Adding upstream version 4.2.2.upstream/4.2.2

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 1050 insertions, 0 deletions

diff --git a/epan/dissectors/packet-websocket.c b/epan/dissectors/packet-websocket.c
new file mode 100644
index 0000000..ea9c14f
--- /dev/null
+++ b/epan/dissectors/packet-websocket.c
@@ -0,0 +1,1050 @@
+/* packet-websocket.c
+ * Routines for WebSocket dissection
+ * Copyright 2012, Alexis La Goutte <alexis.lagoutte@gmail.com>
+ *           2015, Peter Wu <peter@lekensteyn.nl>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+#include <wsutil/wslog.h>
+
+#include <epan/addr_resolv.h>
+#include <epan/conversation.h>
+#include <epan/follow.h>
+#include <epan/proto_data.h>
+#include <epan/packet.h>
+#include <epan/expert.h>
+#include <epan/prefs.h>
+#include <epan/reassemble.h>
+#include <wsutil/strtoi.h>
+
+#include "packet-http.h"
+#include "packet-tcp.h"
+
+#ifdef HAVE_ZLIB
+#define ZLIB_CONST
+#include <zlib.h>
+#endif
+
+/*
+ * The information used comes from:
+ * RFC6455: The WebSocket Protocol
+ * http://www.iana.org/assignments/websocket (last updated 2012-04-12)
+ */
+
+void proto_register_websocket(void);
+void proto_reg_handoff_websocket(void);
+
+static dissector_handle_t websocket_handle;
+static dissector_handle_t text_lines_handle;
+static dissector_handle_t json_handle;
+static dissector_handle_t sip_handle;
+
+#define WEBSOCKET_NONE 0
+#define WEBSOCKET_TEXT 1
+#define WEBSOCKET_JSON 2
+#define WEBSOCKET_SIP 3
+
+/* Use key values counting down from G_MAXUINT32 to avoid clash with pkt_info proto_data key */
+#define OPCODE_KEY (G_MAXUINT32 - 0)
+
+static gint  pref_text_type             = WEBSOCKET_NONE;
+static gboolean pref_decompress         = TRUE;
+
+typedef struct {
+  const char   *subprotocol;
+  guint16       server_port;
+  gboolean      permessage_deflate;
+#ifdef HAVE_ZLIB
+  gboolean      permessage_deflate_ok;
+  gint8         server_wbits;
+  gint8         client_wbits;
+  z_streamp     server_take_over_context;
+  z_streamp     client_take_over_context;
+#endif
+  guint32       frag_id;
+  gboolean      first_frag;
+  guint8        first_frag_opcode;
+  gboolean      first_frag_pmc;
+} websocket_conv_t;
+
+#ifdef HAVE_ZLIB
+typedef struct {
+  guint8 *decompr_payload;
+  guint decompr_len;
+} websocket_packet_t;
+#endif
+
+static int websocket_follow_tap = -1;
+
+/* Initialize the protocol and registered fields */
+static int proto_websocket = -1;
+static int proto_http = -1;
+
+static int hf_ws_fin = -1;
+static int hf_ws_reserved = -1;
+static int hf_ws_pmc = -1;
+static int hf_ws_opcode = -1;
+static int hf_ws_mask = -1;
+static int hf_ws_payload_length = -1;
+static int hf_ws_payload_length_ext_16 = -1;
+static int hf_ws_payload_length_ext_64 = -1;
+static int hf_ws_masking_key = -1;
+static int hf_ws_payload = -1;
+static int hf_ws_masked_payload = -1;
+static int hf_ws_payload_continue = -1;
+static int hf_ws_payload_text = -1;
+static int hf_ws_payload_close = -1;
+static int hf_ws_payload_close_status_code = -1;
+static int hf_ws_payload_close_reason = -1;
+static int hf_ws_payload_ping = -1;
+static int hf_ws_payload_pong = -1;
