-rw-r--r-- | docbook/release-notes.asciidoc | 1 | ||||
-rw-r--r-- | epan/CMakeLists.txt | 1 | ||||
-rw-r--r-- | epan/dissectors/Makefile.common | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-ath.c | 452 |
4 files changed, 455 insertions, 0 deletions
diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc
index 9caef904f4..9f257ac139 100644
--- a/docbook/release-notes.asciidoc
+++ b/docbook/release-notes.asciidoc
@@ -151,6 +151,7 @@ MACsec Key Agreement - EAPoL-MKA
 DJI UAV Drone Control Protocol
 ZVT Kassenschnittstelle
 ETSI Card Application Toolkit - Transport Protocol
+Apache Tribes Heartbeat
 QNEX6 (QNET)
 Secure Socket Tunnel Protocol (SSTP)
 BGP Monitoring Prototol (BMP)
diff --git a/epan/CMakeLists.txt b/epan/CMakeLists.txt
index c0be675cfb..d745ec4d0f 100644
--- a/epan/CMakeLists.txt
+++ b/epan/CMakeLists.txt
@@ -393,6 +393,7 @@ set(DISSECTOR_SRC
 dissectors/packet-asterix.c
 dissectors/packet-at.c
 dissectors/packet-atalk.c
+ dissectors/packet-ath.c
 dissectors/packet-atm.c
 dissectors/packet-atmtcp.c
 dissectors/packet-auto_rp.c
diff --git a/epan/dissectors/Makefile.common b/epan/dissectors/Makefile.common
index 1d4895ff34..fd9ca0234c 100644
--- a/epan/dissectors/Makefile.common
+++ b/epan/dissectors/Makefile.common
@@ -309,6 +309,7 @@ DISSECTOR_SRC = \
 packet-asterix.c \
 packet-at.c \
 packet-atalk.c \
+ packet-ath.c \
 packet-atm.c \
 packet-atmtcp.c \
 packet-auto_rp.c \
diff --git a/epan/dissectors/packet-ath.c b/epan/dissectors/packet-ath.c
new file mode 100644
index 0000000000..5b636ffe94
--- /dev/null
+++ b/epan/dissectors/packet-ath.c
@@ -0,0 +1,452 @@
+/* packet-ath.c
+ * Routines for ATH (Apache Tribes Heartbeat) dissection
+ * Copyright 2015, Eugene Adell <eugene.adell@d2-si.eu>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+#include <glib.h>
+#include <epan/packet.h>
+#include <epan/expert.h>
+#include <epan/to_str.h>
+
+void proto_register_ath(void);
+void proto_reg_handoff_ath(void);
+
+/* IMPORTANT IMPLEMENTATION NOTES
+ *
+ * You need to be looking at:
+ *
+ * http://tomcat.apache.org/tomcat-8.0-doc/cluster-howto.html
+ *
+ * Tomcat clustering uses two protocols :
+ *
+ * - UDP heartbeats to maintain a status of all the members of the cluster
+ *
+ * - TCP RMI to send data accross members
+ *
+ * This dissector is about UDP heartbeats, that we will call ATH, standing for
+ * Apache Tribes Heartbeat. Tribes is the name of the clustering libraries
+ * package of Apache Tomcat.
+ *
+ */
+
+#define ATH_PORT 45564
+
+static int proto_ath = -1;
+
+static int hf_ath_begin = -1;
+static int hf_ath_length = -1;
+static int hf_ath_alive = -1;
+static int hf_ath_port = -1;
+static int hf_ath_sport = -1;
+static int hf_ath_uport = -1;
+static int hf_ath_hlen = -1;
+static int hf_ath_ipv4 = -1;
+static int hf_ath_ipv6 = -1;
+static int hf_ath_clen = -1;
+static int hf_ath_comm = -1;
+static int hf_ath_dlen = -1;
+static int hf_ath_domain = -1;
+static int hf_ath_unique = -1;
+static int hf_ath_plen = -1;
+static int hf_ath_payload= -1;
+static int hf_ath_end = -1;
+
+static gint ett_ath = -1;
+
+static guint ett_length = 0;
+
+static expert_field ei_ath_hlen_invalid = EI_INIT;
+static expert_field ei_ath_hmark_invalid = EI_INIT;
+
+static void
+dissect_ath(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+
+ int offset = 0;
+
+ /* various lengths as reported in the packet itself */
+ guint8 hlen = 0;
+ gint32 clen = 0;
+ gint32 dlen = 0;
+ gint32 plen = 0;
+
+ /* detect the Tribes (Tomcat) version */
+ gint tribes_version_mark = 0;
+
+ /* store the info */
+ const gchar *info_srcaddr = "";
+ const gchar *info_domain = "";
+ const gchar *info_command = "";
+
+ proto_item *ti, *hlen_item;
+ proto_tree *ath_tree;
+
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATH");
+
+ /* Clear out stuff in the info column */
+ col_clear(pinfo->cinfo,COL_INFO);
+
+ ti = proto_tree_add_item(tree, proto_ath, tvb, 0, -1, ENC_NA);
+ ath_tree = proto_item_add_subtree(ti, ett_ath);
+
+ /* Determine the Tribes version, which means determining the Tomcat version.
+ * There are 2 versions : one for Tomcat 6, and one for Tomcat 7/8
+ * We know that Tomcat 6 packets end with "-E" (Ox2d 0x45 or 11589 in decimal)
+ * and Tomcat 7/8 packets end with "Ox01 0x00" (256 in decimal)
+ * This is why we read these 2 last bytes of the packet
+ */
+ tribes_version_mark = tvb_get_ntohs( tvb, tvb_reported_length(tvb)-2 );
+
+ /* dissecting a Tomcat 6 packet
+ */
+ if( tribes_version_mark == 11589 ) {
+
+ /* BEGIN
+ */
+ proto_tree_add_item(ath_tree, hf_ath_begin, tvb, offset, 8, ENC_ASCII|ENC_NA);
+ offset+=8;
+
+ /* LENGTH
+ */
+ proto_tree_add_item(ath_tree, hf_ath_length, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* ALIVE TIME
+ */
+ proto_tree_add_item(ath_tree, hf_ath_alive, tvb, offset, 8, ENC_BIG_ENDIAN);
+ offset+=8;
+
+ /* PORT
+ */
+ proto_tree_add_item(ath_tree, hf_ath_port, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* SECURE PORT
+ */
+ proto_tree_add_item(ath_tree, hf_ath_sport, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* HOST LENGTH
+ */
+ hlen_item = proto_tree_add_item(ath_tree, hf_ath_hlen, tvb, offset, 1, ENC_BIG_ENDIAN);
+ hlen = tvb_get_guint8(tvb, offset);
+ offset+=1;
+
+ /* HOST
+ */
+ if(hlen == 4) {
+ proto_tree_add_item(ath_tree, hf_ath_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
+ info_srcaddr = tvb_ip_to_str(tvb, offset);
+ } else if(hlen == 6) {
+ proto_tree_add_item(ath_tree, hf_ath_ipv6, tvb, offset, 6, ENC_NA);
+ info_srcaddr = tvb_ip6_to_str(tvb, offset);
+ } else {
+ expert_add_info(pinfo, hlen_item, &ei_ath_hlen_invalid);
+ }
+ offset+=hlen;
+
+ /* COMMAND LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_clen, tvb, offset, 4, ENC_BIG_ENDIAN, &clen);
+ offset+=4;
+
+ /* COMMAND
+ */
+ proto_tree_add_item(ath_tree, hf_ath_comm, tvb, offset, clen, ENC_ASCII|ENC_NA);
+ if (clen != -1)
+ info_command = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, clen, ENC_ASCII);
+ offset+=clen;
+
+ /* DOMAIN LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_dlen, tvb, offset, 4, ENC_BIG_ENDIAN, &dlen);
+ offset+=4;
+
+ /* DOMAIN
+ */
+ proto_tree_add_item(ath_tree, hf_ath_domain, tvb, offset, dlen, ENC_ASCII|ENC_NA);
+ if (dlen != 0)
+ info_domain = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, dlen, ENC_ASCII);
+ offset+=dlen;
+
+ /* UNIQUEID
+ */
+ proto_tree_add_item(ath_tree, hf_ath_unique, tvb, offset, 16, ENC_NA);
+ offset+=16;
+
+ /* PAYLOAD LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_plen, tvb, offset, 4, ENC_BIG_ENDIAN, &plen);
+ offset+=4;
+
+ /* PAYLOAD
+ */
+ proto_tree_add_item(ath_tree, hf_ath_payload, tvb, offset, plen, ENC_ASCII|ENC_NA);
+ offset+=plen;
+
+ /* END
+ */
+ proto_tree_add_item(ath_tree, hf_ath_end, tvb, offset, 8, ENC_ASCII|ENC_NA);
+ }
+
+ /* dissecting a Tomcat 7/8 packet
+ */
+ else if (tribes_version_mark == 256) {
+
+ /* BEGIN
+ */
+ proto_tree_add_item(ath_tree, hf_ath_begin, tvb, offset, 8, ENC_ASCII|ENC_NA);
+ offset+=8;
+
+ /* LENGTH
+ */
+ proto_tree_add_item(ath_tree, hf_ath_length, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* ALIVE TIME
+ */
+ proto_tree_add_item(ath_tree, hf_ath_alive, tvb, offset, 8, ENC_BIG_ENDIAN);
+ offset+=8;
+
+ /* PORT
+ */
+ proto_tree_add_item(ath_tree, hf_ath_port, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* SECURE PORT
+ */
+ proto_tree_add_item(ath_tree, hf_ath_sport, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* UDP PORT, only in Tomcat 7/8
+ */
+ proto_tree_add_item(ath_tree, hf_ath_uport, tvb, offset, 4, ENC_BIG_ENDIAN);
+ offset+=4;
+
+ /* HOST LENGTH
+ */
+ proto_tree_add_item(ath_tree, hf_ath_hlen, tvb, offset, 1, ENC_BIG_ENDIAN);
+ hlen = tvb_get_guint8(tvb, offset);
+ offset+=1;
+
+ /* HOST
+ */
+ if(hlen == 4) {
+ proto_tree_add_item(ath_tree, hf_ath_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
+ info_srcaddr = tvb_ip_to_str(tvb, offset);
+ } else if(hlen == 6) {
+ proto_tree_add_item(ath_tree, hf_ath_ipv6, tvb, offset, 6, ENC_NA);
+ info_srcaddr = tvb_ip6_to_str(tvb, offset);
+ }
+ offset+=hlen;
+
+ /* COMMAND LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_clen, tvb, offset, 4, ENC_BIG_ENDIAN, &clen);
+ offset+=4;
+
+ /* COMMAND
+ */
+ proto_tree_add_item(ath_tree, hf_ath_comm, tvb, offset, clen, ENC_ASCII|ENC_NA);
+ if (clen != -1)
+ info_command = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, clen, ENC_ASCII);
+ offset+=clen;
+
+ /* DOMAIN LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_dlen, tvb, offset, 4, ENC_BIG_ENDIAN, &dlen);
+ offset+=4;
+
+ /* DOMAIN
+ */
+ proto_tree_add_item(ath_tree, hf_ath_domain, tvb, offset, dlen, ENC_ASCII|ENC_NA);
+ if (dlen != 0)
+ info_domain = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, dlen, ENC_ASCII);
+ offset+=dlen;
+
+ /* UNIQUEID
+ */
+ proto_tree_add_item(ath_tree, hf_ath_unique, tvb, offset, 16, ENC_NA);
+ offset+=16;
+
+ /* PAYLOAD LENGTH
+ */
+ proto_tree_add_item_ret_int(ath_tree, hf_ath_plen, tvb, offset, 4, ENC_BIG_ENDIAN, &plen);
+ offset+=4;
+
+ /* PAYLOAD
+ */
+ proto_tree_add_item(ath_tree, hf_ath_payload, tvb, offset, plen, ENC_ASCII|ENC_NA);
+ offset+=plen;
+
+ /* END
+ */
+ proto_tree_add_item(ath_tree, hf_ath_end, tvb, offset, 8, ENC_ASCII|ENC_NA);
+
+ } else {
+ proto_tree_add_expert(tree, pinfo, &ei_ath_hmark_invalid, tvb, offset, -1);
+ return;
+ }
+
+ /* set the INFO column, and we're done !
+ */
+ if( strcmp(info_command, "") != 0 ) {
+ if( strcmp(info_command, "BABY-ALEX") == 0 ) {
+ if( strcmp(info_domain, "") != 0 ) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%s is leaving domain %s", info_srcaddr, info_domain);
+ } else {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%s is leaving default domain", info_srcaddr);
+ }
+ } else {
+ if( strcmp(info_domain, "") != 0 ) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "Heartbeat from %s to domain %s", info_srcaddr, info_domain);
+ } else {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "Heartbeat from %s to default domain", info_srcaddr);
+ }
+ }
+ } else {
+ if( strcmp(info_domain, "") != 0 ) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "Heartbeat from %s to domain %s", info_srcaddr, info_domain);
+ } else {
+ col_append_fstr(pinfo->cinfo, COL_INFO, "Heartbeat from %s to default domain", info_srcaddr);
+ }
+ }
+
+}
+
+void
+proto_register_ath(void)
+{
+
+ expert_module_t* expert_ath;
+
+ static hf_register_info hf[] = {
+ { &hf_ath_begin,
+ { "Begin", "ath.begin", FT_STRING, BASE_NONE, NULL, 0x0, "Begin mark",
+ HFILL }
+ },
+ { &hf_ath_length,
+ { "Length", "ath.length", FT_UINT32, BASE_DEC, NULL, 0x0, "Data Length",
+ HFILL }
+ },
+ { &hf_ath_alive,
+ { "Alive Time", "ath.alive", FT_UINT64, BASE_DEC, NULL, 0x0, "Alive Time counter",
+ HFILL }
+ },
+ { &hf_ath_port,
+ { "Port", "ath.port", FT_UINT32, BASE_DEC, NULL, 0x0, "RMI Port",
+ HFILL }
+ },
+ { &hf_ath_sport,
+ { "Secure Port", "ath.sport", FT_INT32, BASE_DEC, NULL, 0x0, "RMI Secure Port",
+ HFILL }
+ },
+ { &hf_ath_uport,
+ { "UDP Port", "ath.uport", FT_INT32, BASE_DEC, NULL, 0x0, "RMI UDP Port",
+ HFILL }
+ },
+ { &hf_ath_hlen,
+ { "Host Length", "ath.hlen", FT_INT8, BASE_DEC, NULL, 0x0, "Host IP Length",
+ HFILL }
+ },
+ { &hf_ath_ipv4,
+ { "Host", "ath.ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, "IPv4 Host",
+ HFILL }
+ },
+ { &hf_ath_ipv6,
+ { "Host", "ath.ipv6", FT_IPv6, BASE_NONE, NULL, 0x0, "IPv6 Host",
+ HFILL }
+ },
+ { &hf_ath_clen,
+ { "Command Length", "ath.clen", FT_INT32, BASE_DEC, NULL, 0x0, "Command Length for members",
+ HFILL }
+ },
+ { &hf_ath_comm,
+ { "Command", "ath.comm", FT_STRING, BASE_NONE, NULL, 0x0, "Command for members",
+ HFILL }
+ },
+ { &hf_ath_dlen,
+ { "Domain Length", "ath.dlen", FT_INT32, BASE_DEC, NULL, 0x0, "Cluster Domain Length",
+ HFILL }
+ },
+ { &hf_ath_domain,
+ { "Domain", "ath.domain", FT_STRING, BASE_NONE, NULL, 0x0, "Cluster Domain",
+ HFILL }
+ },
+ { &hf_ath_unique,
+ { "uniqueId", "ath.unique", FT_BYTES, BASE_NONE, NULL, 0x0, "UniqueID identifier",
+ HFILL }
+ },
+ { &hf_ath_plen,
+ { "Payload Length", "ath.plen", FT_INT32, BASE_DEC, NULL, 0x0, "Packet Payload Length",
+ HFILL }
+ },
+ { &hf_ath_payload,
+ { "Payload", "ath.payload", FT_STRING, BASE_NONE, NULL, 0x0, "Packet Payload",
+ HFILL }
+ },
+ { &hf_ath_end,
+ { "End", "ath.end", FT_STRING, BASE_NONE, NULL, 0x0, "End mark",
+ HFILL }
+ },
+ };
+
+ static ei_register_info ei[] = {
+ { &ei_ath_hlen_invalid, { "ath.hlen.invalid", PI_MALFORMED, PI_ERROR, "Decode aborted: invalid IP length", EXPFILL }},
+ { &ei_ath_hmark_invalid, { "ath.hmark.invalid", PI_MALFORMED, PI_ERROR, "Decode aborted: not an ATH packet", EXPFILL }},
+ };
+
+ static gint *ett[] = {
+ &ett_ath,
+ };
+
+ ett_length = array_length(ett);
+
+ proto_ath = proto_register_protocol("Apache Tribes Heartbeat Protocol", "ATH", "ath");
+ proto_register_field_array(proto_ath, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+ expert_ath = expert_register_protocol(proto_ath);
+ expert_register_field_array(expert_ath, ei, array_length(ei));
+
+}
+
+void
+proto_reg_handoff_ath(void)
+{
+ static dissector_handle_t ath_handle;
+
+ ath_handle = create_dissector_handle(dissect_ath, proto_ath);
+ dissector_add_uint("udp.port", ATH_PORT, ath_handle);
+}
+
+/*
+ * Editor modelines - https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 2
+ * tab-width: 2
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=2 tabstop=2 expandtab:
+ * :indentSize=2:tabSize=2:noTabs=true:
+ */ |
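Review bot: In dissect_ath, the signed lengths read from the packet are not validated before the `offset+=clen`, `offset+=dlen` and `offset+=plen` lines in either version branch: the `if (clen != -1)` guard only skips the string fetch, but `proto_tree_add_item(ath_tree, hf_ath_comm, tvb, offset, clen, ENC_ASCII|ENC_NA)` has already been called with -1 (the same "rest of the packet" convention the top-level `proto_tree_add_item(tree, proto_ath, tvb, 0, -1, ENC_NA)` relies on) and `offset` then steps back one byte, so every later field is decoded from the wrong position; `dlen` is only compared with 0 and `plen` not at all. A check such as `if (clen < 0) { expert_add_info(pinfo, clen_item, &ei_ath_len_invalid); return; }` after each `proto_tree_add_item_ret_int` (keeping the returned item the way `hlen_item` is kept, and registering a new `ei_ath_len_invalid` entry next to `ei_ath_hlen_invalid`) would flag a corrupt or crafted heartbeat as malformed instead of misdecoding it; the tvb accessors throw on their own for most out-of-range values, but -1 passes silently. The Tomcat 7/8 branch also omits the `else { expert_add_info(pinfo, hlen_item, &ei_ath_hlen_invalid); }` arm that the Tomcat 6 branch has (and never stores `hlen_item`), and in both branches the "Decode aborted" expert text is misleading because decoding continues at `offset+=hlen`. The `hlen == 6` case is worth confirming against a capture: it adds a 6-byte FT_IPv6 item while `tvb_ip6_to_str(tvb, offset)` formats 16 bytes from the same offset, so a genuine IPv6 member address would presumably arrive with a 16-byte host length. As a point of style, the two branches differ only by the UDP-port field and could share one helper, which would also keep the length checks in a single place; `ett_length` is assigned in proto_register_ath but never read.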