aboutsummaryrefslogtreecommitdiffstats
path: root/epan/dissectors/packet-msproxy.c
diff options
context:
space:
mode:
Diffstat (limited to 'epan/dissectors/packet-msproxy.c')
-rw-r--r--epan/dissectors/packet-msproxy.c1291
1 files changed, 1291 insertions, 0 deletions
diff --git a/epan/dissectors/packet-msproxy.c b/epan/dissectors/packet-msproxy.c
new file mode 100644
index 0000000000..b42d1f0a22
--- /dev/null
+++ b/epan/dissectors/packet-msproxy.c
@@ -0,0 +1,1291 @@
+/* packet-msproxy.c
+ * Routines for Microsoft Proxy packet dissection
+ * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * This was derived from the dante socks implementation source code.
+ * Most of the information came from common.h and msproxy_clientprotocol.c
+ *
+ * See http://www.inet.no/dante for more information
+ */
+
+/************************************************************************
+ * *
+ * Notes: These are possible command values. User input is welcome *
+ * *
+ * Command = 0x040a - Remote host closed connection (maybe ?? ) *
+ * Command = 0x0411 - Remote host closed connection *
+ * Command = 0x0413 - Local host closed connection or SYN worked *
+ * *
+ ************************************************************************/
+
+
+
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+
+#include <epan/packet.h>
+#include <epan/resolv.h>
+#include <epan/conversation.h>
+
+#include "packet-tcp.h"
+#include "packet-udp.h"
+
+extern void udp_hash_add(guint16 proto,
+ void (*dissect)(const guchar *, int, frame_data *, proto_tree *));
+
+
+static int proto_msproxy = -1;
+
+static int ett_msproxy = -1;
+static int ett_msproxy_name = -1;
+
+static int hf_msproxy_cmd = -1;
+static int hf_msproxy_clntport = -1;
+
+static int hf_msproxy_dstaddr = -1;
+
+static int hf_msproxy_srcport = -1;
+static int hf_msproxy_dstport = -1;
+static int hf_msproxy_serverport = -1;
+static int hf_msproxy_serveraddr = -1;
+static int hf_msproxy_bindport = -1;
+static int hf_msproxy_bindaddr = -1;
+static int hf_msproxy_boundport = -1;
+static int hf_msproxy_bind_id = -1;
+static int hf_msproxy_resolvaddr = -1;
+
+static int hf_msproxy_server_int_addr = -1;
+static int hf_msproxy_server_int_port = -1;
+static int hf_msproxy_server_ext_addr = -1;
+static int hf_msproxy_server_ext_port = -1;
+
+static dissector_handle_t msproxy_sub_handle;
+
+
+#define UDP_PORT_MSPROXY 1745
+
+#define N_MSPROXY_HELLO 0x05 /* packet 1 from client */
+#define N_MSPROXY_ACK 0x10 /* packet 1 from server */
+#define N_MSPROXY_USERINFO_ACK 0x04 /* packet 2 from server */
+#define N_MSPROXY_AUTH 0x47 /* packet 3 from client */
+#define N_MSPROXY_RESOLVE 0x07 /* Resolve request */
+
+
+/*$$$ 0x0500 was dante value, I see 0x05ff and 0x0500 */
+
+#define MSPROXY_HELLO 0x0500
+#define MSPROXY_HELLO_2 0x05ff
+
+#define MSPROXY_HELLO_ACK 0x1000
+
+#define MSPROXY_USERINFO 0x1000
+#define MSPROXY_USERINFO_ACK 0x0400
+
+#define MSPROXY_AUTH 0x4700
+#define MSPROXY_AUTH_1_ACK 0x4714
+#define MSPROXY_AUTH_2 0x4701
+#define MSPROXY_AUTH_2_ACK 0x4715
+#define MSPROXY_AUTH_2_ACK2 0x4716
+
+#define MSPROXY_RESOLVE 0x070d
+#define MSPROXY_RESOLVE_ACK 0x070f
+
+#define MSPROXY_BIND 0x0704
+#define MSPROXY_BIND_ACK 0x0706
+
+#define MSPROXY_TCP_BIND 0x0707
+#define MSPROXY_TCP_BIND_ACK 0x0708
+
+#define MSPROXY_LISTEN 0x0406
+
+#define MSPROXY_BINDINFO 0x0709
+
+#define MSPROXY_BINDINFO_ACK 0x070a
+
+#define MSPROXY_CONNECT 0x071e
+#define MSPROXY_CONNECT_ACK 0x0703
+
+#define MSPROXY_UDPASSOCIATE 0x0705
+#define MSPROXY_UDPASSOCIATE_ACK 0x0706
+
+#define MSPROXY_UDP_BIND_REQ 0x070b
+
+#define MSPROXY_CONNECTED 0x042c
+#define MSPROXY_SESSIONEND 0x251e
+
+#define MSPROXY_BIND_AUTHFAILED 0x0804
+#define MSPROXY_CONNECT_AUTHFAILED 0x081e
+#define MSPROXY_CONNREFUSED 0x4 /* low 12 bits seem to vary. */
