diff options
author | Guy Harris <guy@alum.mit.edu> | 2004-11-12 10:03:53 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2004-11-12 10:03:53 +0000 |
commit | 52893913003366bf2f2542846d1cf3c6cd29844c (patch) | |
tree | 32f8bf86d89ffd997079f3c9c0455c71fd6e3f71 /epan/dissectors/packet-ipsec.c | |
parent | f7042f6a52ff4ec32f2ec8ececc7374cbe0b2bfe (diff) |
From Mark Phillips: optionally support decoding the payload of ESP
packets using null encryption (with a heuristic to detect null
encryption).
svn path=/trunk/; revision=12513
Diffstat (limited to 'epan/dissectors/packet-ipsec.c')
-rw-r--r-- | epan/dissectors/packet-ipsec.c | 77 |
1 files changed, 74 insertions, 3 deletions
diff --git a/epan/dissectors/packet-ipsec.c b/epan/dissectors/packet-ipsec.c index fd1cc8d961..76b974dee7 100644 --- a/epan/dissectors/packet-ipsec.c +++ b/epan/dissectors/packet-ipsec.c @@ -38,6 +38,8 @@ /* Place AH payload in sub tree */ static gboolean g_ah_payload_in_subtree = FALSE; +/* Default ESP payload decode to off (only works if payload is NULL encrypted) */ +static gboolean g_esp_enable_null_encryption_decode_heuristic = FALSE; static int proto_ah = -1; static int hf_ah_spi = -1; @@ -45,6 +47,8 @@ static int hf_ah_sequence = -1; static int proto_esp = -1; static int hf_esp_spi = -1; static int hf_esp_sequence = -1; +static int hf_esp_pad = -1; +static int hf_esp_protocol = -1; static int proto_ipcomp = -1; static int hf_ipcomp_flags = -1; static int hf_ipcomp_cpi = -1; @@ -214,6 +218,9 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) * (ie none) */ if(tree) { + int len, pad, encapsulated_protocol; + gboolean auth_decode_ok = FALSE; + ti = proto_tree_add_item(tree, proto_esp, tvb, 0, -1, FALSE); esp_tree = proto_item_add_subtree(ti, ett_esp); proto_tree_add_uint(esp_tree, hf_esp_spi, tvb, @@ -222,9 +229,60 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) proto_tree_add_uint(esp_tree, hf_esp_sequence, tvb, offsetof(struct newesp, esp_seq), 4, (guint32)g_ntohl(esp.esp_seq)); - call_dissector(data_handle, - tvb_new_subset(tvb, sizeof(struct newesp), -1, -1), - pinfo, esp_tree); + + if(g_esp_enable_null_encryption_decode_heuristic) + { + /* Get length of whole ESP packet. */ + len = tvb_reported_length(tvb); + + /* Make sure the packet is not truncated before the fields + * we need to read to determine the encapsulated protocol */ + if(tvb_bytes_exist(tvb, len - 14, 2)) + { + pad = tvb_get_guint8(tvb, len - 14); + encapsulated_protocol = tvb_get_guint8(tvb, len - 13); + + if(dissector_try_port(ip_dissector_table, + encapsulated_protocol, + tvb_new_subset(tvb, + sizeof(struct newesp), + -1, + len - sizeof(struct newesp) - 14 - pad), + pinfo, + esp_tree)) + { + auth_decode_ok = TRUE; + } + } + } + + if(auth_decode_ok) + { + proto_tree_add_uint(esp_tree, hf_esp_pad, tvb, + len - 14, 1, + pad); + proto_tree_add_uint(esp_tree, hf_esp_protocol, tvb, + len - 13, 1, + encapsulated_protocol); + /* Make sure we have the auth trailer data */ + if(tvb_bytes_exist(tvb, len - 12, 12)) + { + proto_tree_add_text(esp_tree, tvb, len - 12, 12, + "Authentication Data"); + } + else + { + /* Truncated so just display what we have */ + proto_tree_add_text(esp_tree, tvb, len - 12, 12 - (len - tvb_length(tvb)), + "Authentication Data (truncated)"); + } + } + else + { + call_dissector(data_handle, + tvb_new_subset(tvb, sizeof(struct newesp), -1, -1), + pinfo, esp_tree); + } } } @@ -299,6 +357,12 @@ proto_register_ipsec(void) "", HFILL }}, { &hf_esp_sequence, { "Sequence", "esp.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, + "", HFILL }}, + { &hf_esp_pad, + { "Pad Length", "esp.pad", FT_UINT8, BASE_DEC, NULL, 0x0, + "", HFILL }}, + { &hf_esp_protocol, + { "Next Header", "esp.protocol", FT_UINT8, BASE_HEX, NULL, 0x0, "", HFILL }} }; @@ -317,6 +381,7 @@ proto_register_ipsec(void) }; module_t *ah_module; + module_t *esp_module; proto_ah = proto_register_protocol("Authentication Header", "AH", "ah"); proto_register_field_array(proto_ah, hf_ah, array_length(hf_ah)); @@ -338,6 +403,12 @@ proto_register_ipsec(void) "Whether the AH payload decode should be placed in a subtree", &g_ah_payload_in_subtree); + esp_module = prefs_register_protocol(proto_esp, NULL); + prefs_register_bool_preference(esp_module, "enable_null_encryption_decode_heuristic", + "Attempt to detect/decode NULL encrypted ESP payloads", +"Assumes a 12 byte auth (SHA1/MD5) and attempts decode based on the ethertype 13 bytes from packet end", + &g_esp_enable_null_encryption_decode_heuristic); + register_dissector("esp", dissect_esp, proto_esp); register_dissector("ah", dissect_ah, proto_ah); } |