diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/packet-ipsec-tcp.c | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/packet-ipsec-tcp.c')
-rw-r--r-- | epan/dissectors/packet-ipsec-tcp.c | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ipsec-tcp.c b/epan/dissectors/packet-ipsec-tcp.c new file mode 100644 index 00000000..82f834de --- /dev/null +++ b/epan/dissectors/packet-ipsec-tcp.c @@ -0,0 +1,242 @@ +/* + * Routines for the disassembly of the proprietary Cisco IPSEC in + * TCP encapsulation protocol + * + * Copyright 2007 Joerg Mayer (see AUTHORS file) + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +/* TODO: + * - Find out the meaning of the (unknown) trailer + * - UDP checksum is wrong + * - Currently doesn't handle AH (lack of sample trace) + */ + +#include "config.h" + +#include <epan/packet.h> +#include "packet-ndmp.h" + +void proto_register_tcpencap(void); +void proto_reg_handoff_tcpencap(void); + +static dissector_handle_t tcpencap_handle; + +static int hf_tcpencap_unknown = -1; +static int hf_tcpencap_zero = -1; +static int hf_tcpencap_seq = -1; +static int hf_tcpencap_ike_direction = -1; +static int hf_tcpencap_esp_zero = -1; +static int hf_tcpencap_magic = -1; +static int hf_tcpencap_proto = -1; +static int hf_tcpencap_magic2 = -1; + +static int proto_tcpencap = -1; +static gint ett_tcpencap = -1; +static gint ett_tcpencap_unknown = -1; + +static const value_string tcpencap_ikedir_vals[] = { + { 0x0000, "Server to client" }, + { 0x4000, "Client to server" }, + + { 0, NULL } +}; + +static const value_string tcpencap_proto_vals[] = { + { 0x11, "ISAKMP" }, + { 0x32, "ESP" }, + + { 0, NULL } +}; + +#define TRAILERLENGTH 16 +#define TCP_CISCO_IPSEC 10000 + +static dissector_handle_t esp_handle; +static dissector_handle_t udp_handle; + +#define TCP_ENCAP_P_ESP 1 +#define TCP_ENCAP_P_UDP 2 + + +static int +packet_is_tcpencap(tvbuff_t *tvb, packet_info *pinfo, guint32 offset) +{ + if ( /* Must be zero */ + tvb_get_ntohl(tvb, offset + 0) != 0 || + /* Lower 12 bits must be zero */ + (tvb_get_ntohs(tvb, offset + 6) & 0xfff) != 0 || + /* Protocol must be UDP or ESP */ + (tvb_get_guint8(tvb, offset + 13) != 17 && + tvb_get_guint8(tvb, offset + 13) != 50) + ) { + return FALSE; + } + + if(check_if_ndmp(tvb, pinfo)){ + return FALSE; + } + + return TRUE; +} + +/* + * TCP Encapsulation of IPsec Packets + * as supported by the cisco vpn3000 concentrator series + */ +static int +dissect_tcpencap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + proto_tree *tcpencap_tree = NULL; + proto_tree *tcpencap_unknown_tree = NULL; + + proto_item *tree_item = NULL; + proto_item *unknown_item = NULL; + tvbuff_t *next_tvb; + guint32 reported_length = tvb_reported_length(tvb); + guint32 offset; + guint8 protocol; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "TCPENCAP"); + col_clear(pinfo->cinfo, COL_INFO); + + /* If the first 4 bytes are 0x01f401f4 (udp src and dst port = 500) + we most likely have UDP (isakmp) traffic */ + + if (tvb_get_ntohl(tvb, 0) == 0x01f401f4) { /* UDP means ISAKMP */ + protocol = TCP_ENCAP_P_UDP; + } else { /* Hopefully ESP */ + protocol = TCP_ENCAP_P_ESP; + } + + if (tree) { + tree_item = proto_tree_add_item(tree, proto_tcpencap, tvb, 0, -1, ENC_NA); + tcpencap_tree = proto_item_add_subtree(tree_item, ett_tcpencap); + + /* Dissect the trailer following the encapsulated IPSEC/ISAKMP packet */ + offset = reported_length - TRAILERLENGTH; + unknown_item = proto_tree_add_item(tcpencap_tree, hf_tcpencap_unknown, tvb, + offset, TRAILERLENGTH, ENC_NA); + /* Try to guess the contents of the trailer */ + tcpencap_unknown_tree = proto_item_add_subtree(unknown_item, ett_tcpencap_unknown); + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_zero, tvb, offset + 0, 4, ENC_NA); + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_seq, tvb, offset + 4, 2, ENC_BIG_ENDIAN); + if (protocol == TCP_ENCAP_P_UDP) { + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_ike_direction, tvb, offset + 6, 2, ENC_BIG_ENDIAN); + } else { + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_esp_zero, tvb, offset + 6, 2, ENC_BIG_ENDIAN); + } + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_magic, tvb, offset + 8, 5, ENC_NA); + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_proto, tvb, offset + 13, 1, ENC_BIG_ENDIAN); + proto_tree_add_item(tcpencap_unknown_tree, hf_tcpencap_magic2, tvb, offset + 14, 2, ENC_NA); + } + + /* Create the tvbuffer for the next dissector */ + next_tvb = tvb_new_subset_length_caplen(tvb, 0, reported_length - TRAILERLENGTH , -1); + if (protocol == TCP_ENCAP_P_UDP) { + call_dissector(udp_handle, next_tvb, pinfo, tree); + } else { /* Hopefully ESP */ + call_dissector(esp_handle, next_tvb, pinfo, tree); + } + + return tvb_captured_length(tvb); +} + +static gboolean +dissect_tcpencap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + guint32 reported_length = tvb_reported_length(tvb); + guint32 captured_length = tvb_captured_length(tvb); + + if (reported_length <= TRAILERLENGTH + 8 || + /* Ensure we have enough bytes for packet_is_tcpencap analysis */ + (reported_length - captured_length) > (TRAILERLENGTH - 13) || + !packet_is_tcpencap(tvb, pinfo, reported_length - TRAILERLENGTH) ) { + return FALSE; + } + + dissect_tcpencap(tvb, pinfo, tree, data); + return TRUE; +} + +void +proto_register_tcpencap(void) +{ + static hf_register_info hf[] = { + + { &hf_tcpencap_unknown, + { "Unknown trailer", "tcpencap.unknown", FT_BYTES, BASE_NONE, NULL, + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_zero, + { "All zero", "tcpencap.zero", FT_BYTES, BASE_NONE, NULL, + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_seq, + { "Sequence number", "tcpencap.seq", FT_UINT16, BASE_HEX, NULL, + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_esp_zero, + { "ESP zero", "tcpencap.espzero", FT_UINT16, BASE_HEX, NULL, + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_ike_direction, + { "ISAKMP traffic direction", "tcpencap.ikedirection", FT_UINT16, BASE_HEX, VALS(tcpencap_ikedir_vals), + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_magic, + { "Magic number", "tcpencap.magic", FT_BYTES, BASE_NONE, NULL, + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_proto, + { "Protocol", "tcpencap.proto", FT_UINT8, BASE_HEX, VALS(tcpencap_proto_vals), + 0x0, NULL, HFILL }}, + + { &hf_tcpencap_magic2, + { "Magic 2", "tcpencap.magic2", FT_BYTES, BASE_NONE, NULL, + 0x0, NULL, HFILL }}, + + }; + + static gint *ett[] = { + &ett_tcpencap, + &ett_tcpencap_unknown, + }; + + proto_tcpencap = proto_register_protocol("TCP Encapsulation of IPsec Packets", "TCPENCAP", "tcpencap"); + + proto_register_field_array(proto_tcpencap, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + tcpencap_handle = register_dissector("tcpencap", dissect_tcpencap, proto_tcpencap); +} + +void +proto_reg_handoff_tcpencap(void) +{ + esp_handle = find_dissector_add_dependency("esp", proto_tcpencap); + udp_handle = find_dissector_add_dependency("udp", proto_tcpencap); + + heur_dissector_add("tcp", dissect_tcpencap_heur, "TCP Encapsulation of IPsec Packets", "ipsec_tcp", proto_tcpencap, HEURISTIC_ENABLE); + + /* Register TCP port for dissection */ + dissector_add_for_decode_as_with_preference("tcp.port", tcpencap_handle); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ |