1 /* packet-udp.c
2 * Routines for UDP/UDP-Lite packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * Richard Sharpe, 13-Feb-1999, added dispatch table support and
9 * support for tftp.
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14 #define NEW_PROTO_TREE_API
15
16 #include "config.h"
17
18
19 #include <epan/packet.h>
20 #include <epan/capture_dissectors.h>
21 #include <epan/addr_resolv.h>
22 #include <epan/ipproto.h>
23 #include <epan/in_cksum.h>
24 #include <epan/prefs.h>
25 #include <epan/follow.h>
26 #include <epan/expert.h>
27 #include <epan/exceptions.h>
28 #include <epan/show_exception.h>
29 #include <epan/proto_data.h>
30
31 #include <wsutil/utf8_entities.h>
32 #include <wsutil/pint.h>
33 #include <wsutil/str_util.h>
34
35 #include "packet-udp.h"
36
37 #include <epan/conversation.h>
38 #include <epan/conversation_table.h>
39 #include <epan/conversation_filter.h>
40 #include <epan/exported_pdu.h>
41 #include <epan/decode_as.h>
42
43 void proto_register_udp(void);
44 void proto_reg_handoff_udp(void);
45
46 static dissector_handle_t udp_handle;
47 static dissector_handle_t udplite_handle;
48
49 static int udp_tap = -1;
50 static int udp_follow_tap = -1;
51 static int exported_pdu_tap = -1;
52
53 static header_field_info *hfi_udp = NULL;
54 static header_field_info *hfi_udplite = NULL;
55
56 #define UDP_HFI_INIT HFI_INIT(proto_udp)
57 #define UDPLITE_HFI_INIT HFI_INIT(proto_udplite)
58
59 static header_field_info hfi_udp_srcport UDP_HFI_INIT =
60 { "Source Port", "udp.srcport", FT_UINT16, BASE_PT_UDP, NULL, 0x0,
61 NULL, HFILL };
62
63 static header_field_info hfi_udp_dstport UDP_HFI_INIT =
64 { "Destination Port", "udp.dstport", FT_UINT16, BASE_PT_UDP, NULL, 0x0,
65 NULL, HFILL };
66
67 static header_field_info hfi_udp_port UDP_HFI_INIT =
68 { "Source or Destination Port", "udp.port", FT_UINT16, BASE_PT_UDP, NULL, 0x0,
69 NULL, HFILL };
70
71 static header_field_info hfi_udp_stream UDP_HFI_INIT =
72 { "Stream index", "udp.stream", FT_UINT32, BASE_DEC, NULL, 0x0,
73 NULL, HFILL };
74
75 static header_field_info hfi_udp_length UDP_HFI_INIT =
76 { "Length", "udp.length", FT_UINT16, BASE_DEC, NULL, 0x0,
77 "Length in octets including this header and the data", HFILL };
78
79 static header_field_info hfi_udp_checksum UDP_HFI_INIT =
80 { "Checksum", "udp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
81 "Details at: https://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html", HFILL };
82
83 static header_field_info hfi_udp_checksum_calculated UDP_HFI_INIT =
84 { "Calculated Checksum", "udp.checksum_calculated", FT_UINT16, BASE_HEX, NULL, 0x0,
85 "The expected UDP checksum field as calculated from the UDP packet", HFILL };
86
87 static header_field_info hfi_udp_checksum_status UDP_HFI_INIT =
88 { "Checksum Status", "udp.checksum.status", FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
89 NULL, HFILL };
90
91 static header_field_info hfi_udp_proc_src_uid UDP_HFI_INIT =
92 { "Source process user ID", "udp.proc.srcuid", FT_UINT32, BASE_DEC, NULL, 0x0,
93 NULL, HFILL};
94
95 static header_field_info hfi_udp_proc_src_pid UDP_HFI_INIT =
96 { "Source process ID", "udp.proc.srcpid", FT_UINT32, BASE_DEC, NULL, 0x0,
97 NULL, HFILL};
98
99 static header_field_info hfi_udp_proc_src_uname UDP_HFI_INIT =
100 { "Source process user name", "udp.proc.srcuname", FT_STRING, BASE_NONE, NULL, 0x0,
101 NULL, HFILL};
102
103 static header_field_info hfi_udp_proc_src_cmd UDP_HFI_INIT =
104 { "Source process name", "udp.proc.srccmd", FT_STRING, BASE_NONE, NULL, 0x0,
105 "Source process command name", HFILL};
106
107 static header_field_info hfi_udp_proc_dst_uid UDP_HFI_INIT =
108 { "Destination process user ID", "udp.proc.dstuid", FT_UINT32, BASE_DEC, NULL, 0x0,
109 NULL, HFILL};
110
111 static header_field_info hfi_udp_proc_dst_pid UDP_HFI_INIT =
112 { "Destination process ID", "udp.proc.dstpid", FT_UINT32, BASE_DEC, NULL, 0x0,
113 NULL, HFILL};
114
115 static header_field_info hfi_udp_proc_dst_uname UDP_HFI_INIT =
116 { "Destination process user name", "udp.proc.dstuname", FT_STRING, BASE_NONE, NULL, 0x0,
117 NULL, HFILL};
118
119 static header_field_info hfi_udp_proc_dst_cmd UDP_HFI_INIT =
120 { "Destination process name", "udp.proc.dstcmd", FT_STRING, BASE_NONE, NULL, 0x0,
121 "Destination process command name", HFILL};
122
123 static header_field_info hfi_udp_pdu_size UDP_HFI_INIT =
124 { "PDU Size", "udp.pdu.size", FT_UINT32, BASE_DEC, NULL, 0x0,
125 "The size of this PDU", HFILL };
126
127 static header_field_info hfi_udp_ts_relative UDP_HFI_INIT =
128 { "Time since first frame", "udp.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
129 "Time relative to first frame in this UDP stream", HFILL };
130
131 static header_field_info hfi_udp_ts_delta UDP_HFI_INIT =
132 { "Time since previous frame", "udp.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
133 "Time delta from previous frame in this UDP stream", HFILL };
134
135 static header_field_info hfi_udplite_checksum_coverage UDPLITE_HFI_INIT =
136 { "Checksum coverage", "udp.checksum_coverage", FT_UINT16, BASE_DEC, NULL, 0x0,
137 NULL, HFILL };
138
139 static header_field_info hfi_udp_payload UDP_HFI_INIT =
140 { "Payload", "udp.payload", FT_BYTES, BASE_NONE, NULL, 0x0,
141 NULL, HFILL };
142
143
144 static gint ett_udp = -1;
145 static gint ett_udp_checksum = -1;
146 static gint ett_udp_process_info = -1;
147 static gint ett_udp_timestamps = -1;
148
149 static expert_field ei_udp_possible_traceroute = EI_INIT;
150 static expert_field ei_udp_length_bad = EI_INIT;
151 static expert_field ei_udplite_checksum_coverage_bad = EI_INIT;
152 static expert_field ei_udp_checksum_zero = EI_INIT;
153 static expert_field ei_udp_checksum_bad = EI_INIT;
154 static expert_field ei_udp_length_bad_zero = EI_INIT;
155
156 /* Preferences */
157
158 /* Place UDP summary in proto tree */
159 static gboolean udp_summary_in_tree = TRUE;
160
161 /* Check UDP checksums */
162 static gboolean udp_check_checksum = FALSE;
163
164 /* Ignore zero-value UDP checksums over IPv6 */
165 static gboolean udp_ignore_ipv6_zero_checksum = FALSE;
166
167 /* Collect IPFIX process flow information */
168 static gboolean udp_process_info = FALSE;
169
170 /* Ignore an invalid checksum coverage field for UDP-Lite */
171 static gboolean udplite_ignore_checksum_coverage = TRUE;
172
173 /* Check UDP-Lite checksums */
174 static gboolean udplite_check_checksum = FALSE;
175
176 static dissector_table_t udp_dissector_table;
177 static heur_dissector_list_t heur_subdissector_list;
178 static guint32 udp_stream_count;
179
180 /* Determine if there is a sub-dissector and call it. This has been */
181 /* separated into a stand alone routine so other protocol dissectors */
182 /* can call to it, ie. socks */
183
184 static gboolean try_heuristic_first = FALSE;
185
186 static gboolean udp_calculate_ts = TRUE;
187 static gboolean udplite_calculate_ts = TRUE;
188
189 /* Per-packet-info for UDP */
190 typedef struct
191 {
192 heur_dtbl_entry_t *heur_dtbl_entry;
193 nstime_t ts_delta;
194 gboolean ts_delta_valid;
195 } udp_p_info_t;
196
197 static void
udp_src_prompt(packet_info * pinfo,gchar * result)198 udp_src_prompt(packet_info *pinfo, gchar *result)
199 {
200 guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hfi_udp_srcport.id, pinfo->curr_layer_num));
201
202 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", port, UTF8_RIGHTWARDS_ARROW);
203 }
204
205 static gpointer
udp_src_value(packet_info * pinfo)206 udp_src_value(packet_info *pinfo)
207 {
208 return p_get_proto_data(pinfo->pool, pinfo, hfi_udp_srcport.id, pinfo->curr_layer_num);
