns the number of sub-packets of interest */
-int decode_dns(packet_info *pinfo _U_, proto_tree *tree)
+int decode_dns(packet_info *pinfo _U_, proto_tree *tree, PKT_INFO* pkt_info)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
- if (!extract_uint(tree, hf_of_interest.dns_id, field_uint, &field_value_count))
- sub_packet[0].rrpd.msg_id = field_uint[0];
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DNS_ID].hf, field_uint, &field_value_count))
+ pkt_info->rrpd.msg_id = field_uint[0];
- sub_packet[0].rrpd.session_id = 1;
- sub_packet[0].rrpd.suffix = 1; /* need to do something tricky here as dns.id gets reused */
- sub_packet[0].rrpd.decode_based = TRUE;
- sub_packet[0].rrpd.calculation = RTE_CALC_DNS;
- sub_packet[0].pkt_of_interest = TRUE;
+ pkt_info->rrpd.session_id = 1;
+ pkt_info->rrpd.suffix = 1; /* need to do something tricky here as dns.id gets reused */
+ pkt_info->rrpd.decode_based = TRUE;
+ pkt_info->rrpd.calculation = RTE_CALC_DNS;
+ pkt_info->pkt_of_interest = TRUE;
return 1;
}
/* Returns the number of sub-packets of interest */
-int decode_gudp(packet_info *pinfo, proto_tree *tree)
+int decode_gudp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
- sub_packet[0].srcport = pinfo->srcport;
- sub_packet[0].dstport = pinfo->destport;
+ pkt_info->srcport = pinfo->srcport;
+ pkt_info->dstport = pinfo->destport;
- if (!extract_uint(tree, hf_of_interest.udp_stream, field_uint, &field_value_count))
- sub_packet[0].rrpd.stream_no = field_uint[0];
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_UDP_STREAM].hf, field_uint, &field_value_count))
+ pkt_info->rrpd.stream_no = field_uint[0];
- if (!extract_uint(tree, hf_of_interest.udp_length, field_uint, &field_value_count))
- sub_packet[0].len = field_uint[0];
+ if (!extract_uint(tree, hf_of_interest[HF_INTEREST_UDP_LENGTH].hf, field_uint, &field_value_count))
+ pkt_info->len = field_uint[0];
- if (preferences.udp_svc_port[sub_packet[0].dstport] || preferences.udp_svc_port[sub_packet[0].srcport])
+ if ((wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL) ||
+ (wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->srcport)) != NULL))
{
- if (preferences.udp_svc_port[sub_packet[0].dstport])
- sub_packet[0].rrpd.c2s = TRUE;
-
- sub_packet[0].rrpd.session_id = 1;
- sub_packet[0].rrpd.msg_id = 1;
- sub_packet[0].rrpd.suffix = 1;
- sub_packet[0].rrpd.decode_based = FALSE;
- sub_packet[0].rrpd.calculation = RTE_CALC_GUDP;
- sub_packet[0].pkt_of_interest = TRUE;
+ if (wmem_map_lookup(preferences.udp_svc_ports, GUINT_TO_POINTER(pkt_info->dstport)) != NULL)
+ pkt_info->rrpd.c2s = TRUE;
+
+ pkt_info->rrpd.session_id = 1;
+ pkt_info->rrpd.msg_id = 1;
+ pkt_info->rrpd.suffix = 1;
+ pkt_info->rrpd.decode_based = FALSE;
+ pkt_info->rrpd.calculation = RTE_CALC_GUDP;
+ pkt_info->pkt_of_interest = TRUE;
}
return 1;
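Review bot: decode_gudp ends with an unconditional `return 1;`, whereas decode_gtcp returns 1 only inside the service-port match; when neither port is a configured UDP service, pkt_of_interest is left untouched yet the function still reports one sub-packet of interest, contradicting the `Returns the number of sub-packets of interest` comment above it. Moving `return 1;` inside the `if` and returning 0 after it aligns the two; if the caller relies on pkt_of_interest rather than the count, that should be stated in the comment instead. decode_dns has the same unguarded `field_uint[0]` read as decode_gtcp. The closing brace of decode_gudp lies past the end of this hunk.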
diff --git a/plugins/transum/decoders.h b/plugins/transum/decoders.h
index 2725f20a7d..05d4ac1da1 100644
--- a/plugins/transum/decoders.h
+++ b/plugins/transum/decoders.h
@@ -23,12 +23,12 @@
*/
#include "config.h"
-gboolean decode_syn(packet_info *pinfo, proto_tree *tree);
-gboolean decode_dcerpc(packet_info *pinfo, proto_tree *tree);
-gboolean decode_smb(packet_info *pinfo, proto_tree *tree);
-gboolean decode_gtcp(packet_info *pinfo, proto_tree *tree);
-gboolean decode_dns(packet_info *pinfo, proto_tree *tree);
-gboolean decode_gudp(packet_info *pinfo, proto_tree *tree);
+int decode_syn(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info);
+int decode_dcerpc(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info);
+int decode_smb(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info, PKT_INFO* subpackets);
+int decode_gtcp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info);
+int decode_dns(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info);
+int decode_gudp(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info);
/*
* Editor modelines - http://www.wireshark.org/tools/modelines.html
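Review bot: The new prototypes change the return type from gboolean to int and add PKT_INFO out-parameters, but the header carries no description of the contract; a caller has to read decoders.c to learn that the return value is the number of sub-packets of interest and that `subpackets` in decode_smb must point at an array of at least MAX_SUBPKTS_PER_PACKET entries. A short block comment above the prototypes stating both, plus a note that decode_gudp returns 1 even when no service port matches, would make the header self-describing. Whether pkt_info is expected to be zeroed by the caller before the call is not visible in this diff and should be stated if so.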
diff --git a/plugins/transum/packet-transum.c b/plugins/transum/packet-transum.c
index 81a528d012..08e5169471 100644
--- a/plugins/transum/packet-transum.c
+++ b/plugins/transum/packet-transum.c
@@ -56,24 +56,57 @@ void proto_reg_handoff_transum(void);
#define SMB2_CMD_SESSION_SETUP 1
-#define SIZEOF_TEMP_STRING 512
-#define SIZEOF_SUMMARY 1024
+/* The following are the field ids for the protocol values used by TRANSUM.
+ Make sure they line up with ehf_of_interest order */
+HF_OF_INTEREST_INFO hf_of_interest[HF_INTEREST_END_OF_LIST] = {
+ { -1, "ip.proto" },
+ { -1, "ipv6.nxt" },
+
+ { -1, "tcp.analysis.retransmission" },
+ { -1, "tcp.analysis.keep_alive" },
+ { -1, "tcp.flags.syn" },
+ { -1, "tcp.flags.ack" },
+ { -1, "tcp.flags.reset" },
+ { -1, "tcp.flags.urg" },
+ { -1, "tcp.seq" },
+ { -1, "tcp.srcport" },
+ { -1, "tcp.dstport" },
+ { -1, "tcp.stream" },
+ { -1, "tcp.len" },
+
+ { -1, "udp.srcport" },
+ { -1, "udp.dstport" },
+ { -1, "udp.stream" },
+ { -1, "udp.length" },
+
+ { -1, "tds.type" },
+ { -1, "tds.length" },
+
+ { -1, "smb.mid" },
+
+ { -1, "smb2.sesid" },
+ { -1, "smb2.msg_id" },
+ { -1, "smb2.cmd" },
+
+ { -1, "dcerpc.ver" },
+ { -1, "dcerpc.pkt_type" },
+ { -1, "dcerpc.cn_call_id" },
+ { -1, "dcerpc.cn_ctx_id" },
+
+ { -1, "dns.id"},
+};
-/* The following are the field ids for the protocol values used by TRANSUM */
-HF_OF_INTEREST hf_of_interest;
-range_t *tcp_svc_port_range_values;
+static range_t *tcp_svc_port_range_values;
-range_t *udp_svc_port_range_values;
+static range_t *udp_svc_port_range_values;
TSUM_PREFERENCES preferences;
-gboolean *detected_tcp_svc = NULL; /* this array is used to track services detected during the syn/syn-ack process */
-
-PKT_INFO *sub_packet = NULL;
+static wmem_map_t *detected_tcp_svc; /* this array is used to track services detected during the syn/syn-ack process */
-gboolean *dcerpc_req_pkt_type = NULL; /* used to indicate if a DCE-RPC pkt_type is a request */
+static wmem_map_t *dcerpc_req_pkt_type; /* used to indicate if a DCE-RPC pkt_type is a request */
/*
This array contains calls and returns that have no TRUE context_id
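Review bot: The hf_of_interest table depends on its positional order matching the HF_INTEREST_* enumerators, which the comment `Make sure they line up with ehf_of_interest order` can only request; a row added to one side but not the other would silently bind a decoder to the wrong field with no compiler diagnostic. Designated initialisers make the binding explicit and order-independent, e.g. `[HF_INTEREST_TCP_STREAM] = { -1, "tcp.stream" },` for each row. Most enumerator names are outside this diff, so the exact spellings are inferred from those used in decoders.c.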
@@ -81,28 +114,24 @@ This is needed to overcome an apparent bug in Wireshark where
the field name of context id in parameters is the same as context id
in a message header
*/
-gboolean *dcerpc_context_zero= NULL;
+static wmem_map_t *dcerpc_context_zero;
+#if 0
/* rrpd-related globals */
-
guint32 rrpd_suffix = 0;
-guint32 dummy_msgid = 0xa7; /* This value is used for protocols that don't have msg_id such as GTCP, GUDP and SYN */
+#endif
/*
- The rrpd_list is the master array that holds information about all of the APDU Request-Response Pairs seen in the
- trace. Each time an entry is added to this list the next_free_rrpd index is incremented. This index is used to
- accelerate appending entries to the rrpd_list and also as the start point for find operations as these start from the
- end of the list and search backwards through the list.
+ The rrpd_list holds information about all of the APDU Request-Response Pairs seen in the trace.
*/
-RRPD *rrpd_list;
-int next_free_rrpd = 0;
+static wmem_list_t *rrpd_list = NULL;
/*
- output_rrpd is an array of pointers to RRPDs on the rrpd_list. The index into the array is frame number. This array is
+ output_rrpd is a hash of pointers to RRPDs on the rrpd_list. The index is the frame number. This hash is
used during Wireshark's second scan. As each packet is processed, TRANSUM uses the packet's frame number to index into
- this array to determine if we have RTE data for this particular packet, and if so the write_rte function is called.
+ this hash to determine if we have RTE data for this particular packet, and if so the write_rte function is called.
*/
-RRPD *output_rrpd[MAX_PACKETS];
+static wmem_map_t *output_rrpd;
/*
The temp_rsp_rrpd_list holds RRPDs for APDUs where we have not yet seen the header information and so we can't
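Review bot: The `#if 0` around `guint32 rrpd_suffix = 0;` leaves dead state in the file rather than removing it; version control keeps the history, so deleting the block together with the `/* rrpd-related globals */` heading above it is cleaner than disabling it. If suffix handling is meant to return, a one-line `/* TODO: suffix handling for reused msg_ids (see decode_dns) */` conveys that better than a disabled declaration.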
@@ -111,29 +140,28 @@ RRPD *output_rrpd[MAX_PACKETS];
TCP Reassembly enabled. Once we receive a header packet for an APDU we migrate the entry from this array to the
main rrpd_list.
*/
-RRPD *temp_rsp_rrpd_list; /* Reuse these for speed and efficient memory use - issue a warning if we run out */
+static wmem_list_t *temp_rsp_rrpd_list = NULL; /* Reuse these for speed and efficient memory use - issue a warning if we run out */
static gint ett_transum = -1;
static gint ett_transum_header = -1;
static gint ett_transum_data = -1;
-int proto_transum = -1;
-
-int hf_tsum = -1;
-int hf_tsum_status = -1;
-int hf_tsum_time_units = -1;
-int hf_tsum_req_first_seg = -1;
-int hf_tsum_req_last_seg = -1;
-int hf_tsum_rsp_first_seg = -1;
-int hf_tsum_rsp_last_seg = -1;
-int hf_tsum_apdu_rsp_time = -1;
-int hf_tsum_service_time = -1;
-int hf_tsum_req_spread = -1;
-int hf_tsum_rsp_spread = -1;
-int hf_tsum_clip_filter = -1;
-int hf_tsum_calculation = -1;
-int hf_tsum_summary = -1;
+static int proto_transum = -1;
+
+static int hf_tsum_status = -1;
+//static int hf_tsum_time_units = -1;
+static int hf_tsum_req_first_seg = -1;
+static int hf_tsum_req_last_seg = -1;
+static int hf_tsum_rsp_first_seg = -1;
+static int hf_tsum_rsp_last_seg = -1;
+static int hf_tsum_apdu_rsp_time = -1;
+static int hf_tsum_service_time = -1;
+static int hf_tsum_req_spread = -1;
+static int hf_tsum_rsp_spread = -1;
+static int hf_tsum_clip_filter = -1;
+static int hf_tsum_calculation = -1;
+static int hf_tsum_summary = -1;
static const enum_val_t capture_position_vals[] = {
{ "TRACE_CAP_CLIENT", "Client", TRACE_CAP_CLIENT },
@@ -142,6 +170,17 @@ static const enum_val_t capture_position_vals[] = {
{ NULL, NULL, 0}
};
+static const value_string rrdp_calculation_vals[] = {
+ { RTE_CALC_GTCP, "Generic TCP" },
+ { RTE_CALC_SYN, "SYN and SYN/ACK" },
+ { RTE_CALC_DCERPC, "DCE-RPC" },
+ { RTE_CALC_SMB2, "SMB2" },
+ { RTE_CALC_GUDP, "Generic UDP" },
+ { RTE_CALC_DNS, "DNS" },
+
+ { 0, NULL }
+};
+
/*static const enum_val_t time_multiplier_vals[] = {
{ "RTE_TIME_SEC", "seconds", RTE_TIME_SEC },
{ "RTE_TIME_MSEC", "milliseconds", RTE_TIME_MSEC },
@@ -151,105 +190,74 @@ static const enum_val_t capture_position_vals[] = {
static int fake_tap = 0xa7a7a7a7;
-
-static void init_detected_tcp_svc(void)
-{
- for (int i = 0; i < 64 * 1024; i++)
- detected_tcp_svc[i] = FALSE;
-}
-
void add_detected_tcp_svc(guint16 port)
{
- detected_tcp_svc[port] = TRUE;
+ wmem_map_insert(detected_tcp_svc, GUINT_TO_POINTER(port), GUINT_TO_POINTER(port));
}
static void init_dcerpc_data(void)
{
- for (int i = 0; i < 256; i++)
- dcerpc_req_pkt_type[i] = FALSE;
-
- dcerpc_req_pkt_type[0] = TRUE;
- dcerpc_req_pkt_type[11] = TRUE;
- dcerpc_req_pkt_type[14] = TRUE;
-
- for (int i = 0; i < 256; i++)
- dcerpc_context_zero[i] = FALSE;
-
- dcerpc_context_zero[11] = TRUE;
- dcerpc_context_zero[12] = TRUE;
- dcerpc_context_zero[14] = TRUE;
- dcerpc_context_zero[15] = TRUE;
-
- return;
-}
-
-static void clear_rrpd(RRPD *rrpd)
-{
- memset(rrpd, 0x00, sizeof(RRPD));
-}
-
-static void init_rrpd_data(void)
-{
- for (int i = 0; i < MAX_PACKETS; i++)
- output_rrpd[i] = NULL;
-
- return;
+ wmem_map_insert(dcerpc_req_pkt_type, GUINT_TO_POINTER(0), GUINT_TO_POINTER(0));
+ wmem_map_insert(dcerpc_req_pkt_type, GUINT_TO_POINTER(11), GUINT_TO_POINTER(11));
+ wmem_map_insert(dcerpc_req_pkt_type, GUINT_TO_POINTER(14), GUINT_TO_POINTER(14));
+
+ wmem_map_insert(dcerpc_context_zero, GUINT_TO_POINTER(11), GUINT_TO_POINTER(11));
+ wmem_map_insert(dcerpc_context_zero, GUINT_TO_POINTER(12), GUINT_TO_POINTER(12));
+ wmem_map_insert(dcerpc_context_zero, GUINT_TO_POINTER(14), GUINT_TO_POINTER(14));
+ wmem_map_insert(dcerpc_context_zero, GUINT_TO_POINTER(15), GUINT_TO_POINTER(15));
}
/* This function should be called before any change to RTE data. */
static void null_output_rrpd_entries(RRPD *in_rrpd)
{
- output_rrpd[in_rrpd->req_first_frame] = NULL;
- output_rrpd[in_rrpd->req_last_frame] = NULL;
- output_rrpd[in_rrpd->rsp_first_frame] = NULL;
- output_rrpd[in_rrpd->rsp_last_frame] = NULL;
+ wmem_map_remove(output_rrpd, GUINT_TO_POINTER(in_rrpd->req_first_frame));
+ wmem_map_remove(output_rrpd, GUINT_TO_POINTER(in_rrpd->req_last_frame));
+ wmem_map_remove(output_rrpd, GUINT_TO_POINTER(in_rrpd->rsp_first_frame));
+ wmem_map_remove(output_rrpd, GUINT_TO_POINTER(in_rrpd->rsp_last_frame));
}
/* This function should be called after any change to RTE data. */
static void update_output_rrpd(RRPD *in_rrpd)
{
if (preferences.rte_on_first_req)
- output_rrpd[in_rrpd->req_first_frame] = in_rrpd;
+ wmem_map_insert(output_rrpd, GUINT_TO_POINTER(in_rrpd->req_first_frame), in_rrpd);
if (preferences.rte_on_last_req)
- output_rrpd[in_rrpd->req_last_frame] = in_rrpd;
+ wmem_map_insert(output_rrpd, GUINT_TO_POINTER(in_rrpd->req_last_frame), in_rrpd);
if (preferences.rte_on_first_rsp)
- output_rrpd[in_rrpd->rsp_first_frame] = in_rrpd;
+ wmem_map_insert(output_rrpd, GUINT_TO_POINTER(in_rrpd->rsp_first_frame), in_rrpd);
if (preferences.rte_on_last_rsp)
- output_rrpd[in_rrpd->rsp_last_frame] = in_rrpd;
+ wmem_map_insert(output_rrpd, GUINT_TO_POINTER(in_rrpd->rsp_last_frame), in_rrpd);
}
/* Return the index of the RRPD that has been appended */
-static int append_to_rrpd_list(RRPD *in_rrpd)
+static RRPD* append_to_rrpd_list(RRPD *in_rrpd)
{
- if (next_free_rrpd > MAX_RRPDS)
- next_free_rrpd = 0;
-
- memcpy(&(rrpd_list[next_free_rrpd]), in_rrpd, sizeof(RRPD));
+ RRPD *next_rrpd = (RRPD*)wmem_memdup(wmem_file_scope(), in_rrpd, sizeof(RRPD));
if (preferences.reassembly)
{
- if (rrpd_list[next_free_rrpd].msg_id)
- rrpd_list[next_free_rrpd].state = RRPD_STATE_3;
+ if (next_rrpd->msg_id)
+ next_rrpd->state = RRPD_STATE_3;
else
- rrpd_list[next_free_rrpd].state = RRPD_STATE_1;
+ next_rrpd->state = RRPD_STATE_1;
}
else
{
- if (rrpd_list[next_free_rrpd].msg_id)
- rrpd_list[next_free_rrpd].state = RRPD_STATE_4;
+ if (next_rrpd->msg_id)
+ next_rrpd->state = RRPD_STATE_4;
else
- rrpd_list[next_free_rrpd].state = RRPD_STATE_2;
+ next_rrpd->state = RRPD_STATE_2;
}
- update_output_rrpd(&rrpd_list[next_free_rrpd]);
+ update_output_rrpd(next_rrpd);
- next_free_rrpd++;
+ wmem_list_append(rrpd_list, next_rrpd);
- return (next_free_rrpd - 1);
+ return next_rrpd;
}
/*
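Review bot: In init_dcerpc_data the entry for DCE-RPC packet type 0 is stored with value `GUINT_TO_POINTER(0)`, which is NULL, so a `wmem_map_lookup(...) != NULL` test cannot distinguish it from an absent key. is_dcerpc_req_pkt_type is not in this diff; if it is written as a lookup-against-NULL like the lookups in decoders.c, type 0, which this table marks as a request, would be classified as a response and its c2s direction inverted. Storing a non-NULL marker for every entry, e.g. `wmem_map_insert(dcerpc_req_pkt_type, GUINT_TO_POINTER(0), GUINT_TO_POINTER(TRUE));`, removes the ambiguity however the predicate is written. The comment above append_to_rrpd_list, `/* Return the index of the RRPD that has been appended */`, is also stale now that it returns the RRPD pointer.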
@@ -260,33 +268,34 @@ An input state value of 0 means that we don't care about state.
Returns the rrpd_list index value of the match or -1 if no match is found.
*/
-static int find_latest_rrpd(RRPD *in_rrpd, int state)
+static RRPD *find_latest_rrpd(RRPD *in_rrpd, int state)
{
- int i;
- int rrpd_index = -1;
+ RRPD *rrpd_index = NULL, *rrpd;
+ wmem_list_frame_t* i;
- for (i = next_free_rrpd; i >= 0; i--)
+ for (i = wmem_list_tail(rrpd_list); i != NULL; i = wmem_list_frame_prev(i))
{
- if (rrpd_list[i].ip_proto == in_rrpd->ip_proto && rrpd_list[i].stream_no == in_rrpd->stream_no)
+ rrpd = (RRPD*)wmem_list_frame_data(i);
+ if (rrpd->ip_proto == in_rrpd->ip_proto && rrpd->stream_no == in_rrpd->stream_no)
{
if (in_rrpd->decode_based)
{
/* If this is decode-based and we are checking for entries in RRPD_STATE_1 we need to match on ip_proto and stream_no alone. */
if (state == RRPD_STATE_1)
{
- if (rrpd_list[i].session_id == 0 && rrpd_list[i].msg_id == 0 && rrpd_list[i].suffix == 1)
+ if (rrpd->session_id == 0 && rrpd->msg_id == 0 && rrpd->suffix == 1)
{
- rrpd_index = i;
+ rrpd_index = rrpd;
break;
}
}
/* if this stream is decode_based we need to take into account the session_id, msg_id and suffix */
- if (rrpd_list[i].session_id == in_rrpd->session_id && rrpd_list[i].msg_id == in_rrpd->msg_id && rrpd_list[i].suffix == in_rrpd->suffix)
+ if (rrpd->session_id == in_rrpd->session_id && rrpd->msg_id == in_rrpd->msg_id && rrpd->suffix == in_rrpd->suffix)
{
- if (state == RRPD_STATE_DONT_CARE || rrpd_list[i].state == state)
+ if (state == RRPD_STATE_DONT_CARE || rrpd->state == state)
{
- rrpd_index = i;
+ rrpd_index = rrpd;
break;
}
}
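Review bot: The comment heading find_latest_rrpd still says `Returns the rrpd_list index value of the match or -1 if no match is found.` but the function now returns an `RRPD *` or NULL; change it to `Returns a pointer to the matching RRPD, or NULL if no match is found.`. Worth a sentence there too: the search walks from the tail of rrpd_list towards the head, so its cost grows with the number of RRPDs retained for the file, and since append_to_rrpd_list now appends without the MAX_RRPDS cap the old array had, each call on a large capture gets proportionally slower unless completed entries are pruned somewhere not shown here. find_latest_rrpd's body continues past the end of this hunk.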
@@ -294,9 +303,9 @@ static int find_latest_rrpd(RRPD *in_rrpd, int state)
else
{
/* if this stream is not decode_based we don't need to take into account the session_id, msg_id and suffix */
- if (state == RRPD_STATE_DONT_CARE || rrpd_list[i].state == state)
+ if (state == RRPD_STATE_DONT_CARE || rrpd->state == state)
{
- rrpd_index = i;
+ rrpd_index = rrpd;
break;
}
}
@@ -305,113 +314,113 @@ static int find_latest_rrpd(RRPD *in_rrpd, int state)
return rrpd_index;
}
-static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
+static void update_rrpd_list_entry(RRPD *match, RRPD *in_rrpd)
{
- null_output_rrpd_entries(&rrpd_list[match_index]);
+ null_output_rrpd_entries(match);
- switch (rrpd_list[match_index].state)
+ switch (match->state)
{
case RRPD_STATE_1:
if (in_rrpd->c2s)
{
- rrpd_list[match_index].req_last_frame = in_rrpd->req_last_frame;
- rrpd_list[match_index].req_last_rtime = in_rrpd->req_last_rtime;
+ match->req_last_frame = in_rrpd->req_last_frame;
+ match->req_last_rtime = in_rrpd->req_last_rtime;
if (in_rrpd->msg_id)
{
- rrpd_list[match_index].session_id = in_rrpd->session_id;
- rrpd_list[match_index].msg_id = in_rrpd->msg_id;
- rrpd_list[match_index].suffix = in_rrpd->suffix;
- rrpd_list[match_index].state = RRPD_STATE_3;
+ match->session_id = in_rrpd->session_id;
+ match->msg_id = in_rrpd->msg_id;
+ match->suffix = in_rrpd->suffix;
+ match->state = RRPD_STATE_3;
}
}
else
{
- rrpd_list[match_index].rsp_first_frame = in_rrpd->rsp_first_frame;
- rrpd_list[match_index].rsp_first_rtime = in_rrpd->rsp_first_rtime;
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_first_frame = in_rrpd->rsp_first_frame;
+ match->rsp_first_rtime = in_rrpd->rsp_first_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_7;
+ match->state = RRPD_STATE_7;
else
- rrpd_list[match_index].state = RRPD_STATE_5;
+ match->state = RRPD_STATE_5;
}
break;
case RRPD_STATE_2:
if (in_rrpd->c2s)
{
- rrpd_list[match_index].req_last_frame = in_rrpd->req_last_frame;
- rrpd_list[match_index].req_last_rtime = in_rrpd->req_last_rtime;
+ match->req_last_frame = in_rrpd->req_last_frame;
+ match->req_last_rtime = in_rrpd->req_last_rtime;
if (in_rrpd->msg_id)
{
- rrpd_list[match_index].session_id = in_rrpd->session_id;
- rrpd_list[match_index].msg_id = in_rrpd->msg_id;
- rrpd_list[match_index].suffix = in_rrpd->suffix;
- rrpd_list[match_index].state = RRPD_STATE_4;
+ match->session_id = in_rrpd->session_id;
+ match->msg_id = in_rrpd->msg_id;
+ match->suffix = in_rrpd->suffix;
+ match->state = RRPD_STATE_4;
}
}
else
{
- rrpd_list[match_index].rsp_first_frame = in_rrpd->rsp_first_frame;
- rrpd_list[match_index].rsp_first_rtime = in_rrpd->rsp_first_rtime;
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_first_frame = in_rrpd->rsp_first_frame;
+ match->rsp_first_rtime = in_rrpd->rsp_first_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_8;
+ match->state = RRPD_STATE_8;
else
- rrpd_list[match_index].state = RRPD_STATE_6;
+ match->state = RRPD_STATE_6;
}
break;
case RRPD_STATE_3:
if (in_rrpd->c2s)
{
- rrpd_list[match_index].req_last_frame = in_rrpd->req_last_frame;
- rrpd_list[match_index].req_last_rtime = in_rrpd->req_last_rtime;
+ match->req_last_frame = in_rrpd->req_last_frame;
+ match->req_last_rtime = in_rrpd->req_last_rtime;
if (in_rrpd->msg_id)
{
- rrpd_list[match_index].session_id = in_rrpd->session_id;
- rrpd_list[match_index].msg_id = in_rrpd->msg_id;
- rrpd_list[match_index].suffix = in_rrpd->suffix;
- rrpd_list[match_index].state = RRPD_STATE_3;
+ match->session_id = in_rrpd->session_id;
+ match->msg_id = in_rrpd->msg_id;
+ match->suffix = in_rrpd->suffix;
+ match->state = RRPD_STATE_3;
}
}
else
{
- rrpd_list[match_index].rsp_first_frame = in_rrpd->rsp_first_frame;
- rrpd_list[match_index].rsp_first_rtime = in_rrpd->rsp_first_rtime;
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_first_frame = in_rrpd->rsp_first_frame;
+ match->rsp_first_rtime = in_rrpd->rsp_first_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_7;
+ match->state = RRPD_STATE_7;
else
- rrpd_list[match_index].state = RRPD_STATE_5;
+ match->state = RRPD_STATE_5;
}
break;
case RRPD_STATE_4:
if (in_rrpd->c2s)
{
- rrpd_list[match_index].req_last_frame = in_rrpd->req_last_frame;
- rrpd_list[match_index].req_last_rtime = in_rrpd->req_last_rtime;
+ match->req_last_frame = in_rrpd->req_last_frame;
+ match->req_last_rtime = in_rrpd->req_last_rtime;
if (in_rrpd->msg_id)
{
- rrpd_list[match_index].session_id = in_rrpd->session_id;
- rrpd_list[match_index].msg_id = in_rrpd->msg_id;
- rrpd_list[match_index].suffix = in_rrpd->suffix;
- rrpd_list[match_index].state = RRPD_STATE_4;
+ match->session_id = in_rrpd->session_id;
+ match->msg_id = in_rrpd->msg_id;
+ match->suffix = in_rrpd->suffix;
+ match->state = RRPD_STATE_4;
}
}
else
{
- rrpd_list[match_index].rsp_first_frame = in_rrpd->rsp_first_frame;
- rrpd_list[match_index].rsp_first_rtime = in_rrpd->rsp_first_rtime;
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_first_frame = in_rrpd->rsp_first_frame;
+ match->rsp_first_rtime = in_rrpd->rsp_first_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_8;
+ match->state = RRPD_STATE_8;
else
- rrpd_list[match_index].state = RRPD_STATE_6;
+ match->state = RRPD_STATE_6;
}
break;
@@ -423,12 +432,12 @@ static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
}
else
{
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_7;
+ match->state = RRPD_STATE_7;
else
- rrpd_list[match_index].state = RRPD_STATE_5;
+ match->state = RRPD_STATE_5;
}
break;
@@ -440,12 +449,12 @@ static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
}
else
{
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
if (in_rrpd->msg_id)
- rrpd_list[match_index].state = RRPD_STATE_8;
+ match->state = RRPD_STATE_8;
else
- rrpd_list[match_index].state = RRPD_STATE_6;
+ match->state = RRPD_STATE_6;
}
break;
@@ -457,8 +466,8 @@ static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
}
else
{
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
}
break;
@@ -470,13 +479,13 @@ static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
}
else
{
- rrpd_list[match_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- rrpd_list[match_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ match->rsp_last_frame = in_rrpd->rsp_last_frame;
+ match->rsp_last_rtime = in_rrpd->rsp_last_rtime;
}
break;
}
- update_output_rrpd(&rrpd_list[match_index]);
+ update_output_rrpd(match);
}
/*
@@ -484,23 +493,23 @@ static void update_rrpd_list_entry(int match_index, RRPD *in_rrpd)
*/
static void update_rrpd_list_entry_req(RRPD *in_rrpd)
{
- int match_index = -1;
+ RRPD *match;
if (in_rrpd->decode_based)
{
while (TRUE)
{
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_1);
- if (match_index >= 0) /* Check to cover TCP Reassembly enabled */
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_1);
+ if (match != NULL) /* Check to cover TCP Reassembly enabled */
{
- update_rrpd_list_entry(match_index, in_rrpd);
+ update_rrpd_list_entry(match, in_rrpd);
break;
}
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_4);
- if (match_index >= 0)
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_4);
+ if (match != NULL)
{
- update_rrpd_list_entry(match_index, in_rrpd);
+ update_rrpd_list_entry(match, in_rrpd);
break;
}
@@ -515,89 +524,75 @@ static void update_rrpd_list_entry_req(RRPD *in_rrpd)
This is not a decode_based calculation and so a change from s2c to c2s
means that this packets starts of a new APDU RR pair.
*/
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_DONT_CARE);
- if (match_index >= 0)
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_DONT_CARE);
+ if (match != NULL)
{
- if (rrpd_list[match_index].state > RRPD_STATE_4 && in_rrpd->c2s)
+ if (match->state > RRPD_STATE_4 && in_rrpd->c2s)
{
append_to_rrpd_list(in_rrpd);
}
else
/* no change of direction so just update the RTE data */
- update_rrpd_list_entry(match_index, in_rrpd);
+ update_rrpd_list_entry(match, in_rrpd);
}
else
{
append_to_rrpd_list(in_rrpd);
}
}
-
- return;
}
/*
This function inserts an RRPD into the temp_rsp_rrpd_list. If this is
successful return the index of the entry. If there is no space return -1.
*/
-static int insert_into_temp_rsp_rrpd_list(RRPD *in_rrpd)
+static RRPD* insert_into_temp_rsp_rrpd_list(RRPD *in_rrpd)
{
- int i;
+ RRPD *rrpd = (RRPD*)wmem_memdup(wmem_file_scope(), in_rrpd, sizeof(RRPD));
- for (i = 0; i < SIZE_OF_TEMP_RSP_RRPD_LIST; i++)
- {
- if (temp_rsp_rrpd_list[i].ip_proto == 0)
- break;
- }
+ wmem_list_append(temp_rsp_rrpd_list, rrpd);
- if (temp_rsp_rrpd_list[i].ip_proto)
- {
- temp_rsp_rrpd_list[i] = *in_rrpd;
- return i;
- }
-
- return -1;
+ return rrpd;
}
-static int find_temp_rsp_rrpd(RRPD *in_rrpd)
+static RRPD* find_temp_rsp_rrpd(RRPD *in_rrpd)
{
- int entry_index = -1;
+ wmem_list_frame_t *i;
+ RRPD* rrpd;
- for (int i = 0; i < SIZE_OF_TEMP_RSP_RRPD_LIST; i++)
+ for (i = wmem_list_head(temp_rsp_rrpd_list); i; i = wmem_list_frame_next(i))
{
- if (temp_rsp_rrpd_list[i].ip_proto == in_rrpd->ip_proto && temp_rsp_rrpd_list[i].stream_no == in_rrpd->stream_no)
- {
- entry_index = i;
- break;
- }
+ rrpd = (RRPD*)wmem_list_frame_data(i);
+ if (rrpd->ip_proto == in_rrpd->ip_proto && rrpd->stream_no == in_rrpd->stream_no)
+ return rrpd;
}
- return entry_index;
+
+ return NULL;
}
-static void update_temp_rsp_rrpd(int temp_list_index, RRPD *in_rrpd)
+static void update_temp_rsp_rrpd(RRPD *temp_list, RRPD *in_rrpd)
{
- temp_rsp_rrpd_list[temp_list_index].rsp_last_frame = in_rrpd->rsp_last_frame;
- temp_rsp_rrpd_list[temp_list_index].rsp_last_rtime = in_rrpd->rsp_last_rtime;
+ temp_list->rsp_last_frame = in_rrpd->rsp_last_frame;
+ temp_list->rsp_last_rtime = in_rrpd->rsp_last_rtime;
}
/* This function migrates an entry from the temp_rsp_rrpd_list to the main rrpd_list. */
-static void migrate_temp_rsp_rrpd(int main_list_index, int temp_list_index)
+static void migrate_temp_rsp_rrpd(RRPD *main_list, RRPD *temp_list)
{
- update_rrpd_list_entry(main_list_index, &(temp_rsp_rrpd_list[temp_list_index]));
+ update_rrpd_list_entry(main_list, temp_list);
- clear_rrpd(&temp_rsp_rrpd_list[temp_list_index]);
+ wmem_list_remove(temp_rsp_rrpd_list, temp_list);
/* Update the state to 7 or 8 based on reassembly */
if (preferences.reassembly)
- rrpd_list[main_list_index].state = RRPD_STATE_7;
+ main_list->state = RRPD_STATE_7;
else
- rrpd_list[main_list_index].state = RRPD_STATE_8;
-
- return;
+ main_list->state = RRPD_STATE_8;
}
static void update_rrpd_list_entry_rsp(RRPD *in_rrpd)
{
- int match_index = -1;
+ RRPD *match, *temp_list;
if (in_rrpd->decode_based)
{
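Review bot: The comment above `insert_into_temp_rsp_rrpd_list` still promises `If this is successful return the index of the entry. If there is no space return -1.`, but the new code always appends a file-scope `wmem_memdup` copy and returns its pointer, so it should say `Appends a file-scope copy of in_rrpd to temp_rsp_rrpd_list and returns that copy.` Note also that `wmem_list_remove` in `migrate_temp_rsp_rrpd` only unlinks the list frame; the copied RRPD stays allocated until the file scope is torn down, which is acceptable for wmem but worth a comment such as `/* the RRPD copy is file-scoped; only the list frame is released here */` so nobody later adds a free. `update_rrpd_list_entry_rsp` begins at the end of this hunk and continues past it.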
@@ -606,32 +601,32 @@ static void update_rrpd_list_entry_rsp(RRPD *in_rrpd)
if (in_rrpd->msg_id)
{
/* If we have a msg_id in the input RRPD we must have header information. */
- int temp_list_index = find_temp_rsp_rrpd(in_rrpd);
+ temp_list = find_temp_rsp_rrpd(in_rrpd);
- if (temp_list_index >= 0)
+ if (temp_list != NULL)
{
- update_temp_rsp_rrpd(temp_list_index, in_rrpd);
+ update_temp_rsp_rrpd(temp_list, in_rrpd);
/* Migrate the temp_rsp_rrpd_list entry to the main rrpd_list */
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_3);
- if (match_index >= 0)
- migrate_temp_rsp_rrpd(match_index, temp_list_index);
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_3);
+ if (match != NULL)
+ migrate_temp_rsp_rrpd(match, temp_list);
}
else
{
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_3);
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_3);
/* There isn't an entry in the temp_rsp_rrpd_list so update the master rrpd_list entry */
- if (match_index >= 0)
- update_rrpd_list_entry(match_index, in_rrpd);
+ if (match != NULL)
+ update_rrpd_list_entry(match, in_rrpd);
}
}
else
{
/* Update an existing entry to the temp_rsp_rrpd_list or add a new one. */
- int temp_list_index = find_temp_rsp_rrpd(in_rrpd);
+ temp_list = find_temp_rsp_rrpd(in_rrpd);
- if (temp_list_index >= 0)
- update_temp_rsp_rrpd(temp_list_index, in_rrpd);
+ if (temp_list != NULL)
+ update_temp_rsp_rrpd(temp_list, in_rrpd);
else
insert_into_temp_rsp_rrpd_list(in_rrpd);
}
@@ -639,16 +634,17 @@ static void update_rrpd_list_entry_rsp(RRPD *in_rrpd)
else
{
/* Reassembly isn't set and so just go ahead and use the list function */
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_8);
- if (match_index >= 0)
- update_rrpd_list_entry(match_index, in_rrpd);
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_8);
+ if (match != NULL)
+ update_rrpd_list_entry(match, in_rrpd);
}
}
else
{
/* if this isn't decode_based then just go ahead and update the RTE data */
- match_index = find_latest_rrpd(in_rrpd, RRPD_STATE_DONT_CARE);
- update_rrpd_list_entry(match_index, in_rrpd);
+ match = find_latest_rrpd(in_rrpd, RRPD_STATE_DONT_CARE);
+ if (match != NULL)
+ update_rrpd_list_entry(match, in_rrpd);
}
return;
@@ -669,53 +665,6 @@ static void update_rrpd_rte_data(RRPD *in_rrpd)
update_rrpd_list_entry_rsp(in_rrpd);
}
-/* This function initialises all of the sub_packets in the sub_packet array. */
-static void init_sub_packet(void)
-{
- for (int i = 0; i < MAX_SUBPKTS_PER_PACKET; i++)
- {
- sub_packet[i].frame_number = 0;
- sub_packet[i].relative_time.secs = 0;
- sub_packet[i].relative_time.nsecs = 0;
-
- sub_packet[i].tcp_retran = FALSE;
- sub_packet[i].tcp_keep_alive = FALSE;
- sub_packet[i].tcp_flags_syn = FALSE;
- sub_packet[i].tcp_flags_ack = FALSE;
- sub_packet[i].tcp_flags_reset = FALSE;
- sub_packet[i].tcp_flags_urg = FALSE;
- sub_packet[i].tcp_seq = 0;
-
- sub_packet[i].srcport = 0;
- sub_packet[i].dstport = 0;
- sub_packet[i].len = 0;
-
- sub_packet[i].tds_type = 0;
- sub_packet[i].tds_length = 0;
-
- sub_packet[i].smb2_msg_id = 0;
- sub_packet[i].smb2_sesid = 0;
- sub_packet[i].smb2_cmd = 0;
-
- sub_packet[i].smb_mid = 0;
-
- sub_packet[i].dcerpc_ver = 0;
- sub_packet[i].dcerpc_pkt_type = 0;
- sub_packet[i].dcerpc_cn_call_id = 0;
- sub_packet[i].dcerpc_cn_ctx_id = 0;
-
- sub_packet[i].dns_id = 0;
-
- sub_packet[i].pkt_of_interest = FALSE;
- sub_packet[i].rrpd.c2s = FALSE;
- sub_packet[i].rrpd.state = RRPD_STATE_INIT;
-
- clear_rrpd(&sub_packet[i].rrpd);
- }
-
- return;
-}
-
#if 0
void set_pkt_rrpd(PKT_INFO *current_pkt, guint8 ip_proto, guint32 stream_no, guint64 session_id, guint64 msg_id, gboolean requires_suffix)
{
@@ -728,15 +677,23 @@ void set_pkt_rrpd(PKT_INFO *current_pkt, guint8 ip_proto, guint32 stream_no, gui
current_pkt->rrpd.suffix = ++rrpd_suffix;
else
current_pkt->rrpd.suffix = 0;
-
- return;
}
#endif
+gboolean is_dcerpc_context_zero(guint32 pkt_type)
+{
+ return (wmem_map_lookup(dcerpc_context_zero, GUINT_TO_POINTER(pkt_type)) != NULL);
+}
+
+gboolean is_dcerpc_req_pkt_type(guint32 pkt_type)
+{
+ return (wmem_map_lookup(dcerpc_req_pkt_type, GUINT_TO_POINTER(pkt_type)) != NULL);
+}
+
/*
This function initialises the global variables and populates the
- tcp_svc_port table with information from the preference settings
+ [tcp|udp]_svc_ports tables with information from the preference settings
*/
static void init_globals(void)
{
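Review bot: `is_dcerpc_context_zero` and `is_dcerpc_req_pkt_type` test membership with `wmem_map_lookup(...) != NULL`, which only works if whatever `init_dcerpc_data` inserts is a non-NULL value; a key stored with a `GUINT_TO_POINTER(0)` value would read as absent. That contract, and the fact that both maps are created in `init_globals` (so these helpers must not run before it or after it returned early), belong in a comment on each, e.g. `/* True if pkt_type is a key in dcerpc_context_zero; stored values must be non-NULL, see init_dcerpc_data */`. Since both are non-static, the same text should accompany their prototypes in the header.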
@@ -750,55 +707,21 @@ static void init_globals(void)
function with a pointer of NULL and the called function just returns. */
remove_tap_listener(&fake_tap);
- if (!preferences.tsumenabled) return;
+ if (!proto_is_protocol_enabled(find_protocol_by_id(proto_transum)))
+ return;
/* Create and initialise some dynamic memory areas */
- detected_tcp_svc = (gboolean *)wmem_alloc0(wmem_file_scope(), (64 * 1024 * sizeof(gboolean)));
- sub_packet = (PKT_INFO *)wmem_alloc0(wmem_file_scope(), (MAX_SUBPKTS_PER_PACKET * sizeof(PKT_INFO)));
- rrpd_list = (RRPD *)wmem_alloc0(wmem_file_scope(), (MAX_RRPDS * sizeof(RRPD)));
- temp_rsp_rrpd_list = (RRPD *)wmem_alloc0(wmem_file_scope(), (SIZE_OF_TEMP_RSP_RRPD_LIST * sizeof(RRPD)));
-
- next_free_rrpd = 0;
-
- GString* fake_tap_filter = g_string_new("frame");
-
- /* ToDo: the following and the hf_of_interest mechanism above should be replaced by something array-based so that
- it is easier to extend. */
- g_string_append_printf(fake_tap_filter, " || eth.type");
- g_string_append_printf(fake_tap_filter, " || ip.proto");
- g_string_append_printf(fake_tap_filter, " || ipv6.nxt");
- g_string_append_printf(fake_tap_filter, " || tcp.srcport");
- g_string_append_printf(fake_tap_filter, " || tcp.dstport");
- g_string_append_printf(fake_tap_filter, " || tcp.stream");
- g_string_append_printf(fake_tap_filter, " || tcp.analysis.retransmission");
- g_string_append_printf(fake_tap_filter, " || tcp.analysis.keep_alive");
- g_string_append_printf(fake_tap_filter, " || tcp.len");
- g_string_append_printf(fake_tap_filter, " || tcp.flags.syn");
- g_string_append_printf(fake_tap_filter, " || tcp.flags.ack");
- g_string_append_printf(fake_tap_filter, " || tcp.flags.reset");
- g_string_append_printf(fake_tap_filter, " || tcp.urgent_pointer");
- g_string_append_printf(fake_tap_filter, " || tcp.seq");
-
- g_string_append_printf(fake_tap_filter, " || tds.type");
- g_string_append_printf(fake_tap_filter, " || tds.length");
-
- g_string_append_printf(fake_tap_filter, " || udp.srcport");
- g_string_append_printf(fake_tap_filter, " || udp.dstport");
- g_string_append_printf(fake_tap_filter, " || udp.stream");
- g_string_append_printf(fake_tap_filter, " || udp.length");
-
- g_string_append_printf(fake_tap_filter, " || smb2.msg_id");
- g_string_append_printf(fake_tap_filter, " || smb2.sesid");
- g_string_append_printf(fake_tap_filter, " || smb2.cmd");
-
- g_string_append_printf(fake_tap_filter, " || smb.mid");
-
- g_string_append_printf(fake_tap_filter, " || dcerpc.ver");
- g_string_append_printf(fake_tap_filter, " || dcerpc.pkt_type");
- g_string_append_printf(fake_tap_filter, " || dcerpc.cn_ctx_id");
- g_string_append_printf(fake_tap_filter, " || dcerpc.cn_call_id");
-
- g_string_append_printf(fake_tap_filter, " || dns.id");
+ detected_tcp_svc = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
+ rrpd_list = wmem_list_new(wmem_file_scope());
+ temp_rsp_rrpd_list = wmem_list_new(wmem_file_scope());
+
+ GString* fake_tap_filter = g_string_new("frame || eth.type");
+
+ for (int i = 0; i < HF_INTEREST_END_OF_LIST; i++)
+ {
+ g_string_append_printf(fake_tap_filter, " || %s", hf_of_interest[i].proto_name);
+ }
+
/* this fake tap is needed to force WS to pass a tree to the dissectors on
the first scan which causes the dissectors to create display filter values
@@ -809,40 +732,45 @@ static void init_globals(void)
TL_REQUIRES_NOTHING,
NULL, NULL, NULL); /* NULL pointers as this is a fake tap */
+ g_string_free(fake_tap_filter, TRUE);
+
if (error)
{
- report_failure("register_tap_listener() failed");
+ report_failure("register_tap_listener() failed - %s", error->str);
+ g_string_free(error, TRUE);
return;
}
- g_string_free(fake_tap_filter, TRUE);
+ preferences.tcp_svc_ports = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
+ preferences.udp_svc_ports = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
- /* use the range values to populate the tcp_svc_port list*/
+ /* use the range values to populate the tcp_svc_ports list*/
for (guint i = 0; i < tcp_svc_port_range_values->nranges; i++)
{
for (guint32 j = tcp_svc_port_range_values->ranges[i].low; j <= tcp_svc_port_range_values->ranges[i].high; j++)
{
- preferences.tcp_svc_port[j] = RTE_CALC_GTCP;
+ wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(j), GUINT_TO_POINTER(RTE_CALC_GTCP));
}
}
- /* use the range values to populate the tcp_svc_port list*/
+ /* use the range values to populate the udp_svc_ports list*/
for (guint i = 0; i < udp_svc_port_range_values->nranges; i++)
{
for (guint32 j = udp_svc_port_range_values->ranges[i].low; j <= udp_svc_port_range_values->ranges[i].high; j++)
{
- preferences.udp_svc_port[j] = RTE_CALC_GUDP;
+ wmem_map_insert(preferences.udp_svc_ports, GUINT_TO_POINTER(j), GUINT_TO_POINTER(RTE_CALC_GUDP));
}
}
- init_detected_tcp_svc();
+ /* create arrays to hold some DCE-RPC values */
+ dcerpc_context_zero = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
+ dcerpc_req_pkt_type = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
init_dcerpc_data();
- preferences.tcp_svc_port[445] = RTE_CALC_SMB2;
- preferences.udp_svc_port[53] = RTE_CALC_DNS;
-
- init_rrpd_data();
+ wmem_map_insert(preferences.tcp_svc_ports, GUINT_TO_POINTER(445), GUINT_TO_POINTER(RTE_CALC_SMB2));
+ wmem_map_insert(preferences.udp_svc_ports, GUINT_TO_POINTER(53), GUINT_TO_POINTER(RTE_CALC_DNS));
+ output_rrpd = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
}
/* This function adds the RTE data to the tree. The summary ptr is currently
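Review bot: In the `if (error)` branch the function returns after `rrpd_list`, `temp_rsp_rrpd_list` and `detected_tcp_svc` have been re-created but before `preferences.tcp_svc_ports`, `preferences.udp_svc_ports`, `dcerpc_context_zero`, `dcerpc_req_pkt_type` and `output_rrpd` are, so on a second capture those globals keep pointers into the previous file scope that wmem has already released. If the protocol stays enabled after the failure, `dissect_transum`'s `wmem_map_lookup(output_rrpd, ...)` in a later hunk would then read freed memory. Moving the five `wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal)` assignments above the `register_tap_listener` call leaves every table valid and empty on the error path; the early `return` when the protocol is disabled has the same shape, though presumably no dissection follows it.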
@@ -856,13 +784,14 @@ static void write_rte(RRPD *in_rrpd, tvbuff_t *tvb, proto_tree *tree, char *summ
nstime_t rte_rspspread;
proto_tree *rte_tree;
proto_item *pi;
-
- char *temp_string = (char *)wmem_alloc(wmem_packet_scope(), SIZEOF_TEMP_STRING);
+ wmem_strbuf_t *temp_string = wmem_strbuf_new(wmem_packet_scope(), "");
if (in_rrpd->req_first_frame)
{
- nstime_delta(&rte_reqspread, &(in_rrpd->req_last_rtime), &(in_rrpd->req_first_rtime));
+ pi = proto_tree_add_item(tree, proto_transum, tvb, 0, -1, ENC_NA);
+ rte_tree = proto_item_add_subtree(pi, ett_transum);
+ nstime_delta(&rte_reqspread, &(in_rrpd->req_last_rtime), &(in_rrpd->req_first_rtime));
if (in_rrpd->rsp_first_frame)
{
/* calculate the RTE times */
@@ -870,17 +799,15 @@ static void write_rte(RRPD *in_rrpd, tvbuff_t *tvb, proto_tree *tree, char *summ
nstime_delta(&rte_st, &(in_rrpd->rsp_first_rtime), &(in_rrpd->req_last_rtime));
nstime_delta(&rte_rspspread, &(in_rrpd->rsp_last_rtime), &(in_rrpd->rsp_first_rtime));
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "OK");
+ pi = proto_tree_add_string(rte_tree, hf_tsum_status, tvb, 0, 0, "OK");
}
else
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "Response missing");
-
- pi = proto_tree_add_item(tree, proto_transum, tvb, 0, -1, ENC_NA);
- rte_tree = proto_item_add_subtree(pi, ett_transum);
-
- pi = proto_tree_add_string(rte_tree, hf_tsum_status, tvb, 0, 0, temp_string);
+ {
+ pi = proto_tree_add_string(rte_tree, hf_tsum_status, tvb, 0, 0, "Response missing");
+ }
PROTO_ITEM_SET_GENERATED(pi);
+
pi = proto_tree_add_uint(rte_tree, hf_tsum_req_first_seg, tvb, 0, 0, in_rrpd->req_first_frame);
PROTO_ITEM_SET_GENERATED(pi);
pi = proto_tree_add_uint(rte_tree, hf_tsum_req_last_seg, tvb, 0, 0, in_rrpd->req_last_frame);
@@ -909,52 +836,22 @@ static void write_rte(RRPD *in_rrpd, tvbuff_t *tvb, proto_tree *tree, char *summ
}
if (in_rrpd->ip_proto == IP_PROTO_TCP)
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "tcp.stream==%d", in_rrpd->stream_no);
+ wmem_strbuf_append_printf(temp_string, "tcp.stream==%d", in_rrpd->stream_no);
else if (in_rrpd->ip_proto == IP_PROTO_UDP)
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "udp.stream==%d", in_rrpd->stream_no);
+ wmem_strbuf_append_printf(temp_string, "udp.stream==%d", in_rrpd->stream_no);
if (in_rrpd->rsp_first_frame)
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "%s && frame.number>=%d && frame.number<=%d", temp_string, in_rrpd->req_first_frame, in_rrpd->rsp_last_frame);
+ wmem_strbuf_append_printf(temp_string, " && frame.number>=%d && frame.number<=%d", in_rrpd->req_first_frame, in_rrpd->rsp_last_frame);
else
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "%s && frame.number>=%d && frame.number<=%d", temp_string, in_rrpd->req_first_frame, in_rrpd->req_last_frame);
+ wmem_strbuf_append_printf(temp_string, " && frame.number>=%d && frame.number<=%d", in_rrpd->req_first_frame, in_rrpd->req_last_frame);
if (in_rrpd->calculation == RTE_CALC_GTCP)
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "%s && tcp.len>0", temp_string);
+ wmem_strbuf_append_printf(temp_string, " && tcp.len>0");
- pi = proto_tree_add_string(rte_tree, hf_tsum_clip_filter, tvb, 0, 0, temp_string);
+ pi = proto_tree_add_string(rte_tree, hf_tsum_clip_filter, tvb, 0, 0, wmem_strbuf_get_str(temp_string));
PROTO_ITEM_SET_GENERATED(pi);
- switch (in_rrpd->calculation)
- {
- case RTE_CALC_GTCP:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "Generic TCP");
- break;
-
- case RTE_CALC_SYN:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "SYN and SYN/ACK");
- break;
-
- case RTE_CALC_DCERPC:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "DCE-RPC");
- break;
-
- case RTE_CALC_SMB2:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "SMB2");
- break;
-
- case RTE_CALC_GUDP:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "Generic UDP");
- break;
-
- case RTE_CALC_DNS:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "DNS");
- break;
-
- default:
- g_snprintf(temp_string, SIZEOF_TEMP_STRING, "Unknown calculation type: %d", in_rrpd->calculation);
- break;
- }
- pi = proto_tree_add_string(rte_tree, hf_tsum_calculation, tvb, 0, 0, temp_string);
+ pi = proto_tree_add_string(rte_tree, hf_tsum_calculation, tvb, 0, 0, val_to_str(in_rrpd->calculation, rrdp_calculation_vals, "Unknown calculation type: %d"));
PROTO_ITEM_SET_GENERATED(pi);
if (in_rrpd->rsp_first_frame)
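Review bot: The rebuilt filter string formats frame numbers and `stream_no` with `%d`, but those fields are unsigned (the frame numbers go to the tree with `proto_tree_add_uint` earlier in write_rte, and `set_pkt_rrpd` takes `stream_no` as `guint32`), so `%u` is the matching conversion in the four `wmem_strbuf_append_printf` calls. `wmem_strbuf_append_printf(temp_string, " && tcp.len>0")` has no arguments and can be `wmem_strbuf_append(temp_string, " && tcp.len>0");`. The value_string passed to `val_to_str` is named `rrdp_calculation_vals` while everything else in the file spells the acronym `rrpd`; if that is not intentional it is worth renaming before the identifier spreads. write_rte starts outside this hunk.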
@@ -973,119 +870,119 @@ static void write_rte(RRPD *in_rrpd, tvbuff_t *tvb, proto_tree *tree, char *summ
/*
This function sets initial values in the current_pkt structure and checks
- the xxx_svc_port arrays to see if they conatin a match for the source or
- destination port. This function also adds tcp_svc_port entries when it
+ the xxx_svc_port arrays to see if they contain a match for the source or
+ destination port. This function also adds tcp_svc_ports entries when it
discovers DCE-RPC traffic.
Returns the number of sub-packets to be processed.
*/
-static void set_proto_values(packet_info *pinfo, proto_tree *tree)
+static void set_proto_values(packet_info *pinfo, proto_tree *tree, PKT_INFO* pkt_info, PKT_INFO* subpackets)
{
guint32 field_uint[MAX_RETURNED_ELEMENTS]; /* An extracted field array for unsigned integers */
size_t field_value_count; /* How many entries are there in the extracted field array */
- sub_packet[0].frame_number = pinfo->fd->num; /* easy access to frame number */
- sub_packet[0].relative_time = pinfo->rel_ts;
+ pkt_info->frame_number = pinfo->fd->num; /* easy access to frame number */
+ pkt_info->relative_time = pinfo->rel_ts;
int number_sub_pkts_of_interest = 0; /* default */
if (pinfo->ptype == PT_TCP)
- sub_packet[0].rrpd.ip_proto = IP_PROTO_TCP;
+ pkt_info->rrpd.ip_proto = IP_PROTO_TCP;
else if (pinfo->ptype == PT_UDP)
- sub_packet[0].rrpd.ip_proto = IP_PROTO_UDP;
+ pkt_info->rrpd.ip_proto = IP_PROTO_UDP;
- if (sub_packet[0].rrpd.ip_proto == IP_PROTO_TCP)
+ if (pkt_info->rrpd.ip_proto == IP_PROTO_TCP)
{
- number_sub_pkts_of_interest = decode_gtcp(pinfo, tree);
+ number_sub_pkts_of_interest = decode_gtcp(pinfo, tree, pkt_info);
/* decode_gtcp may return 0 but we need to keep processing because we
calculate RTE figures for all SYNs and also we may detect DCE-RPC later
- (even though we don't currently have an entry in the tcp_svc_port list). */
+ (even though we don't currently have an entry in the tcp_svc_ports list). */
- if (sub_packet[0].tcp_retran)
+ if (pkt_info->tcp_retran)
{
/* we may not want to continue with this packet if it's a retransmission */
/* If this is a server-side trace we need to ignore client-to-service TCP retransmissions
the rationale being that if we saw the original in the trace the service process saw it too */
- if (sub_packet[0].rrpd.c2s && preferences.capture_position == CAPTURE_SERVICE)
+ if (pkt_info->rrpd.c2s && preferences.capture_position == CAPTURE_SERVICE)
{
- sub_packet[0].pkt_of_interest = FALSE;
+ pkt_info->pkt_of_interest = FALSE;
return;
}
/* If this is a client-side trace we need to ignore service-to-client TCP retransmissions
the rationale being that if we saw the original in the trace the client process saw it too */
- else if (!sub_packet[0].rrpd.c2s && preferences.capture_position == CAPTURE_CLIENT)
+ else if (!pkt_info->rrpd.c2s && preferences.capture_position == CAPTURE_CLIENT)
{
- sub_packet[0].pkt_of_interest = FALSE;
+ pkt_info->pkt_of_interest = FALSE;
return;
}
}
/* We are not interested in TCP Keep-Alive */
- if (sub_packet[0].tcp_keep_alive)
+ if (pkt_info->tcp_keep_alive)
{
- sub_packet[0].pkt_of_interest = FALSE;
+ pkt_info->pkt_of_interest = FALSE;
return;
}
- if (sub_packet[0].len == 1)
+ if (pkt_info->len == 1)
{
- if (preferences.orphan_ka_discard && sub_packet[0].tcp_flags_ack && sub_packet[0].rrpd.c2s)
+ if (preferences.orphan_ka_discard && pkt_info->tcp_flags_ack && pkt_info->rrpd.c2s)
{
- sub_packet[0].pkt_of_interest = FALSE;
+ pkt_info->pkt_of_interest = FALSE;
return; /* It's a KEEP-ALIVE -> stop processing this packet */
}
}
/* check if SYN */
- if (sub_packet[0].tcp_flags_syn)
- number_sub_pkts_of_interest = decode_syn(pinfo, tree);
+ if (pkt_info->tcp_flags_syn)
+ number_sub_pkts_of_interest = decode_syn(pinfo, tree, pkt_info);
- if (sub_packet[0].len > 0)
+ if (pkt_info->len > 0)
{
/* check if SMB2 */
- if (sub_packet[0].dstport == 445 || sub_packet[0].srcport == 445)
- number_sub_pkts_of_interest = decode_smb(pinfo, tree);
+ if (pkt_info->dstport == 445 || pkt_info->srcport == 445)
+ number_sub_pkts_of_interest = decode_smb(pinfo, tree, pkt_info, subpackets);
/* check if DCE-RPC */
- else if (!extract_uint(tree, hf_of_interest.dcerpc_ver, field_uint, &field_value_count))
+ else if (!extract_uint(tree, hf_of_interest[HF_INTEREST_DCERPC_VER].hf, field_uint, &field_value_count))
{
if (field_value_count)
- number_sub_pkts_of_interest = decode_dcerpc(pinfo, tree);
+ number_sub_pkts_of_interest = decode_dcerpc(pinfo, tree, pkt_info);
}
}
}
- else if (sub_packet[0].rrpd.ip_proto == IP_PROTO_UDP)
+ else if (pkt_info->rrpd.ip_proto == IP_PROTO_UDP)
{
/* It's UDP */
- number_sub_pkts_of_interest = decode_gudp(pinfo, tree);
+ number_sub_pkts_of_interest = decode_gudp(pinfo, tree, pkt_info);
- if (sub_packet[0].srcport == 53 || sub_packet[0].dstport == 53)
- number_sub_pkts_of_interest = decode_dns(pinfo, tree);
+ if (pkt_info->srcport == 53 || pkt_info->dstport == 53)
+ number_sub_pkts_of_interest = decode_dns(pinfo, tree, pkt_info);
}
/* Set appropriate RTE values in the sub-packets */
- for (int i = 0; i < number_sub_pkts_of_interest; i++)
+ for (int i = 0; (i < number_sub_pkts_of_interest) && (i < MAX_SUBPKTS_PER_PACKET); i++)
{
- if (sub_packet[0].rrpd.c2s)
+ if (pkt_info->rrpd.c2s)
{
- sub_packet[i].rrpd.req_first_frame = sub_packet[0].frame_number;
- sub_packet[i].rrpd.req_first_rtime = sub_packet[0].relative_time;
- sub_packet[i].rrpd.req_last_frame = sub_packet[0].frame_number;
- sub_packet[i].rrpd.req_last_rtime = sub_packet[0].relative_time;
+ subpackets[i].rrpd.req_first_frame = pkt_info->frame_number;
+ subpackets[i].rrpd.req_first_rtime = pkt_info->relative_time;
+ subpackets[i].rrpd.req_last_frame = pkt_info->frame_number;
+ subpackets[i].rrpd.req_last_rtime = pkt_info->relative_time;
- sub_packet[i].frame_number = sub_packet[0].frame_number; /* this acts as a switch later */
+ subpackets[i].frame_number = pkt_info->frame_number; /* this acts as a switch later */
}
else
{
- sub_packet[i].rrpd.rsp_first_frame = sub_packet[0].frame_number;
- sub_packet[i].rrpd.rsp_first_rtime = sub_packet[0].relative_time;
- sub_packet[i].rrpd.rsp_last_frame = sub_packet[0].frame_number;
- sub_packet[i].rrpd.rsp_last_rtime = sub_packet[0].relative_time;
+ subpackets[i].rrpd.rsp_first_frame = pkt_info->frame_number;
+ subpackets[i].rrpd.rsp_first_rtime = pkt_info->relative_time;
+ subpackets[i].rrpd.rsp_last_frame = pkt_info->frame_number;
+ subpackets[i].rrpd.rsp_last_rtime = pkt_info->relative_time;
- sub_packet[i].frame_number = sub_packet[0].frame_number; /* this acts as a switch later */
+ subpackets[i].frame_number = pkt_info->frame_number; /* this acts as a switch later */
}
}
}
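Review bot: The comment block at the top of this hunk still ends `Returns the number of sub-packets to be processed.` although `set_proto_values` is `void`, and it still calls the svc-port tables `arrays` after they became wmem maps; `Fills pkt_info (and subpackets[0..n-1]) in place; returns nothing.` would match the code. The new signature also relies on the caller passing `pkt_info == &subpackets[0]` (the loop's `subpackets[i].frame_number = pkt_info->frame_number` is a self-assignment for i == 0), which deserves a comment on the parameters such as `/* pkt_info must alias subpackets[0]; the sub-packet loop overwrites it */`. The added `i < MAX_SUBPKTS_PER_PACKET` bound is the right guard for the `subpackets` array; a short comment saying it exists because a decoder may report more sub-packets than the array holds would explain why it is there.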
@@ -1098,12 +995,10 @@ static void set_proto_values(packet_info *pinfo, proto_tree *tree)
*/
static int dissect_transum(tvbuff_t *buffer, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
- if (!preferences.tsumenabled) return 0;
-
/* if (there is RTE info associated with this packet we need to output it */
if (PINFO_FD_VISITED(pinfo))
{
- RRPD *rrpd = output_rrpd[pinfo->num];
+ RRPD *rrpd = (RRPD*)wmem_map_lookup(output_rrpd, GUINT_TO_POINTER(pinfo->num));
if (rrpd)
/* Add the RTE data to the protocol decode tree if we output_flag is set */
@@ -1111,9 +1006,9 @@ static int dissect_transum(tvbuff_t *buffer, packet_info *pinfo, proto_tree *tre
}
else
{
- init_sub_packet();
+ PKT_INFO *sub_packet = wmem_alloc0_array(wmem_packet_scope(), PKT_INFO, MAX_SUBPKTS_PER_PACKET);
- set_proto_values(pinfo, tree);
+ set_proto_values(pinfo, tree, &sub_packet[0], sub_packet);
if (sub_packet[0].pkt_of_interest)
{
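Review bot: The sub-packet array is now packet-scoped (`wmem_alloc0_array(wmem_packet_scope(), PKT_INFO, MAX_SUBPKTS_PER_PACKET)`), so any pointer into it that survives dissect_transum — for instance an RRPD handed to the file-scoped `output_rrpd` map that the first branch reads back on the second pass — would dangle; the callees of set_proto_values are outside this chunk, so please confirm they copy the PKT_INFO/RRPD contents rather than retain the pointer. The callee also receives no length: it is handed `&sub_packet[0]` and `sub_packet` and must bound its own loops by MAX_SUBPKTS_PER_PACKET, which the call site does not make visible. A comment on the allocation such as `/* MAX_SUBPKTS_PER_PACKET entries, packet lifetime; [0] doubles as pkt_info */` would state that contract. dissect_transum continues past the end of the hunk.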
@@ -1138,22 +1033,17 @@ proto_register_transum(void)
dissector_handle_t transum_handle;
static hf_register_info hf[] = {
- { &hf_tsum,
- { "TRANSUM", "transum",
- FT_NONE, BASE_NONE, NULL, 0x0,
- "Post-dissector to generate RTE information", HFILL } },
-
{ &hf_tsum_status,
{ "RTE Status", "transum.status",
FT_STRING, BASE_NONE, NULL, 0x0,
"Indication of completeness of the RTE information", HFILL } },
-
+#if 0
{ &hf_tsum_time_units,
{ "RTE Time Units", "transum.time_units",
FT_STRING, BASE_NONE, NULL, 0x0,
"Time units used (s, ms or us) for the RTE values", HFILL }
},
-
+#endif
{ &hf_tsum_req_first_seg,
{ "Req First Seg", "transum.firstreq",
FT_FRAMENUM, BASE_NONE, NULL, 0x0,
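Review bot: Wrapping the `hf_tsum_time_units` registration in `#if 0` parks code rather than removing it, and leaves no hint whether the field is coming back or why it went. If the `hf_tsum_time_units` variable is still defined elsewhere in the file it is now an unregistered field id that nothing may use. Either drop the entry and its variable, or replace the bare `#if 0` with a one-line reason, e.g. `/* not registered: time units are not emitted per packet — revisit or delete */`, so the next reader does not have to guess.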
@@ -1228,14 +1118,13 @@ proto_register_transum(void)
&ett_transum_data
};
- proto_transum = proto_register_protocol(
- "TRANSUM RTE Data", /* name */
- "TRANSUM", /* short name */
- "transum" /* abbrev */
- );
+ proto_transum = proto_register_protocol("TRANSUM RTE Data", "TRANSUM", "transum");
+
+ /* Due to performance concerns of the dissector, it's disabled by default */
+ proto_disable_by_default(proto_transum);
+
/* Set User Preferences defaults */
- preferences.tsumenabled = FALSE;
preferences.capture_position = TRACE_CAP_CLIENT;
preferences.reassembly = TRUE;
@@ -1262,10 +1151,6 @@ proto_register_transum(void)
preferences.rte_on_first_rsp = FALSE;
preferences.rte_on_last_rsp = FALSE;
- /* create arrays to hold some DCE-RPC values */
- dcerpc_req_pkt_type = (gboolean *)wmem_alloc(wmem_epan_scope(), (256 * sizeof(gboolean)));
- dcerpc_context_zero = (gboolean *)wmem_alloc(wmem_epan_scope(), (256 * sizeof(gboolean)));
-
/* no start registering stuff */
proto_register_field_array(proto_transum, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
@@ -1273,10 +1158,7 @@ proto_register_transum(void)
transum_module = prefs_register_protocol(proto_transum, NULL); /* ToDo: We need to rethink the NULL pointer so that a preference change causes a rescan */
/* Register the preferences */
- prefs_register_bool_preference(transum_module, "tsumenabled",
- "TRANSUM enabled",
- "Uncheck to bypass TRANSUM",
- &preferences.tsumenabled);
+ prefs_register_obsolete_preference(transum_module, "tsumenabled");
prefs_register_enum_preference(transum_module,
"capture_position",
@@ -1348,7 +1230,6 @@ proto_register_transum(void)
transum_handle = register_dissector("transum", dissect_transum, proto_transum);
- transum_module = prefs_register_protocol(proto_transum, proto_reg_handoff_transum);
register_init_routine(init_globals);
register_postdissector(transum_handle);
@@ -1357,44 +1238,10 @@ proto_register_transum(void)
void proto_reg_handoff_transum(void)
{
/* Get the field id for each field we will need */
- hf_of_interest.ip_proto = proto_registrar_get_id_byname("ip.proto");
- hf_of_interest.ipv6_nxt = proto_registrar_get_id_byname("ipv6.nxt");
- hf_of_interest.tcp_retran = proto_registrar_get_id_byname("tcp.analysis.retransmission");
- hf_of_interest.tcp_keep_alive = proto_registrar_get_id_byname("tcp.analysis.keep_alive");
- hf_of_interest.tcp_flags_syn = proto_registrar_get_id_byname("tcp.flags.syn");
- hf_of_interest.tcp_flags_ack = proto_registrar_get_id_byname("tcp.flags.ack");
- hf_of_interest.tcp_flags_reset = proto_registrar_get_id_byname("tcp.flags.reset");
- hf_of_interest.tcp_flags_urg = proto_registrar_get_id_byname("tcp.flags.urg");
- hf_of_interest.tcp_seq = proto_registrar_get_id_byname("tcp.seq");
- hf_of_interest.tcp_srcport = proto_registrar_get_id_byname("tcp.srcport");
- hf_of_interest.tcp_dstport = proto_registrar_get_id_byname("tcp.dstport");
- hf_of_interest.tcp_stream = proto_registrar_get_id_byname("tcp.stream");
- hf_of_interest.tcp_len = proto_registrar_get_id_byname("tcp.len");
-
- hf_of_interest.udp_srcport = proto_registrar_get_id_byname("udp.srcport");
- hf_of_interest.udp_dstport = proto_registrar_get_id_byname("udp.dstport");
- hf_of_interest.udp_stream = proto_registrar_get_id_byname("udp.stream");
- hf_of_interest.udp_length = proto_registrar_get_id_byname("udp.length");
-
- hf_of_interest.tds_type = proto_registrar_get_id_byname("tds.type");
- hf_of_interest.tds_length = proto_registrar_get_id_byname("tds.length");
-
- hf_of_interest.smb_mid = proto_registrar_get_id_byname("smb.mid");
-
- hf_of_interest.smb2_ses_id = proto_registrar_get_id_byname("smb2.sesid");
- hf_of_interest.smb2_msg_id = proto_registrar_get_id_byname("smb2.msg_id");
- hf_of_interest.smb2_cmd = proto_registrar_get_id_byname("smb2.msg_cmd");
-
- hf_of_interest.dcerpc_ver = proto_registrar_get_id_byname("dcerpc.ver");
- hf_of_interest.dcerpc_pkt_type = proto_registrar_get_id_byname("dcerpc.pkt_type");
- hf_of_interest.dcerpc_cn_call_id = proto_registrar_get_id_byname("dcerpc.cn_call_id");
- hf_of_interest.dcerpc_cn_ctx_id = proto_registrar_get_id_byname("dcerpc.cn_ctx_id");
-
- hf_of_interest.dns_id = proto_registrar_get_id_byname("dns.id");
-
- if (!preferences.tsumenabled)
- proto_disable_by_default(proto_transum);
- proto_set_decoding(proto_transum, preferences.tsumenabled);
+ for (int i = 0; i < HF_INTEREST_END_OF_LIST; i++)
+ {
+ hf_of_interest[i].hf = proto_registrar_get_id_byname(hf_of_interest[i].proto_name);
+ }
}
/*
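Review bot: The lookup loop in proto_reg_handoff_transum stores whatever `proto_registrar_get_id_byname` returns without checking it; if I recall the API correctly it yields -1 for a name that is not registered (a renamed field, or a dissector such as tds/smb2 that is absent in this build), and the decoders would then search packets for an invalid field id and quietly never match. Since every name now sits in one table this is cheap to detect in one place: after the assignment add `if (hf_of_interest[i].hf == -1) g_warning("transum: field %s not found", hf_of_interest[i].proto_name);` (GLib is already in use here) so a stale name shows up at load time instead of as missing RTE data. The table `hf_of_interest[]` itself is defined outside this chunk, so I cannot see whether its initial `hf` values are -1 or 0.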
diff --git a/plugins/transum/packet-transum.h b/plugins/transum/packet-transum.h
index 2ad98e8aef..ed3665069e 100644
--- a/plugins/transum/packet-transum.h
+++ b/plugins/transum/packet-transum.h
@@ -47,13 +47,7 @@
#define RTE_CALC_DCERPC 6
#define RTE_CALC_DNS 7
-#define RRPD_SIZE 64
-
-#define MAX_STREAMS_PER_PROTOCOL 256*1024
-#define MAX_PACKETS 8000000 /* We support 8 million packets */
#define MAX_SUBPKTS_PER_PACKET 16
-#define MAX_RRPDS 1000000 /* We support 4 million RRPDs */
-#define SIZE_OF_TEMP_RSP_RRPD_LIST 1024
/*
An RR pair is identified by a Fully Qualified Message ID (RRPD)
@@ -143,48 +137,59 @@ typedef struct _PKT_INFO
} PKT_INFO;
-typedef struct _HF_OF_INTEREST
-{
- int ip_proto;
- int ipv6_nxt;
+typedef enum {
+ HF_INTEREST_IP_PROTO = 0,
+ HF_INTEREST_IPV6_NXT,
- int tcp_retran;
- int tcp_keep_alive;
- int tcp_flags_syn;
- int tcp_flags_ack;
- int tcp_flags_reset;
- int tcp_flags_urg;
- int tcp_seq;
- int tcp_srcport;
- int tcp_dstport;
- int tcp_stream;
- int tcp_len;
+ HF_INTEREST_TCP_RETRAN,
+ HF_INTEREST_TCP_KEEP_ALIVE,
+ HF_INTEREST_TCP_FLAGS_SYN,
+ HF_INTEREST_TCP_FLAGS_ACK,
+ HF_INTEREST_TCP_FLAGS_RESET,
+ HF_INTEREST_TCP_FLAGS_URG,
+ HF_INTEREST_TCP_SEQ,
+ HF_INTEREST_TCP_SRCPORT,
+ HF_INTEREST_TCP_DSTPORT,
+ HF_INTEREST_TCP_STREAM,
+ HF_INTEREST_TCP_LEN,
- int udp_srcport;
- int udp_dstport;
- int udp_stream;
- int udp_length;
+ HF_INTEREST_UDP_SRCPORT,
+ HF_INTEREST_UDP_DSTPORT,
+ HF_INTEREST_UDP_STREAM,
+ HF_INTEREST_UDP_LENGTH,
- int tds_type;
- int tds_length;
+ HF_INTEREST_TDS_TYPE,
+ HF_INTEREST_TDS_LENGTH,
- int smb_mid;
+ HF_INTEREST_SMB_MID,
- int smb2_ses_id;
- int smb2_msg_id;
- int smb2_cmd;
+ HF_INTEREST_SMB2_SES_ID,
+ HF_INTEREST_SMB2_MSG_ID,
+ HF_INTEREST_SMB2_CMD,
- int dcerpc_ver;
- int dcerpc_pkt_type;
- int dcerpc_cn_call_id;
- int dcerpc_cn_ctx_id;
+ HF_INTEREST_DCERPC_VER,
+ HF_INTEREST_DCERPC_PKT_TYPE,
+ HF_INTEREST_DCERPC_CN_CALL_ID,
+ HF_INTEREST_DCERPC_CN_CTX_ID,
- int dns_id;
+ HF_INTEREST_DNS_ID,
- int data_data;
-} HF_OF_INTEREST;
+ HF_INTEREST_END_OF_LIST
+} ehf_of_interest;
+
+typedef struct _HF_OF_INTEREST_INFO
+{
+ int hf;
+ const char* proto_name;
+
+} HF_OF_INTEREST_INFO;
+
+extern HF_OF_INTEREST_INFO hf_of_interest[HF_INTEREST_END_OF_LIST];
void add_detected_tcp_svc(guint16 port);
+extern gboolean is_dcerpc_context_zero(guint32 pkt_type);
+extern gboolean is_dcerpc_req_pkt_type(guint32 pkt_type);
+
/*
* Editor modelines - http://www.wireshark.org/tools/modelines.html
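Review bot: `ehf_of_interest` is an index into `hf_of_interest[]`, whose initializer lives in packet-transum.c outside this chunk, so the enum and the table must stay in the same order — an entry added to one and not the other, or inserted at a different position, silently binds a lookup to the wrong field name with no compiler complaint. Designated initializers in the table, e.g. `[HF_INTEREST_TCP_SEQ] = { -1, "tcp.seq" },`, tie each slot to its enum constant and remove that hazard; at minimum the enum should carry `/* index into hf_of_interest[]; keep in sync with the table in packet-transum.c */`. Separately, `is_dcerpc_context_zero`/`is_dcerpc_req_pkt_type` replace two 256-entry arrays that were indexed by pkt_type but take an unrestricted `guint32`; their bodies are not in this chunk, so please make sure they do not index a fixed table with the unchecked value. The `extern` on these two prototypes is redundant in a header and the file's other declaration (`add_detected_tcp_svc`) omits it.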
diff --git a/plugins/transum/preferences.h b/plugins/transum/preferences.h
index 4daebbcaf6..6cde8ad8ae 100644
--- a/plugins/transum/preferences.h
+++ b/plugins/transum/preferences.h
@@ -37,12 +37,10 @@
* This is populated with preferences "service ports" data */
typedef struct _TSUM_PREFERENCES
{
- gboolean tsumenabled;
int capture_position;
gboolean reassembly;
- guint8 tcp_svc_port[64 * 1024];
- guint8 udp_svc_port[64 * 1024];
- gboolean dcerpc_svc_port[64 * 1024];
+ wmem_map_t *tcp_svc_ports;
+ wmem_map_t *udp_svc_ports;
gboolean orphan_ka_discard;
int time_multiplier;
gboolean rte_on_first_req;
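Review bot: The `tcp_svc_port`/`udp_svc_port` arrays were always-valid storage inside the preferences struct, whereas `tcp_svc_ports`/`udp_svc_ports` are pointers that are NULL until someone creates the maps; a preference-apply callback or `add_detected_tcp_svc` running before that would dereference NULL in the map lookup. The creation site is not in this chunk, so please confirm the maps are allocated in proto_register_transum (epan scope) rather than only in the init routine, and say so on the fields: `wmem_map_t *tcp_svc_ports; /* created in proto_register_transum, epan scope; never NULL after registration */`. Note also that `dcerpc_svc_port` has no replacement here, so whatever consulted it must now get that information elsewhere.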