+static int hf_ws_payload_unknown = -1;
+static int hf_ws_fragments = -1;
+static int hf_ws_fragment = -1;
+static int hf_ws_fragment_overlap = -1;
+static int hf_ws_fragment_overlap_conflict = -1;
+static int hf_ws_fragment_multiple_tails = -1;
+static int hf_ws_fragment_too_long_fragment = -1;
+static int hf_ws_fragment_error = -1;
+static int hf_ws_fragment_count = -1;
+static int hf_ws_reassembled_length = -1;
+
+static gint ett_ws = -1;
+static gint ett_ws_pl = -1;
+static gint ett_ws_mask = -1;
+static gint ett_ws_control_close = -1;
+static gint ett_ws_fragments = -1;
+static gint ett_ws_fragment = -1;
+
+static expert_field ei_ws_payload_unknown = EI_INIT;
+static expert_field ei_ws_decompression_failed = EI_INIT;
+
+#define WS_CONTINUE 0x0
+#define WS_TEXT     0x1
+#define WS_BINARY   0x2
+#define WS_CLOSE    0x8
+#define WS_PING     0x9
+#define WS_PONG     0xA
+
+static const value_string ws_opcode_vals[] = {
+  { WS_CONTINUE, "Continuation" },
+  { WS_TEXT, "Text" },
+  { WS_BINARY, "Binary" },
+  { WS_CLOSE, "Connection Close" },
+  { WS_PING, "Ping" },
+  { WS_PONG, "Pong" },
+  { 0, NULL}
+};
+
+#define MASK_WS_FIN 0x80
+#define MASK_WS_RSV 0x70
+#define MASK_WS_RSV1 0x40
+#define MASK_WS_OPCODE 0x0F
+#define MASK_WS_MASK 0x80
+#define MASK_WS_PAYLOAD_LEN 0x7F
+
+static const value_string ws_close_status_code_vals[] = {
+  { 1000, "Normal Closure" },
+  { 1001, "Going Away" },
+  { 1002, "Protocol error" },
+  { 1003, "Unsupported Data" },
+  { 1004, "---Reserved----" },
+  { 1005, "No Status Rcvd" },
+  { 1006, "Abnormal Closure" },
+  { 1007, "Invalid frame payload data" },
+  { 1008, "Policy Violation" },
+  { 1009, "Message Too Big" },
+  { 1010, "Mandatory Ext." },
+  { 1011, "Internal Server" },
+  { 1015, "TLS handshake" },
+  { 0,    NULL}
+};
+
+static const fragment_items ws_frag_items = {
+    &ett_ws_fragments,
+    &ett_ws_fragment,
+
+    &hf_ws_fragments,
+    &hf_ws_fragment,
+    &hf_ws_fragment_overlap,
+    &hf_ws_fragment_overlap_conflict,
+    &hf_ws_fragment_multiple_tails,
+    &hf_ws_fragment_too_long_fragment,
+    &hf_ws_fragment_error,
+    &hf_ws_fragment_count,
+    NULL,
+    &hf_ws_reassembled_length,
+    /* Reassembled data field */
+    NULL,
+    "websocket fragments"
+};
+
+static dissector_table_t port_subdissector_table;
+static dissector_table_t protocol_subdissector_table;
+static heur_dissector_list_t heur_subdissector_list;
+
+static reassembly_table ws_reassembly_table;
+
+#define MAX_UNMASKED_LEN (1024 * 256)
+static tvbuff_t *
+tvb_unmasked(tvbuff_t *tvb, packet_info *pinfo, const guint offset, guint payload_length, const guint8 *masking_key)
+{
+
+  gchar        *data_unmask;
+  guint         i;
+  const guint8 *data_mask;
+  guint         unmasked_length = payload_length > MAX_UNMASKED_LEN ? MAX_UNMASKED_LEN : payload_length;
+
+  data_unmask = (gchar *)wmem_alloc(pinfo->pool, unmasked_length);
+  data_mask   = tvb_get_ptr(tvb, offset, unmasked_length);
+  /* Unmasked(XOR) Data... */
+  for(i=0; i < unmasked_length; i++) {
+    data_unmask[i] = data_mask[i] ^ masking_key[i%4];
+  }
+
+  return tvb_new_child_real_data(tvb, data_unmask, unmasked_length, payload_length);