+
+#define FROM_SERVER 1 /* direction of packet data for get_msproxy_cmd_name */
+#define FROM_CLIENT 0
+
+
+
+
+/*$$$ should this be the same as redirect_entry_t ?? */
+/* then the add_conversation could just copy the structure */
+/* using the same allocation (instance for you object guys) */
+/* wouldn't work because there may be multiple child conversations */
+/* from the same MSProxy conversation */
+
+typedef struct {
+ guint32 dst_addr;
+ guint32 clnt_port;
+ guint32 dst_port;
+ guint32 server_int_port;
+ int proto;
+}hash_entry_t;
+
+
+/************** conversation hash stuff ***************/
+
+#define hash_init_count 20
+#define hash_val_length (sizeof(hash_entry_t))
+
+static GMemChunk *vals = NULL;
+
+typedef struct {
+ guint32 remote_addr;
+ guint32 clnt_port;
+ guint32 server_int_port;
+ guint32 remote_port;
+ int proto;
+}redirect_entry_t;
+
+
+/************** negotiated conversation hash stuff ***************/
+
+#define redirect_init_count 20
+#define redirect_val_length (sizeof(redirect_entry_t))
+
+static GMemChunk *redirect_vals = NULL;
+
+
+static guint32 last_row= 0; /* used to see if packet is new */
+
+static void msproxy_sub_dissector( tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree) {
+
+/* Conversation dissector called from TCP or UDP dissector. Decode and */
+/* display the msproxy header, the pass the rest of the data to the tcp */
+/* or udp port decode routine to handle the payload. */
+
+ guint32 *ptr;
+ redirect_entry_t *redirect_info;
+ conversation_t *conversation;
+ proto_tree *msp_tree;
+ proto_item *ti;
+
+ conversation = find_conversation( &pinfo->src, &pinfo->dst,
+ pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
+
+ g_assert( conversation); /* should always find a conversation */
+
+ redirect_info = conversation_get_proto_data(conversation,
+ proto_msproxy);
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "MS Proxy");
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_set_str(pinfo->cinfo, COL_INFO,
+ (( redirect_info->proto == PT_TCP) ? "TCP stream" :
+ "UDP packets"));
+
+ if ( tree) {
+ ti = proto_tree_add_item( tree, proto_msproxy, tvb, 0, 0,
+ FALSE );
+
+ msp_tree = proto_item_add_subtree(ti, ett_msproxy);
+
+ proto_tree_add_uint( msp_tree, hf_msproxy_dstport, tvb, 0, 0,
+ redirect_info->remote_port);
+
+ proto_tree_add_ipv4( msp_tree, hf_msproxy_dstaddr, tvb, 0, 0,
+ redirect_info->remote_addr);
+
+ }
+
+/* set pinfo->{src/dst port} and call the UDP sub-dissector lookup */
+
+ if ( pinfo->srcport == redirect_info->clnt_port)
+ ptr = &pinfo->destport;
+ else
+ ptr = &pinfo->srcport;
+
+ *ptr = redirect_info->remote_port;
+
+ if ( redirect_info->proto == PT_TCP)
+ decode_tcp_ports( tvb, 0, pinfo, tree, pinfo->srcport,
+ pinfo->destport);
+ else
+ decode_udp_ports( tvb, 0, pinfo, tree, pinfo->srcport,
+ pinfo->destport, -1);
+
+ *ptr = redirect_info->server_int_port;
+}
+
+
+
+static void add_msproxy_conversation( packet_info *pinfo,
+ hash_entry_t *hash_info){
+
+/* check to see if a conversation already exists, if it does assume */
+/* it's our conversation and quit. Otherwise create a new conversation. */
+/* Load the conversation dissector to our dissector and load the */
+/* conversation data structure with the info needed to call the TCP or */
+/* UDP port decoder. */
+
+/* NOTE: Currently this assume that the conversation will be created */
+/* during a packet from the server. If that changes, pinfo->src */
+/* and pinfo->dst will not be correct and this routine will have */
+/* to change. */
+
+ conversation_t *conversation;
+ redirect_entry_t *new_conv_info;
+
+ if (pinfo->fd->flags.visited) {
+ /*
+ * We've already processed this frame once, so we
+ * should already have done this.
