/* packet-http.c * Routines for HTTP packet disassembly * * Guy Harris * * Copyright 2002, Tim Potter * Copyright 1999, Andrew Tridgell * * $Id: packet-http.c,v 1.66 2003/09/02 22:47:57 guy Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include #include #include "util.h" #include "packet-http.h" typedef enum _http_type { HTTP_REQUEST, HTTP_RESPONSE, HTTP_NOTIFICATION, HTTP_OTHERS } http_type_t; #include "tap.h" static int http_tap = -1; static int proto_http = -1; static int hf_http_notification = -1; static int hf_http_response = -1; static int hf_http_request = -1; static int hf_http_basic = -1; static int hf_http_request_method = -1; static int hf_http_response_method = -1; static gint ett_http = -1; static gint ett_http_ntlmssp = -1; static gint ett_http_request = -1; static dissector_handle_t data_handle; static dissector_handle_t http_handle; #define TCP_PORT_HTTP 80 #define TCP_PORT_PROXY_HTTP 3128 #define TCP_PORT_PROXY_ADMIN_HTTP 3132 #define TCP_ALT_PORT_HTTP 8080 /* * SSDP is implemented atop HTTP (yes, it really *does* run over UDP). */ #define TCP_PORT_SSDP 1900 #define UDP_PORT_SSDP 1900 /* * Protocols implemented atop HTTP. */ typedef enum { PROTO_HTTP, /* just HTTP */ PROTO_SSDP /* Simple Service Discovery Protocol */ } http_proto_t; typedef void (*RequestDissector)(tvbuff_t*, proto_tree*, int); static int is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type, RequestDissector *req_dissector, int *req_strlen); static dissector_table_t subdissector_table; static heur_dissector_list_t heur_subdissector_list; static dissector_handle_t ntlmssp_handle=NULL; /* Return a tvb that contains the binary representation of a base64 string */ static tvbuff_t * base64_to_tvb(const char *base64) { tvbuff_t *tvb; char *data = g_strdup(base64); size_t len; len = base64_decode(data); tvb = tvb_new_real_data(data, len, len); tvb_set_free_cb(tvb, g_free); return tvb; } static void dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *line) { tvbuff_t *ntlmssp_tvb; ntlmssp_tvb = base64_to_tvb(line); tvb_set_child_real_data_tvbuff(tvb, ntlmssp_tvb); add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP Data"); call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree); } /* * Some headers that we dissect more deeply: * * Microsoft's abomination called NTLMSSP over HTTP * HTTP Basic authorization */ static gboolean check_auth(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, const char *text) { static const char *ntlm_headers[] = { "Authorization: NTLM ", "Authorization: Negotiate ", "WWW-Authenticate: NTLM ", "WWW-Authenticate: Negotiate ", "Proxy-Authenticate: NTLM ", "Proxy-Authorization: NTLM ", NULL }; static const char *basic_headers[] = { "Authorization: Basic ", "Proxy-Authorization: Basic ", "Proxy-authorization: Basic ", NULL }; const char **header; size_t hdrlen; proto_tree *hdr_tree; char *data; size_t len; for (header = &ntlm_headers[0]; *header != NULL; header++) { hdrlen = strlen(*header); if (strncmp(text, *header, hdrlen) == 0) { if (hdr_item != NULL) { hdr_tree = proto_item_add_subtree(hdr_item, ett_http_ntlmssp); } else hdr_tree = NULL; text += hdrlen; dissect_http_ntlmssp(tvb, pinfo, hdr_tree, text); return TRUE; } } for (header = &basic_headers[0]; *header != NULL; header++) { hdrlen = strlen(*header); if (strncmp(text, *header, hdrlen) == 0) { if (hdr_item != NULL) { hdr_tree = proto_item_add_subtree(hdr_item, ett_http_ntlmssp); } else hdr_tree = NULL; text += hdrlen; data = g_strdup(text); len = base64_decode(data); data[len] = '\0'; proto_tree_add_string(hdr_tree, hf_http_basic, tvb, 0, 0, data); g_free(data); return TRUE; } } return FALSE; } /* TODO: remove this ugly global variable */ http_info_value_t *stat_info; static void dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { http_proto_t proto; char *proto_tag; proto_tree *http_tree = NULL; proto_item *ti = NULL; gint offset = 0; const