+}
+
+#ifdef HAVE_ZLIB
+static gint8
+websocket_extract_wbits(const gchar *str)
+{
+  guint8 wbits;
+  const gchar *end;
+
+  if (str && ws_strtou8(str, &end, &wbits) &&
+      (*end == '\0' || strchr(";\t ", *end))) {
+    if (wbits < 8) {
+      wbits = 8;
+    } else if (wbits > 15) {
+      wbits = 15;
+    }
+  } else {
+    wbits = 15;
+  }
+  return -wbits;
+}
+
+static void *
+websocket_zalloc(void *opaque _U_, unsigned int items, unsigned int size)
+{
+  return wmem_alloc(wmem_file_scope(), items*size);
+}
+
+static void
+websocket_zfree(void *opaque _U_, void *addr)
+{
+  wmem_free(wmem_file_scope(), addr);
+}
+
+static z_streamp
+websocket_init_z_stream_context(gint8 wbits)
+{
+  z_streamp z_strm = wmem_new0(wmem_file_scope(), z_stream);
+
+  z_strm->zalloc = websocket_zalloc;
+  z_strm->zfree = websocket_zfree;
+
+  if (inflateInit2(z_strm, wbits) != Z_OK) {
+    inflateEnd(z_strm);
+    wmem_free(wmem_file_scope(), z_strm);
+    return NULL;
+  }
+  return z_strm;
+}
+
+/*
+ * Decompress the given buffer using the given zlib context. On success, the
+ * (possibly empty) buffer is stored as "proto data" and TRUE is returned.
+ * Otherwise FALSE is returned.
+ */
+static gboolean
+websocket_uncompress(tvbuff_t *tvb, packet_info *pinfo, z_streamp z_strm, tvbuff_t **uncompressed_tvb, guint32 key)
+{
+  /*
+   * Decompression a message: append "0x00 0x00 0xff 0xff" to the end of
+   * message, then apply DEFLATE to the result.
+   * https://tools.ietf.org/html/rfc7692#section-7.2.2
+   */
+  guint8   *decompr_payload = NULL;
+  guint     decompr_len = 0;
+  guint     compr_len, decompr_buf_len;
+  guint8   *compr_payload, *decompr_buf;
+  gint      err;
+
+  compr_len = tvb_captured_length(tvb) + 4;
+  compr_payload = (guint8 *)wmem_alloc(pinfo->pool, compr_len);
+  tvb_memcpy(tvb, compr_payload, 0, compr_len-4);
+  compr_payload[compr_len-4] = compr_payload[compr_len-3] = 0x00;
+  compr_payload[compr_len-2] = compr_payload[compr_len-1] = 0xff;
+  decompr_buf_len = 2*compr_len;
+  decompr_buf = (guint8 *)wmem_alloc(pinfo->pool, decompr_buf_len);
+
+  z_strm->next_in = compr_payload;
+  z_strm->avail_in = compr_len;
+  /* Decompress all available data. */
+  do {
+    z_strm->next_out = decompr_buf;
+    z_strm->avail_out = decompr_buf_len;
+
+    err = inflate(z_strm, Z_SYNC_FLUSH);
+
+    if (err == Z_OK || err == Z_STREAM_END || err == Z_BUF_ERROR) {
+      guint avail_bytes = decompr_buf_len - z_strm->avail_out;
+      if (avail_bytes) {
+        decompr_payload = (guint8 *)wmem_realloc(wmem_file_scope(), decompr_payload,
+                                                 decompr_len + avail_bytes);
+        memcpy(&decompr_payload[decompr_len], decompr_buf, avail_bytes);
+        decompr_len += avail_bytes;
+      }
+    }
+  } while (err == Z_OK);
+
+  if (err == Z_STREAM_END || err == Z_BUF_ERROR) {
+    /* Data was (partially) uncompressed. */
+    websocket_packet_t *pkt_info = wmem_new0(wmem_file_scope(), websocket_packet_t);
+    if (decompr_len > 0) {
+      pkt_info->decompr_payload = decompr_payload;
+      pkt_info->decompr_len = decompr_len;
