author | jmayer <jmayer@f5534014-38df-0310-8fa8-9805f1628bb7> | 2007-02-14 13:22:55 +0000 |
---|---|---|
committer | jmayer <jmayer@f5534014-38df-0310-8fa8-9805f1628bb7> | 2007-02-14 13:22:55 +0000 |
commit | c93ecfab7604bfc29ee4dca71c6c01f1773928db (patch) | |
tree | 9f5284665b179e5ed0f95ec0257c9639743548e4 /epan | |
parent | 7a85b9509b3111f5efa5042fd9548f81f23c4e89 (diff) |
Dissect the Cisco proprietary encapsulation of IPSEC/ISAKMP
in TCP (incomplete).
Add preference to select the tcp port (default: 10000)
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@20809 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/Makefile.common | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-ipsec-tcp.c | 129 | ||||
-rw-r--r-- | epan/dissectors/packet-udp.c | 1 |
3 files changed, 131 insertions, 0 deletions
diff --git a/epan/dissectors/Makefile.common b/epan/dissectors/Makefile.common
index 87182910f7..f3ccb924ef 100644
--- a/epan/dissectors/Makefile.common
+++ b/epan/dissectors/Makefile.common
@@ -387,6 +387,7 @@ DISSECTOR_SRC = \
 packet-ipfc.c \
 packet-ipmi.c \
 packet-ipp.c \
+ packet-ipsec-tcp.c \
 packet-ipsec-udp.c \
 packet-ipsec.c \
 packet-ipv6.c \
diff --git a/epan/dissectors/packet-ipsec-tcp.c b/epan/dissectors/packet-ipsec-tcp.c
new file mode 100644
index 0000000000..707b78c8c6
--- /dev/null
+++ b/epan/dissectors/packet-ipsec-tcp.c
@@ -0,0 +1,129 @@
+/*
+ * Routines for the disassembly of the proprietary Cisco IPSEC in
+ * TCP encapsulation protocol
+ *
+ * $Id$
+ *
+ * Copyright 2007 Joerg Mayer (see AUTHORS file)
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/* TODO:
+ * - Find out the meaning of the (unknown) trailer
+ * - UDP checksum is wrong
+ * - Currently doesn't handle AH (lack of sample trace)
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+#include <epan/prefs.h>
+
+static int hf_tcpencap_unknown = -1;
+
+static int proto_tcpencap = -1;
+static gint ett_tcpencap = -1;
+
+#define TCP_CISCO_IPSEC 10000
+static guint global_tcpencap_tcp_port = TCP_CISCO_IPSEC;
+
+static dissector_handle_t esp_handle;
+static dissector_handle_t udp_handle;
+
+/*
+ * TCP Encapsulation of IPsec Packets
+ * as supported by the cisco vpn3000 concentrator series
+ */
+static void
+dissect_tcpencap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ proto_tree *tcpencap_tree = NULL;
+ proto_item *ti = NULL;
+ tvbuff_t *next_tvb;
+ guint32 reported_length = tvb_reported_length(tvb);
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCPENCAP");
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ if (tree) {
+ ti = proto_tree_add_item(tree, proto_tcpencap, tvb, 0, -1, FALSE);
+ tcpencap_tree = proto_item_add_subtree(ti, ett_tcpencap);
+ }
+
+ /* Dissect the trailer following the encapsulated IPSEC/ISAKMP packet */
+ proto_tree_add_item(tcpencap_tree, hf_tcpencap_unknown, tvb,
+ reported_length - 16, 16, FALSE);
+
+ /* If the first 4 bytes are 0x01f401f4 (udp src and dst port = 500)
+ we most likely have UDP (isakmp) traffic */
+
+ /* Create the tvbuffer for the next dissector */
+ next_tvb = tvb_new_subset(tvb, 0, reported_length - 16 , -1);
+ if (tvb_get_ntohl(tvb, 0) == 0x01f401f4) {
+ call_dissector(udp_handle, next_tvb, pinfo, tree);
+ } else { /* Hopefully ESP */
+ call_dissector(esp_handle, next_tvb, pinfo, tree);
+ }
+}
+
+void
+proto_reg_handoff_tcpencap(void)
+{
+ dissector_handle_t tcpencap_handle;
+
+ esp_handle = find_dissector("esp");
+ udp_handle = find_dissector("udp");
+
+ tcpencap_handle = create_dissector_handle(dissect_tcpencap, proto_tcpencap);
+ dissector_add("tcp.port", global_tcpencap_tcp_port, tcpencap_handle);
+}
+
+void
+proto_register_tcpencap(void)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_tcpencap_unknown,
+ { "Unknown Trailer", "tcpencap.unknown", FT_BYTES, BASE_NONE, NULL,
+ 0x0, "", HFILL }},
+ };
+
+ static gint *ett[] = {
+ &ett_tcpencap,
+ };
+
+ module_t *tcpencap_module;
+
+ proto_tcpencap = proto_register_protocol(
+ "TCP Encapsulation of IPsec Packets", "TCPENCAP", "tcpencap");
+ proto_register_field_array(proto_tcpencap, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+ tcpencap_module = prefs_register_protocol(proto_tcpencap, proto_reg_handoff_tcpencap);
+ prefs_register_uint_preference(tcpencap_module, "tcp.port", "IPSEC TCP Port",
+ "Set the port for IPSEC/ISAKMP messages"
+ "If other than the default of 10000)",
+ 10, &global_tcpencap_tcp_port);
+}
+
diff --git a/epan/dissectors/packet-udp.c b/epan/dissectors/packet-udp.c
index 2818eb58e0..e8decf6e15 100644
--- a/epan/dissectors/packet-udp.c
+++ b/epan/dissectors/packet-udp.c
@@ -481,6 +481,7 @@ proto_register_udp(void) proto_udp = proto_register_protocol("User Datagram Protocol", "UDP", "udp"); + register_dissector("udp", dissect_udp, proto_udp); proto_udplite = proto_register_protocol("Lightweight User Datagram Protocol", "UDPlite", "udplite"); proto_register_field_array(proto_udp, hf, array_length(hf)); |
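Review bot: In packet-ipsec-tcp.c, `dissect_tcpencap` subtracts the 16-byte trailer from `reported_length` without first checking that the segment is at least 16 bytes long, so for any shorter payload on the configured port the `guint32` expression `reported_length - 16` wraps around. The wrapped value is then passed as the offset to `proto_tree_add_item()` and as the backing length to `tvb_new_subset()`; how those treat it is decided inside the tvbuff code, which this hunk does not show, so the dissector should not depend on it. A guard placed before the trailer is added, for example `if (reported_length < 16) return;` (or an explicit malformed-packet indication), keeps truncated or unrelated traffic on port 10000 away from that arithmetic. Separately, `proto_reg_handoff_tcpencap` is also passed to `prefs_register_protocol()` as the preference callback and calls `dissector_add()` every time without removing the previous registration, so changing the port preference appears to leave the old port bound to this dissector.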