209 }
210
211 static void
udp_dst_prompt(packet_info * pinfo,gchar * result)212 udp_dst_prompt(packet_info *pinfo, gchar *result)
213 {
214 guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hfi_udp_dstport.id, pinfo->curr_layer_num));
215
216 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, port);
217 }
218
219 static gpointer
udp_dst_value(packet_info * pinfo)220 udp_dst_value(packet_info *pinfo)
221 {
222 return p_get_proto_data(pinfo->pool, pinfo, hfi_udp_dstport.id, pinfo->curr_layer_num);
223 }
224
225 static void
udp_both_prompt(packet_info * pinfo,gchar * result)226 udp_both_prompt(packet_info *pinfo, gchar *result)
227 {
228 guint32 srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hfi_udp_srcport.id, pinfo->curr_layer_num)),
229 dstport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hfi_udp_dstport.id, pinfo->curr_layer_num));
230 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "Both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, dstport);
231 }
232
233 /* Conversation and process code originally copied from packet-tcp.c */
234 static struct udp_analysis *
init_udp_conversation_data(packet_info * pinfo)235 init_udp_conversation_data(packet_info *pinfo)
236 {
237 struct udp_analysis *udpd;
238
239 /* Initialize the udp protocol data structure to add to the udp conversation */
240 udpd = wmem_new0(wmem_file_scope(), struct udp_analysis);
241 /*
242 udpd->flow1.username = NULL;
243 udpd->flow1.command = NULL;
244 udpd->flow2.username = NULL;
245 udpd->flow2.command = NULL;
246 */
247
248 udpd->stream = udp_stream_count++;
249 udpd->ts_first = pinfo->abs_ts;
250 udpd->ts_prev = pinfo->abs_ts;
251
252 return udpd;
253 }
254
255 struct udp_analysis *
get_udp_conversation_data(conversation_t * conv,packet_info * pinfo)256 get_udp_conversation_data(conversation_t *conv, packet_info *pinfo)
257 {
258 int direction;
259 struct udp_analysis *udpd=NULL;
260
261 /* Did the caller supply the conversation pointer? */
262 if (conv == NULL)
263 conv = find_or_create_conversation(pinfo);
264
265 /* Get the data for this conversation */
266 udpd=(struct udp_analysis *)conversation_get_proto_data(conv, hfi_udp->id);
267
268 /* If the conversation was just created or it matched a
269 * conversation with template options, udpd will not
270 * have been initialized. So, initialize
271 * a new udpd structure for the conversation.
272 */
273 if (!udpd) {
274 udpd = init_udp_conversation_data(pinfo);
275 conversation_add_proto_data(conv, hfi_udp->id, udpd);
276 }
277
278 if (!udpd) {
279 return NULL;
280 }
281
282 /* check direction and get ua lists */
283 direction=cmp_address(&pinfo->src, &pinfo->dst);
284 /* if the addresses are equal, match the ports instead */
285 if (direction == 0) {
286 direction= (pinfo->srcport > pinfo->destport) ? 1 : -1;
287 }
288 if (direction >= 0) {
289 udpd->fwd=&(udpd->flow1);
290 udpd->rev=&(udpd->flow2);
291 } else {
292 udpd->fwd=&(udpd->flow2);
293 udpd->rev=&(udpd->flow1);
294 }
295
296 return udpd;
297 }
298
udp_conv_get_filter_type(conv_item_t * conv,conv_filter_type_e filter)299 static const char* udp_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
300 {
301 if (filter == CONV_FT_SRC_PORT)
302 return "udp.srcport";
303
304 if (filter == CONV_FT_DST_PORT)
305 return "udp.dstport";
306
307 if (filter == CONV_FT_ANY_PORT)
308 return "udp.port";
309
310 if(!conv) {
311 return CONV_FILTER_INVALID;
312 }
313
314 if (filter == CONV_FT_SRC_ADDRESS) {
315 if (conv->src_address.type == AT_IPv4)
316 return "ip.src";
317 if (conv->src_address.type == AT_IPv6)
318 return "ipv6.src";
319 }
320
321 if (filter == CONV_FT_DST_ADDRESS) {
322 if (conv->dst_address.type == AT_IPv4)
323 return "ip.dst";
324 if (conv->dst_address.type == AT_IPv6)
325 return "ipv6.dst";
326 }
327
328 if (filter == CONV_FT_ANY_ADDRESS) {
329 if (conv->src_address.type == AT_IPv4)
330 return "ip.addr";
331 if (conv->src_address.type == AT_IPv6)
332 return "ipv6.addr";
333 }
334
335 return CONV_FILTER_INVALID;
336 }
337
338 static ct_dissector_info_t udp_ct_dissector_info = {&udp_conv_get_filter_type};
339
340 static tap_packet_status
udpip_conversation_packet(void * pct,packet_info * pinfo,epan_dissect_t * edt _U_,const void * vip)341 udpip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
342 {
343 conv_hash_t *hash = (conv_hash_t*) pct;
344 const e_udphdr *udphdr=(const e_udphdr *)vip;
345
346 add_conversation_table_data_with_conv_id(hash, &udphdr->ip_src, &udphdr->ip_dst, udphdr->uh_sport, udphdr->uh_dport, (conv_id_t) udphdr->uh_stream, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->abs_ts, &udp_ct_dissector_info, ENDPOINT_UDP);
347
348 return TAP_PACKET_REDRAW;
349 }
350
udp_host_get_filter_type(hostlist_talker_t * host,conv_filter_type_e filter)351 static const char* udp_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
352 {
353
354 if (filter == CONV_FT_SRC_PORT)
355 return "udp.srcport";
356
357 if (filter == CONV_FT_DST_PORT)
358 return "udp.dstport";
359
360 if (filter == CONV_FT_ANY_PORT)
361 return "udp.port";
362
363 if(!host) {
364 return CONV_FILTER_INVALID;
365 }
366
367
368 if (filter == CONV_FT_SRC_ADDRESS) {
369 if (host->myaddress.type == AT_IPv4)
370 return "ip.src";
371 if (host->myaddress.type == AT_IPv6)
372 return "ipv6.src";
373 }
374
375 if (filter == CONV_FT_DST_ADDRESS) {
376 if (host->myaddress.type == AT_IPv4)
377 return "ip.dst";
378 if (host->myaddress.type == AT_IPv6)
379 return "ipv6.dst";
380 }
381
382 if (filter == CONV_FT_ANY_ADDRESS) {
383 if (host->myaddress.type == AT_IPv4)
384 return "ip.addr";
385 if (host->myaddress.type == AT_IPv6)
386 return "ipv6.addr";
387 }
388
389 return CONV_FILTER_INVALID;
390 }
391
392 static hostlist_dissector_info_t udp_host_dissector_info = {&udp_host_get_filter_type};
393
394 static tap_packet_status
udpip_hostlist_packet(void * pit,packet_info * pinfo,epan_dissect_t * edt _U_,const void * vip)395 udpip_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
396 {
397 conv_hash_t *hash = (conv_hash_t*) pit;
398 const e_udphdr *udphdr=(const e_udphdr *)vip;
399
400 /* Take two "add" passes per packet, adding for each direction, ensures that all
401 packets are counted properly (even if address is sending to itself)
402 XXX - this could probably be done more efficiently inside hostlist_table */
403 add_hostlist_table_data(hash, &udphdr->ip_src, udphdr->uh_sport, TRUE, 1, pinfo->fd->pkt_len, &udp_host_dissector_info, ENDPOINT_UDP);
404 add_hostlist_table_data(hash, &udphdr->ip_dst, udphdr->uh_dport, FALSE, 1, pinfo->fd->pkt_len, &udp_host_dissector_info, ENDPOINT_UDP);
405
406 return TAP_PACKET_REDRAW;
407 }
408
409 static gboolean
udp_filter_valid(packet_info * pinfo)410 udp_filter_valid(packet_info *pinfo)
411 {
412 return proto_is_frame_protocol(pinfo->layers, "udp");
413 }
414
415 static gchar*
udp_build_filter(packet_info * pinfo)416 udp_build_filter(packet_info *pinfo)
417 {
418 if( pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4 ) {
419 /* UDP over IPv4 */
420 return g_strdup_printf("(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
421 address_to_str(pinfo->pool, &pinfo->net_src),
422 address_to_str(pinfo->pool, &pinfo->net_dst),
423 pinfo->srcport, pinfo->destport );
424 }
425
426 if( pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6 ) {
427 /* UDP over IPv6 */
428 return g_strdup_printf("(ipv6.addr eq %s and ipv6.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
429 address_to_str(pinfo->pool, &pinfo->net_src),
430 address_to_str(pinfo->pool, &pinfo->net_dst),
431 pinfo->srcport, pinfo->destport );
