Wireshark 4.5.0
The Wireshark network protocol analyzer
Loading...
Searching...
No Matches
packet-tcp.h
1/* packet-tcp.h
2 *
3 * Wireshark - Network traffic analyzer
4 * By Gerald Combs <[email protected]>
5 * Copyright 1998 Gerald Combs
6 *
7 * SPDX-License-Identifier: GPL-2.0-or-later
8 */
9
10#ifndef __PACKET_TCP_H__
11#define __PACKET_TCP_H__
12
13#include "ws_symbol_export.h"
14
15#include <epan/conversation.h>
16#include <epan/reassemble.h>
17#include <epan/wmem_scopes.h>
18
19#ifdef __cplusplus
20extern "C" {
21#endif /* __cplusplus */
22
23/* TCP flags */
24#define TH_FIN 0x0001
25#define TH_SYN 0x0002
26#define TH_RST 0x0004
27#define TH_PUSH 0x0008
28#define TH_ACK 0x0010
29#define TH_URG 0x0020
30#define TH_ECE 0x0040
31#define TH_CWR 0x0080
32#define TH_AE 0x0100
33#define TH_RES 0x0E00 /* 3 reserved bits */
34#define TH_MASK 0x0FFF
35
36#define IS_TH_FIN(x) (x & TH_FIN)
37#define IS_TH_URG(x) (x & TH_URG)
38
39/* Idea for gt: either x > y, or y is much bigger (assume wrap) */
40#define GT_SEQ(x, y) ((int32_t)((y) - (x)) < 0)
41#define LT_SEQ(x, y) ((int32_t)((x) - (y)) < 0)
42#define GE_SEQ(x, y) ((int32_t)((y) - (x)) <= 0)
43#define LE_SEQ(x, y) ((int32_t)((x) - (y)) <= 0)
44#define EQ_SEQ(x, y) (x) == (y)
45
46/* mh as in mptcp header */
48
49 bool mh_mpc; /* true if seen an mp_capable option */
50 bool mh_join; /* true if seen an mp_join option */
51 bool mh_dss; /* true if seen a dss */
52 bool mh_add; /* true if seen an MP_ADD */
53 bool mh_remove; /* true if seen an MP_REMOVE */
54 bool mh_prio; /* true if seen an MP_PRIO */
55 bool mh_fail; /* true if seen an MP_FAIL */
56 bool mh_fastclose; /* true if seen a fastclose */
57 bool mh_tcprst; /* true if seen a MP_TCPRST */
58
59 uint8_t mh_capable_flags; /* to get hmac version for instance */
60 uint8_t mh_dss_flags; /* data sequence signal flag */
61 uint32_t mh_dss_ssn; /* DSS Subflow Sequence Number */
62 uint64_t mh_dss_rawdsn; /* DSS Data Sequence Number */
63 uint64_t mh_dss_rawack; /* DSS raw data ack */
64 uint16_t mh_dss_length; /* mapping/DSS length */
65
66 uint64_t mh_key; /* Sender key in MP_CAPABLE */
67 uint32_t mh_token; /* seen in MP_JOIN. Should be a hash of the initial key */
68
69 uint32_t mh_stream; /* this stream index field is included to help differentiate when address/port pairs are reused */
70
71 /* Data Sequence Number of the current segment. It needs to be computed from previous mappings
72 * and as such is not necessarily set
73 */
74 uint64_t mh_rawdsn64;
75 /* DSN formatted according to the wireshark MPTCP options */
76 uint64_t mh_dsn;
77};
78
79/* the tcp header structure, passed to tap listeners */
80typedef struct tcpheader {
81 uint32_t th_rawseq; /* raw value */
82 uint32_t th_seq; /* raw or relative value depending on tcp_relative_seq */
83
84 uint32_t th_rawack; /* raw value */
85 uint32_t th_ack; /* raw or relative value depending on tcp_relative_seq */
86 bool th_have_seglen; /* true if th_seglen is valid */
87 uint32_t th_seglen; /* in bytes */
88 uint32_t th_win; /* make it 32 bits so we can handle some scaling */
89 uint16_t th_sport;
90 uint16_t th_dport;
91 uint8_t th_hlen;
92 bool th_use_ace;
93 uint16_t th_flags;
94 uint32_t th_stream; /* this stream index field is included to help differentiate when address/port pairs are reused */
95 address ip_src;
96 address ip_dst;
97
98 /* This is the absolute maximum we could find in TCP options (RFC2018, section 3) */
99 #define MAX_TCP_SACK_RANGES 4
100 uint8_t num_sack_ranges;
101 uint32_t sack_left_edge[MAX_TCP_SACK_RANGES];
102 uint32_t sack_right_edge[MAX_TCP_SACK_RANGES];
103
104 /* header for TCP option Multipath Operation */
105 struct mptcpheader *th_mptcp;
106} tcp_info_t;
107
108/*
109 * Private data passed from the TCP dissector to subdissectors.