+      *uncompressed_tvb = tvb_new_child_real_data(tvb, decompr_payload, decompr_len, decompr_len);
+    }
+    p_add_proto_data(wmem_file_scope(), pinfo, proto_websocket, key, pkt_info);
+    return TRUE;
+  } else {
+    /* decompression failed */
+    wmem_free(wmem_file_scope(), decompr_payload);
+    return FALSE;
+  }
+}
+#endif
+
+static void
+dissect_websocket_control_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 opcode)
+{
+  proto_item         *ti;
+  proto_tree         *subtree;
+  const guint         offset = 0, length = tvb_reported_length(tvb);
+
+  switch (opcode) {
+    case WS_CLOSE: /* Close */
+      ti = proto_tree_add_item(tree, hf_ws_payload_close, tvb, offset, length, ENC_NA);
+      subtree = proto_item_add_subtree(ti, ett_ws_control_close);
+      /* Close frame MAY contain a body. */
+      if (length >= 2) {
+        proto_tree_add_item(subtree, hf_ws_payload_close_status_code, tvb, offset, 2, ENC_BIG_ENDIAN);
+        if (length > 2)
+          proto_tree_add_item(subtree, hf_ws_payload_close_reason, tvb, offset+2, length-2, ENC_UTF_8);
+      }
+      break;
+
+    case WS_PING: /* Ping */
+      proto_tree_add_item(tree, hf_ws_payload_ping, tvb, offset, length, ENC_NA);
+      break;
+
+    case WS_PONG: /* Pong */
+      proto_tree_add_item(tree, hf_ws_payload_pong, tvb, offset, length, ENC_NA);
+      break;
+
+    default: /* Unknown */
+      ti = proto_tree_add_item(tree, hf_ws_payload_unknown, tvb, offset, length, ENC_NA);
+      expert_add_info_format(pinfo, ti, &ei_ws_payload_unknown, "Dissector for Websocket Opcode (%d)"
+        " code not implemented, Contact Wireshark developers"
+        " if you want this supported", opcode);
+      break;
+  }
+}
+
+static void
+dissect_websocket_data_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *pl_tree, guint8 opcode, websocket_conv_t *websocket_conv, gint raw_offset _U_)
+{
+  proto_item         *ti;
+  dissector_handle_t  handle = NULL;
+  heur_dtbl_entry_t  *hdtbl_entry;
+
+  if (pinfo->fragmented) {
+    /* Skip dissecting fragmented payload data. */
+    return;
+  }
+
+  /* try to find a dissector which accepts the data. */
+  if (websocket_conv->subprotocol) {
+    handle = dissector_get_string_handle(protocol_subdissector_table, websocket_conv->subprotocol);
+  } else if (websocket_conv->server_port) {
+    handle = dissector_get_uint_handle(port_subdissector_table, websocket_conv->server_port);
+  }
+
+#ifdef HAVE_ZLIB
+  if (websocket_conv->permessage_deflate_ok && websocket_conv->first_frag_pmc) {
+    tvbuff_t   *uncompressed = NULL;
+    gboolean    uncompress_ok = FALSE;
+
+    if (!PINFO_FD_VISITED(pinfo)) {
+      z_streamp z_strm;
+      gint8 wbits;
+
+      if (pinfo->destport == websocket_conv->server_port) {
+        z_strm = websocket_conv->server_take_over_context;
+        wbits = websocket_conv->server_wbits;
+      } else {
+        z_strm = websocket_conv->client_take_over_context;
+        wbits = websocket_conv->client_wbits;
+      }
+
+      if (z_strm) {
+        uncompress_ok = websocket_uncompress(tvb, pinfo, z_strm, &uncompressed, raw_offset);
+      } else {
