/* packet-gnutella.c * Routines for gnutella dissection * Copyright 2001, B. Johannessen * * $Id: packet-gnutella.c,v 1.15 2002/08/28 21:00:13 jmayer Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include #include #include "packet-gnutella.h" static int proto_gnutella = -1; static int hf_gnutella_stream = -1; static int hf_gnutella_truncated = -1; static int hf_gnutella_header = -1; static int hf_gnutella_header_id = -1; static int hf_gnutella_header_payload = -1; static int hf_gnutella_header_ttl = -1; static int hf_gnutella_header_hops = -1; static int hf_gnutella_header_size = -1; static int hf_gnutella_pong_payload = -1; static int hf_gnutella_pong_port = -1; static int hf_gnutella_pong_ip = -1; static int hf_gnutella_pong_files = -1; static int hf_gnutella_pong_kbytes = -1; static int hf_gnutella_query_payload = -1; static int hf_gnutella_query_min_speed = -1; static int hf_gnutella_query_search = -1; static int hf_gnutella_queryhit_payload = -1; static int hf_gnutella_queryhit_count = -1; static int hf_gnutella_queryhit_port = -1; static int hf_gnutella_queryhit_ip = -1; static int hf_gnutella_queryhit_speed = -1; static int hf_gnutella_queryhit_extra = -1; static int hf_gnutella_queryhit_servent_id = -1; static int hf_gnutella_queryhit_hit = -1; static int hf_gnutella_queryhit_hit_index = -1; static int hf_gnutella_queryhit_hit_size = -1; static int hf_gnutella_queryhit_hit_name = -1; static int hf_gnutella_queryhit_hit_extra = -1; static int hf_gnutella_push_payload = -1; static int hf_gnutella_push_servent_id = -1; static int hf_gnutella_push_index = -1; static int hf_gnutella_push_ip = -1; static int hf_gnutella_push_port = -1; static gint ett_gnutella = -1; static void dissect_gnutella_pong(tvbuff_t *tvb, guint offset, proto_tree *tree, guint size) { if(offset + size > tvb_length(tvb)) { proto_tree_add_item(tree, hf_gnutella_truncated, tvb, offset, size, FALSE); return; } proto_tree_add_item(tree, hf_gnutella_pong_port, tvb, offset + GNUTELLA_PONG_PORT_OFFSET, GNUTELLA_PORT_LENGTH, TRUE); proto_tree_add_item(tree, hf_gnutella_pong_ip, tvb, offset + GNUTELLA_PONG_IP_OFFSET, GNUTELLA_IP_LENGTH, FALSE); proto_tree_add_item(tree, hf_gnutella_pong_files, tvb, offset + GNUTELLA_PONG_FILES_OFFSET, GNUTELLA_LONG_LENGTH, TRUE); proto_tree_add_item(tree, hf_gnutella_pong_kbytes, tvb, offset + GNUTELLA_PONG_KBYTES_OFFSET, GNUTELLA_LONG_LENGTH, TRUE); } static void dissect_gnutella_query(tvbuff_t *tvb, guint offset, proto_tree *tree, guint size) { if(offset + size > tvb_length(tvb)) { proto_tree_add_item(tree, hf_gnutella_truncated, tvb, offset, size, FALSE); return; } proto_tree_add_item(tree, hf_gnutella_query_min_speed, tvb, offset + GNUTELLA_QUERY_SPEED_OFFSET, GNUTELLA_SHORT_LENGTH, TRUE); if (size > GNUTELLA_SHORT_LENGTH) { proto_tree_add_item(tree, hf_gnutella_query_search, tvb, offset + GNUTELLA_QUERY_SEARCH_OFFSET, size - GNUTELLA_SHORT_LENGTH, FALSE); } else { proto_tree_add_text(tree, tvb, offset + GNUTELLA_QUERY_SEARCH_OFFSET, 0, "Missing data for Query Search."); } } static void dissect_gnutella_queryhit(tvbuff_t *tvb, guint offset, proto_tree *tree, guint size) { proto_tree *qhi, *hit_tree; int