+ */
+ return;
+ }
+
+ conversation = find_conversation( &pinfo->src,
+ &pinfo->dst, hash_info->proto, hash_info->server_int_port,
+ hash_info->clnt_port, 0);
+
+ if ( !conversation) {
+ conversation = conversation_new( &pinfo->src, &pinfo->dst,
+ hash_info->proto, hash_info->server_int_port,
+ hash_info->clnt_port, 0);
+ }
+ conversation_set_dissector(conversation, msproxy_sub_handle);
+
+ new_conv_info = g_mem_chunk_alloc(redirect_vals);
+
+ new_conv_info->remote_addr = hash_info->dst_addr;
+ new_conv_info->clnt_port = hash_info->clnt_port;
+ new_conv_info->remote_port = hash_info->dst_port;
+ new_conv_info->server_int_port = hash_info->server_int_port;
+ new_conv_info->proto = hash_info->proto;
+
+ conversation_add_proto_data(conversation, proto_msproxy,
+ new_conv_info);
+}
+
+
+
+static int display_application_name(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+/* display the application name in the proto tree. */
+
+/* NOTE: this routine assumes that the tree pointer is valid (not NULL) */
+
+ int length;
+
+ length = tvb_strnlen( tvb, offset, 255);
+ proto_tree_add_text( tree, tvb, offset, length, "Application: %.*s",
+ length, tvb_get_ptr( tvb, offset, length));
+
+ return length;
+}
+
+
+static char *get_msproxy_cmd_name( int cmd, int direction) {
+
+/* return the command name string for cmd */
+
+ switch (cmd){
+ case MSPROXY_HELLO_2:
+ case MSPROXY_HELLO: return "Hello";
+
+/* MSPROXY_HELLO_ACK & MSPROXY_USERINFO have the same value (0x1000). */
+/* So use the direction flag to determine which to use. */
+
+ case MSPROXY_USERINFO:
+ if ( direction == FROM_SERVER)
+ return "Hello Acknowledge";
+ else
+ return "User Info";
+ case MSPROXY_USERINFO_ACK: return "User Info Acknowledge";
+ case MSPROXY_AUTH: return "Authentication";
+ case MSPROXY_AUTH_1_ACK: return "Authentication Acknowledge";
+ case MSPROXY_AUTH_2: return "Authentication 2";
+ case MSPROXY_AUTH_2_ACK: return "Authentication 2 Acknowledge";
+ case MSPROXY_RESOLVE: return "Resolve";
+ case MSPROXY_RESOLVE_ACK: return "Resolve Acknowledge";
+ case MSPROXY_BIND: return "Bind";
+ case MSPROXY_TCP_BIND: return "TCP Bind";
+ case MSPROXY_TCP_BIND_ACK: return "TCP Bind Acknowledge";
+ case MSPROXY_LISTEN: return "Listen";
+ case MSPROXY_BINDINFO: return "Bind Info";
+ case MSPROXY_BINDINFO_ACK: return "Bind Info Acknowledge";
+ case MSPROXY_CONNECT: return "Connect";
+ case MSPROXY_CONNECT_ACK: return "Connect Acknowledge";
+ case MSPROXY_UDPASSOCIATE: return "UDP Associate";
+ case MSPROXY_UDP_BIND_REQ: return "UDP Bind";
+ case MSPROXY_UDPASSOCIATE_ACK: return "Bind or Associate Acknowledge";
+ case MSPROXY_CONNECTED: return "Connected";
+ case MSPROXY_SESSIONEND: return "Session End";
+
+ default: return "Unknown";
+ }
+}
+
+
+
+static void dissect_user_info_2(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+/* decode the user, application, computer name */
+
+
+ int length;
+
+ if ( tree) {
+ length = tvb_strnlen( tvb, offset, 255);
+ if (length == -1)
+ return;
+ proto_tree_add_text( tree, tvb, offset, length + 1,
+ "User name: %.*s", length,
+ tvb_get_ptr( tvb, offset, length));
+ offset += length + 2;
+
+ length = tvb_strnlen( tvb, offset, 255);
+ if (length == -1)
+ return;
+ proto_tree_add_text( tree, tvb, offset, length + 1,
+ "Application name: %.*s", length,
+ tvb_get_ptr( tvb, offset, length));
+ offset += length + 1;
+
+ length = tvb_strnlen( tvb, offset, 255);
+ if (length == -1)
+ return;
+ proto_tree_add_text( tree, tvb, offset, length + 1,
+ "Client computer name: %.*s", length,
+ tvb_get_ptr( tvb, offset, length));
+ }
+}
+
+
+
+static void dissect_msproxy_request_1(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+/* decode the request _1 structure */
+
+
+ offset += 182;
+
+ dissect_user_info_2( tvb, offset, tree);
+
+}
+