432 }
433
434 return NULL;
435 }
436
udp_follow_conv_filter(epan_dissect_t * edt _U_,packet_info * pinfo,guint * stream,guint * sub_stream _U_)437 static gchar *udp_follow_conv_filter(epan_dissect_t *edt _U_, packet_info *pinfo, guint *stream, guint *sub_stream _U_)
438 {
439 conversation_t *conv;
440 struct udp_analysis *udpd;
441
442 if( ((pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) ||
443 (pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6))
444 && (conv=find_conversation_pinfo(pinfo, 0)) != NULL )
445 {
446 /* UDP over IPv4/6 */
447 udpd=get_udp_conversation_data(conv, pinfo);
448 if (udpd == NULL)
449 return NULL;
450
451 *stream = udpd->stream;
452 return g_strdup_printf("udp.stream eq %u", udpd->stream);
453 }
454
455 return NULL;
456 }
457
udp_follow_index_filter(guint stream,guint sub_stream _U_)458 static gchar *udp_follow_index_filter(guint stream, guint sub_stream _U_)
459 {
460 return g_strdup_printf("udp.stream eq %u", stream);
461 }
462
udp_follow_address_filter(address * src_addr,address * dst_addr,int src_port,int dst_port)463 static gchar *udp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port)
464 {
465 const gchar *ip_version = src_addr->type == AT_IPv6 ? "v6" : "";
466 gchar src_addr_str[WS_INET6_ADDRSTRLEN];
467 gchar dst_addr_str[WS_INET6_ADDRSTRLEN];
468
469 address_to_str_buf(src_addr, src_addr_str, sizeof(src_addr_str));
470 address_to_str_buf(dst_addr, dst_addr_str, sizeof(dst_addr_str));
471
472 return g_strdup_printf("((ip%s.src eq %s and udp.srcport eq %d) and "
473 "(ip%s.dst eq %s and udp.dstport eq %d))"
474 " or "
475 "((ip%s.src eq %s and udp.srcport eq %d) and "
476 "(ip%s.dst eq %s and udp.dstport eq %d))",
477 ip_version, src_addr_str, src_port,
478 ip_version, dst_addr_str, dst_port,
479 ip_version, dst_addr_str, dst_port,
480 ip_version, src_addr_str, src_port);
481 }
482
483
484 /* Attach process info to a flow */
485 /* XXX - We depend on the UDP dissector finding the conversation first */
486 void
add_udp_process_info(guint32 frame_num,address * local_addr,address * remote_addr,guint16 local_port,guint16 remote_port,guint32 uid,guint32 pid,gchar * username,gchar * command)487 add_udp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command) {
488 conversation_t *conv;
489 struct udp_analysis *udpd;
490 udp_flow_t *flow = NULL;
491
492 if (!udp_process_info) {
493 return;
494 }
495
496 conv = find_conversation(frame_num, local_addr, remote_addr, ENDPOINT_UDP, local_port, remote_port, 0);
497 if (!conv) {
498 return;
499 }
500
501 udpd = (struct udp_analysis *)conversation_get_proto_data(conv, hfi_udp->id);
502 if (!udpd) {
503 return;
504 }
505
506 if ((cmp_address(local_addr, conversation_key_addr1(conv->key_ptr)) == 0) && (local_port == conversation_key_port1(conv->key_ptr))) {
507 flow = &udpd->flow1;
508 } else if ((cmp_address(remote_addr, conversation_key_addr1(conv->key_ptr)) == 0) && (remote_port == conversation_key_port1(conv->key_ptr))) {
509 flow = &udpd->flow2;
510 }
511 if (!flow || flow->command) {
512 return;
513 }
514
515 flow->process_uid = uid;
516 flow->process_pid = pid;
517 flow->username = wmem_strdup(wmem_file_scope(), username);
518 flow->command = wmem_strdup(wmem_file_scope(), command);
519 }
520
521
522 /* Return the current stream count */
get_udp_stream_count(void)523 guint32 get_udp_stream_count(void)
524 {
525 return udp_stream_count;
526 }
527
528 static void
handle_export_pdu_dissection_table(packet_info * pinfo,tvbuff_t * tvb,guint32 port)529 handle_export_pdu_dissection_table(packet_info *pinfo, tvbuff_t *tvb, guint32 port)
530 {
531 if (have_tap_listener(exported_pdu_tap)) {
532 exp_pdu_data_item_t exp_pdu_data_table_value = {exp_pdu_data_dissector_table_num_value_size, exp_pdu_data_dissector_table_num_value_populate_data, NULL};
533
534 const exp_pdu_data_item_t *udp_exp_pdu_items[] = {
535 &exp_pdu_data_src_ip,
536 &exp_pdu_data_dst_ip,
537 &exp_pdu_data_port_type,
538 &exp_pdu_data_src_port,
539 &exp_pdu_data_dst_port,
540 &exp_pdu_data_orig_frame_num,
541 &exp_pdu_data_table_value,
542 NULL
543 };
544
545 exp_pdu_data_t *exp_pdu_data;
546
547 exp_pdu_data_table_value.data = GUINT_TO_POINTER(port);
548
549 exp_pdu_data = export_pdu_create_tags(pinfo, "udp.port", EXP_PDU_TAG_DISSECTOR_TABLE_NAME, udp_exp_pdu_items);
550 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
551 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
552 exp_pdu_data->pdu_tvb = tvb;
553
554 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
555 }
556 }
557
558 static void
handle_export_pdu_heuristic(packet_info * pinfo,tvbuff_t * tvb,heur_dtbl_entry_t * hdtbl_entry)559 handle_export_pdu_heuristic(packet_info *pinfo, tvbuff_t *tvb, heur_dtbl_entry_t *hdtbl_entry)
560 {
561 exp_pdu_data_t *exp_pdu_data = NULL;
562
563 if (have_tap_listener(exported_pdu_tap)) {
564 if ((!hdtbl_entry->enabled) ||
565 (hdtbl_entry->protocol != NULL && !proto_is_protocol_enabled(hdtbl_entry->protocol))) {
566 exp_pdu_data = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_PROTO_NAME);
567 } else if (hdtbl_entry->protocol != NULL) {
568 exp_pdu_data = export_pdu_create_common_tags(pinfo, hdtbl_entry->short_name, EXP_PDU_TAG_HEUR_PROTO_NAME);
569 }
570
571 if (exp_pdu_data != NULL) {
572 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
573 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
574 exp_pdu_data->pdu_tvb = tvb;
575
576 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
577 }
578 }
579 }
580
581 static void
handle_export_pdu_conversation(packet_info * pinfo,tvbuff_t * tvb,int uh_dport,int uh_sport)582 handle_export_pdu_conversation(packet_info *pinfo, tvbuff_t *tvb, int uh_dport, int uh_sport)
583 {
584 if (have_tap_listener(exported_pdu_tap)) {
585 conversation_t *conversation = find_conversation(pinfo->num, &pinfo->dst, &pinfo->src, ENDPOINT_UDP, uh_dport, uh_sport, 0);
586 if (conversation != NULL)
587 {
588 dissector_handle_t handle = (dissector_handle_t)wmem_tree_lookup32_le(conversation->dissector_tree, pinfo->num);
589 if (handle != NULL)
590 {
591 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, dissector_handle_get_dissector_name(handle), EXP_PDU_TAG_PROTO_NAME);
592 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
593 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
594 exp_pdu_data->pdu_tvb = tvb;
595
596 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
597 }
598 }
599 }
600 }
601
602 void
decode_udp_ports(tvbuff_t * tvb,int offset,packet_info * pinfo,proto_tree * udp_tree,int uh_sport,int uh_dport,int uh_ulen)603 decode_udp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
604 proto_tree *udp_tree, int uh_sport, int uh_dport, int uh_ulen)
605 {
606 tvbuff_t *next_tvb;
607 int low_port, high_port;
608 gint len, reported_len;
609 udp_p_info_t *udp_p_info;
610 /* Save curr_layer_num as it might be changed by subdissector */
611 guint8 curr_layer_num = pinfo->curr_layer_num;
612 heur_dtbl_entry_t *hdtbl_entry;
613 exp_pdu_data_t *exp_pdu_data;
614 proto_tree* tree = proto_tree_get_root(udp_tree);
615
616 /* populate per packet data variable */
617 udp_p_info = (udp_p_info_t*)p_get_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, pinfo->curr_layer_num);
618
619 len = tvb_captured_length_remaining(tvb, offset);
620 reported_len = tvb_reported_length_remaining(tvb, offset);
621 if (uh_ulen != -1) {
622 /* This is the length from the UDP header; the payload should be cut
623 off at that length. (If our caller passed a value here, they
624 are assumed to have checked that it's >= 8, and hence >= offset.)