110 * NOTE: This structure is used by Export PDU functionality so
111 * make sure that handling is also updated if this structure
112 * changes!
113 */
114struct tcpinfo {
115 uint32_t seq; /* Sequence number of first byte in the data */
116 uint32_t nxtseq; /* Sequence number of first byte after data */
117 uint32_t lastackseq; /* Sequence number of last ack */
118 bool is_reassembled; /* This is reassembled data. */
119 uint16_t flags; /* TCP flags */
120 uint16_t urgent_pointer; /* Urgent pointer value for the current packet. */
121 uint32_t stream; /* Stream id passed to export PDU */
122};
123
124/*
125 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
126 * consists of a fixed-length chunk of data that contains enough information
127 * to determine the length of the PDU, followed by rest of the PDU.
128 *
129 * The first three arguments are the arguments passed to the dissector
130 * that calls this routine.
131 *
132 * "proto_desegment" is the dissector's flag controlling whether it should
133 * desegment PDUs that cross TCP segment boundaries.
134 *
135 * "fixed_len" is the length of the fixed-length part of the PDU.
136 *
137 * "get_pdu_len()" is a routine called to get the length of the PDU from
138 * the fixed-length part of the PDU; it's passed "pinfo", "tvb", "offset" and
139 * "dissector_data".
140 *
141 * "dissect_pdu()" is the routine to dissect a PDU.
142 */
143WS_DLL_PUBLIC void
144tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
145 bool proto_desegment, unsigned fixed_len,
146 unsigned (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
147 dissector_t dissect_pdu, void* dissector_data);
148
150tcp_reassembly_table_functions;
151
152extern struct tcp_multisegment_pdu *
153pdu_store_sequencenumber_of_next_pdu(packet_info *pinfo, uint32_t seq, uint32_t nxtpdu, wmem_tree_t *multisegment_pdus);
154
155typedef struct _tcp_unacked_t {
156 struct _tcp_unacked_t *next;
157 uint32_t frame;
158 uint32_t seq;
159 uint32_t nextseq;
160 nstime_t ts;
162
163struct tcp_acked {
164 uint32_t frame_acked;
165 nstime_t ts;
166
167 uint32_t rto_frame;
168 nstime_t rto_ts; /* Time since previous packet for
169 retransmissions. */
170 uint16_t flags; /* see TCP_A_* in packet-tcp.c */
171 uint32_t dupack_num; /* dup ack number */
172 uint32_t dupack_frame; /* dup ack to frame # */
173 uint32_t bytes_in_flight; /* number of bytes in flight */
174 uint32_t push_bytes_sent; /* bytes since the last PSH flag */
175
176 uint32_t new_data_seq; /* For segments with old data,
177 where new data starts */
178 bool partial_ack; /* true when acknowledging data
179 and not a full segment */
180};
181
182/* One instance of this structure is created for each pdu that spans across
183 * multiple tcp segments.