+
+
+static void dissect_bind(tvbuff_t *tvb, int offset,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* decode the bind request */
+
+ offset += 18;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_bindaddr, tvb, offset, 4,
+ FALSE);
+ offset += 4;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_bindport, tvb, offset, 2,
+ FALSE);
+ offset += 6;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_clntport, tvb, offset, 2,
+ FALSE);
+ offset += 2;
+
+ conv_info->clnt_port = tvb_get_ntohs( tvb, offset);
+ offset += 6;
+
+ if ( tree){
+ proto_tree_add_item( tree, hf_msproxy_boundport, tvb, offset, 2,
+ FALSE);
+
+ offset += 82;
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+
+static void dissect_auth(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+/* decode the authorization request */
+
+ if ( tree) {
+ offset += 134;
+
+ proto_tree_add_text( tree, tvb, offset, 7, "NTLMSSP signature: %.7s",
+ tvb_get_ptr( tvb, offset, 7));
+ offset += 7;
+ }
+}
+
+
+
+static void dissect_tcp_bind(tvbuff_t *tvb, int offset,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* decode the bind packet. Set the protocol type in the conversation */
+/* information so the bind_info can use it to create the payload */
+/* dissector. */
+
+
+ conv_info->proto = PT_TCP;
+
+ if ( tree) {
+ offset += 6;
+
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 16;
+
+ proto_tree_add_item( tree, hf_msproxy_boundport, tvb, offset, 2,
+ FALSE);
+
+ offset += 96;
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+static void dissect_request_connect(tvbuff_t *tvb, int offset,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* decode the connect request, display */
+
+ conv_info->proto = PT_TCP;
+
+ offset += 20;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_dstport, tvb, offset, 2,
+ FALSE);
+
+ conv_info->dst_port = tvb_get_ntohs( tvb, offset);
+ offset += 2;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_dstaddr, tvb, offset, 4,
+ FALSE);
+
+ tvb_memcpy( tvb, (guint8 *)&conv_info->dst_addr, offset, sizeof( guint32));
+
+ offset += 12;
+
+ conv_info->clnt_port = tvb_get_ntohs( tvb, offset);
+
+ if ( tree){
+ proto_tree_add_uint( tree, hf_msproxy_clntport, tvb, offset, 2,
+ conv_info->clnt_port);
+
+ offset += 84;
+
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+static void dissect_bind_info_ack(tvbuff_t *tvb, int offset, proto_tree *tree) {
+
+/* decode the client bind info ack */
+
+
+ if ( tree){
+ offset += 6;
+
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 14;
+
+ proto_tree_add_item( tree, hf_msproxy_dstport, tvb, offset, 2,
+ FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_dstaddr, tvb, offset, 4,
+ FALSE);
+ offset += 12;
+
+ proto_tree_add_item( tree, hf_msproxy_server_int_port, tvb,
+ offset, 2, FALSE);
+ offset += 4;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_port, tvb,
+ offset, 2, FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_addr, tvb,
+ offset, 4, FALSE);
+
+ offset += 78;
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+static void dissect_request_resolve(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+/* dissect the request resolve structure */
+/* display a string with a length, characters encoding */
+/* they are displayed under a tree with the name in Label variable */
+/* return the length of the string and the length byte */
+
+ proto_tree *name_tree;
+ proto_item *ti;
+
+ int length = tvb_get_guint8( tvb, offset);
+
+ if ( tree){
+ ti = proto_tree_add_text(tree, tvb, offset, length + 1,
+ "Host Name: %.*s", length,
+ tvb_get_ptr( tvb, offset + 18, length));
+
+ name_tree = proto_item_add_subtree(ti, ett_msproxy_name);
+
+ proto_tree_add_text( name_tree, tvb, offset, 1, "Length: %d",
+ length);
+
+ ++offset;
+ offset += 17;
+