hit_count, i; int hit_offset; int name_length, extra_length; int idx_at_offset, size_at_offset; int servent_id_at_offset; int name_at_offset, extra_at_offset; int cur_char, remaining, used; if(offset + size > tvb_length(tvb)) { proto_tree_add_item(tree, hf_gnutella_truncated, tvb, offset, size, FALSE); return; } hit_count = tvb_get_guint8(tvb, offset + GNUTELLA_QUERYHIT_COUNT_OFFSET); proto_tree_add_uint(tree, hf_gnutella_queryhit_count, tvb, offset + GNUTELLA_QUERYHIT_COUNT_OFFSET, GNUTELLA_BYTE_LENGTH, hit_count); proto_tree_add_item(tree, hf_gnutella_queryhit_port, tvb, offset + GNUTELLA_QUERYHIT_PORT_OFFSET, GNUTELLA_PORT_LENGTH, TRUE); proto_tree_add_item(tree, hf_gnutella_queryhit_ip, tvb, offset + GNUTELLA_QUERYHIT_IP_OFFSET, GNUTELLA_IP_LENGTH, FALSE); proto_tree_add_item(tree, hf_gnutella_queryhit_speed, tvb, offset + GNUTELLA_QUERYHIT_SPEED_OFFSET, GNUTELLA_LONG_LENGTH, TRUE); hit_offset = offset + GNUTELLA_QUERYHIT_FIRST_HIT_OFFSET; for(i = 0; i < hit_count; i++) { idx_at_offset = hit_offset; size_at_offset = hit_offset + GNUTELLA_QUERYHIT_HIT_SIZE_OFFSET; hit_offset += (GNUTELLA_LONG_LENGTH * 2); name_length = 0; extra_length = 0; name_at_offset = hit_offset; while(hit_offset - offset < size) { cur_char = tvb_get_guint8(tvb, hit_offset); if(cur_char == '\0') break; hit_offset++; name_length++; } hit_offset++; extra_at_offset = hit_offset; while(hit_offset - offset < size) { cur_char = tvb_get_guint8(tvb, hit_offset); if(cur_char == '\0') break; hit_offset++; extra_length++; } hit_offset++; qhi = proto_tree_add_item(tree, hf_gnutella_queryhit_hit, tvb, idx_at_offset, (GNUTELLA_LONG_LENGTH * 2) + name_length + extra_length + GNUTELLA_QUERYHIT_END_OF_STRING_LENGTH, FALSE); hit_tree = proto_item_add_subtree(qhi, ett_gnutella); proto_tree_add_item(hit_tree, hf_gnutella_queryhit_hit_index, tvb, idx_at_offset, GNUTELLA_LONG_LENGTH, TRUE); proto_tree_add_item(hit_tree, hf_gnutella_queryhit_hit_size, tvb, size_at_offset, GNUTELLA_LONG_LENGTH, TRUE); proto_tree_add_item(hit_tree, hf_gnutella_queryhit_hit_name, tvb, name_at_offset, name_length, FALSE); if(extra_length) { proto_tree_add_item(hit_tree, hf_gnutella_queryhit_hit_extra, tvb, extra_at_offset, extra_length, FALSE); } } used = hit_offset - offset; remaining = size - used; if(remaining > GNUTELLA_SERVENT_ID_LENGTH) { servent_id_at_offset = hit_offset + remaining - GNUTELLA_SERVENT_ID_LENGTH; proto_tree_add_item(tree, hf_gnutella_queryhit_extra, tvb, hit_offset, servent_id_at_offset - hit_offset, FALSE); } else { servent_id_at_offset = hit_offset; } proto_tree_add_item(tree, hf_gnutella_queryhit_servent_id, tvb, servent_id_at_offset, GNUTELLA_SERVENT_ID_LENGTH, FALSE); } static void dissect_gnutella_push(tvbuff_t *tvb, guint offset, proto_tree *tree, guint size) { if(offset + size > tvb_length(tvb)) { proto_tree_add_item(tree, hf_gnutella_truncated, tvb, offset, size, FALSE); return; } proto_tree_add_item(tree, hf_gnutella_push_servent_id, tvb, offset + GNUTELLA_PUSH_SERVENT_ID_OFFSET, GNUTELLA_SERVENT_ID_LENGTH, FALSE); proto_tree_add_item(tree, hf_gnutella_push_index, tvb, offset + GNUTELLA_PUSH_INDEX_OFFSET, GNUTELLA_LONG_LENGTH, TRUE); proto_tree_add_item(tree, hf_gnutella_push_ip, tvb, offset + GNUTELLA_PUSH_IP_OFFSET, GNUTELLA_IP_LENGTH, FALSE); proto_tree_add_item(tree, hf_gnutella_push_port, tvb, offset + GNUTELLA_PUSH_PORT_OFFSET, GNUTELLA_PORT_LENGTH, TRUE); } static void dissect_gnutella(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { proto_item *ti, *hi, *pi; proto_tree *gnutella_tree, *gnutella_header_tree, *gnutella_pong_tree; proto_tree *gnutella_queryhit_tree, *gnutella_push_tree; proto_tree *gnutella_query_tree; int snap_len, payload_descriptor, offset; unsigned int size; char *payload_descriptor_text; if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, "Gnutella"); if (check_col(pinfo->cinfo, COL_INFO)) col_set_str(pinfo->cinfo, COL_INFO, "Gnutella"); snap_len = tvb_length(tvb); if(snap_len < GNUTELLA_HEADER_LENGTH) { if (check_col(pinfo->cinfo, COL_INFO)) col_append_fstr(pinfo->cinfo, COL_INFO, ", %i bytes [INCOMPLETE]", snap_len); return; } else { if (check_col(pinfo->cinfo, COL_INFO)) col_append_fstr(pinfo->cinfo, COL_INFO, ", %i bytes", snap_len); } if (tree) { ti = proto_tree_add_item(tree, proto_gnutella, tvb, 0, -1, FALSE); gnutella_tree = proto_item_add_subtree(ti, ett_gnutella); offset = 0; size = tvb_get_letohl( tvb, offset + GNUTELLA_HEADER_SIZE_OFFSET); if(size > GNUTELLA_MAX_SNAP_SIZE) { proto_tree_add_item(gnutella_tree, hf_gnutella_stream, tvb, offset, snap_len, FALSE); return; } while(snap_len - offset >= GNUTELLA_HEADER_LENGTH) { payload_descriptor = tvb_get_guint8( tvb, offset + GNUTELLA_HEADER_PAYLOAD_OFFSET); size = tvb_get_letohl( tvb, offset + GNUTELLA_HEADER_SIZE_OFFSET); switch(payload_descriptor) { case GNUTELLA_PING: payload_descriptor_text = GNUTELLA_PING_NAME; break; case GNUTELLA_PONG: payload_descriptor_text = GNUTELLA_PONG_NAME; break; case GNUTELLA_PUSH: payload_descriptor_text = GNUTELLA_PUSH_NAME; break; case GNUTELLA_QUERY: payload_descriptor_text = GNUTELLA_QUERY_NAME; break; case GNUTELLA_QUERYHIT: payload_descriptor_text = GNUTELLA_QUERYHIT_NAME; break; default: payload_descriptor_text = GNUTELLA_UNKNOWN_NAME; break; } hi = proto_tree_add_item(gnutella_tree, hf_gnutella_header, tvb, offset, GNUTELLA_HEADER_LENGTH, FALSE); gnutella_header_tree = proto_item_add_subtree(hi, ett_gnutella); proto_tree_add_item(gnutella_header_tree, hf_gnutella_header_id, tvb, offset + GNUTELLA_HEADER_ID_OFFSET, GNUTELLA_SERVENT_ID_LENGTH, FALSE); proto_tree_add_uint_format(gnutella_header_tree, hf_gnutella_header_payload, tvb, offset + GNUTELLA_HEADER_PAYLOAD_OFFSET, GNUTELLA_BYTE_LENGTH, payload_descriptor, "Payload: %i (%s)", payload_descriptor, payload_descriptor_text); proto_tree_add_item(gnutella_header_tree, hf_gnutella_header_ttl, tvb, offset + GNUTELLA_HEADER_TTL_OFFSET, GNUTELLA_BYTE_LENGTH, FALSE); proto_tree_add_item(gnutella_header_tree, hf_gnutella_header_hops, tvb, offset + GNUTELLA_HEADER_HOPS_OFFSET, GNUTELLA_BYTE_LENGTH, FALSE); proto_tree_add_uint(gnutella_header_tree, hf_gnutella_header_size, tvb, offset + GNUTELLA_HEADER_SIZE_OFFSET, GNUTELLA_LONG_LENGTH, size); if (size > 0) { switch(payload_descriptor) { case GNUTELLA_PONG: pi = proto_tree_add_item( gnutella_header_tree, hf_gnutella_pong_payload, tvb, offset + GNUTELLA_HEADER_LENGTH, size, FALSE); gnutella_pong_tree = proto_item_add_subtree( pi, ett_gnutella); dissect_gnutella_pong( tvb, offset + GNUTELLA_HEADER_LENGTH, gnutella_pong_tree, size); break; case GNUTELLA_PUSH: pi = proto_tree_add_item( gnutella_header_tree, hf_gnutella_push_payload, tvb, offset + GNUTELLA_HEADER_LENGTH, size, FALSE); gnutella_push_tree = proto_item_add_subtree( pi, ett_gnutella); dissect_gnutella_push( tvb, offset + GNUTELLA_HEADER_LENGTH, gnutella_push_tree, size); break; case GNUTELLA_QUERY: pi = proto_tree_add_item( gnutella_header_tree, hf_gnutella_query_payload, tvb, offset + GNUTELLA_HEADER_LENGTH, size, FALSE); gnutella_query_tree = proto_item_add_subtree( pi, ett_gnutella); dissect_gnutella_query( tvb, offset + GNUTELLA_HEADER_LENGTH, gnutella_query_tree, size); break; case GNUTELLA_QUERYHIT: pi = proto_tree_add_item( gnutella_header_tree, hf_gnutella_queryhit_payload, tvb, offset + GNUTELLA_HEADER_LENGTH, size, FALSE); gnutella_queryhit_tree = proto_item_add_subtree( pi, ett_gnutella); dissect_gnutella_queryhit( tvb, offset + GNUTELLA_HEADER_LENGTH, gnutella_queryhit_tree, size); break; } } offset = offset + GNUTELLA_HEADER_LENGTH + size; } } } void proto_register_gnutella(void) { static hf_register_info hf[] = { { &hf_gnutella_header, { "Descriptor Header", "gnutella.header", FT_NONE, BASE_NONE, NULL, 0, "Gnutella Descriptor Header", HFILL } }, { &hf_gnutella_pong_payload, { "Pong", "gnutella.pong.payload", FT_NONE, BASE_NONE, NULL, 0, "Gnutella Pong Payload", HFILL } }, { &hf_gnutella_push_payload, { "Push", "gnutella.push.payload", FT_NONE, BASE_NONE, NULL, 0, "Gnutella Push Payload", HFILL } }, { &hf_gnutella_query_payload, { "Query", "gnutella.query.payload", FT_NONE, BASE_NONE, NULL, 0, "Gnutella Query Payload", HFILL } }, { &hf_gnutella_queryhit_payload, { "QueryHit", "gnutella.queryhit.payload", FT_NONE, BASE_NONE, NULL, 0, "Gnutella QueryHit Payload", HFILL } }, { &hf_gnutella_truncated, { "Truncated Frame", "gnutella.truncated", FT_NONE, BASE_NONE, NULL, 0, "The Gnutella Frame Was Truncated", HFILL } }, { &hf_gnutella_stream, { "Gnutella Upload / Download Stream", "gnutella.stream", FT_NONE, BASE_NONE, NULL, 0, "Gnutella Upload / Download Stream", HFILL } }, { &hf_gnutella_header_id, { "ID", "gnutella.header.id", FT_BYTES, BASE_HEX, NULL, 0, "Gnutella Descriptor ID", HFILL } }, { &hf_gnutella_header_payload, { "Payload", "gnutella.header.payload", FT_UINT8, BASE_DEC, NULL, 0, "Gnutella Descriptor Payload", HFILL } }, { &hf_gnutella_header_ttl, { "TTL", "gnutella.header.ttl", FT_UINT8, BASE_DEC, NULL, 0, "Gnutella Descriptor Time To Live", HFILL } }, { &hf_gnutella_header_hops, { "Hops", "gnutella.header.hops", FT_UINT8, BASE_DEC, NULL, 0, "Gnutella Descriptor Hop Count", HFILL } }, { &hf_gnutella_header_size, { "Length", "gnutella.header.size", FT_UINT8, BASE_DEC, NULL, 0, "Gnutella Descriptor Payload Length", HFILL } }, { &hf_gnutella_pong_port, { "Port", "gnutella.pong.port", FT_UINT16, BASE_DEC, NULL, 0, "Gnutella Pong TCP Port", HFILL } }, { &hf_gnutella_pong_ip, { "IP", "gnutella.pong.ip", FT_IPv4, BASE_DEC, NULL, 0, "Gnutella Pong