184 */
186 uint32_t seq;
187 uint32_t nxtpdu;
188 uint32_t first_frame; /* The frame where this MSP was created (used as key in reassembly tables). */
189 uint32_t last_frame;
190 nstime_t last_frame_time;
191 uint32_t first_frame_with_seq; /* The frame that contains the first frame that matches 'seq'
192 (same as 'first_frame', larger than 'first_frame' for OoO segments) */
193 uint32_t flags;
194#define MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT 0x00000001
195/* Whether this MSP is finished and no more segments can be added. */
196#define MSP_FLAGS_GOT_ALL_SEGMENTS 0x00000002
197/* Whether the first segment of this MSP was not yet seen. */
198#define MSP_FLAGS_MISSING_FIRST_SEGMENT 0x00000004
199};
200
201
202/* Represents the MPTCP DSS option mapping part
203 It allows to map relative subflow sequence number (ssn) to global MPTCP sequence numbers
204 under their 64 bits form
205*/
206typedef struct _mptcp_dss_mapping_t {
207
208/* In DSS, SSN are enumerated with relative seq_nb, i.e. starting from 0 */
209
210 uint32_t ssn_low;
211 uint32_t ssn_high;
212
213/* Ideally the dsn should always be registered with the extended version
214 * but it may not be possible if we don't know the 32 MSB of the base_dsn
215 */
216 bool extended_dsn; /* true if MPTCP_DSS_FLAG_DATA_8BYTES */
217
218 uint64_t rawdsn; /* matches the low member of range
219 should be converted to the 64 bits version before being registered
220 */
221/* to check if mapping was sent before or after packet */
222uint32_t frame;
224
225
226/* Structure used in mptcp meta member 'dsn_map'
227 */
229 uint32_t frame; /* packet to look into PINFO_FD_NUM */
230 struct tcp_analysis* subflow; /* in order to get statistics */
232
233
234/* Should basically look like a_tcp_flow_t but for mptcp with 64bit sequence number.
235The meta is specific to a direction of the communication and aggregates information of
236all the subflows
237*/
238typedef struct _mptcp_meta_flow_t {
239
240 uint8_t static_flags; /* remember which fields are set */
241
242 /* flags exchanged between hosts during 3WHS. Gives checksum/extensibility/hmac information */
243 uint8_t flags;
244 uint64_t base_dsn; /* first data seq number (used by relative sequence numbers) seen. */
245 uint64_t nextseq; /* highest seen nextseq */
246 uint64_t dfin; /* data fin */
247
248 uint8_t version; /* negotiated mptcp version */
249
250 uint64_t key; /* if it was set */
251
252 /* expected token sha1 digest of keys, truncated to 32 most significant bits
253 derived from key. Stored to speed up subflow/MPTCP connection mapping */
254 uint32_t token;
255
256 uint32_t nextseqframe; /* frame number for segment with highest sequence number */
257
258 /* highest seen continuous seq number (without hole in the stream) */
259 uint64_t maxseqtobeacked;
260
261 uint64_t fin; /* frame number of the final dataFIN */
262
263 /* first addresses registered */
264 address ip_src;
265 address ip_dst;
266 uint32_t sport;
267 uint32_t dport;
269
270/* MPTCP data specific to this subflow direction */
272 uint8_t static_flags; /* flags stating which of the flow */
273 uint32_t nonce; /* used only for MP_JOIN */
274 uint8_t address_id; /* sent during an MP_JOIN */
275
276
277 /* map DSN to packets
278 * Used when looking for reinjections across subflows
279 */
280 wmem_itree_t *dsn2packet_map;
281
282 /* Map SSN to a DSS mappings
283 * a DSS can map DSN to SSNs possibily over several packets,
284 * hence some packets may have been mapped by previous DSS,
285 * whence the necessity to be able to look for SSN -> DSN */
286 wmem_itree_t *ssn2dsn_mappings;
287 /* meta flow to which it is attached. Helps setting forward and backward meta flow */
288 mptcp_meta_flow_t *meta;
289};
290
291
292typedef enum {
293 MPTCP_HMAC_NOT_SET = 0,
294 /* this is either SHA1 for MPTCP v0 or sha256 for MPTCP v1 */
295 MPTCP_HMAC_SHA = 1,
296 MPTCP_HMAC_LAST
297} mptcp_hmac_algorithm_t;
298
299
300#define MPTCP_CAPABLE_CRYPTO_MASK 0x3F
301
302#define MPTCP_CHECKSUM_MASK 0x80
303
304/* Information in a flow that is only used when tcp_analyze_seq preference
305 * is enabled, so save the memory when it isn't
306 */
308 tcp_unacked_t *segments;/* List of segments for which we haven't seen an ACK */
309 uint16_t segment_count; /* How many unacked segments we're currently storing */
310 uint32_t lastack; /* Last seen ack for the reverse flow */
311 nstime_t lastacktime; /* Time of the last ack packet */
312 uint32_t lastnondupack; /* frame number of last seen non dupack */
313 uint32_t dupacknum; /* dupack number */
314 uint32_t nextseq; /* highest seen nextseq */
315 uint32_t maxseqtobeacked;/* highest seen continuous seq number (without hole in the stream) from the fwd party,
316 * this is the maximum seq number that can be acked by the rev party in normal case.