+ proto_tree_add_text( name_tree, tvb, offset, length, "String: %s",
+ tvb_get_ptr( tvb, offset, length));
+ }
+}
+
+
+
+static void dissect_udp_bind(tvbuff_t *tvb, int offset,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* Dissect the udp bind request. Load the protocol id (PT_UDP) and the */
+/* remote address so bind_info can use it to create conversation */
+/* dissector. */
+
+ conv_info->proto = PT_UDP;
+
+
+ offset += 8;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 12;
+
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_dstport, tvb, offset, 2,
+ FALSE);
+ offset += 2;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_dstaddr, tvb, offset, 4,
+ FALSE);
+
+ offset += 96;
+
+ if ( tree)
+ display_application_name( tvb, offset, tree);
+}
+
+
+static void dissect_udp_assoc(tvbuff_t *tvb, int offset,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* dissect the udp associate request. And load client port into */
+/* conversation data structure for later. */
+
+
+ offset += 28;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_clntport, tvb, offset, 2,
+ FALSE);
+
+ conv_info->clnt_port = tvb_get_ntohs( tvb, offset);
+
+ offset += 90;
+
+ if ( tree)
+ display_application_name( tvb, offset, tree);
+}
+
+
+static void dissect_msproxy_request(tvbuff_t *tvb,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+ int offset = 0;
+ int cmd;
+
+ if ( tree) {
+ proto_tree_add_text( tree, tvb, offset, 4, "Client id: 0x%0x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "Version: 0x%04x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "Server id: 0x%0x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 1, "Server ack: %u",
+ tvb_get_guint8( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 1, "Sequence Number: %u",
+ tvb_get_guint8( tvb, offset));
+ offset += 8;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "RWSP signature: %.4s",
+ tvb_get_ptr( tvb, offset, 4));
+ offset += 12;
+ }
+ else /* no tree */
+ offset += 36;
+
+ cmd = tvb_get_ntohs( tvb, offset);
+
+ if ( tree)
+ proto_tree_add_uint_format( tree, hf_msproxy_cmd, tvb, offset, 2,
+ cmd, "Command: 0x%02x (%s)", cmd,
+ get_msproxy_cmd_name( cmd, FROM_CLIENT));
+
+ offset += 2;
+
+ switch (cmd){
+ case MSPROXY_AUTH:
+ dissect_auth( tvb, offset, tree);
+ break;
+
+ case MSPROXY_BIND:
+ dissect_bind( tvb, offset, tree, conv_info);
+ break;
+
+ case MSPROXY_UDP_BIND_REQ:
+ dissect_udp_bind( tvb, offset, tree, conv_info);
+ break;
+
+ case MSPROXY_AUTH_2: /*$$ this is probably wrong place for this */
+ case MSPROXY_TCP_BIND:
+ dissect_tcp_bind( tvb, offset, tree, conv_info);
+ break;
+
+ case MSPROXY_RESOLVE:
+ dissect_request_resolve( tvb, offset, tree);
+ break;
+
+ case MSPROXY_CONNECT:
+ case MSPROXY_LISTEN:
+ dissect_request_connect( tvb, offset, tree,
+ conv_info);
+ break;
+
+ case MSPROXY_BINDINFO_ACK:
+ dissect_bind_info_ack( tvb, offset, tree);
+ break;
+
+ case MSPROXY_HELLO:
+ case MSPROXY_HELLO_2:
+ dissect_msproxy_request_1( tvb, offset, tree);
+ break;
+
+ case MSPROXY_UDPASSOCIATE:
+ dissect_udp_assoc( tvb, offset, tree, conv_info);
+ break;
+ default:
+ if ( tree)
+ proto_tree_add_text( tree, tvb, offset, 0,
+ "Unhandled request command (report this, please)");
+ }
+}
+
+
+
+static void dissect_hello_ack(tvbuff_t *tvb, int offset, proto_tree *tree) {
+
+/* decode the hello acknowledge packet */
+
+ offset += 60;
+
+ if ( tree) {
+ proto_tree_add_item( tree, hf_msproxy_serverport, tvb, offset, 2,
+ FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_serveraddr, tvb, offset, 4,
+ FALSE);
+ offset += 4;
+ }
+}
+
+
+
+/* XXX - implement me */
+static void dissect_user_info_ack(tvbuff_t *tvb _U_, int offset,
+ proto_tree *tree _U_) {
+
+/* decode the response _2 structure */
+
+ offset += 18;
+
+ offset += 2;
+
+}
+
+
+