+        /* no context take over, initialize a new context */
+        z_strm = wmem_new0(pinfo->pool, z_stream);
+        if (inflateInit2(z_strm, wbits) == Z_OK) {
+          uncompress_ok = websocket_uncompress(tvb, pinfo, z_strm, &uncompressed, raw_offset);
+        }
+        inflateEnd(z_strm);
+      }
+    } else {
+      websocket_packet_t *pkt_info =
+          (websocket_packet_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_websocket, raw_offset);
+      if (pkt_info) {
+        uncompress_ok = TRUE;
+        if (pkt_info->decompr_len > 0) {
+          uncompressed = tvb_new_child_real_data(tvb, pkt_info->decompr_payload, pkt_info->decompr_len, pkt_info->decompr_len);
+        }
+      }
+    }
+
+    if (!uncompress_ok) {
+      proto_tree_add_expert(tree, pinfo, &ei_ws_decompression_failed, tvb, 0, -1);
+      return;
+    }
+    if (uncompressed) {
+      add_new_data_source(pinfo, uncompressed, "Decompressed payload");
+      tvb = uncompressed;
+    }
+  }
+#endif
+
+  if (have_tap_listener(websocket_follow_tap)) {
+    tap_queue_packet(websocket_follow_tap, pinfo, tvb);
+  }
+
+  if (handle) {
+    call_dissector_only(handle, tvb, pinfo, tree, NULL);
+    return; /* handle found, assume dissector took care of it. */
+  } else if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, tree, &hdtbl_entry, NULL)) {
+    return; /* heuristics dissector handled it. */
+  }
+
+  /* no dissector wanted it, try to print something appropriate. */
+  switch (opcode) {
+    case WS_TEXT: /* Text */
+    {
+      proto_tree_add_item(pl_tree, hf_ws_payload_text, tvb, 0, -1, ENC_UTF_8);
+      const gchar  *saved_match_string = pinfo->match_string;
+
+      pinfo->match_string = NULL;
+      switch (pref_text_type) {
+      case WEBSOCKET_TEXT:
+      case WEBSOCKET_NONE:
+      default:
+        /* Assume that most text protocols are line-based. */
+        call_dissector(text_lines_handle, tvb, pinfo, tree);
+        break;
+      case WEBSOCKET_JSON:
+        call_dissector(json_handle, tvb, pinfo, tree);
+        break;
+      case WEBSOCKET_SIP:
+        call_dissector(sip_handle, tvb, pinfo, tree);
+        break;
+      }
+      pinfo->match_string = saved_match_string;
+    }
+    break;
+
+    case WS_BINARY: /* Binary */
+      call_data_dissector(tvb, pinfo, tree);
+      break;
+
+    default: /* Unknown */
+      ti = proto_tree_add_item(pl_tree, hf_ws_payload_unknown, tvb, 0, -1, ENC_NA);
+      expert_add_info_format(pinfo, ti, &ei_ws_payload_unknown, "Dissector for Websocket Opcode (%d)"
+        " code not implemented, Contact Wireshark developers"
+        " if you want this supported", opcode);
+      break;
+  }
+}
+
+static void
+websocket_parse_extensions(websocket_conv_t *websocket_conv, const char *str)
+{
+  /*
+   * Grammar for the header:
+   *
+   *    Sec-WebSocket-Extensions = extension-list
+   *    extension-list = 1#extension
+   *    extension = extension-token *( ";" extension-param )
+   *    extension-token = registered-token
+   *    registered-token = token
+   *    extension-param = token [ "=" (token | quoted-string) ]
+   */
+
+  /*
+   * RFC 7692 permessage-deflate parsing.