625
626 XXX - what if it's *greater* than the reported length? */
627 if ((uh_ulen - offset) < reported_len)
628 reported_len = uh_ulen - offset;
629 if (len > reported_len)
630 len = reported_len;
631 }
632
633 // proto_tree_add_item(udp_tree, &hfi_udp_payload, tvb, offset, len, ENC_NA);
634 proto_tree_add_bytes_format(udp_tree, &hfi_udp_payload, tvb, offset,
635 -1, NULL, "UDP payload (%u byte%s)", len,
636 plurality(len, "", "s"));
637
638 next_tvb = tvb_new_subset_length_caplen(tvb, offset, len, reported_len);
639
640 /* If the user has a "Follow UDP Stream" window loading, pass a pointer
641 * to the payload tvb through the tap system. */
642 if (have_tap_listener(udp_follow_tap))
643 tap_queue_packet(udp_follow_tap, pinfo, next_tvb);
644
645 if (PINFO_FD_VISITED(pinfo)) {
646 if (udp_p_info && udp_p_info->heur_dtbl_entry != NULL) {
647 call_heur_dissector_direct(udp_p_info->heur_dtbl_entry, next_tvb, pinfo, tree, NULL);
648 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
649 return;
650 }
651 }
652
653 /* determine if this packet is part of a conversation and call dissector */
654 /* for the conversation if available */
655 if (try_conversation_dissector(&pinfo->dst, &pinfo->src, ENDPOINT_UDP,
656 uh_dport, uh_sport, next_tvb, pinfo, tree, NULL, NO_ADDR_B|NO_PORT_B)) {
657 handle_export_pdu_conversation(pinfo, next_tvb, uh_dport, uh_sport);
658 return;
659 }
660
661 if (try_heuristic_first) {
662 /* Do lookup with the heuristic subdissector table */
663 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
664 if (!udp_p_info) {
665 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
666 p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
667 }
668
669 udp_p_info->heur_dtbl_entry = hdtbl_entry;
670
671 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
672 return;
673 }
674 }
675
676 /* Do lookups with the subdissector table.
677 We try the port number with the lower value first, followed by the
678 port number with the higher value. This means that, for packets
679 where a dissector is registered for *both* port numbers:
680
681 1) we pick the same dissector for traffic going in both directions;
682
683 2) we prefer the port number that's more likely to be the right
684 one (as that prefers well-known ports to reserved ports);
685
686 although there is, of course, no guarantee that any such strategy
687 will always pick the right port number.
688
689 XXX - we ignore port numbers of 0, as some dissectors use a port
690 number of 0 to disable the port, and as RFC 768 says that the source
691 port in UDP datagrams is optional and is 0 if not used. */
692 if (uh_sport > uh_dport) {
693 low_port = uh_dport;
694 high_port = uh_sport;
695 } else {
696 low_port = uh_sport;
697 high_port = uh_dport;
698 }
699 if ((low_port != 0) &&
700 dissector_try_uint(udp_dissector_table, low_port, next_tvb, pinfo, tree)) {
701 handle_export_pdu_dissection_table(pinfo, next_tvb, low_port);
702 return;
703 }
704 if ((high_port != 0) &&
705 dissector_try_uint(udp_dissector_table, high_port, next_tvb, pinfo, tree)) {
706 handle_export_pdu_dissection_table(pinfo, next_tvb, high_port);
707 return;
708 }
709
710 if (!try_heuristic_first) {
711 /* Do lookup with the heuristic subdissector table */
712 if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree, &hdtbl_entry, NULL)) {
713 if (!udp_p_info) {
714 udp_p_info = wmem_new0(wmem_file_scope(), udp_p_info_t);
715 p_add_proto_data(wmem_file_scope(), pinfo, hfi_udp->id, curr_layer_num, udp_p_info);
716 }
717
718 udp_p_info->heur_dtbl_entry = hdtbl_entry;
719
720 handle_export_pdu_heuristic(pinfo, next_tvb, udp_p_info->heur_dtbl_entry);
721 return;
722 }
723 }
724
725 call_data_dissector(next_tvb, pinfo, tree);
726
727 if (have_tap_listener(exported_pdu_tap)) {
728 exp_pdu_data = export_pdu_create_common_tags(pinfo, "data", EXP_PDU_TAG_PROTO_NAME);
729 exp_pdu_data->tvb_captured_length = tvb_captured_length(next_tvb);
730 exp_pdu_data->tvb_reported_length = tvb_reported_length(next_tvb);
731 exp_pdu_data->pdu_tvb = next_tvb;
732
733 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
734 }
735 }
736
737 int
udp_dissect_pdus(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint fixed_len,gboolean (* heuristic_check)(packet_info *,tvbuff_t *,int,void *),guint (* get_pdu_len)(packet_info *,tvbuff_t *,int,void *),dissector_t dissect_pdu,void * dissector_data)738 udp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
739 guint fixed_len, gboolean (*heuristic_check)(packet_info *, tvbuff_t *, int, void*),
740 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
741 dissector_t dissect_pdu, void* dissector_data)
742 {
743 volatile int offset = 0;
744 int offset_before;
745 guint captured_length_remaining;
746 volatile guint plen;
747 guint length;
748 tvbuff_t *next_tvb;
749 proto_item *item=NULL;
750 const char *saved_proto;
751 guint8 curr_layer_num;
752 wmem_list_frame_t *frame;
753
754 while (tvb_reported_length_remaining(tvb, offset) > 0) {
755 /*
756 * We use "tvb_ensure_captured_length_remaining()" to make
757 * sure there actually *is* data remaining. The protocol
758 * we're handling could conceivably consists of a sequence of
759 * fixed-length PDUs, and therefore the "get_pdu_len" routine
760 * might not actually fetch anything from the tvbuff, and thus
761 * might not cause an exception to be thrown if we've run past
762 * the end of the tvbuff.
763 *
764 * This means we're guaranteed that "captured_length_remaining" is positive.
765 */
766 captured_length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
767
768 /*
769 * If there is a heuristic function, check it
770 */
771 if ((heuristic_check != NULL) &&
772 ((*heuristic_check)(pinfo, tvb, offset, dissector_data) == FALSE)) {
773 return offset;
774 }
775
776 /*
777 * Get the length of the PDU.
778 */
779 plen = (*get_pdu_len)(pinfo, tvb, offset, dissector_data);
780 if (plen == 0) {
781 /*
782 * Either protocol has variable length (which isn't supposed by UDP)
783 * or packet doesn't belong to protocol
784 */
785 return offset;
786 }
787
788 if (plen < fixed_len) {
789 /*
790 * Either:
791 *
792 * 1) the length value extracted from the fixed-length portion
793 * doesn't include the fixed-length portion's length, and
794 * was so large that, when the fixed-length portion's
795 * length was added to it, the total length overflowed;
796 *
797 * 2) the length value extracted from the fixed-length portion
798 * includes the fixed-length portion's length, and the value
799 * was less than the fixed-length portion's length, i.e. it
800 * was bogus.
801 *
802 * Report this as a bounds error.