+static void dissect_udpassociate_ack(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+ offset += 6;
+
+ if ( tree) {
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 14;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_port, tvb,
+ offset, 2, FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_addr, tvb,
+ offset, 4, FALSE);
+
+ offset += 96;
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+
+static void dissect_auth_1_ack(tvbuff_t *tvb, int offset,
+ proto_tree *tree) {
+
+ offset += 134;
+ if ( tree) {
+ proto_tree_add_text( tree, tvb, offset, 7, "NTLMSSP signature: %.7s",
+ tvb_get_ptr( tvb, offset, 7));
+ offset += 48;
+
+ /* XXX - always 255? */
+ proto_tree_add_text( tree, tvb, offset, 255, "NT domain: %.255s",
+ tvb_get_ptr( tvb, offset, 255));
+ }
+}
+
+
+
+/* XXX - implement me */
+static void dissect_msproxy_response_4( tvbuff_t *tvb _U_, int offset,
+ proto_tree *tree _U_) {
+
+/* decode the response _4 structure */
+
+ offset += 134;
+}
+
+
+
+static void dissect_connect_ack( tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* decode the connect ack packet */
+ offset += 20;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_server_int_port, tvb,
+ offset, 2, FALSE);
+
+
+ conv_info->proto = PT_TCP;
+ conv_info->server_int_port = tvb_get_ntohs( tvb, offset);
+ offset += 2;
+
+ if ( tree){
+ proto_tree_add_item( tree, hf_msproxy_server_int_addr, tvb,
+ offset, 4, FALSE);
+ offset += 14;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_port, tvb,
+ offset, 2, FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_addr, tvb,
+ offset, 4, FALSE);
+ offset += 80;
+
+ display_application_name( tvb, offset, tree);
+ }
+
+ add_msproxy_conversation( pinfo, conv_info);
+}
+
+
+
+static void dissect_tcp_bind_ack( tvbuff_t *tvb, int offset, proto_tree *tree) {
+
+/* decode the tcp bind */
+
+ if ( tree) {
+ offset += 6;
+
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 16;
+
+ proto_tree_add_uint( tree, hf_msproxy_server_int_port, tvb,
+ offset, 2, FALSE);
+ offset += 6;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_port, tvb,
+ offset, 2, FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_addr, tvb,
+ offset, 4, FALSE);
+
+ offset += 88;
+
+ display_application_name( tvb, offset, tree);
+ }
+}
+
+
+
+static void dissect_bind_info( tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+/* decode the Bind info response from server */
+
+ offset += 6;
+
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_bind_id, tvb, offset, 4,
+ FALSE);
+ offset += 14;
+
+
+ conv_info->dst_port = tvb_get_ntohs( tvb, offset);
+ if ( tree)
+ proto_tree_add_uint( tree, hf_msproxy_dstport, tvb, offset, 2,
+ conv_info->dst_port);
+ offset += 2;
+
+ tvb_memcpy( tvb, (guint8 *)&conv_info->dst_addr, offset, sizeof( guint32));
+ if ( tree)
+ proto_tree_add_item( tree, hf_msproxy_dstaddr, tvb, offset, 4,
+ FALSE);
+ offset += 12;
+
+ conv_info->server_int_port = tvb_get_ntohs( tvb, offset);
+ if ( tree)
+ proto_tree_add_uint( tree, hf_msproxy_server_int_port, tvb,
+ offset, 2, conv_info->server_int_port);
+ offset += 4;
+
+ if ( tree) {
+ proto_tree_add_item( tree, hf_msproxy_server_ext_port, tvb,
+ offset, 2, FALSE);
+ offset += 2;
+
+ proto_tree_add_item( tree, hf_msproxy_server_ext_addr, tvb,
+ offset, 4, FALSE);
+
+ offset += 78;
+ display_application_name( tvb, offset, tree);
+
+ }
+
+ add_msproxy_conversation( pinfo, conv_info);
+}
+
+
+
+static void dissect_resolve(tvbuff_t *tvb, int offset, proto_tree *tree) {
+
+/* dissect the response resolve structure */
+/* display a string with a length, characters encoding */
+/* they are displayed under a tree with the name in Label variable */
+/* return the length of the string and the length byte */
+
+ if ( tree) {
+ int addr_offset;
+
+ addr_offset = tvb_get_guint8( tvb, offset);