317 * If the rev party sends an ACK beyond this seq number it indicates TCP_A_ACK_LOST_PACKET condition */
318 uint32_t nextseqframe; /* frame number for segment with highest
319 * sequence number
320 */
321 nstime_t nextseqtime; /* Time of the nextseq packet so we can
322 * distinguish between retransmission,
323 * fast retransmissions and outoforder
324 */
325
326 uint8_t lastacklen; /* length of the last fwd ACK packet - 0 means pure ACK */
327
328 /*
329 * Handling of SACK blocks
330 * Copied from tcpheader
331 */
332 uint8_t num_sack_ranges;
333 uint32_t sack_left_edge[MAX_TCP_SACK_RANGES];
334 uint32_t sack_right_edge[MAX_TCP_SACK_RANGES];
335
337
338 /* Process info, currently discovered via IPFIX */
339typedef struct tcp_process_info_t {
340 uint32_t process_uid; /* UID of local process */
341 uint32_t process_pid; /* PID of local process */
342 char *username; /* Username of the local process */
343 char *command; /* Local process name + path + args */
344
346
347typedef struct _tcp_flow_t {
348 uint8_t static_flags; /* true if base seq set */
349 uint32_t base_seq; /* base seq number (used by relative sequence numbers)*/
350#define TCP_MAX_UNACKED_SEGMENTS 10000 /* The most unacked segments we'll store */
351 uint32_t fin; /* frame number of the final FIN */
352 uint32_t window; /* last seen window */
353 int16_t win_scale; /* -1 is we don't know, -2 is window scaling is not used */
354 bool scps_capable; /* flow advertised scps capabilities */
355 uint16_t maxsizeacked; /* 0 if not yet known */
356 bool valid_bif; /* if lost pkts, disable BiF until ACK is recvd */
357 uint32_t push_bytes_sent; /* bytes since the last PSH flag */
358 bool push_set_last; /* tracking last time PSH flag was set */
359 uint8_t mp_operations; /* tracking of the MPTCP operations */
360 bool is_first_ack; /* indicates if this is the first ACK */
361 bool closing_initiator; /* tracking who is responsible of the connection end */
362
363 tcp_analyze_seq_flow_info_t* tcp_analyze_seq_info;
364
365/* This tcp flow/session contains only one single PDU and should
366 * be reassembled until the final FIN segment.
367 */
368#define TCP_FLOW_REASSEMBLE_UNTIL_FIN 0x0001
369 uint16_t flags;
370
371 /* see TCP_A_* in packet-tcp.c */
372 uint32_t lastsegmentflags;
373
374 /* The next (largest) sequence number after all segments seen so far.