803 */
804 show_reported_bounds_error(tvb, pinfo, tree);
805 return offset;
806 }
807
808 curr_layer_num = pinfo->curr_layer_num-1;
809 frame = wmem_list_frame_prev(wmem_list_tail(pinfo->layers));
810 while (frame && (hfi_udp->id != (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame)))) {
811 frame = wmem_list_frame_prev(frame);
812 curr_layer_num--;
813 }
814
815 /*
816 * Display the PDU length as a field
817 */
818 item=proto_tree_add_uint((proto_tree *)p_get_proto_data(pinfo->pool, pinfo, hfi_udp->id, curr_layer_num),
819 &hfi_udp_pdu_size,
820 tvb, offset, plen, plen);
821 proto_item_set_generated(item);
822
823 /*
824 * Construct a tvbuff containing the amount of the payload we have
825 * available. Make its reported length the amount of data in the PDU.
826 */
827 length = captured_length_remaining;
828 if (length > plen)
829 length = plen;
830 next_tvb = tvb_new_subset_length_caplen(tvb, offset, length, plen);
831
832 /*
833 * Dissect the PDU.
834 *
835 * If it gets an error that means there's no point in
836 * dissecting any more PDUs, rethrow the exception in
837 * question.
838 *
839 * If it gets any other error, report it and continue, as that
840 * means that PDU got an error, but that doesn't mean we should
841 * stop dissecting PDUs within this frame or chunk of reassembled
842 * data.
843 */
844 saved_proto = pinfo->current_proto;
845 TRY {
846 (*dissect_pdu)(next_tvb, pinfo, tree, dissector_data);
847 }
848 CATCH_NONFATAL_ERRORS {
849 /* Restore the private_data structure in case one of the
850 * called dissectors modified it (and, due to the exception,
851 * was unable to restore it).
852 */
853 show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
854
855 /*
856 * Restore the saved protocol as well; we do this after
857 * show_exception(), so that the "Malformed packet" indication
858 * shows the protocol for which dissection failed.
859 */
860 pinfo->current_proto = saved_proto;
861 }
862 ENDTRY;
863
864 /*
865 * Step to the next PDU.
866 * Make sure we don't overflow.
867 */
868 offset_before = offset;
869 offset += plen;
870 if (offset <= offset_before)
871 break;
872 }
873
874 return offset;
875 }
876
877 static gboolean
capture_udp(const guchar * pd _U_,int offset _U_,int len _U_,capture_packet_info_t * cpinfo,const union wtap_pseudo_header * pseudo_header _U_)878 capture_udp(const guchar *pd _U_, int offset _U_, int len _U_, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header _U_)
879 {
880 guint16 src_port, dst_port, low_port, high_port;
881
882 if (!BYTES_ARE_IN_FRAME(offset, len, 4))
883 return FALSE;
884
885 capture_dissector_increment_count(cpinfo, hfi_udp->id);
886
887 src_port = pntoh16(&pd[offset]);
888 dst_port = pntoh16(&pd[offset+2]);
889
890 if (src_port > dst_port) {
891 low_port = dst_port;
892 high_port = src_port;
893 } else {
894 low_port = src_port;
895 high_port = dst_port;
896 }
897
898 if (low_port != 0 &&
899 try_capture_dissector("udp.port", low_port, pd, offset+20, len, cpinfo, pseudo_header))
900 return TRUE;
901
902 if (high_port != 0 &&
903 try_capture_dissector("udp.port", high_port, pd, offset+20, len, cpinfo, pseudo_header))
904 return TRUE;
905
906 /* We've at least identified one type of packet, so this shouldn't be "other" */
907 return TRUE;
908 }
909
910 /* Calculate the timestamps relative to this conversation */
911 static void
udp_compute_timestamps(packet_info * pinfo,struct udp_analysis * udp_data,int proto)912 udp_compute_timestamps(packet_info *pinfo, struct udp_analysis *udp_data, int proto)
913 {
914 if (!udp_data)
915 return;
916
917 /* get per packet date for UDP/UDP-Lite based on protocol id */
918 udp_p_info_t *udp_per_packet_data = (udp_p_info_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num);
919
920 if(!udp_per_packet_data) {
921 udp_per_packet_data = wmem_new0(wmem_file_scope(), udp_p_info_t);
922 p_add_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num, udp_per_packet_data);
923 }
924
925 nstime_delta(&udp_per_packet_data->ts_delta, &pinfo->abs_ts, &udp_data->ts_prev);
926 udp_per_packet_data->ts_delta_valid = TRUE;
927
928 udp_data->ts_prev = pinfo->abs_ts;
929 }
930
931 /* Add a subtree with the timestamps relative to this conversation */
932 static void
udp_print_timestamps(packet_info * pinfo,tvbuff_t * tvb,proto_tree * parent_tree,struct udp_analysis * udp_data,int proto)933 udp_print_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *parent_tree, struct udp_analysis *udp_data, int proto)
934 {
935 proto_item *item;
936 proto_tree *tree;
937 nstime_t ts;
938
939 if (!udp_data)
940 return;
941
942 /* get per packet date for UDP/UDP-Lite based on protocol id */
943 udp_p_info_t *udp_per_packet_data = (udp_p_info_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto, pinfo->curr_layer_num);
944
945 tree = proto_tree_add_subtree(parent_tree, tvb, 0, 0, ett_udp_timestamps, &item, "Timestamps");
946 proto_item_set_generated(item);
947
948 nstime_delta(&ts, &pinfo->abs_ts, &udp_data->ts_first);
949 item = proto_tree_add_time(tree, &hfi_udp_ts_relative, tvb, 0, 0, &ts);
950 proto_item_set_generated(item);
951
952 if (udp_per_packet_data && udp_per_packet_data->ts_delta_valid) {
953 item = proto_tree_add_time(tree, &hfi_udp_ts_delta, tvb, 0, 0,
954 &udp_per_packet_data->ts_delta);
955 proto_item_set_generated(item);
956 }
957 }
958
959 static void
udp_handle_timestamps(packet_info * pinfo,tvbuff_t * tvb,proto_tree * tree,struct udp_analysis * udp_data,guint32 ip_proto)960 udp_handle_timestamps(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, struct udp_analysis *udp_data, guint32 ip_proto)
961 {
962 int proto_id = (ip_proto == IP_PROTO_UDP ? hfi_udp->id : hfi_udplite->id);
963
964 /*
965 * Calculate the timestamps relative to this conversation (but only on the
966 * first run when frames are accessed sequentially)
967 */
968 if (!PINFO_FD_VISITED(pinfo))
969 udp_compute_timestamps(pinfo, udp_data, proto_id);
970
971 /* handle conversation timestamps */
972 udp_print_timestamps(pinfo, tvb, tree, udp_data, proto_id);
973 }
974
975 static void
dissect(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 ip_proto)976 dissect(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 ip_proto)
977 {
978 proto_tree *udp_tree = NULL;
979 proto_item *ti, *item, *hidden_item, *calc_item;
980 proto_item *src_port_item, *dst_port_item, *len_cov_item;
981 guint len;
982 guint reported_len;
983 vec_t cksum_vec[4];
984 guint32 phdr[2];
985 guint16 computed_cksum;
986 int offset = 0;
987 e_udphdr *udph;
988 proto_tree *checksum_tree;
989 conversation_t *conv = NULL;
990 struct udp_analysis *udpd = NULL;
991 proto_tree *process_tree;
992 gboolean udp_jumbogram = FALSE;
993