+
+ proto_tree_add_text( tree, tvb, offset, 1, "Address offset: %d",
+ addr_offset);
+
+ ++offset;
+
+ offset += 13;
+
+ offset += addr_offset;
+
+ proto_tree_add_item( tree, hf_msproxy_resolvaddr, tvb, offset, 4,
+ FALSE);
+ }
+}
+
+
+
+static void dissect_msproxy_response(tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, hash_entry_t *conv_info) {
+
+ int offset = 0;
+ int cmd;
+
+ if ( tree) {
+ proto_tree_add_text( tree, tvb, offset, 4, "Client id: 0x%0x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "Version: 0x%04x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "Server id: 0x%04x",
+ tvb_get_letohl( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 1, "Client ack: 0x%02x",
+ tvb_get_guint8( tvb, offset));
+ offset += 4;
+
+ proto_tree_add_text( tree, tvb, offset, 1, "Sequence Number: 0x%02x",
+ tvb_get_guint8( tvb, offset));
+
+ offset += 8;
+
+ proto_tree_add_text( tree, tvb, offset, 4, "RWSP signature: %.4s",
+ tvb_get_ptr( tvb, offset, 4));
+
+ offset += 12;
+ }
+ else
+ offset += 36;
+
+ cmd = tvb_get_ntohs( tvb, offset);
+
+ if ( tree)
+ proto_tree_add_uint_format( tree, hf_msproxy_cmd, tvb, offset, 2,
+ cmd, "Command: 0x%02x (%s)", cmd,
+ get_msproxy_cmd_name( cmd, FROM_SERVER));
+ offset += 2;
+
+ switch (cmd) {
+ case MSPROXY_HELLO_ACK:
+ dissect_hello_ack( tvb, offset, tree);
+ break;
+
+ case MSPROXY_USERINFO_ACK:
+ dissect_user_info_ack( tvb, offset, tree);
+ break;
+
+ case MSPROXY_AUTH_1_ACK:
+ dissect_auth_1_ack( tvb, offset, tree);
+ break;
+
+/* this also handle the MSPROXY_BIND_ACK ??? check this */
+
+ case MSPROXY_UDPASSOCIATE_ACK:
+ dissect_udpassociate_ack( tvb, offset, tree);
+ break;
+
+ case MSPROXY_AUTH_2_ACK:
+ case MSPROXY_AUTH_2_ACK2:
+ dissect_msproxy_response_4( tvb, offset, tree);
+ break;
+
+ case MSPROXY_TCP_BIND_ACK:
+ dissect_tcp_bind_ack( tvb, offset, tree);
+ break;
+
+ case MSPROXY_CONNECT_ACK:
+ dissect_connect_ack( tvb, offset, pinfo, tree,
+ conv_info);
+ break;
+
+ case MSPROXY_BINDINFO:
+ dissect_bind_info( tvb, offset, pinfo, tree, conv_info);
+ break;
+
+ case MSPROXY_RESOLVE_ACK:
+ dissect_resolve( tvb, offset, tree);
+ break;
+
+ case MSPROXY_CONNECT_AUTHFAILED:
+ case MSPROXY_BIND_AUTHFAILED:
+ proto_tree_add_text( tree, tvb, offset, 0, "No know information (help wanted)");
+ break;
+
+ default:
+
+ if (tree &&
+ (((cmd >> 8) == MSPROXY_CONNREFUSED) ||
+ ((cmd >> 12) == MSPROXY_CONNREFUSED)))
+ proto_tree_add_text( tree, tvb, offset, 0,
+ "No know information (help wanted)");
+
+ else if ( tree)
+ proto_tree_add_text( tree, tvb, offset, 0,
+ "Unhandled response command (report this, please)");
+ }
+
+
+}
+
+
+
+static void dissect_msproxy(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
+
+
+ proto_tree *msproxy_tree = NULL;
+ proto_item *ti;
+ unsigned int cmd;
+
+
+ hash_entry_t *hash_info;
+ conversation_t *conversation;
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "MSproxy");
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ conversation = find_conversation( &pinfo->src, &pinfo->dst,
+ pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
+
+ if ( !conversation) {
+ conversation = conversation_new( &pinfo->src, &pinfo->dst,
+ pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
+ }
+ hash_info = conversation_get_proto_data(conversation, proto_msproxy);
+ if ( !hash_info) {
+ hash_info = g_mem_chunk_alloc(vals);
+ conversation_add_proto_data(conversation, proto_msproxy,
+ hash_info);
+ }
+
+ if (check_col(pinfo->cinfo, COL_INFO)){
+
+ cmd = tvb_get_ntohs( tvb, 36);
+
+ if ( pinfo->srcport == UDP_PORT_MSPROXY)
+ col_add_fstr( pinfo->cinfo, COL_INFO, "Server message: %s",
+ get_msproxy_cmd_name( cmd, FROM_SERVER));
+ else
+ col_add_fstr(pinfo->cinfo, COL_INFO, "Client message: %s",
+ get_msproxy_cmd_name( cmd, FROM_CLIENT));
