1 /* packet-tcp.h
2  *
3  * Wireshark - Network traffic analyzer
4  * By Gerald Combs <gerald@wireshark.org>
5  * Copyright 1998 Gerald Combs
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  */
9 
10 #ifndef __PACKET_TCP_H__
11 #define __PACKET_TCP_H__
12 
13 #ifdef __cplusplus
14 extern "C" {
15 #endif /* __cplusplus */
16 
17 #include "ws_symbol_export.h"
18 
19 #include <epan/conversation.h>
20 #include <epan/wmem/wmem.h>
21 #include <epan/wmem/wmem_interval_tree.h>
22 
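/* TCP flags, laid out as in the low 12 bits of the 16-bit
 * data-offset/reserved/flags word (NS and the three reserved bits included). */
#define TH_FIN 0x0001
#define TH_SYN 0x0002
#define TH_RST 0x0004
#define TH_PUSH 0x0008
#define TH_ACK 0x0010
#define TH_URG 0x0020
#define TH_ECN 0x0040
#define TH_CWR 0x0080
#define TH_NS 0x0100
#define TH_RES 0x0E00 /* 3 reserved bits */
#define TH_MASK 0x0FFF

/* Flag tests. The argument is parenthesized so that an expression argument
 * such as IS_TH_FIN(a | b) is masked as a whole, not just its last operand. */
#define IS_TH_FIN(x) ((x) & TH_FIN)
#define IS_TH_URG(x) ((x) & TH_URG)

/* Sequence-number comparison modulo 2^32: x is "greater" than y either when
 * x > y numerically, or when y is so much bigger that the sequence space is
 * assumed to have wrapped. This is done by reinterpreting the unsigned
 * difference as a signed 32-bit value; that conversion is implementation-
 * defined (not undefined) in C and reduces modulo 2^32 on the compilers
 * Wireshark builds with. Never compare sequence numbers with plain < or >. */
#define GT_SEQ(x, y) ((gint32)((y) - (x)) < 0)
#define LT_SEQ(x, y) ((gint32)((x) - (y)) < 0)
#define GE_SEQ(x, y) ((gint32)((y) - (x)) <= 0)
#define LE_SEQ(x, y) ((gint32)((x) - (y)) <= 0)
/* Fully parenthesized: without the outer pair, !EQ_SEQ(a, b) expanded to
 * !(a) == (b), which silently compares the wrong things. */
#define EQ_SEQ(x, y) ((x) == (y))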
45 
/* mh as in mptcp header.
 * MPTCP-option state extracted from a single TCP segment; reachable from a
 * tcp_info_t through th_mptcp. The mh_* booleans record which options were
 * present, and the value members are only meaningful when the option that
 * carries them was seen (mh_key with mh_mpc, mh_token with mh_join, the
 * mh_dss_* members with mh_dss). */
struct mptcpheader {

    gboolean mh_mpc;          /* true if seen an mp_capable option */
    gboolean mh_join;         /* true if seen an mp_join option */
    gboolean mh_dss;          /* true if seen a dss */
    gboolean mh_fastclose;    /* true if seen a fastclose */
    gboolean mh_fail;         /* true if seen an MP_FAIL */

    guint8 mh_capable_flags;  /* MP_CAPABLE flags byte, e.g. to get the hmac version */
    guint8 mh_dss_flags;      /* data sequence signal flags */
    guint32 mh_dss_ssn;       /* DSS Subflow Sequence Number */
    guint64 mh_dss_rawdsn;    /* DSS Data Sequence Number as carried on the wire */
    guint64 mh_dss_rawack;    /* DSS raw data ack */
    guint16 mh_dss_length;    /* mapping/DSS length */

    guint64 mh_key;           /* Sender key in MP_CAPABLE */
    guint32 mh_token;         /* seen in MP_JOIN. Should be a hash of the initial key */

    guint32 mh_stream;        /* this stream index field is included to help differentiate when address/port pairs are reused */

    /* Data Sequence Number of the current segment. It needs to be computed from previous mappings
     * and as such is not necessarily set
     */
    guint64 mh_rawdsn64;
    /* DSN formatted according to the wireshark MPTCP options */
    guint64 mh_dsn;
};
74 
/* the tcp header structure, passed to tap listeners.
 * Filled by the TCP dissector for every segment. th_rawseq is always the
 * on-the-wire value; th_seq is raw or relative according to the
 * tcp_relative_seq preference. */
typedef struct tcpheader {
    guint32 th_rawseq;       /* raw value */
    guint32 th_seq;          /* raw or relative value depending on tcp_relative_seq */

    guint32 th_ack;          /* acknowledgment number (whether it follows the th_seq raw/relative rule is not stated here) */
    gboolean th_have_seglen; /* TRUE if th_seglen is valid */
    guint32 th_seglen;       /* in bytes */
    guint32 th_win;          /* make it 32 bits so we can handle some scaling */
    guint16 th_sport;
    guint16 th_dport;
    guint8 th_hlen;          /* header length; unit (bytes vs. 32-bit words) is not stated here - check the filler in packet-tcp.c */
    guint16 th_flags;        /* TH_* bits */
    guint32 th_stream;       /* this stream index field is included to help differentiate when address/port pairs are reused */
    address ip_src;
    address ip_dst;

    /* This is the absolute maximum we could find in TCP options (RFC2018, section 3) */
    #define MAX_TCP_SACK_RANGES 4
    guint8 num_sack_ranges;  /* number of valid entries in the two edge arrays below.
                              * Whoever fills it must never let it exceed
                              * MAX_TCP_SACK_RANGES, and readers should still
                              * bound their loop by the array size. */
    guint32 sack_left_edge[MAX_TCP_SACK_RANGES];
    guint32 sack_right_edge[MAX_TCP_SACK_RANGES];

    /* header for TCP option Multipath Operation.
     * NOTE(review): presumably NULL when no MPTCP option was parsed - confirm
     * against the filler before dereferencing unconditionally. */
    struct mptcpheader *th_mptcp;
} tcp_info_t;
101 
/*
 * Private data passed from the TCP dissector to subdissectors.
 * NOTE: This structure is used by Export PDU functionality so
 * make sure that handling is also updated if this structure
 * changes!
 *
 * seq/nxtseq delimit the payload of the current segment in sequence
 * space; nxtseq - seq is therefore the payload length the subdissector
 * is entitled to (modulo 2^32, use the *_SEQ macros to compare).
 */
struct tcpinfo {
    guint32 seq;             /* Sequence number of first byte in the data */
    guint32 nxtseq;          /* Sequence number of first byte after data */
    guint32 lastackseq;      /* Sequence number of last ack */
    gboolean is_reassembled; /* This is reassembled data. */
    guint16 flags;           /* TCP flags (TH_* bits) */
    guint16 urgent_pointer;  /* Urgent pointer value for the current packet. */
};
116 
/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb", "offset" and
 * "dissector_data". The value it returns is taken from packet bytes, i.e.
 * untrusted input: it must be at least "fixed_len" and should be sanity
 * checked by the callback before being returned, since it drives how much
 * data is requested for reassembly. NOTE(review): the exact handling of a
 * length smaller than fixed_len lives in packet-tcp.c - confirm there.
 *
 * "dissect_pdu()" is the routine to dissect a PDU; "dissector_data" is
 * passed through to both callbacks unchanged.
 */
WS_DLL_PUBLIC void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    gboolean proto_desegment, guint fixed_len,
    guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
    dissector_t dissect_pdu, void* dissector_data);

/* Records in "multisegment_pdus" (a tree keyed by sequence number, see
 * tcp_flow_t::multisegment_pdus) that a PDU starting at "seq" extends up to
 * "nxtpdu", and returns the tcp_multisegment_pdu entry describing it.
 * NOTE(review): allocation presumably comes from wmem and the entry stays
 * owned by the tree - confirm before freeing or retaining the pointer. */
extern struct tcp_multisegment_pdu *
pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, wmem_tree_t *multisegment_pdus);
144 
/* One segment for which no ACK has been seen yet. Kept as a singly linked
 * list in tcp_analyze_seq_flow_info_t::segments; the list length is capped
 * by TCP_MAX_UNACKED_SEGMENTS (defined in tcp_flow_t below) so that a flow
 * whose peer never ACKs cannot grow this state without bound. */
typedef struct _tcp_unacked_t {
    struct _tcp_unacked_t *next; /* next older/newer entry; NULL terminates the list */
    guint32 frame;               /* frame number that carried the segment */
    guint32 seq;                 /* first sequence number of the segment */
    guint32 nextseq;             /* sequence number following the segment */
    nstime_t ts;                 /* timestamp associated with the segment (presumably the frame's) */
} tcp_unacked_t;
152 
/* Result of the sequence analysis for one frame that had "interesting"
 * properties (retransmission, dup ACK, keep-alive, ...). tcp_analysis::ta
 * points at the entry for the current packet and tcp_analysis::acked_table
 * keeps all of them keyed by frame number. */
struct tcp_acked {
    guint32 frame_acked;     /* frame number whose data this frame acknowledges */
    nstime_t ts;             /* time elapsed relative to the frame being acknowledged */

    guint32 rto_frame;       /* frame of the original transmission, for retransmissions */
    nstime_t rto_ts;         /* Time since previous packet for
                              * retransmissions. */
    guint16 flags;           /* see TCP_A_* in packet-tcp.c */
    guint32 dupack_num;      /* dup ack number */
    guint32 dupack_frame;    /* dup ack to frame # */
    guint32 bytes_in_flight; /* number of bytes in flight */
    guint32 push_bytes_sent; /* bytes since the last PSH flag */
};
166 
167 /* One instance of this structure is created for each pdu that spans across
168  * multiple tcp segments.
169  */
171  guint32 seq;
172  guint32 nxtpdu;
173  guint32 first_frame;
174  guint32 last_frame;
175  nstime_t last_frame_time;
176  guint32 flags;
177 #define MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT 0x00000001
178 };
179 
180 
181 /* Represents the MPTCP DSS option mapping part
182  It allows to map relative subflow sequence number (ssn) to global MPTCP sequence numbers
183  under their 64 bits form
184 */
185 typedef struct _mptcp_dss_mapping_t {
186 
187 /* In DSS, SSN are enumeratad with relative seq_nb, i.e. starting from 0 */
188 
189  guint32 ssn_low;
190  guint32 ssn_high;
191 
192 /* Ideally the dsn should always be registered with the extended version
193  * but it may not be possible if we don't know the 32 MSB of the base_dsn
194  */
195  gboolean extended_dsn; /* TRUE if MPTCP_DSS_FLAG_DATA_8BYTES */
196 
197  guint64 rawdsn; /* matches the low member of range
198  should be converted to the 64 bits version before being registered
199  */
200 /* to check if mapping was sent before or after packet */
201 guint32 frame;
203 
204 
205 /* Structure used in mptcp meta member 'dsn_map'
206  */
208  guint32 frame; /* packet to look into PINFO_FD_NUM */
209  struct tcp_analysis* subflow; /* in order to get statistics */
211 
212 
213 /* Should basically look like a_tcp_flow_t but for mptcp with 64bit sequence number.
214 The meta is specific to a direction of the communication and aggregates information of
215 all the subflows
216 */
217 typedef struct _mptcp_meta_flow_t {
218 
219  guint8 static_flags; /* remember which fields are set */
220 
221  /* flags exchanged between hosts during 3WHS. Gives checksum/extensiblity/hmac information */
222  guint8 flags;
223  guint64 base_dsn; /* first data seq number (used by relative sequence numbers) seen. */
224  guint64 nextseq; /* highest seen nextseq */
225  guint64 dfin; /* data fin */
226 
227  guint8 version; /* negociated mptcp version */
228 
229  guint64 key; /* if it was set */
230 
231  /* expected token sha1 digest of keys, truncated to 32 most significant bits
232  derived from key. Stored to speed up subflow/MPTCP connection mapping */
233  guint32 token;
234 
235  guint32 nextseqframe; /* frame number for segment with highest sequence number */
236 
237  /* highest seen continuous seq number (without hole in the stream) */
238  guint64 maxseqtobeacked;
239 
240  guint64 fin; /* frame number of the final dataFIN */
241 
242  /* first addresses registered */
243  address ip_src;
244  address ip_dst;
245  guint32 sport;
246  guint32 dport;
248 
249 /* MPTCP data specific to this subflow direction */
251  guint8 static_flags; /* flags stating which of the flow */
252  guint32 nonce; /* used only for MP_JOIN */
253  guint8 address_id; /* sent during an MP_JOIN */
254 
255 
256  /* Attempt to map DSN to packets
257  * Ideally this was to generate application latency
258  * each node contains a GSList * ?
259  * this should be done in tap or 3rd party tools
260  */
261  wmem_itree_t *dsn_map;
262 
263  /* Map SSN to a DSS mappings, each node registers a mptcp_dss_mapping_t */
264  wmem_itree_t *mappings;
265  /* meta flow to which it is attached. Helps setting forward and backward meta flow */
266  mptcp_meta_flow_t *meta;
267 };
268 
269 
/* HMAC algorithm negotiated for an MPTCP connection; stored in
 * mptcp_analysis::hmac_algo (a guint8) once decided. */
typedef enum {
    MPTCP_HMAC_NOT_SET = 0, /* not negotiated (yet); also the zero-initialised default */
    MPTCP_HMAC_SHA1 = 1,    /* HMAC-SHA1, the only algorithm known here */
    MPTCP_HMAC_LAST         /* sentinel: one past the last valid value, not an algorithm */
} mptcp_hmac_algorithm_t;
275 
276 
/* Masks applied to the MP_CAPABLE flags byte (mptcpheader::mh_capable_flags):
 * the low six bits carry the crypto-algorithm negotiation bits ... */
#define MPTCP_CAPABLE_CRYPTO_MASK 0x3F

/* ... and the top bit signals that DSS checksums are required. */
#define MPTCP_CHECKSUM_MASK 0x80
280 
281 /* Information in a flow that is only used when tcp_analyze_seq preference
282  * is enabled, so save the memory when it isn't
283  */
285  tcp_unacked_t *segments;/* List of segments for which we haven't seen an ACK */
286  guint16 segment_count; /* How many unacked segments we're currently storing */
287  guint32 lastack; /* Last seen ack for the reverse flow */
288  nstime_t lastacktime; /* Time of the last ack packet */
289  guint32 lastnondupack; /* frame number of last seen non dupack */
290  guint32 dupacknum; /* dupack number */
291  guint32 nextseq; /* highest seen nextseq */
292  guint32 maxseqtobeacked;/* highest seen continuous seq number (without hole in the stream) from the fwd party,
293  * this is the maximum seq number that can be acked by the rev party in normal case.
294  * If the rev party sends an ACK beyond this seq number it indicates TCP_A_ACK_LOST_PACKET contition */
295  guint32 nextseqframe; /* frame number for segment with highest
296  * sequence number
297  */
298  nstime_t nextseqtime; /* Time of the nextseq packet so we can
299  * distinguish between retransmission,
300  * fast retransmissions and outoforder
301  */
302 
304 
305  /* Process info, currently discovered via IPFIX */
306 typedef struct tcp_process_info_t {
307  guint32 process_uid; /* UID of local process */
308  guint32 process_pid; /* PID of local process */
309  gchar *username; /* Username of the local process */
310  gchar *command; /* Local process name + path + args */
311 
313 
/* Per-direction state of one TCP conversation. tcp_analysis holds two of
 * these (flow1/flow2) and points fwd/rev at them according to the direction
 * of the packet currently being dissected. */
typedef struct _tcp_flow_t {
    guint8 static_flags;     /* true if base seq set */
    guint32 base_seq;        /* base seq number (used by relative sequence numbers)*/
#define TCP_MAX_UNACKED_SEGMENTS 1000 /* The most unacked segments we'll store per flow (bounds the tcp_unacked_t list) */
    guint32 fin;             /* frame number of the final FIN */
    guint32 window;          /* last seen window */
    gint16 win_scale;        /* -1 if we don't know, -2 if window scaling is not used */
    gint16 scps_capable;     /* flow advertised scps capabilities */
    guint16 maxsizeacked;    /* 0 if not yet known */
    gboolean valid_bif;      /* if lost pkts, disable BiF until ACK is recvd */
    guint32 push_bytes_sent; /* bytes since the last PSH flag */
    gboolean push_set_last;  /* tracking last time PSH flag was set */

    /* Sequence-analysis state. Per the comment on tcp_analyze_seq_flow_info_t
     * it is only used when the tcp_analyze_seq preference is enabled, so it
     * may be NULL - check before dereferencing. */
    tcp_analyze_seq_flow_info_t* tcp_analyze_seq_info;

/* This tcp flow/session contains only one single PDU and should
 * be reassembled until the final FIN segment.
 */
#define TCP_FLOW_REASSEMBLE_UNTIL_FIN 0x0001
    guint16 flags;           /* TCP_FLOW_* bits */

    /* see TCP_A_* in packet-tcp.c */
    guint32 lastsegmentflags;

    /* This tree is indexed by sequence number and keeps track of all
     * pdus spanning multiple segments for this flow.
     */
    wmem_tree_t *multisegment_pdus;

    /* Process info, currently discovered via IPFIX */
    tcp_process_info_t* process_info;

    /* MPTCP subflow intel */
} tcp_flow_t;
349 
350 /* Stores common information between both hosts of the MPTCP connection*/
352 
353  guint16 mp_flags; /* MPTCP meta analysis related, see MPTCP_META_* in packet-tcp.c */
354 
355  /*
356  * For other subflows, they link the meta via mptcp_subflow_t::meta_flow
357  * according to the validity of the token.
358  */
359  mptcp_meta_flow_t meta_flow[2];
360 
361  guint32 stream; /* Keep track of unique mptcp stream (per MP_CAPABLE handshake) */
362  guint8 hmac_algo; /* hmac decided after negociation */
363  wmem_list_t* subflows; /* List of subflows (tcp_analysis) */
364 
365  /* identifier of the tcp stream that saw the initial 3WHS with MP_CAPABLE option */
366  struct tcp_analysis *master;
367 };
368 
/* Per-conversation TCP state, attached to the conversation and returned by
 * get_tcp_conversation_data(). Holds both directions (flow1/flow2), the
 * per-frame analysis results and the timestamps needed for relative and
 * delta time calculations. */
struct tcp_analysis {
    /* These two structs are managed based on comparing the source
     * and destination addresses and, if they're equal, comparing
     * the source and destination ports.
     *
     * If the source is greater than the destination, then stuff
     * sent from src is in ual1.
     *
     * If the source is less than the destination, then stuff
     * sent from src is in ual2.
     *
     * XXX - if the addresses and ports are equal, we don't guarantee
     * the behavior.
     */
    tcp_flow_t flow1;
    tcp_flow_t flow2;

    /* These pointers are set by get_tcp_conversation_data()
     * fwd point in the same direction as the current packet
     * and rev in the reverse direction. They always alias flow1/flow2
     * above, in one order or the other.
     */
    tcp_flow_t *fwd;
    tcp_flow_t *rev;

    /* This pointer is NULL or points to a tcp_acked struct if this
     * packet has "interesting" properties such as being a KeepAlive or
     * similar. It is per packet, so check for NULL before every use.
     */
    struct tcp_acked *ta;
    /* This structure contains a tree containing all the various ta's
     * keyed by frame number.
     */
    wmem_tree_t *acked_table;

    /* Remember the timestamp of the first frame seen in this tcp
     * conversation to be able to calculate a relative time compared
     * to the start of this conversation
     */
    nstime_t ts_first;

    /* Remember the timestamp of the most recent SYN in this conversation in
     * order to calculate the first_rtt below. Not necessarily ts_first, if
     * the SYN is retransmitted. */
    nstime_t ts_mru_syn;

    /* If we have the handshake, remember the RTT between the initial SYN
     * and ACK for use detecting out-of-order segments. */
    nstime_t ts_first_rtt;

    /* Remember the timestamp of the frame that was last seen in this
     * tcp conversation to be able to calculate a delta time compared
     * to previous frame in this conversation
     */
    nstime_t ts_prev;

    /* Keep track of tcp stream numbers instead of using the conversation
     * index (as how it was done before). This prevents gaps in the
     * stream index numbering
     */
    guint32 stream;

    /* Remembers the server port on the SYN (or SYN|ACK) packet to
     * help determine which dissector to call
     */
    guint16 server_port;

    /* allocated only when mptcp enabled
     * several tcp_analysis may refer to the same mptcp_analysis
     * can exist without any meta
     */
};
441 
442 /* Structure that keeps per packet data. First used to be able
443  * to calculate the time_delta from the last seen frame in this
444  * TCP conversation. Can be extended for future use.
445  */
447  nstime_t ts_del;
448 };
449 
450 /* Structure that keeps per packet data. Some operations are cpu-intensive and are
451  * best cached into this structure
452  */
453 typedef struct mptcp_per_packet_data_t_ {
454 
455  /* Mapping that covers this packet content */
456  mptcp_dss_mapping_t *mapping;
457 
459 
460 
/* Hands the TCP payload found at "offset" in "tvb" to the subdissectors.
 * "seq" and "nxtseq" are the sequence numbers of the first payload byte and
 * of the byte after it, "sport"/"dport" the segment's ports, "tree" the
 * top-level tree and "tcp_tree" the TCP subtree; "tcpd" is the conversation
 * state and "tcpinfo" the per-packet data that subdissectors receive. */
WS_DLL_PUBLIC void dissect_tcp_payload(tvbuff_t *tvb, packet_info *pinfo, int offset,
    guint32 seq, guint32 nxtseq, guint32 sport,
    guint32 dport, proto_tree *tree,
    proto_tree *tcp_tree,
    struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo);

/* Returns the tcp_analysis attached to "conv" and sets its fwd/rev pointers
 * for the direction of "pinfo" (see the comment on struct tcp_analysis).
 * NOTE(review): presumably creates the state on first use - confirm whether
 * callers must handle a NULL return. */
WS_DLL_PUBLIC struct tcp_analysis *get_tcp_conversation_data(conversation_t *conv,
    packet_info *pinfo);

/* Tries to find a subdissector for the payload based on the ports. The
 * parameters are unnamed in this prototype; naming them would make the
 * calling convention (buffer, offset, ports, conversation state, per-packet
 * data) self-describing for callers of this exported symbol. The gboolean
 * result presumably reports whether a subdissector accepted the data. */
WS_DLL_PUBLIC gboolean decode_tcp_ports(tvbuff_t *, int, packet_info *, proto_tree *, int, int, struct tcp_analysis *, struct tcpinfo *);

/* Associates local process information (UID, PID, username, command line)
 * with the TCP conversation identified by the address/port 4-tuple as seen
 * from "frame_num". "username" and "command" are non-const gchar*; whether
 * the callee copies them or keeps the pointers is not stated here - check
 * before passing a buffer the caller will free. */
extern void add_tcp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command);

/* Number of TCP streams (tcp_analysis::stream values) seen so far. */
WS_DLL_PUBLIC guint32 get_tcp_stream_count(void);

/* Number of MPTCP streams seen so far. */
WS_DLL_PUBLIC guint32 get_mptcp_stream_count(void);

/* Follow Stream functionality shared with HTTP (and SSL?).
 * Each returns a display-filter string selecting one conversation, built
 * from the current packet, a stream index, or an explicit address/port
 * pair respectively. NOTE(review): the returned gchar* is presumably
 * heap-allocated and owned by the caller - confirm the matching free. */
extern gchar* tcp_follow_conv_filter(packet_info* pinfo, int* stream);
extern gchar* tcp_follow_index_filter(int stream);
extern gchar* tcp_follow_address_filter(address* src_addr, address* dst_addr, int src_port, int dst_port);
502 
503 #ifdef __cplusplus
504 }
505 #endif /* __cplusplus */
506 
507 #endif