+   * "x-webkit-deflate-frame" is an alias used by some versions of Safari browser
+   */
+
+  websocket_conv->permessage_deflate = !!strstr(str, "permessage-deflate")
+      || !!strstr(str, "x-webkit-deflate-frame");
+#ifdef HAVE_ZLIB
+  websocket_conv->permessage_deflate_ok = pref_decompress &&
+       websocket_conv->permessage_deflate;
+  if (websocket_conv->permessage_deflate_ok) {
+    websocket_conv->server_wbits =
+        websocket_extract_wbits(strstr(str, "server_max_window_bits="));
+    if (!strstr(str, "server_no_context_takeover")) {
+      websocket_conv->server_take_over_context =
+          websocket_init_z_stream_context(websocket_conv->server_wbits);
+    }
+    websocket_conv->client_wbits =
+        websocket_extract_wbits(strstr(str, "client_max_window_bits="));
+    if (!strstr(str, "client_no_context_takeover")) {
+      websocket_conv->client_take_over_context =
+          websocket_init_z_stream_context(websocket_conv->client_wbits);
+    }
+  }
+#endif
+}
+
+static void
+dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *ws_tree, guint8 fin, guint8 opcode, websocket_conv_t *websocket_conv, gint raw_offset)
+{
+  const guint         offset = 0, length = tvb_reported_length(tvb);
+  proto_item         *ti;
+  proto_tree         *pl_tree;
+  tvbuff_t           *tvb_appdata;
+  tvbuff_t           *frag_tvb = NULL;
+
+  /* Payload */
+  ti = proto_tree_add_item(ws_tree, hf_ws_payload, tvb, offset, length, ENC_NA);
+  pl_tree = proto_item_add_subtree(ti, ett_ws_pl);
+
+  /* Extension Data */
+  /* TODO: Add dissector of Extension (not extension available for the moment...) */
+
+  if (opcode & 8) { /* Control frames have MSB set. */
+    dissect_websocket_control_frame(tvb, pinfo, pl_tree, opcode);
+    return;
+  }
+
+  bool save_fragmented = pinfo->fragmented;
+
+  if (!fin || opcode == WS_CONTINUE) {
+    /* Fragmented data frame */
+    fragment_head *frag_msg;
+
+    pinfo->fragmented = TRUE;
+
+    frag_msg = fragment_add_seq_next(&ws_reassembly_table, tvb, offset,
+              pinfo, websocket_conv->frag_id,
+              NULL, tvb_captured_length_remaining(tvb, offset),
+              !fin);
+    frag_tvb = process_reassembled_data(tvb, offset, pinfo,
+      "Reassembled Message", frag_msg, &ws_frag_items,
+      NULL, tree);
+  }
+
+  if (!PINFO_FD_VISITED(pinfo) && frag_tvb) {
+    /* First time fragments fully reassembled, store opcode from first fragment */
+    p_add_proto_data(wmem_file_scope(), pinfo, proto_websocket, OPCODE_KEY,
+        GUINT_TO_POINTER(websocket_conv->first_frag_opcode));
+  }
+
+  if (frag_tvb) {
+    /* Fragments were fully reassembled. */
+    tvb_appdata = frag_tvb;
+
+    /* Lookup opcode from first fragment */
+    guint first_frag_opcode = GPOINTER_TO_UINT(
+        p_get_proto_data(wmem_file_scope(),pinfo, proto_websocket, OPCODE_KEY));
+    opcode = (guint8)first_frag_opcode;
+  } else {
+    /* Right now this is exactly the same, this may change when exts. are added.
+    tvb_appdata = tvb_new_subset_length(tvb, offset, length);
+    */
+    tvb_appdata = tvb;
+  }
+
+  /* Application Data */
+
+  if (pinfo->fragmented && opcode == WS_CONTINUE) {
+    /* Not last fragment, dissect continue fragment as is */
+    proto_tree_add_item(tree, hf_ws_payload_continue, tvb_appdata, offset, length, ENC_NA);
+    return;
+  }
+
+  dissect_websocket_data_frame(tvb_appdata, pinfo, tree, pl_tree, opcode, websocket_conv, raw_offset);
+  pinfo->fragmented = save_fragmented;
+}
+
+static int
+dissect_websocket_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
+{
+  static guint32 frag_id_counter = 0;
+  proto_item   *ti, *ti_len;
+  guint8        fin, opcode;
+  gboolean      mask;
+  guint         short_length, payload_length;
+  guint         payload_offset, mask_offset;
+  proto_tree   *ws_tree;
+  const guint8 *masking_key = NULL;
+  tvbuff_t     *tvb_payload;
+  conversation_t *conv;
+  websocket_conv_t *websocket_conv;
+
+  /*
+   * If this is a new Websocket session, try to parse HTTP Sec-Websocket-*
+   * headers once.