guchar *line; gint next_offset; const guchar *linep, *lineend; int linelen; guchar c; http_type_t http_type; int datalen; char *text; proto_item *hdr_item; RequestDissector req_dissector; int req_strlen; proto_tree *req_tree; stat_info =g_malloc( sizeof(http_info_value_t)); stat_info->response_method = 0; stat_info->request_method = NULL; switch (pinfo->match_port) { case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */ proto = PROTO_SSDP; proto_tag = "SSDP"; break; default: proto = PROTO_HTTP; proto_tag = "HTTP"; break; } if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag); if (check_col(pinfo->cinfo, COL_INFO)) { /* * Put the first line from the buffer into the summary * if it's an HTTP request or reply (but leave out the * line terminator). * Otherwise, just call it a continuation. * * Note that "tvb_find_line_end()" will return a value that * is not longer than what's in the buffer, so the * "tvb_get_ptr()" call won't throw an exception. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); line = tvb_get_ptr(tvb, offset, linelen); http_type = HTTP_OTHERS; /* type not known yet */ if (is_http_request_or_reply(line, linelen, &http_type, NULL, NULL)) col_add_str(pinfo->cinfo, COL_INFO, format_text(line, linelen)); else col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); } if (tree) { ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1, FALSE); http_tree = proto_item_add_subtree(ti, ett_http); } /* * Process the packet data, a line at a time. */ http_type = HTTP_OTHERS; /* type not known yet */ while (tvb_offset_exists(tvb, offset)) { /* * Find the end of the line. */ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* * Get a buffer that refers to the line. */ line = tvb_get_ptr(tvb, offset, linelen); lineend = line + linelen; /* * OK, does it look like an HTTP request or response? */ req_dissector = NULL; if (is_http_request_or_reply(line, linelen, &http_type, &req_dissector, &req_strlen)) goto is_http; /* * No. Does it look like a blank line (as would appear * at the end of an HTTP request)? */ if (linelen == 0) goto is_http; /* * No. Does it look like a MIME header? */ linep = line; while (linep < lineend) { c = *linep++; /* * This must be a CHAR to be part of a token; that * means it must be ASCII. */ if (!isascii(c)) break; /* not ASCII, thus not a CHAR */ /* * This mustn't be a CTL to be part of a token; * that means it must be printable. */ if (!isprint(c)) break; /* not printable, not a MIME header */ /* * This mustn't be a SEP to be part of a token; * a ':' ends the token, everything else is an * indication that this isn't a header. */ switch (c) { case '(': case ')': case '<': case '>': case '@': case ',': case ';': case '\\': case '"': case '/': case '[': case ']': case '?': case '=': case '{': case '}': case ' ': /* * It's a separator, so it's not part of a * token, so it's not a field name for the * beginning of a MIME header. * * (We don't have to check for HT; that's * already been ruled out by "isprint()".) */ goto not_http; case ':': /* * This ends the token; we consider this * to be a MIME header. */ goto is_http; } } not_http: /* * We don't consider this part of an HTTP request or * reply, so we don't display it. * (Yeah, that means we don't display, say, a text/http * page, but you can get that from the data pane.) */ break; is_http: /* * Put this line. */ text = tvb_format_text(tvb, offset, next_offset - offset); if (tree) { hdr_item = proto_tree_add_text(http_tree, tvb, offset, next_offset - offset, "%s", text); if (req_dissector) { req_tree = proto_item_add_subtree(hdr_item, ett_http_request); req_dissector(tvb, req_tree, req_strlen); } } else hdr_item = NULL; check_auth(hdr_item, tvb, pinfo, text); offset = next_offset; } if (tree) { switch (http_type) { case HTTP_NOTIFICATION: proto_tree_add_boolean_hidden(http_tree, hf_http_notification, tvb, 0, 0, 1); break; case HTTP_RESPONSE: proto_tree_add_boolean_hidden(http_tree, hf_http_response, tvb, 0, 0, 1); break; case HTTP_REQUEST: proto_tree_add_boolean_hidden(http_tree, hf_http_request, tvb, 0, 0, 1); break; case HTTP_OTHERS: default: break; } } datalen = tvb_length_remaining(tvb, offset); if (datalen > 0) { tvbuff_t *next_tvb = tvb_new_subset(tvb, offset, -1, -1); /* * OK, has some subdissector asked that they be called * if something was on some particular port? */ if (dissector_try_port(subdissector_table, pinfo->match_port, next_tvb, pinfo, tree)) { /* * Yes. Fix up the top-level item so that it * doesn't include the stuff for that protocol. */ if (ti != NULL) proto_item_set_len(ti, offset); } else if(dissector_try_heuristic(heur_subdissector_list, next_tvb,pinfo,tree)){ /* * Yes. Fix up the top-level item so that it * doesn't include the stuff for that protocol. */ if (ti != NULL) proto_item_set_len(ti, offset); } else { call_dissector(data_handle, tvb_new_subset(tvb, offset, -1, -1), pinfo, http_tree); } } tap_queue_packet( http_tap, pinfo, stat_info) ; } /* This can be used to dissect an HTTP request until such time * that a more complete dissector is written for that HTTP request. * This simple dissectory only puts http.request_method into a sub-tree. */ static void basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int req_strlen) { proto_tree_add_item(tree, hf_http_request_method, tvb, 0, req_strlen, FALSE); } static void response_method_request_dissector(tvbuff_t *tvb, proto_tree *tree, int req_strlen _U_ ) { const guchar *data; int minor, major, status_code; data = tvb_get_ptr(tvb, 0, 12); if (sscanf(data, "HTTP/%d.%d %d", &minor, &major, &status_code)==3) { proto_tree_add_uint(tree, hf_http_response_method, tvb, 9, 3, status_code); stat_info->response_method = status_code; } } /* * XXX - this won't handle HTTP 0.9 replies, but they're all data * anyway. */ static int is_http_request_or_reply(const guchar *data, int linelen, http_type_t *type, RequestDissector *req_dissector, int *req_strlen) { int isHttpRequestOrReply = FALSE; int prefix_len = 0; /* * From RFC 2774 - An HTTP Extension Framework * * Support the command prefix that identifies the presence of * a "mandatory" header. */ if (linelen >= 2 && strncmp(data, "M-", 2) == 0) { data += 2; linelen -= 2; prefix_len = 2; } /* * From draft-cohen-gena-client-01.txt, available from the uPnP forum: * NOTIFY, SUBSCRIBE, UNSUBSCRIBE * * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft: * SEARCH */ if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) { *type = HTTP_RESPONSE; isHttpRequestOrReply = TRUE; /* response */ if (req_dissector && (linelen >= 12) ) { *req_dissector = response_method_request_dissector ; *req_strlen = 3; } else if (req_dissector) { *req_dissector = NULL; /* no dissector for this yet. */ } } else { const guchar * ptr = (const guchar *)data; int index = 0; /* Look for the space following the Method */ while (index < linelen) { if (*ptr == ' ') break; else { ptr++; index++; } } /* Check the methods that have same length */ switch (index) { case 3: if (strncmp(data, "GET", index) == 0 || strncmp(data, "PUT", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 4: if (strncmp(data, "COPY", index) == 0 || strncmp(data, "HEAD", index) == 0 || strncmp(data, "LOCK", index) == 0 || strncmp(data, "MOVE", index) == 0 || strncmp(data, "POLL", index) == 0 || strncmp(data, "POST", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 5: if (strncmp(data, "BCOPY", index) == 0 || strncmp(data, "BMOVE", index) == 0 || strncmp(data, "MKCOL", index) == 0 || strncmp(data, "TRACE", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 6: if (strncmp(data, "DELETE", index) == 0 || strncmp(data, "SEARCH", index) == 0 || strncmp(data, "UNLOCK", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "NOTIFY", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } break; case 7: if (strncmp(data, "BDELETE", index) == 0 || strncmp(data, "CONNECT", index) == 0 || strncmp(data, "OPTIONS", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 8: if (strncmp(data, "PROPFIND", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 9: if (strncmp(data, "SUBSCRIBE", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } else if (strncmp(data, "PROPPATCH", index) == 0 || strncmp(data, "BPROPFIND", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 10: if (strncmp(data, "BPROPPATCH", index) == 0) { *type = HTTP_REQUEST; isHttpRequestOrReply = TRUE; } break; case 11: if (strncmp(data, "UNSUBSCRIBE", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; } break; default: break; } if (isHttpRequestOrReply && req_dissector) { *req_dissector = basic_request_dissector; *req_strlen = index + prefix_len; } if (isHttpRequestOrReply && req_dissector) { if (!stat_info->request_method) stat_info->request_method = g_malloc( index+1 ); strncpy( stat_info->request_method, data, index); stat_info->request_method[index] = '\0'; } } return isHttpRequestOrReply; } void proto_register_http(void) { static hf_register_info hf[] = { { &hf_http_notification, { "Notification", "http.notification", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP notification", HFILL }}, { &hf_http_response, { "Response", "http.response", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP response", HFILL }}, { &hf_http_request, { "Request", "http.request", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "TRUE if HTTP request", HFILL }}, { &hf_http_basic, { "Credentials", "http.authbasic", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_http_request_method, { "Request Method", "http.request.method", FT_STRING, BASE_NONE, NULL, 0x0, "HTTP Request Method", HFILL }}, { &hf_http_response_method, { "Response Method", "http.response.method", FT_UINT16, BASE_DEC, NULL, 0x0, "HTTP Response Method", HFILL }}, }; static gint *ett[] = { &ett_http, &ett_http_ntlmssp, &ett_http_request, }; proto_http = proto_register_protocol("Hypertext Transfer Protocol", "HTTP", "http"); proto_register_field_array(proto_http, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); register_dissector("http", dissect_http, proto_http); http_handle = find_dissector("http"); /* * Dissectors shouldn't register themselves in this table; * instead, they should call "http_dissector_add()", and * we'll register the port number they specify as a port * for HTTP, and register them in our subdissector table. * * This only works for protocols such as IPP that run over * HTTP on a specific non-HTTP port. */ subdissector_table = register_dissector_table("http.port", "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC); /* * Heuristic dissectors SHOULD register themselves in * this table using the standard heur_dissector_add() * function. */ register_heur_dissector_list("http",&heur_subdissector_list); /* * Register for tapping */ http_tap = register_tap("http"); } /* * Called by dissectors for protocols that run atop HTTP/TCP. */ void http_dissector_add(guint32 port, dissector_handle_t handle) { /* * Register ourselves as the handler for that port number * over TCP. */ dissector_add("tcp.port", port, http_handle); /* * And register them in *our* table for that port. */ dissector_add("http.port", port, handle); } void proto_reg_handoff_http(void) { data_handle = find_dissector("data"); dissector_add("tcp.port", TCP_PORT_HTTP, http_handle); dissector_add("tcp.port", TCP_ALT_PORT_HTTP, http_handle); dissector_add("tcp.port", TCP_PORT_PROXY_HTTP, http_handle); dissector_add("tcp.port", TCP_PORT_PROXY_ADMIN_HTTP, http_handle); /* * XXX - is there anything to dissect in the body of an SSDP * request or reply? I.e., should there be an SSDP dissector? */ dissector_add("tcp.port", TCP_PORT_SSDP, http_handle); dissector_add("udp.port", UDP_PORT_SSDP, http_handle); ntlmssp_handle = find_dissector("ntlmssp"); }