375 * Valid only on the first pass and used to handle out-of-order segments
376 * during reassembly. */
377 uint32_t maxnextseq;
378
379 /* The number of data flows seen in that direction */
380 uint16_t flow_count;
381
382 /* This tree is indexed by sequence number and keeps track of all
383 * all pdus spanning multiple segments for this flow.
384 */
385 wmem_tree_t *multisegment_pdus;
386
387 /* A sorted list of pending out-of-order segments. */
388 wmem_list_t *ooo_segments;
389
390 /* Process info, currently discovered via IPFIX */
391 tcp_process_info_t* process_info;
392
393 /* MPTCP subflow intel */
395} tcp_flow_t;
396
397/* Stores common information between both hosts of the MPTCP connection*/
399
400 uint16_t mp_flags; /* MPTCP meta analysis related, see MPTCP_META_* in packet-tcp.c */
401
402 /*
403 * For other subflows, they link the meta via mptcp_subflow_t::meta_flow
404 * according to the validity of the token.
405 */
406 mptcp_meta_flow_t meta_flow[2];
407
408 uint32_t stream; /* Keep track of unique mptcp stream (per MP_CAPABLE handshake) */
409 uint8_t hmac_algo; /* hmac decided after negotiation */
410 wmem_list_t* subflows; /* List of subflows (tcp_analysis) */
411
412 /* identifier of the tcp stream that saw the initial 3WHS with MP_CAPABLE option */
413 struct tcp_analysis *master;
414
415 /* Keep track of the last TCP operations seen in order to avoid false DUP ACKs */
416 uint8_t mp_operations;
417};
418
420 /* These two structs are managed based on comparing the source
421 * and destination addresses and, if they're equal, comparing
422 * the source and destination ports.
423 *
424 * If the source is greater than the destination, then stuff
425 * sent from src is in ual1.
426 *
427 * If the source is less than the destination, then stuff
428 * sent from src is in ual2.
429 *
430 * XXX - if the addresses and ports are equal, we don't guarantee
431 * the behavior.
432 */
433 tcp_flow_t flow1;
434 tcp_flow_t flow2;
435
436 /* These pointers are set by get_tcp_conversation_data()
437 * fwd point in the same direction as the current packet
438 * and rev in the reverse direction
439 */
440 tcp_flow_t *fwd;
441 tcp_flow_t *rev;
442
443 /* This pointer is NULL or points to a tcp_acked struct if this
444 * packet has "interesting" properties such as being a KeepAlive or
445 * similar
446 */
447 struct tcp_acked *ta;
448 /* This structure contains a tree containing all the various ta's
449 * keyed by frame number.
450 */
451 wmem_tree_t *acked_table;
452
453 /* Remember the timestamp of the first frame seen in this tcp
454 * conversation to be able to calculate a relative time compared
455 * to the start of this conversation
456 */
457 nstime_t ts_first;
458
459 /* Remember the timestamp of the most recent SYN in this conversation in
460 * order to calculate the first_rtt below. Not necessarily ts_first, if
461 * the SYN is retransmitted. */
462 nstime_t ts_mru_syn;
463
464 /* If we have the handshake, remember the RTT between the initial SYN
465 * and ACK for use detecting out-of-order segments. */
466 nstime_t ts_first_rtt;
467
468 /* Remember the timestamp of the frame that was last seen in this
469 * tcp conversation to be able to calculate a delta time compared
470 * to previous frame in this conversation
471 */
472 nstime_t ts_prev;
473
474 /* Keep track of tcp stream numbers instead of using the conversation
475 * index (as how it was done before). This prevents gaps in the
476 * stream index numbering
477 */
478 uint32_t stream;
479
480 /* Keep track of packet number within the TCP stream */
481 uint32_t pnum;
482
483 /* Remembers the server port on the SYN (or SYN|ACK) packet to
484 * help determine which dissector to call
485 */
486 uint16_t server_port;
487 /* Set when the client sends a SYN with data and the cookie in the Fast Open
488 * option.
