1 /* packet-transum.h
2  * Header file for the TRANSUM response time analyzer post-dissector
3  * By Paul Offord <paul.offord@advance7.com>
4  * Copyright 2016 Advance Seven Limited
5  *
6  * Wireshark - Network traffic analyzer
7  * By Gerald Combs <gerald@wireshark.org>
8  * Copyright 1998 Gerald Combs
9  *
10  * SPDX-License-Identifier: GPL-2.0-or-later
11  */
12 
/* EtherType values of the IP versions this dissector cares about */
#define ETH_TYPE_IPV4 0x0800
#define ETH_TYPE_IPV6 0x86dd

/* IP protocol numbers (IPv4 "protocol" / IPv6 "next header") for the two transports handled */
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17

/*
 * Identifiers for the response-time calculation applied to an RR pair.
 * Presumably stored in RRPD.calculation (declared below as a plain guint) -
 * confirm against the dissector source.  GTCP/GUDP are the generic
 * direction-change based calculations; the others are decode based
 * (see the decode_based comment in RRPD).
 */
#define RTE_CALC_SYN    1
#define RTE_CALC_GTCP   2
#define RTE_CALC_GUDP   3
#define RTE_CALC_SMB1   4
#define RTE_CALC_SMB2   5
#define RTE_CALC_DCERPC 6
#define RTE_CALC_DNS    7

/*
 * Upper bound on the number of sub-packets per packet (from the name; the
 * structure it dimensions is not visible in this header).
 * NOTE(review): any fixed-size array dimensioned by this constant must be
 * bounds-checked by the code that fills it, since a frame can carry more
 * PDUs than this.
 */
#define MAX_SUBPKTS_PER_PACKET 16
28 
/*
    An RR (request-response) pair is identified by a Fully Qualified Message ID (RRPD).
*/
32 
/*
 * Describes one request/response (RR) pair: the frames and relative times
 * that bound its request and its response, plus the calculation that applies
 * to it.  One of these is embedded in every PKT_INFO (see PKT_INFO.rrpd);
 * the "rrpd_list" named in the tuning comments below is presumably the
 * dissector's list of pairs awaiting a match - confirm in the .c file.
 */
typedef struct _RRPD
{
    /*
        When a c2s is set TRUE it means that the associated packet is going from
        client-to-service.  If this value is false the associated packet is going
        from service-to-client.

        This value is only valid for RRPDs embedded in subpacket structures.
     */
    gboolean c2s;

    guint8   ip_proto;    /* transport protocol; presumably IP_PROTO_TCP or IP_PROTO_UDP (defined above) - confirm */
    guint32  stream_no;   /* NOTE(review): looks like the tcp.stream / udp.stream index - confirm */
    guint64  session_id;  /* session identifier; presumably e.g. smb2.sesid (64-bit, as in PKT_INFO) - confirm */
    guint64  msg_id;      /* message identifier; presumably e.g. smb2.msg_id or dns.id - confirm */

    /*
        Some request-response pairs are demarcated simply by a change in direction on a
        TCP or UDP stream from s2c to c2s.  This is true for the GTCP and GUDP
        calculations.  Other calculations (such as DCERPC) use application protocol
        values to detect the start and end of APDUs.  In this latter case decode_based
        is set to true.
     */
    gboolean decode_based;

    gboolean is_retrans;  /* presumably derived from PKT_INFO.tcp_retran for this pair - confirm */

    /* Frame numbers and relative times (nstime_t) bounding the request ... */
    guint32  req_first_frame;
    nstime_t req_first_rtime;
    guint32  req_last_frame;
    nstime_t req_last_rtime;

    /* ... and bounding the response. */
    guint32  rsp_first_frame;
    nstime_t rsp_first_rtime;
    guint32  rsp_last_frame;
    nstime_t rsp_last_rtime;

    guint    calculation;  /* which response-time calculation applies; presumably one of RTE_CALC_* - confirm */

    /* The following numbers are for tuning purposes */
    guint32  req_search_total;  /* The total number of steps back through the rrpd_list when matching requests to this entry */
    guint32  rsp_search_total;  /* The total number of steps back through the rrpd_list when matching responses to this entry */
} RRPD;
76 
/*
 * Per-packet view of the header fields TRANSUM reads from a frame, plus the
 * values derived from them.  Each field comment names the Wireshark display
 * filter field the value is taken from; the corresponding lookup indices are
 * the ehf_of_interest enumerators declared below.
 */
typedef struct _PKT_INFO
{
    int frame_number;        /* NOTE(review): signed here, while the RRPD *_frame fields are guint32 - confirm the int is intentional */
    nstime_t relative_time;  /* frame time relative to the capture start - presumably; confirm */

    gboolean tcp_retran;  /* tcp.analysis.retransmission */
    gboolean tcp_keep_alive;  /* tcp.analysis.keep_alive */
    gboolean tcp_flags_syn;  /* tcp.flags.syn */
    gboolean tcp_flags_ack;  /* tcp.flags.ack */
    gboolean tcp_flags_reset;  /* tcp.flags.reset */
    guint32 tcp_flags_urg;  /* tcp.urgent_pointer */
    guint32 tcp_seq;  /* tcp.seq */

    /* Generic transport values */
    guint16 srcport;  /* tcp.srcport or udp.srcport*/
    guint16 dstport;  /* tcp.dstport or udp.dstport*/
    guint16 len;  /* tcp.len or udp.len */

    guint8  ssl_content_type;  /*tls.record.content_type */

    guint8  tds_type;  /*tds.type */
    guint16 tds_length;  /* tds.length */

    guint16 smb_mid;  /* smb.mid */

    guint64 smb2_sesid;  /* smb2.sesid */
    guint64 smb2_msg_id;  /* smb2.msg_id */
    guint16 smb2_cmd;  /* smb2.cmd */

    guint8 dcerpc_ver;  /* dcerpc.ver */
    guint8 dcerpc_pkt_type;  /* dcerpc.pkt_type */
    guint32 dcerpc_cn_call_id;  /* dcerpc.cn_call_id */
    guint16 dcerpc_cn_ctx_id;  /* dcerpc.cn_ctx_id */

    guint16 dns_id;  /* dns.id */

    /* The following values are calculated */
    gboolean pkt_of_interest;  /* presumably TRUE when the packet takes part in an RR-pair calculation - confirm */

    /* RRPD data for this packet */
    /* Complete this based on the detected protocol */
    RRPD rrpd;

} PKT_INFO;
121 
/*
 * Indices into hf_of_interest[] (declared below), one per header field the
 * dissector looks up.  The names mirror the filter fields listed in the
 * PKT_INFO comments.  HF_INTEREST_END_OF_LIST is the array bound and must
 * remain the last enumerator; add new entries before it and keep the
 * hf_of_interest[] initializer in the .c file in the same order.
 */
typedef enum {
    /* IP layer: protocol / next-header, used to pick TCP or UDP handling */
    HF_INTEREST_IP_PROTO = 0,
    HF_INTEREST_IPV6_NXT,

    /* tcp.* fields */
    HF_INTEREST_TCP_RETRAN,
    HF_INTEREST_TCP_KEEP_ALIVE,
    HF_INTEREST_TCP_FLAGS_SYN,
    HF_INTEREST_TCP_FLAGS_ACK,
    HF_INTEREST_TCP_FLAGS_RESET,
    HF_INTEREST_TCP_FLAGS_URG,
    HF_INTEREST_TCP_SEQ,
    HF_INTEREST_TCP_SRCPORT,
    HF_INTEREST_TCP_DSTPORT,
    HF_INTEREST_TCP_STREAM,
    HF_INTEREST_TCP_LEN,

    /* udp.* fields */
    HF_INTEREST_UDP_SRCPORT,
    HF_INTEREST_UDP_DSTPORT,
    HF_INTEREST_UDP_STREAM,
    HF_INTEREST_UDP_LENGTH,

    /* tls.record.content_type */
    HF_INTEREST_SSL_CONTENT_TYPE,

    /* tds.* fields */
    HF_INTEREST_TDS_TYPE,
    HF_INTEREST_TDS_LENGTH,

    /* smb.mid */
    HF_INTEREST_SMB_MID,

    /* smb2.* fields */
    HF_INTEREST_SMB2_SES_ID,
    HF_INTEREST_SMB2_MSG_ID,
    HF_INTEREST_SMB2_CMD,

    /* dcerpc.* fields */
    HF_INTEREST_DCERPC_VER,
    HF_INTEREST_DCERPC_PKT_TYPE,
    HF_INTEREST_DCERPC_CN_CALL_ID,
    HF_INTEREST_DCERPC_CN_CTX_ID,

    /* dns.id */
    HF_INTEREST_DNS_ID,

    /* Sentinel: number of entries, used as the hf_of_interest[] dimension */
    HF_INTEREST_END_OF_LIST
} ehf_of_interest;
163 
/*
 * One entry of hf_of_interest[]: a header-field handle and the field name it
 * was looked up by.
 */
typedef struct _HF_OF_INTEREST_INFO
{
    int hf;                  /* header-field id; presumably the hf_ index obtained from the field lookup - confirm */
    const char* proto_name;  /* filter-style field name, e.g. "tcp.srcport" as in the PKT_INFO comments - presumably */

} HF_OF_INTEREST_INFO;
170 
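/*
 * Table of the header fields TRANSUM reads, indexed by ehf_of_interest and
 * defined elsewhere (presumably in the dissector's .c file).  Its dimension is
 * the HF_INTEREST_END_OF_LIST sentinel, so the enum and the table stay in step.
 */
extern HF_OF_INTEREST_INFO hf_of_interest[HF_INTEREST_END_OF_LIST];

/*
 * From the name: records @port as a TCP port on which a service was detected
 * in the capture - confirm against the definition.
 * Declared extern for consistency with the two predicates below (functions
 * have external linkage either way, so this changes nothing for callers).
 */
extern void add_detected_tcp_svc(guint16 port);

/*
 * Predicates on a DCE/RPC packet type (dcerpc.pkt_type, see PKT_INFO).
 * Their exact semantics are not visible in this header - see the definitions.
 */
extern gboolean is_dcerpc_context_zero(guint32 pkt_type);
extern gboolean is_dcerpc_req_pkt_type(guint32 pkt_type);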
176 
177 
178 /*
179  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
180  *
181  * Local variables:
182  * c-basic-offset: 4
183  * tab-width: 8
184  * indent-tabs-mode: nil
185  * End:
186  *
187  * vi: set shiftwidth=4 tabstop=8 expandtab:
188  * :indentSize=4:tabSize=8:noTabs=true:
189  */
190