994 udph = wmem_new0(pinfo->pool, e_udphdr);
995 udph->uh_sport = tvb_get_ntohs(tvb, offset);
996 udph->uh_dport = tvb_get_ntohs(tvb, offset + 2);
997 copy_address_shallow(&udph->ip_src, &pinfo->src);
998 copy_address_shallow(&udph->ip_dst, &pinfo->dst);
999
1000 col_set_str(pinfo->cinfo, COL_PROTOCOL, (ip_proto == IP_PROTO_UDP) ? "UDP" : "UDP-Lite");
1001 col_clear(pinfo->cinfo, COL_INFO);
1002 col_append_ports(pinfo->cinfo, COL_INFO, PT_UDP, udph->uh_sport, udph->uh_dport);
1003
1004 reported_len = tvb_reported_length(tvb);
1005 len = tvb_captured_length(tvb);
1006
1007 ti = proto_tree_add_item(tree, (ip_proto == IP_PROTO_UDP) ? hfi_udp : hfi_udplite, tvb, offset, 8, ENC_NA);
1008 if (udp_summary_in_tree) {
1009 proto_item_append_text(ti, ", Src Port: %s, Dst Port: %s",
1010 port_with_resolution_to_str(pinfo->pool, PT_UDP, udph->uh_sport),
1011 port_with_resolution_to_str(pinfo->pool, PT_UDP, udph->uh_dport));
1012 }
1013 udp_tree = proto_item_add_subtree(ti, ett_udp);
1014 p_add_proto_data(pinfo->pool, pinfo, hfi_udp->id, pinfo->curr_layer_num, udp_tree);
1015
1016 src_port_item = proto_tree_add_item(udp_tree, &hfi_udp_srcport, tvb, offset, 2, ENC_BIG_ENDIAN);
1017 dst_port_item = proto_tree_add_item(udp_tree, &hfi_udp_dstport, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1018
1019 p_add_proto_data(pinfo->pool, pinfo, hfi_udp_srcport.id, pinfo->curr_layer_num, GUINT_TO_POINTER(udph->uh_sport));
1020 p_add_proto_data(pinfo->pool, pinfo, hfi_udp_dstport.id, pinfo->curr_layer_num, GUINT_TO_POINTER(udph->uh_dport));
1021
1022 hidden_item = proto_tree_add_item(udp_tree, &hfi_udp_port, tvb, offset, 2, ENC_BIG_ENDIAN);
1023 proto_item_set_hidden(hidden_item);
1024 hidden_item = proto_tree_add_item(udp_tree, &hfi_udp_port, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1025 proto_item_set_hidden(hidden_item);
1026
1027 /* The beginning port number, 32768 + 666 (33434), is from LBL's traceroute.c source code and this code
1028 * further assumes that 3 attempts are made per hop */
1029 if ((udph->uh_sport > (32768 + 666)) && (udph->uh_sport <= (32768 + 666 + 30))) {
1030 expert_add_info_format(pinfo, src_port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
1031 ((udph->uh_sport - 32768 - 666 - 1) / 3) + 1,
1032 ((udph->uh_sport - 32768 - 666 - 1) % 3) + 1);
1033 }
1034 if ((udph->uh_dport > (32768 + 666)) && (udph->uh_dport <= (32768 + 666 + 30))) {
1035 expert_add_info_format(pinfo, dst_port_item, &ei_udp_possible_traceroute, "Possible traceroute: hop #%u, attempt #%u",
1036 ((udph->uh_dport - 32768 - 666 - 1) / 3) + 1,
1037 ((udph->uh_dport - 32768 - 666 - 1) % 3) + 1);
1038 }
1039
1040 udph->uh_ulen = udph->uh_sum_cov = tvb_get_ntohs(tvb, offset + 4);
1041 if (ip_proto == IP_PROTO_UDP) {
1042 len_cov_item = proto_tree_add_item(udp_tree, &hfi_udp_length, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1043 if (udph->uh_ulen == 0 && pinfo->src.type == AT_IPv6) {
1044 /* RFC 2675 (section 4) - UDP Jumbograms */
1045 udph->uh_ulen = udph->uh_sum_cov = reported_len;
1046 udp_jumbogram = TRUE;
1047 }
1048 if (udph->uh_ulen < 8) {
1049 /* Bogus length - it includes the header, so it must be >= 8. */
1050 proto_item_append_text(len_cov_item, " (bogus, must be >= 8)");
1051 expert_add_info_format(pinfo, len_cov_item, &ei_udp_length_bad, "Bad length value %u < 8", udph->uh_ulen);
1052 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u < 8]", udph->uh_ulen);
1053 return;
1054 }
1055 if ((udph->uh_ulen > reported_len) && (!pinfo->fragmented) && (!pinfo->flags.in_error_pkt)) {
1056 /* Bogus length - it goes past the end of the IP payload */
1057 proto_item_append_text(len_cov_item, " (bogus, payload length %u)", reported_len);
1058 expert_add_info_format(pinfo, len_cov_item, &ei_udp_length_bad, "Bad length value %u > IP payload length", udph->uh_ulen);
1059 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD UDP LENGTH %u > IP PAYLOAD LENGTH]", udph->uh_ulen);
1060 /*return;*/
1061 }
1062 if (udp_jumbogram && (udph->uh_ulen < 65536)) {
1063 expert_add_info(pinfo, len_cov_item, &ei_udp_length_bad_zero);
1064 }
1065 } else {
1066 len_cov_item = proto_tree_add_item(udp_tree, &hfi_udplite_checksum_coverage, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1067 udph->uh_ulen = reported_len;
1068 if (udph->uh_sum_cov == 0) {
1069 udph->uh_sum_cov = reported_len;
1070 }
1071 item = proto_tree_add_uint(udp_tree, &hfi_udp_length, tvb, offset + 4, 0, udph->uh_ulen);
1072 proto_item_set_generated(item);
1073 if ((udph->uh_sum_cov < 8) || (udph->uh_sum_cov > udph->uh_ulen)) {
1074 /* Bogus coverage - it includes the header, so it must be >= 8, and no larger then the IP payload size. */
1075 proto_item_append_text(len_cov_item, " (bogus, must be >= 8 and <= %u)", udph->uh_ulen);
1076 expert_add_info_format(pinfo, len_cov_item, &ei_udplite_checksum_coverage_bad, "Bad checksum coverage length value %u < 8 or > %u",
1077 udph->uh_sum_cov, udph->uh_ulen);
1078 col_append_fstr(pinfo->cinfo, COL_INFO, " [BAD LIGHTWEIGHT UDP CHECKSUM COVERAGE LENGTH %u < 8 or > %u]",
1079 udph->uh_sum_cov, udph->uh_ulen);
1080 if (!udplite_ignore_checksum_coverage) {
1081 return;
1082 }
1083 }
1084 }
1085
1086 col_append_str_uint(pinfo->cinfo, COL_INFO, "Len", udph->uh_ulen - 8, " "); /* Payload length */
1087 if (udp_jumbogram)
1088 col_append_str(pinfo->cinfo, COL_INFO, " [Jumbogram]");
1089
1090 udph->uh_sum = tvb_get_ntohs(tvb, offset + 6);
1091 if (udph->uh_sum == 0) {
1092 /* No checksum supplied in the packet. */
1093
1094 gboolean ignore_zero_checksum = (ip_proto == IP_PROTO_UDP) &&
1095 ((pinfo->src.type == AT_IPv4) || ((pinfo->src.type == AT_IPv6) && udp_ignore_ipv6_zero_checksum));
1096 proto_checksum_enum_e checksum_status;
1097
1098 item = proto_tree_add_item(udp_tree, &hfi_udp_checksum, tvb, offset + 6, 2, ENC_BIG_ENDIAN);
1099 if (ignore_zero_checksum || pinfo->flags.in_error_pkt) {
1100 proto_item_append_text(item, " [zero-value ignored]");
1101 checksum_status = PROTO_CHECKSUM_E_NOT_PRESENT;
1102 } else {
1103 proto_item_append_text(item, " [zero-value illegal]");
1104 checksum_status = PROTO_CHECKSUM_E_ILLEGAL;
1105 expert_add_info(pinfo, item, &ei_udp_checksum_zero);
1106 col_append_str(pinfo->cinfo, COL_INFO, " [ILLEGAL CHECKSUM (0)]");
1107 }
1108 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
1109 item = proto_tree_add_uint(checksum_tree, &hfi_udp_checksum_status, tvb, offset + 6, 2, checksum_status);
1110 proto_item_set_generated(item);
1111 } else if (!pinfo->fragmented && (len >= reported_len) &&
1112 (len >= udph->uh_sum_cov) && (reported_len >= udph->uh_sum_cov) &&
1113 (udph->uh_sum_cov >= 8)) {
1114 /* The packet isn't part of a fragmented datagram and isn't
1115 truncated, so we can checksum it.