489 */
490 bool tfo_syn_data;
491
492 /* Remembers which side is currently sending data. */
493 int8_t flow_direction : 2;
494
495 /* allocated only when mptcp enabled
496 * several tcp_analysis may refer to the same mptcp_analysis
497 * can exist without any meta
498 */
500
501 /* Track the TCP conversation completeness, as the capture might
502 * contain all parts of a TCP flow (establishment, data, clearing) or
503 * just some parts if we jumped on the bandwagon of an already established
504 * connection or left before it was terminated explicitly
505 */
506 uint8_t conversation_completeness;
507
508 /* Stores the value as a String to be displayed in the appropriate field */
509 char *conversation_completeness_str;
510
511 /* Track AccECN support */
512 bool had_acc_ecn_setup_syn;
513 bool had_acc_ecn_setup_syn_ack;
514 bool had_acc_ecn_option;
515};
516
517/* Structure that keeps per packet data. First used to be able
518 * to calculate the time_delta from the last seen frame in this
519 * TCP conversation. Can be extended for future use.
520 */
522 nstime_t ts_del;
523 uint32_t pnum;
524 uint8_t tcp_snd_manual_analysis;
525};
526
527/* Structure that keeps per packet data. Some operations are cpu-intensive and are
528 * best cached into this structure
529 */
531
532 /* Mapping that covers this packet content */
533 mptcp_dss_mapping_t *mapping;
534
536
537
538WS_DLL_PUBLIC void dissect_tcp_payload(tvbuff_t *tvb, packet_info *pinfo, int offset,
539 uint32_t seq, uint32_t nxtseq, uint32_t sport,
540 uint32_t dport, proto_tree *tree,
541 proto_tree *tcp_tree,
542 struct tcp_analysis *tcpd, struct tcpinfo *tcpinfo);
543
544WS_DLL_PUBLIC struct tcp_analysis *get_tcp_conversation_data(conversation_t *conv,
545 packet_info *pinfo);
546
551WS_DLL_PUBLIC struct tcp_analysis *get_tcp_conversation_data_idempotent(conversation_t *conv);
552
553WS_DLL_PUBLIC bool decode_tcp_ports(tvbuff_t *, int, packet_info *, proto_tree *, int, int, struct tcp_analysis *, struct tcpinfo *);
554
567extern void add_tcp_process_info(uint32_t frame_num, address *local_addr, address *remote_addr, uint16_t local_port, uint16_t remote_port, uint32_t uid, uint32_t pid, char *username, char *command);
568
573WS_DLL_PUBLIC uint32_t get_tcp_stream_count(void);
574
579WS_DLL_PUBLIC uint32_t get_mptcp_stream_count(void);
580
581/* Follow Stream functionality shared with HTTP (and SSL?) */
582extern char *tcp_follow_conv_filter(epan_dissect_t *edt, packet_info *pinfo, unsigned *stream, unsigned *sub_stream);
583extern char *tcp_follow_index_filter(unsigned stream, unsigned sub_stream);
584extern char *tcp_follow_address_filter(address *src_addr, address *dst_addr, int src_port, int dst_port);
585
586#ifdef __cplusplus
587}
588#endif /* __cplusplus */
589
590#endif
Definition address.h:56
Definition packet-tcp.h:228
Definition packet-tcp.h:206
Definition packet-tcp.h:238
Definition packet_info.h:43
Definition proto.h:903
Definition packet-tcp.h:347
Definition packet-tcp.h:155
Definition wmem_list.c:23
Definition wmem_tree-int.h:48
Definition conversation.h:223
Definition epan_dissect.h:28
Definition packet-tcp.h:398
Definition packet-tcp.h:530
Definition packet-tcp.h:271
Definition packet-tcp.h:47
Definition nstime.h:26
Definition reassemble.h:149
Definition stream.c:41
Definition packet-tcp.h:163
Definition packet-tcp.h:419
Definition packet-tcp.h:307
Definition packet-tcp.h:185
Definition packet-tcp.h:521
Definition packet-tcp.h:339
Definition packet-tcp.h:80
Definition packet-tcp.h:114
Definition tvbuff-int.h:35