1 /* packet-tcp.h
2  *
3  * Wireshark - Network traffic analyzer
4  * By Gerald Combs <gerald@wireshark.org>
5  * Copyright 1998 Gerald Combs
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  */
9 
10 #ifndef __PACKET_TCP_H__
11 #define __PACKET_TCP_H__
12 
13 #include "ws_symbol_export.h"
14 
15 #include <epan/conversation.h>
16 #include <epan/reassemble.h>
17 #include <epan/wmem_scopes.h>
18 
19 #ifdef __cplusplus
20 extern "C" {
21 #endif /* __cplusplus */
22 
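/* TCP flags: bit positions in the 12-bit flags field (TH_MASK covers all of them) */
#define TH_FIN 0x0001
#define TH_SYN 0x0002
#define TH_RST 0x0004
#define TH_PUSH 0x0008
#define TH_ACK 0x0010
#define TH_URG 0x0020
#define TH_ECE 0x0040
#define TH_CWR 0x0080
#define TH_AE 0x0100
#define TH_RES 0x0E00 /* 3 reserved bits */
#define TH_MASK 0x0FFF

/* Flag tests. The argument is parenthesized so that a compound expression
 * such as IS_TH_FIN(a | b) is masked as a whole rather than only its last
 * operand (& binds tighter than |). */
#define IS_TH_FIN(x) ((x) & TH_FIN)
#define IS_TH_URG(x) ((x) & TH_URG)

/* Wrap-around (modulo 2^32) sequence number comparison.
 * Idea for gt: either x > y, or y is much bigger (assume wrap).
 * Converting the unsigned difference to gint32 relies on the conversion
 * wrapping to two's complement; C11 leaves that implementation-defined,
 * GCC and Clang document it as modulo 2^32. */
#define GT_SEQ(x, y) ((gint32)((y) - (x)) < 0)
#define LT_SEQ(x, y) ((gint32)((x) - (y)) < 0)
#define GE_SEQ(x, y) ((gint32)((y) - (x)) <= 0)
#define LE_SEQ(x, y) ((gint32)((x) - (y)) <= 0)
/* Fully parenthesized so that !EQ_SEQ(a, b) negates the comparison, not 'a'. */
#define EQ_SEQ(x, y) ((x) == (y))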
45 
46 /* mh as in mptcp header: the MPTCP option state parsed from one TCP segment,
 * reachable from tcp_info_t::th_mptcp. The mh_* booleans record which MPTCP
 * sub-options were seen; the remaining fields carry their decoded values. */
47 struct mptcpheader {
48 
49  gboolean mh_mpc; /* true if seen an mp_capable option */
50  gboolean mh_join; /* true if seen an mp_join option */
51  gboolean mh_dss; /* true if seen a dss */
52  gboolean mh_add; /* true if seen an MP_ADD */
53  gboolean mh_remove; /* true if seen an MP_REMOVE */
54  gboolean mh_prio; /* true if seen an MP_PRIO */
55  gboolean mh_fail; /* true if seen an MP_FAIL */
56  gboolean mh_fastclose; /* true if seen a fastclose */
57  gboolean mh_tcprst; /* true if seen a MP_TCPRST */
58 
59  guint8 mh_capable_flags; /* MP_CAPABLE flags byte, e.g. to get the hmac version */
60  guint8 mh_dss_flags; /* data sequence signal flags */
61  guint32 mh_dss_ssn; /* DSS Subflow Sequence Number */
62  guint64 mh_dss_rawdsn; /* DSS Data Sequence Number, as carried on the wire */
63  guint64 mh_dss_rawack; /* DSS raw data ack */
64  guint16 mh_dss_length; /* mapping/DSS length */
65 
66  guint64 mh_key; /* Sender key in MP_CAPABLE */
67  guint32 mh_token; /* seen in MP_JOIN. Should be a hash of the initial key */
68 
69  guint32 mh_stream; /* MPTCP stream index; included to help differentiate when address/port pairs are reused */
70 
71  /* Data Sequence Number of the current segment. It needs to be computed from previous mappings
72  * and as such is not necessarily set
73  */
74  guint64 mh_rawdsn64;
75  /* DSN formatted according to the wireshark MPTCP options (preferences) */
76  guint64 mh_dsn;
77 };
78 
79 /* the tcp header structure, passed to tap listeners (per segment) */
80 typedef struct tcpheader {
81  guint32 th_rawseq; /* raw value */
82  guint32 th_seq; /* raw or relative value depending on tcp_relative_seq */
83 
84  guint32 th_rawack; /* raw value */
85  guint32 th_ack; /* raw or relative value depending on tcp_relative_seq */
86  gboolean th_have_seglen; /* TRUE if th_seglen is valid */
87  guint32 th_seglen; /* in bytes */
88  guint32 th_win; /* make it 32 bits so we can handle some scaling */
89  guint16 th_sport; /* source port */
90  guint16 th_dport; /* destination port */
91  guint8 th_hlen; /* TCP header length; units (bytes vs. 32-bit words) are not shown here, check packet-tcp.c */
92  gboolean th_use_ace; /* presumably TRUE when the ECN bits are read as the AccECN ACE field (cf. TH_AE); verify in packet-tcp.c */
93  guint16 th_flags; /* TH_* bits, see the defines above */
94  guint32 th_stream; /* TCP stream index; included to help differentiate when address/port pairs are reused */
95  address ip_src; /* source address */
96  address ip_dst; /* destination address */
97 
98  /* This is the absolute maximum we could find in TCP options (RFC2018, section 3) */
99  #define MAX_TCP_SACK_RANGES 4
100  guint8 num_sack_ranges; /* valid entries in sack_left_edge/sack_right_edge, at most MAX_TCP_SACK_RANGES */
101  guint32 sack_left_edge[MAX_TCP_SACK_RANGES];
102  guint32 sack_right_edge[MAX_TCP_SACK_RANGES];
103 
104  /* header for TCP option Multipath Operation (NULL-ness when no MPTCP option is present is not shown here) */
105  struct mptcpheader *th_mptcp;
106 } tcp_info_t;
107 
108 /*
109  * Private data passed from the TCP dissector to subdissectors.
110  * NOTE: This structure is used by Export PDU functionality so
111  * make sure that handling is also updated if this structure
112  * changes (field order and sizes matter there)!
113  */
114 struct tcpinfo {
115  guint32 seq; /* Sequence number of first byte in the data */
116  guint32 nxtseq; /* Sequence number of first byte after data */
117  guint32 lastackseq; /* Sequence number of last ack */
118  bool is_reassembled; /* This is reassembled data. (C bool, unlike the gboolean fields elsewhere in this header) */
119  guint16 flags; /* TCP flags, TH_* bits */
120  guint16 urgent_pointer; /* Urgent pointer value for the current packet. */
121 };
122 
123 /*
124  * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
125  * consists of a fixed-length chunk of data that contains enough information
126  * to determine the length of the PDU, followed by rest of the PDU.
127  *
128  * The first three arguments are the arguments passed to the dissector
129  * that calls this routine.
130  *
131  * "proto_desegment" is the dissector's flag controlling whether it should
132  * desegment PDUs that cross TCP segment boundaries.
133  *
134  * "fixed_len" is the length of the fixed-length part of the PDU.
135  *
136  * "get_pdu_len()" is a routine called to get the length of the PDU from
137  * the fixed-length part of the PDU; it's passed "pinfo", "tvb", "offset" and
138  * "dissector_data".
139  *
140  * "dissect_pdu()" is the routine to dissect a PDU.
 *
 * "dissector_data" is an opaque pointer handed to get_pdu_len() (and,
 * presumably, to dissect_pdu() as its data argument).
141  */
142 WS_DLL_PUBLIC void
143 tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
144  gboolean proto_desegment, guint fixed_len,
145  guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
146  dissector_t dissect_pdu, void* dissector_data);
147 
/* Reassembly-table callbacks used by the TCP dissector (defined in packet-tcp.c, presumably). */
148 extern const reassembly_table_functions
149 tcp_reassembly_table_functions;
150 
/* Records a multi-segment PDU covering [seq, nxtpdu) in the flow's
 * multisegment_pdus tree and returns the new struct tcp_multisegment_pdu
 * (presumably; the body is in packet-tcp.c). */
151 extern struct tcp_multisegment_pdu *
152 pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, guint32 seq, guint32 nxtpdu, wmem_tree_t *multisegment_pdus);
153 
/* One segment for which no ACK has been seen yet; linked into
 * tcp_analyze_seq_flow_info_t::segments. */
154 typedef struct _tcp_unacked_t {
155  struct _tcp_unacked_t *next; /* next entry of the singly-linked list */
156  guint32 frame; /* frame number of the segment */
157  guint32 seq; /* sequence number of the segment's first byte */
158  guint32 nextseq; /* sequence number following the segment */
159  nstime_t ts; /* timestamp of the segment */
160 } tcp_unacked_t;
161 
/* Analysis results for one "interesting" packet (see tcp_analysis::ta and acked_table). */
162 struct tcp_acked {
163  guint32 frame_acked; /* frame acknowledged by this packet (presumably) */
164  nstime_t ts; /* timestamp relative to the acked frame — verify in packet-tcp.c */
165 
166  guint32 rto_frame; /* frame the RTO is measured against (presumably) */
167  nstime_t rto_ts; /* Time since previous packet for
168  retransmissions. */
169  guint16 flags; /* see TCP_A_* in packet-tcp.c */
170  guint32 dupack_num; /* dup ack number */
171  guint32 dupack_frame; /* dup ack to frame # */
172  guint32 bytes_in_flight; /* number of bytes in flight */
173  guint32 push_bytes_sent; /* bytes since the last PSH flag */
174 
175  guint32 new_data_seq; /* For segments with old data,
176  where new data starts */
177  gboolean partial_ack; /* true when acknowledging data
178  and not a full segment */
179 };
180 
181 /* One instance of this structure is created for each pdu that spans across
182  * multiple tcp segments (a "multi-segment PDU", MSP).
183  */
/* NOTE: line 184 of the original header (the struct tag line) is not present in this listing. */
185  guint32 seq; /* sequence number of the first byte of the PDU */
186  guint32 nxtpdu; /* sequence number following the PDU (cf. pdu_store_sequencenumber_of_next_pdu) */
187  guint32 first_frame; /* The frame where this MSP was created (used as key in reassembly tables). */
188  guint32 last_frame; /* last frame added to this MSP */
189  nstime_t last_frame_time; /* timestamp of last_frame */
190  guint32 first_frame_with_seq; /* The frame that contains the first frame that matches 'seq'
191  (same as 'first_frame', larger than 'first_frame' for OoO segments) */
192  guint32 flags; /* MSP_FLAGS_* bits below */
193 #define MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT 0x00000001
194 /* Whether this MSP is finished and no more segments can be added. */
195 #define MSP_FLAGS_GOT_ALL_SEGMENTS 0x00000002
196 /* Whether the first segment of this MSP was not yet seen. */
197 #define MSP_FLAGS_MISSING_FIRST_SEGMENT 0x00000004
198 };
199 
200 
201 /* Represents the MPTCP DSS option mapping part.
202  It allows mapping a relative subflow sequence number (ssn) to the global MPTCP sequence numbers
203  under their 64 bits form.
204 */
205 typedef struct _mptcp_dss_mapping_t {
206 
207 /* In DSS, SSN are enumerated with relative seq_nb, i.e. starting from 0 */
208 
209  guint32 ssn_low; /* first subflow sequence number covered by the mapping */
210  guint32 ssn_high; /* last subflow sequence number covered by the mapping */
211 
212 /* Ideally the dsn should always be registered with the extended version
213  * but it may not be possible if we don't know the 32 MSB of the base_dsn
214  */
215  gboolean extended_dsn; /* TRUE if MPTCP_DSS_FLAG_DATA_8BYTES */
216 
217  guint64 rawdsn; /* matches the low member of range
218  should be converted to the 64 bits version before being registered
219  */
220 /* to check if mapping was sent before or after packet */
221 guint32 frame;
/* NOTE: the closing line of this typedef (222 in the original header) is not present in this listing. */
223 
224 
225 /* Structure used in mptcp meta member 'dsn_map'
226  */
/* NOTE: line 227 of the original header (the struct tag line) is not present in this listing. */
228  guint32 frame; /* packet to look into PINFO_FD_NUM */
229  struct tcp_analysis* subflow; /* in order to get statistics */
/* NOTE: the closing line of this struct (230 in the original header) is not present in this listing. */
231 
232 
233 /* Should basically look like a_tcp_flow_t but for mptcp with 64bit sequence number.
234 The meta is specific to a direction of the communication and aggregates information of
235 all the subflows
236 */
237 typedef struct _mptcp_meta_flow_t {
238 
239  guint8 static_flags; /* remember which fields are set */
240 
241  /* flags exchanged between hosts during 3WHS. Gives checksum/extensibility/hmac information */
242  guint8 flags;
243  guint64 base_dsn; /* first data seq number (used by relative sequence numbers) seen. */
244  guint64 nextseq; /* highest seen nextseq */
245  guint64 dfin; /* data fin */
246 
247  guint8 version; /* negotiated mptcp version */
248 
249  guint64 key; /* key for this direction, if it was set */
250 
251  /* expected token sha1 digest of keys, truncated to 32 most significant bits
252  derived from key. Stored to speed up subflow/MPTCP connection mapping */
253  guint32 token;
254 
255  guint32 nextseqframe; /* frame number for segment with highest sequence number */
256 
257  /* highest seen continuous seq number (without hole in the stream) */
258  guint64 maxseqtobeacked;
259 
260  guint64 fin; /* frame number of the final dataFIN */
261 
262  /* first addresses registered */
263  address ip_src;
264  address ip_dst;
265  guint32 sport;
266  guint32 dport;
/* NOTE: the closing line of this typedef (267 in the original header) is not present in this listing. */
268 
269 /* MPTCP data specific to this subflow direction */
/* NOTE: line 270 of the original header (the struct tag line) is not present in this listing. */
271  guint8 static_flags; /* flags recording which fields are set (presumably, by analogy with mptcp_meta_flow_t::static_flags) */
272  guint32 nonce; /* used only for MP_JOIN */
273  guint8 address_id; /* sent during an MP_JOIN */
274 
275 
276  /* map DSN to packets
277  * Used when looking for reinjections across subflows
278  */
279  wmem_itree_t *dsn2packet_map;
280 
281  /* Map SSN to DSS mappings
282  * a DSS can map DSN to SSNs possibly over several packets,
283  * hence some packets may have been mapped by previous DSS,
284  * whence the necessity to be able to look for SSN -> DSN */
285  wmem_itree_t *ssn2dsn_mappings;
286  /* meta flow to which it is attached. Helps setting forward and backward meta flow */
287  mptcp_meta_flow_t *meta;
288 };
289 
290 
/* HMAC algorithm negotiated for an MPTCP connection (stored in mptcp_analysis hmac_algo). */
291 typedef enum {
292  MPTCP_HMAC_NOT_SET = 0,
293  /* this is either SHA1 for MPTCP v0 or sha256 for MPTCP v1 */
294  MPTCP_HMAC_SHA = 1,
295  MPTCP_HMAC_LAST /* one past the last valid value; presumably a sentinel */
296 } mptcp_hmac_algorithm_t;
297 
298 
/* Bit masks applied to the MP_CAPABLE flags byte (cf. mptcpheader::mh_capable_flags), presumably:
 * the low bits select the crypto algorithm, the top bit requests DSS checksums. */
299 #define MPTCP_CAPABLE_CRYPTO_MASK 0x3F
300 
301 #define MPTCP_CHECKSUM_MASK 0x80
302 
303 /* Information in a flow that is only used when tcp_analyze_seq preference
304  * is enabled, so save the memory when it isn't
305  */
/* NOTE: line 306 of the original header (the struct tag line) is not present in this listing. */
307  tcp_unacked_t *segments;/* List of segments for which we haven't seen an ACK; the count is capped at TCP_MAX_UNACKED_SEGMENTS (see tcp_flow_t) */
308  guint16 segment_count; /* How many unacked segments we're currently storing */
309  guint32 lastack; /* Last seen ack for the reverse flow */
310  nstime_t lastacktime; /* Time of the last ack packet */
311  guint32 lastnondupack; /* frame number of last seen non dupack */
312  guint32 dupacknum; /* dupack number */
313  guint32 nextseq; /* highest seen nextseq */
314  guint32 maxseqtobeacked;/* highest seen continuous seq number (without hole in the stream) from the fwd party,
315  * this is the maximum seq number that can be acked by the rev party in normal case.
316  * If the rev party sends an ACK beyond this seq number it indicates TCP_A_ACK_LOST_PACKET condition */
317  guint32 nextseqframe; /* frame number for segment with highest
318  * sequence number
319  */
320  nstime_t nextseqtime; /* Time of the nextseq packet so we can
321  * distinguish between retransmission,
322  * fast retransmissions and out-of-order
323  */
324 
325  guint8 lastacklen; /* length of the last fwd ACK packet - 0 means pure ACK */
326 
327  /*
328  * Handling of SACK blocks
329  * Copied from tcpheader
330  */
331  guint8 num_sack_ranges;
332  guint32 sack_left_edge[MAX_TCP_SACK_RANGES];
333  guint32 sack_right_edge[MAX_TCP_SACK_RANGES];
/* NOTE: the closing line of this struct (335 in the original header) is not present in this listing. */
334 
336 
337  /* Process info, currently discovered via IPFIX */
338 typedef struct tcp_process_info_t {
339  guint32 process_uid; /* UID of local process */
340  guint32 process_pid; /* PID of local process */
341  gchar *username; /* Username of the local process (ownership/lifetime not specified here; see add_tcp_process_info) */
342  gchar *command; /* Local process name + path + args (same ownership caveat) */
/* NOTE: the closing line of this typedef (344 in the original header) is not present in this listing. */
343 
345 
/* Per-direction analysis state of a TCP conversation (two per struct tcp_analysis). */
346 typedef struct _tcp_flow_t {
347  guint8 static_flags; /* true if base seq set */
348  guint32 base_seq; /* base seq number (used by relative sequence numbers)*/
349 #define TCP_MAX_UNACKED_SEGMENTS 10000 /* The most unacked segments we'll store (bounds tcp_analyze_seq_flow_info_t::segments) */
350  guint32 fin; /* frame number of the final FIN */
351  guint32 window; /* last seen window */
352  gint16 win_scale; /* -1 if we don't know, -2 if window scaling is not used */
353  gint16 scps_capable; /* flow advertised scps capabilities */
354  guint16 maxsizeacked; /* 0 if not yet known */
355  gboolean valid_bif; /* if lost pkts, disable BiF (bytes in flight) until ACK is recvd */
356  guint32 push_bytes_sent; /* bytes since the last PSH flag */
357  gboolean push_set_last; /* tracking last time PSH flag was set */
358  guint8 mp_operations; /* tracking of the MPTCP operations */
359  gboolean is_first_ack; /* indicates if this is the first ACK */
360  gboolean closing_initiator; /* tracking who is responsible of the connection end */
361 
 /* Only allocated when the tcp_analyze_seq preference is enabled (see that struct's comment). */
362  tcp_analyze_seq_flow_info_t* tcp_analyze_seq_info;
363 
364 /* This tcp flow/session contains only one single PDU and should
365  * be reassembled until the final FIN segment.
366  */
367 #define TCP_FLOW_REASSEMBLE_UNTIL_FIN 0x0001
368  guint16 flags; /* TCP_FLOW_* bits */
369 
370  /* see TCP_A_* in packet-tcp.c */
371  guint32 lastsegmentflags;
372 
373  /* The next (largest) sequence number after all segments seen so far.
374  * Valid only on the first pass and used to handle out-of-order segments
375  * during reassembly. */
376  guint32 maxnextseq;
377 
378  /* The number of data flows seen in that direction */
379  guint16 flow_count;
380 
381  /* This tree is indexed by sequence number and keeps track of
382  * all pdus spanning multiple segments for this flow.
383  */
384  wmem_tree_t *multisegment_pdus;
385 
386  /* A sorted list of pending out-of-order segments. */
387  wmem_list_t *ooo_segments;
388 
389  /* Process info, currently discovered via IPFIX */
390  tcp_process_info_t* process_info;
391 
392  /* MPTCP subflow intel */
/* NOTE: line 393 of the original header (the MPTCP subflow field) is not present in this listing. */
394 } tcp_flow_t;
395 
396 /* Stores common information between both hosts of the MPTCP connection */
/* NOTE: line 397 of the original header (the struct tag line) is not present in this listing. */
398 
399  guint16 mp_flags; /* MPTCP meta analysis related, see MPTCP_META_* in packet-tcp.c */
400 
401  /*
402  * One meta flow per direction. For other subflows, they link the meta via
 * mptcp_subflow_t::meta_flow according to the validity of the token.
404  */
405  mptcp_meta_flow_t meta_flow[2];
406 
407  guint32 stream; /* Keep track of unique mptcp stream (per MP_CAPABLE handshake) */
408  guint8 hmac_algo; /* hmac decided after negotiation (presumably an mptcp_hmac_algorithm_t value) */
409  wmem_list_t* subflows; /* List of subflows (tcp_analysis) */
410 
411  /* identifier of the tcp stream that saw the initial 3WHS with MP_CAPABLE option */
412  struct tcp_analysis *master;
413 
414  /* Keep track of the last TCP operations seen in order to avoid false DUP ACKs */
415  guint8 mp_operations;
416 };
417 
/* Per-conversation TCP analysis state, obtained via get_tcp_conversation_data(). */
418 struct tcp_analysis {
419  /* These two structs are managed based on comparing the source
420  * and destination addresses and, if they're equal, comparing
421  * the source and destination ports.
422  *
423  * If the source is greater than the destination, then stuff
424  * sent from src is in flow1 (historically named ual1).
425  *
426  * If the source is less than the destination, then stuff
427  * sent from src is in flow2 (historically named ual2).
428  *
429  * XXX - if the addresses and ports are equal, we don't guarantee
430  * the behavior.
431  */
432  tcp_flow_t flow1;
433  tcp_flow_t flow2;
434 
435  /* These pointers are set by get_tcp_conversation_data()
436  * fwd point in the same direction as the current packet
437  * and rev in the reverse direction
438  */
439  tcp_flow_t *fwd;
440  tcp_flow_t *rev;
441 
442  /* This pointer is NULL or points to a tcp_acked struct if this
443  * packet has "interesting" properties such as being a KeepAlive or
444  * similar
445  */
446  struct tcp_acked *ta;
447  /* This structure contains a tree containing all the various ta's
448  * keyed by frame number.
449  */
450  wmem_tree_t *acked_table;
451 
452  /* Remember the timestamp of the first frame seen in this tcp
453  * conversation to be able to calculate a relative time compared
454  * to the start of this conversation
455  */
456  nstime_t ts_first;
457 
458  /* Remember the timestamp of the most recent SYN in this conversation in
459  * order to calculate ts_first_rtt below. Not necessarily ts_first, if
460  * the SYN is retransmitted. */
461  nstime_t ts_mru_syn;
462 
463  /* If we have the handshake, remember the RTT between the initial SYN
464  * and ACK for use detecting out-of-order segments. */
465  nstime_t ts_first_rtt;
466 
467  /* Remember the timestamp of the frame that was last seen in this
468  * tcp conversation to be able to calculate a delta time compared
469  * to previous frame in this conversation
470  */
471  nstime_t ts_prev;
472 
473  /* Keep track of tcp stream numbers instead of using the conversation
474  * index (as how it was done before). This prevents gaps in the
475  * stream index numbering
476  */
477  guint32 stream;
478 
479  /* Keep track of packet number within the TCP stream */
480  uint32_t pnum;
481 
482  /* Remembers the server port on the SYN (or SYN|ACK) packet to
483  * help determine which dissector to call
484  */
485  guint16 server_port;
486 
487  /* Set when the client sends a SYN with data and the cookie in the Fast Open
488  * option.
 * Note: bit-fields of a type other than int/unsigned int (guint8, gint8
 * below) are implementation-defined in C11; fine with GCC/Clang.
489  */
490  guint8 tfo_syn_data : 1;
491 
492  /* Remembers which side is currently sending data. */
493  gint8 flow_direction : 2;
494 
495  /* allocated only when mptcp enabled
496  * several tcp_analysis may refer to the same mptcp_analysis
497  * can exist without any meta
498  */
/* NOTE: line 499 of the original header (the mptcp analysis pointer field) is not present in this listing. */
500 
501  /* Track the TCP conversation completeness, as the capture might
502  * contain all parts of a TCP flow (establishment, data, clearing) or
503  * just some parts if we jumped on the bandwagon of an already established
504  * connection or left before it was terminated explicitly
505  */
506  guint8 conversation_completeness;
507 
508  /* Stores the value as a String to be displayed in the appropriate field */
509  gchar *conversation_completeness_str;
510 
511  /* Track AccECN support */
512  gboolean had_acc_ecn_setup_syn;
513  gboolean had_acc_ecn_setup_syn_ack;
514  gboolean had_acc_ecn_option;
515 };
516 
517 /* Structure that keeps per packet data. First used to be able
518  * to calculate the time_delta from the last seen frame in this
519  * TCP conversation. Can be extended for future use.
520  */
/* NOTE: line 521 of the original header (the struct tag line) is not present in this listing. */
522  nstime_t ts_del; /* time delta from the previous frame of the conversation (cf. tcp_analysis::ts_prev) */
523  uint32_t pnum; /* packet number within the TCP stream (cf. tcp_analysis::pnum) */
524  guint8 tcp_snd_manual_analysis; /* manual analysis override; values are defined in packet-tcp.c, presumably */
525 };
526 
527 /* Structure that keeps per packet data. Some operations are cpu-intensive and are
528  * best cached into this structure
529  */
530 typedef struct mptcp_per_packet_data_t_ {
531 
532  /* Mapping that covers this packet content */
533  mptcp_dss_mapping_t *mapping;
/* NOTE: the closing line of this typedef (535 in the original header) is not present in this listing. */
534 
536 
537 
/* Public entry points implemented in packet-tcp.c. Several documentation
 * comment lines of the original header (547-550, 554-566, 569-572, 575-578)
 * are not present in this listing.
 *
 * dissect_tcp_payload(): hands the payload of one segment, starting at
 * 'offset' in 'tvb' and covering [seq, nxtseq), to the subdissectors
 * (presumably via decode_tcp_ports(), with sport/dport as the port pair). */
538 WS_DLL_PUBLIC void dissect_tcp_payload(tvbuff_t *tvb, packet_info *pinfo, int offset,
539  guint32 seq, guint32 nxtseq, guint32 sport,
540  guint32 dport, proto_tree *tree,
541  proto_tree *tcp_tree,
542  struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo);
543 
/* Returns the per-conversation analysis state, and sets its fwd/rev
 * pointers (see struct tcp_analysis); presumably creates it on first use. */
544 WS_DLL_PUBLIC struct tcp_analysis *get_tcp_conversation_data(conversation_t *conv,
545  packet_info *pinfo);
546 
/* Variant without side effects on the conversation state (presumably; the
 * name and the missing pinfo argument suggest so). */
551 WS_DLL_PUBLIC struct tcp_analysis *get_tcp_conversation_data_idempotent(conversation_t *conv);
552 
/* Looks up and calls a subdissector for the given port pair; the gboolean
 * result presumably reports whether one accepted the data. */
553 WS_DLL_PUBLIC gboolean decode_tcp_ports(tvbuff_t *, int, packet_info *, proto_tree *, int, int, struct tcp_analysis *, struct tcpinfo *);
554 
/* Attaches process information (cf. tcp_process_info_t) to the conversation
 * matching the address/port pairs. Ownership of username/command is not
 * specified here; verify before passing transient buffers. */
567 extern void add_tcp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command);
568 
/* Number of TCP streams seen so far (cf. tcp_analysis::stream). */
573 WS_DLL_PUBLIC guint32 get_tcp_stream_count(void);
574 
/* Number of MPTCP streams seen so far (cf. mptcp_analysis stream). */
579 WS_DLL_PUBLIC guint32 get_mptcp_stream_count(void);
580 
581 /* Follow Stream functionality shared with HTTP (and SSL?).
 * Each returns a display-filter string; its allocation scope is not shown here. */
582 extern gchar *tcp_follow_conv_filter(epan_dissect_t *edt, packet_info *pinfo, guint *stream, guint *sub_stream);
583 extern gchar *tcp_follow_index_filter(guint stream, guint sub_stream);
584 extern gchar *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port);
585 
586 #ifdef __cplusplus
587 }
588 #endif /* __cplusplus */
589 
590 #endif