1116 XXX - make a bigger scatter-gather list once we do fragment
1117 reassembly? */
1118
1119 if (((ip_proto == IP_PROTO_UDP) && udp_check_checksum) ||
1120 ((ip_proto == IP_PROTO_UDPLITE) && udplite_check_checksum)) {
1121 /* Set up the fields of the pseudo-header. */
1122 SET_CKSUM_VEC_PTR(cksum_vec[0], (const guint8 *)pinfo->src.data, pinfo->src.len);
1123 SET_CKSUM_VEC_PTR(cksum_vec[1], (const guint8 *)pinfo->dst.data, pinfo->dst.len);
1124 switch (pinfo->src.type) {
1125
1126 case AT_IPv4:
1127 if (ip_proto == IP_PROTO_UDP)
1128 phdr[0] = g_htonl((ip_proto<<16) | udph->uh_ulen);
1129 else
1130 phdr[0] = g_htonl((ip_proto<<16) | reported_len);
1131 SET_CKSUM_VEC_PTR(cksum_vec[2], (const guint8 *)&phdr, 4);
1132 break;
1133
1134 case AT_IPv6:
1135 if (ip_proto == IP_PROTO_UDP)
1136 phdr[0] = g_htonl(udph->uh_ulen);
1137 else
1138 phdr[0] = g_htonl(reported_len);
1139 phdr[1] = g_htonl(ip_proto);
1140 SET_CKSUM_VEC_PTR(cksum_vec[2], (const guint8 *)&phdr, 8);
1141 break;
1142
1143 default:
1144 /* UDP runs only atop IPv4 and IPv6.... */
1145 DISSECTOR_ASSERT_NOT_REACHED();
1146 break;
1147 }
1148 SET_CKSUM_VEC_TVB(cksum_vec[3], tvb, offset, udph->uh_sum_cov);
1149 computed_cksum = in_cksum(&cksum_vec[0], 4);
1150
1151 item = proto_tree_add_checksum(udp_tree, tvb, offset + 6, &hfi_udp_checksum, hfi_udp_checksum_status.id, &ei_udp_checksum_bad,
1152 pinfo, computed_cksum, ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY|PROTO_CHECKSUM_IN_CKSUM);
1153 checksum_tree = proto_item_add_subtree(item, ett_udp_checksum);
1154
1155 /*
1156 * in_cksum() should never return 0xFFFF here, because, to quote
1157 * RFC 1624 section 3 "Discussion":
1158 *
1159 * In one's complement, there are two representations of
1160 * zero: the all zero and the all one bit values, often
1161 * referred to as +0 and -0. One's complement addition
1162 * of non-zero inputs can produce -0 as a result, but
1163 * never +0. Since there is guaranteed to be at least
1164 * one non-zero field in the IP header, and the checksum
1165 * field in the protocol header is the complement of the
1166 * sum, the checksum field can never contain ~(+0), which
1167 * is -0 (0xFFFF). It can, however, contain ~(-0), which
1168 * is +0 (0x0000).
1169 *
1170 * RFC 1624 is discussing the checksum of the *IPv4* header,
1171 * where the "version" field is 4, ensuring that, in a valid
1172 * IPv4 header, there is at least one non-zero field, but it
1173 * also applies to a UDP datagram, because the length includes
1174 * the length of the UDP header, so at least one field in a UDP
1175 * datagram is non-zero.
1176 *
1177 * in_cksum() returns the negation of the one's-complement
1178 * sum of all the data handed to it, and that data won't be
1179 * all zero, so the sum won't be 0 (+0), and thus the negation
1180 * won't be -0, i.e. won't be 0xFFFF.
1181 */
1182 if (computed_cksum != 0) {
1183 proto_item_append_text(item, " (maybe caused by \"UDP checksum offload\"?)");
1184 col_append_str(pinfo->cinfo, COL_INFO, " [UDP CHECKSUM INCORRECT]");
1185 calc_item = proto_tree_add_uint(checksum_tree, &hfi_udp_checksum_calculated,
1186 tvb, offset + 6, 2, in_cksum_shouldbe(udph->uh_sum, computed_cksum));
1187 } else {
1188 calc_item = proto_tree_add_uint(checksum_tree, &hfi_udp_checksum_calculated,
1189 tvb, offset + 6, 2, udph->uh_sum);
1190 }
1191 proto_item_set_generated(calc_item);
1192
1193 } else {
1194 proto_tree_add_checksum(udp_tree, tvb, offset + 6, &hfi_udp_checksum, hfi_udp_checksum_status.id, &ei_udp_checksum_bad, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
1195 }
1196 } else {
1197 proto_tree_add_checksum(udp_tree, tvb, offset + 6, &hfi_udp_checksum, hfi_udp_checksum_status.id, &ei_udp_checksum_bad, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
1198 }
1199
1200 /* Skip over header */
1201 offset += 8;
1202
1203 pinfo->ptype = PT_UDP;
1204 pinfo->srcport = udph->uh_sport;
1205 pinfo->destport = udph->uh_dport;
1206
1207 /* find(or create if needed) the conversation for this udp session */
1208 conv = find_or_create_conversation(pinfo);
1209 udpd = get_udp_conversation_data(conv, pinfo);
1210 if (udpd) {
1211 item = proto_tree_add_uint(udp_tree, &hfi_udp_stream, tvb, offset, 0, udpd->stream);
1212 proto_item_set_generated(item);
1213
1214 /* Copy the stream index into the header as well to make it available
1215 * to tap listeners.
1216 */
1217 udph->uh_stream = udpd->stream;
1218 }
1219
1220 tap_queue_packet(udp_tap, pinfo, udph);
1221
1222 if (udpd && ((udpd->fwd && udpd->fwd->command) || (udpd->rev && udpd->rev->command))) {
1223 process_tree = proto_tree_add_subtree(udp_tree, tvb, offset, 0, ett_udp_process_info, &ti, "Process Information");
1224 proto_item_set_generated(ti);
1225 if (udpd->fwd && udpd->fwd->command) {
1226 proto_tree_add_uint(process_tree, &hfi_udp_proc_dst_uid, tvb, 0, 0, udpd->fwd->process_uid);
1227 proto_tree_add_uint(process_tree, &hfi_udp_proc_dst_pid, tvb, 0, 0, udpd->fwd->process_pid);
1228 proto_tree_add_string(process_tree, &hfi_udp_proc_dst_uname, tvb, 0, 0, udpd->fwd->username);
1229 proto_tree_add_string(process_tree, &hfi_udp_proc_dst_cmd, tvb, 0, 0, udpd->fwd->command);
1230 }
1231 if (udpd->rev->command) {
1232 proto_tree_add_uint(process_tree, &hfi_udp_proc_src_uid, tvb, 0, 0, udpd->rev->process_uid);
1233 proto_tree_add_uint(process_tree, &hfi_udp_proc_src_pid, tvb, 0, 0, udpd->rev->process_pid);
1234 proto_tree_add_string(process_tree, &hfi_udp_proc_src_uname, tvb, 0, 0, udpd->rev->username);
1235 proto_tree_add_string(process_tree, &hfi_udp_proc_src_cmd, tvb, 0, 0, udpd->rev->command);
1236 }
1237 }
1238
1239 if (udph->uh_ulen == 8) {
1240 /* Empty UDP payload, nothing left to do. */
1241 return;
1242 }
1243
1244 /* Do we need to calculate timestamps relative to the udp-stream? */
1245 /* Different boolean preferences have to be checked. */
1246 /* If the protocol is UDP then the UDP preference */
1247 if (!pinfo->flags.in_error_pkt &&
1248 ((ip_proto == IP_PROTO_UDP && udp_calculate_ts)
1249 /* Otherwise the UDP-Lite preference */
1250 || (ip_proto == IP_PROTO_UDPLITE && udplite_calculate_ts))) {
1251 udp_handle_timestamps(pinfo, tvb, udp_tree, udpd, ip_proto);
1252 }
1253
1254 /*
1255 * Call sub-dissectors.
1256 *
1257 * XXX - should we do this if this is included in an error packet?
1258 * It might be nice to see the details of the packet that caused the
1259 * ICMP error, but it might not be nice to have the dissector update
1260 * state based on it.
1261 * Also, we probably don't want to run UDP taps on those packets.
1262 *
1263 * We definitely don't want to do it for an error packet if there's
1264 * nothing left in the packet.
1265 */
1266 if (!pinfo->flags.in_error_pkt || (tvb_captured_length_remaining(tvb, offset) > 0))
1267 decode_udp_ports(tvb, offset, pinfo, udp_tree, udph->uh_sport, udph->uh_dport, udph->uh_ulen);
1268 }
1269
1270 static int
dissect_udp(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1271 dissect_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1272 {
1273 dissect(tvb, pinfo, tree, IP_PROTO_UDP);
1274 return tvb_captured_length(tvb);
1275 }
1276
1277 static int
dissect_udplite(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1278 dissect_udplite(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1279 {
1280 dissect(tvb, pinfo, tree, IP_PROTO_UDPLITE);
1281 return tvb_captured_length(tvb);
1282 }
1283
1284 static void
udp_init(void)1285 udp_init(void)
1286 {
1287 udp_stream_count = 0;
1288 }
1289
1290 void
proto_register_udp(void)1291 proto_register_udp(void)
1292 {
1293 module_t *udp_module;
1294 module_t *udplite_module;
1295 expert_module_t* expert_udp;
1296
1297 #ifndef HAVE_HFI_SECTION_INIT
1298 static header_field_info *hfi[] = {
1299 &hfi_udp_srcport,
1300 &hfi_udp_dstport,
1301 &hfi_udp_port,
1302 &hfi_udp_stream,
1303 &hfi_udp_length,
1304 &hfi_udp_checksum,
1305 &hfi_udp_checksum_calculated,
1306 &hfi_udp_checksum_status,
1307 &hfi_udp_proc_src_uid,
1308 &hfi_udp_proc_src_pid,
1309 &hfi_udp_proc_src_uname,
1310 &hfi_udp_proc_src_cmd,
1311 &hfi_udp_proc_dst_uid,
1312 &hfi_udp_proc_dst_pid,
1313 &hfi_udp_proc_dst_uname,
1314 &hfi_udp_proc_dst_cmd,
1315 &hfi_udp_pdu_size,
1316 &hfi_udp_ts_relative,
1317 &hfi_udp_ts_delta,
1318 &hfi_udp_payload
1319 };
1320
1321 static header_field_info *hfi_lite[] = {
1322 &hfi_udplite_checksum_coverage,
1323 };
1324 #endif
1325
1326 static gint *ett[] = {
1327 &ett_udp,
1328 &ett_udp_checksum,
1329 &ett_udp_process_info,
1330 &ett_udp_timestamps
1331 };
1332
1333 static ei_register_info ei[] = {
1334 { &ei_udp_possible_traceroute, { "udp.possible_traceroute", PI_SEQUENCE, PI_CHAT, "Possible traceroute", EXPFILL }},
1335 { &ei_udp_length_bad, { "udp.length.bad", PI_MALFORMED, PI_ERROR, "Bad length value", EXPFILL }},
1336 { &ei_udplite_checksum_coverage_bad, { "udplite.checksum_coverage.bad", PI_MALFORMED, PI_ERROR, "Bad checksum coverage length value", EXPFILL }},
1337 { &ei_udp_checksum_zero, { "udp.checksum.zero", PI_CHECKSUM, PI_ERROR, "Illegal checksum value (0)", EXPFILL }},
1338 { &ei_udp_checksum_bad, { "udp.checksum.bad", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
1339 { &ei_udp_length_bad_zero, { "udp.length.bad_zero", PI_PROTOCOL, PI_WARN, "Length is zero but payload < 65536", EXPFILL }},
1340 };
1341
1342 static build_valid_func udp_da_src_values[1] = {udp_src_value};
1343 static build_valid_func udp_da_dst_values[1] = {udp_dst_value};
1344 static build_valid_func udp_da_both_values[2] = {udp_src_value, udp_dst_value};
1345 static decode_as_value_t udp_da_values[3] = {{udp_src_prompt, 1, udp_da_src_values}, {udp_dst_prompt, 1, udp_da_dst_values}, {udp_both_prompt, 2, udp_da_both_values}};
1346 static decode_as_t udp_da = {"udp", "udp.port", 3, 2, udp_da_values, "UDP", "port(s) as",
1347 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
1348
1349 int proto_udp, proto_udplite;
1350
1351 proto_udp = proto_register_protocol("User Datagram Protocol",
1352 "UDP", "udp");
1353 hfi_udp = proto_registrar_get_nth(proto_udp);
1354 udp_handle = register_dissector("udp", dissect_udp, proto_udp);
1355 expert_udp = expert_register_protocol(proto_udp);
1356 proto_register_fields(proto_udp, hfi, array_length(hfi));
1357
1358 proto_udplite = proto_register_protocol("Lightweight User Datagram Protocol",
1359 "UDP-Lite", "udplite");
1360 udplite_handle = create_dissector_handle(dissect_udplite, proto_udplite);
1361 hfi_udplite = proto_registrar_get_nth(proto_udplite);
1362 proto_register_fields(proto_udplite, hfi_lite, array_length(hfi_lite));
1363
1364 proto_register_subtree_array(ett, array_length(ett));
1365 expert_register_field_array(expert_udp, ei, array_length(ei));
1366
1367 /* subdissector code */
1368 udp_dissector_table = register_dissector_table("udp.port",
1369 "UDP port", proto_udp, FT_UINT16, BASE_DEC);
1370 heur_subdissector_list = register_heur_dissector_list("udp", proto_udp);
1371
1372 register_capture_dissector_table("udp.port", "UDP");
1373
1374 /* Register configuration preferences */
1375 udp_module = prefs_register_protocol(proto_udp, NULL);
1376 prefs_register_bool_preference(udp_module, "summary_in_tree",
1377 "Show UDP summary in protocol tree",
1378 "Whether the UDP summary line should be shown in the protocol tree",
1379 &udp_summary_in_tree);
1380 prefs_register_bool_preference(udp_module, "try_heuristic_first",
1381 "Try heuristic sub-dissectors first",
1382 "Try to decode a packet using an heuristic sub-dissector"
1383 " before using a sub-dissector registered to a specific port",
1384 &try_heuristic_first);
1385 prefs_register_bool_preference(udp_module, "check_checksum",
1386 "Validate the UDP checksum if possible",
1387 "Whether to validate the UDP checksum",
1388 &udp_check_checksum);
1389 prefs_register_bool_preference(udp_module, "ignore_ipv6_zero_checksum",
1390 "Ignore zero-value UDP checksums over IPv6",
1391 "Whether to ignore zero-value UDP checksums over IPv6",
1392 &udp_ignore_ipv6_zero_checksum);
1393 prefs_register_bool_preference(udp_module, "process_info",
1394 "Collect process flow information",
1395 "Collect process flow information from IPFIX",
1396 &udp_process_info);
1397 prefs_register_bool_preference(udp_module, "calculate_timestamps",
1398 "Calculate conversation timestamps",
1399 "Calculate timestamps relative to the first frame and the previous frame in the udp conversation",
1400 &udp_calculate_ts);
1401
1402 udplite_module = prefs_register_protocol(proto_udplite, NULL);
1403 prefs_register_bool_preference(udplite_module, "ignore_checksum_coverage",
1404 "Ignore UDP-Lite checksum coverage",
1405 "Ignore an invalid checksum coverage field and continue dissection",
1406 &udplite_ignore_checksum_coverage);
1407 prefs_register_bool_preference(udplite_module, "check_checksum",
1408 "Validate the UDP-Lite checksum if possible",
1409 "Whether to validate the UDP-Lite checksum",
1410 &udplite_check_checksum);
1411 prefs_register_bool_preference(udplite_module, "calculate_timestamps",
1412 "Calculate conversation timestamps",
1413 "Calculate timestamps relative to the first frame and the previous frame in the udp-lite conversation",
1414 &udplite_calculate_ts);
1415
1416 register_decode_as(&udp_da);
1417 register_conversation_table(proto_udp, FALSE, udpip_conversation_packet, udpip_hostlist_packet);
1418 register_conversation_filter("udp", "UDP", udp_filter_valid, udp_build_filter);
1419 register_follow_stream(proto_udp, "udp_follow", udp_follow_conv_filter, udp_follow_index_filter, udp_follow_address_filter,
1420 udp_port_to_display, follow_tvb_tap_listener);
1421
1422 register_init_routine(udp_init);
1423
1424 }
1425
1426 void
proto_reg_handoff_udp(void)1427 proto_reg_handoff_udp(void)
1428 {
1429 capture_dissector_handle_t udp_cap_handle;
1430
1431 dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_handle);
1432 dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udplite_handle);
1433
1434 udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udp->id);
1435 capture_dissector_add_uint("ip.proto", IP_PROTO_UDP, udp_cap_handle);
1436 udp_cap_handle = create_capture_dissector_handle(capture_udp, hfi_udplite->id);
1437 capture_dissector_add_uint("ip.proto", IP_PROTO_UDPLITE, udp_cap_handle);
1438
1439 udp_tap = register_tap("udp");
1440 udp_follow_tap = register_tap("udp_follow");
1441 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_4);
1442 }
1443
1444 /*
1445 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1446 *
1447 * Local variables:
1448 * c-basic-offset: 2
1449 * tab-width: 8
1450 * indent-tabs-mode: nil
1451 * End:
1452 *
1453 * vi: set shiftwidth=2 tabstop=8 expandtab:
1454 * :indentSize=2:tabSize=8:noTabs=true:
1455 */
1456