IP Address", HFILL } }, { &hf_gnutella_pong_files, { "Files Shared", "gnutella.pong.files", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella Pong Files Shared", HFILL } }, { &hf_gnutella_pong_kbytes, { "KBytes Shared", "gnutella.pong.kbytes", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella Pong KBytes Shared", HFILL } }, { &hf_gnutella_query_min_speed, { "Min Speed", "gnutella.query.min_speed", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella Query Minimum Speed", HFILL } }, { &hf_gnutella_query_search, { "Search", "gnutella.query.search", FT_STRINGZ, BASE_NONE, NULL, 0, "Gnutella Query Search", HFILL } }, { &hf_gnutella_queryhit_hit, { "Hit", "gnutella.queryhit.hit", FT_NONE, BASE_NONE, NULL, 0, "Gnutella QueryHit", HFILL } }, { &hf_gnutella_queryhit_hit_index, { "Index", "gnutella.queryhit.hit.index", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella QueryHit Index", HFILL } }, { &hf_gnutella_queryhit_hit_size, { "Size", "gnutella.queryhit.hit.size", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella QueryHit Size", HFILL } }, { &hf_gnutella_queryhit_hit_name, { "Name", "gnutella.queryhit.hit.name", FT_STRING, BASE_NONE, NULL, 0, "Gnutella Query Name", HFILL } }, { &hf_gnutella_queryhit_hit_extra, { "Extra", "gnutella.queryhit.hit.extra", FT_BYTES, BASE_HEX, NULL, 0, "Gnutella Query Extra", HFILL } }, { &hf_gnutella_queryhit_count, { "Count", "gnutella.queryhit.count", FT_UINT8, BASE_DEC, NULL, 0, "Gnutella QueryHit Count", HFILL } }, { &hf_gnutella_queryhit_port, { "Port", "gnutella.queryhit.port", FT_UINT16, BASE_DEC, NULL, 0, "Gnutella QueryHit Port", HFILL } }, { &hf_gnutella_queryhit_ip, { "IP", "gnutella.queryhit.ip", FT_IPv4, BASE_DEC, NULL, 0, "Gnutella QueryHit IP Address", HFILL } }, { &hf_gnutella_queryhit_speed, { "Speed", "gnutella.queryhit.speed", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella QueryHit Speed", HFILL } }, { &hf_gnutella_queryhit_extra, { "Extra", "gnutella.queryhit.extra", FT_BYTES, BASE_HEX, NULL, 0, "Gnutella QueryHit Extra", HFILL } }, { &hf_gnutella_queryhit_servent_id, { "Servent ID", "gnutella.queryhit.servent_id", FT_BYTES, BASE_HEX, NULL, 0, "Gnutella QueryHit Servent ID", HFILL } }, { &hf_gnutella_push_servent_id, { "Servent ID", "gnutella.push.servent_id", FT_BYTES, BASE_HEX, NULL, 0, "Gnutella Push Servent ID", HFILL } }, { &hf_gnutella_push_ip, { "IP", "gnutella.push.ip", FT_IPv4, BASE_DEC, NULL, 0, "Gnutella Push IP Address", HFILL } }, { &hf_gnutella_push_index, { "Index", "gnutella.push.index", FT_UINT32, BASE_DEC, NULL, 0, "Gnutella Push Index", HFILL } }, { &hf_gnutella_push_port, { "Port", "gnutella.push.port", FT_UINT16, BASE_DEC, NULL, 0, "Gnutella Push Port", HFILL } }, }; static gint *ett[] = { &ett_gnutella, }; proto_gnutella = proto_register_protocol("Gnutella Protocol", "GNUTELLA", "gnutella"); proto_register_field_array(proto_gnutella, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); } void proto_reg_handoff_gnutella(void) { dissector_handle_t gnutella_handle; gnutella_handle = create_dissector_handle(dissect_gnutella, proto_gnutella); dissector_add("tcp.port", GNUTELLA_TCP_PORT, gnutella_handle); }