+
+ }
+
+ if (tree) { /* if proto tree, decode data */
+ ti = proto_tree_add_item( tree, proto_msproxy, tvb, 0, -1,
+ FALSE );
+
+ msproxy_tree = proto_item_add_subtree(ti, ett_msproxy);
+ }
+
+ if ( pinfo->srcport == UDP_PORT_MSPROXY)
+ dissect_msproxy_response( tvb, pinfo, msproxy_tree, hash_info);
+ else
+ dissect_msproxy_request( tvb, msproxy_tree, hash_info);
+}
+
+
+
+static void msproxy_reinit( void){
+
+/* Do the cleanup work when a new pass through the packet list is */
+/* performed. Reset the highest row seen counter and re-initialize the */
+/* conversation memory chunks. */
+
+ last_row = 0;
+
+ if (vals)
+ g_mem_chunk_destroy(vals);
+
+ vals = g_mem_chunk_new("msproxy_vals", hash_val_length,
+ hash_init_count * hash_val_length,
+ G_ALLOC_AND_FREE);
+
+ if (redirect_vals)
+ g_mem_chunk_destroy(redirect_vals);
+
+ redirect_vals = g_mem_chunk_new("msproxy_redirect_vals", redirect_val_length,
+ redirect_init_count * redirect_val_length,
+ G_ALLOC_AND_FREE);
+}
+
+
+
+void
+proto_register_msproxy( void){
+
+/* Prep the msproxy protocol, for now, just register it */
+
+ static gint *ett[] = {
+ &ett_msproxy,
+ &ett_msproxy_name
+ };
+ static hf_register_info hf[] = {
+
+ { &hf_msproxy_cmd,
+ { "Command", "msproxy.command", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "", HFILL
+ }
+ },
+
+ { &hf_msproxy_dstaddr,
+ { "Destination Address", "msproxy.dstaddr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ },
+
+ { &hf_msproxy_srcport,
+ { "Source Port", "msproxy.srcport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_dstport,
+ { "Destination Port", "msproxy.dstport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_clntport,
+ { "Client Port", "msproxy.clntport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_server_ext_addr,
+ { "Server External Address", "msproxy.server_ext_addr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ },
+
+ { &hf_msproxy_server_ext_port,
+ { "Server External Port", "msproxy.server_ext_port", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+
+ { &hf_msproxy_server_int_addr,
+ { "Server Internal Address", "msproxy.server_int_addr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ },
+
+ { &hf_msproxy_server_int_port,
+ { "Server Internal Port", "msproxy.server_int_port", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_serverport,
+ { "Server Port", "msproxy.serverport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_bindport,
+ { "Bind Port", "msproxy.bindport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_boundport,
+ { "Bound Port", "msproxy.boundport", FT_UINT16,
+ BASE_DEC, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_serveraddr,
+ { "Server Address", "msproxy.serveraddr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_bindaddr,
+ { "Destination", "msproxy.bindaddr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_bind_id,
+ { "Bound Port Id", "msproxy.bindid", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL
+ }
+ },
+ { &hf_msproxy_resolvaddr,
+ { "Address", "msproxy.resolvaddr", FT_IPv4, BASE_NONE, NULL,
+ 0x0, "", HFILL
+ }
+ }
+
+ };
+
+ proto_msproxy = proto_register_protocol( "MS Proxy Protocol",
+ "MS Proxy", "msproxy");
+
+ proto_register_field_array(proto_msproxy, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ register_init_routine( &msproxy_reinit); /* register re-init routine */
+
+ msproxy_sub_handle = create_dissector_handle(msproxy_sub_dissector,
+ proto_msproxy);
+}
+
+
+void
+proto_reg_handoff_msproxy(void) {
+
+ /* dissector install routine */
+
+ dissector_handle_t msproxy_handle;
+
+ msproxy_handle = create_dissector_handle(dissect_msproxy,
+ proto_msproxy);
+ dissector_add("udp.port", UDP_PORT_MSPROXY, msproxy_handle);
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 21:08:09 +0000