+   */
+  conv = find_or_create_conversation(pinfo);
+  websocket_conv = (websocket_conv_t *)conversation_get_proto_data(conv, proto_websocket);
+  if (!websocket_conv) {
+    websocket_conv = wmem_new0(wmem_file_scope(), websocket_conv_t);
+    websocket_conv->first_frag = TRUE;
+    websocket_conv->frag_id = ++frag_id_counter;
+
+    http_conv_t *http_conv = (http_conv_t *)conversation_get_proto_data(conv, proto_http);
+    if (http_conv) {
+      websocket_conv->subprotocol = http_conv->websocket_protocol;
+      websocket_conv->server_port = http_conv->server_port;
+      if ( http_conv->websocket_extensions) {
+        websocket_parse_extensions(websocket_conv, http_conv->websocket_extensions);
+      }
+    }
+
+    conversation_add_proto_data(conv, proto_websocket, websocket_conv);
+  } else {
+    websocket_conv->first_frag = FALSE;
+  }
+
+  short_length = tvb_get_guint8(tvb, 1) & MASK_WS_PAYLOAD_LEN;
+  mask_offset = 2;
+  if (short_length == 126) {
+    payload_length = tvb_get_ntohs(tvb, 2);
+    mask_offset += 2;
+  } else if (short_length == 127) {
+    /* warning C4244: '=' : conversion from 'guint64' to 'guint ', possible loss of data */
+    payload_length = (guint)tvb_get_ntoh64(tvb, 2);
+    mask_offset += 8;
+  } else {
+    payload_length = short_length;
+  }
+
+  /* Mask */
+  mask = (tvb_get_guint8(tvb, 1) & MASK_WS_MASK) != 0;
+  payload_offset = mask_offset + (mask ? 4 : 0);
+
+  col_set_str(pinfo->cinfo, COL_PROTOCOL, "WebSocket");
+  col_set_str(pinfo->cinfo, COL_INFO, "WebSocket");
+
+  ti = proto_tree_add_item(tree, proto_websocket, tvb, 0, payload_offset, ENC_NA);
+  ws_tree = proto_item_add_subtree(ti, ett_ws);
+
+  /* Flags */
+  proto_tree_add_item(ws_tree, hf_ws_fin, tvb, 0, 1, ENC_NA);
+  fin = (tvb_get_guint8(tvb, 0) & MASK_WS_FIN) >> 4;
+  proto_tree_add_item(ws_tree, hf_ws_reserved, tvb, 0, 1, ENC_BIG_ENDIAN);
+  if (websocket_conv->permessage_deflate) {
+    /* RSV1 is Per-Message Compressed bit (RFC 7692). */
+    if (websocket_conv->first_frag) {
+      /* First fragment, save pmc flag needed for decompressing continuation fragments */
+      websocket_conv->first_frag_pmc = !!(tvb_get_guint8(tvb, 0) & MASK_WS_RSV1);
+    }
+    proto_tree_add_item(ws_tree, hf_ws_pmc, tvb, 0, 1, ENC_BIG_ENDIAN);
+  }
+
+  /* Opcode */
+  proto_tree_add_item(ws_tree, hf_ws_opcode, tvb, 0, 1, ENC_BIG_ENDIAN);
+  opcode = tvb_get_guint8(tvb, 0) & MASK_WS_OPCODE;
+  if (websocket_conv->first_frag) {
+    /* First fragment, save opcode needed when dissecting the reassembled frame */
+    websocket_conv->first_frag_opcode = opcode;
+  }
+  col_append_fstr(pinfo->cinfo, COL_INFO, " %s", val_to_str_const(opcode, ws_opcode_vals, "Unknown Opcode"));
+  col_append_str(pinfo->cinfo, COL_INFO, fin ? " [FIN]" : "[FRAGMENT] ");
+
+  /* Add Mask bit to the tree */
+  proto_tree_add_item(ws_tree, hf_ws_mask, tvb, 1, 1, ENC_NA);
+  col_append_str(pinfo->cinfo, COL_INFO, mask ? " [MASKED]" : " ");
+
+  /* (Extended) Payload Length */
+  ti_len = proto_tree_add_item(ws_tree, hf_ws_payload_length, tvb, 1, 1, ENC_BIG_ENDIAN);
+  if (short_length == 126) {
+    proto_item_append_text(ti_len, " Extended Payload Length (16 bits)");
+    proto_tree_add_item(ws_tree, hf_ws_payload_length_ext_16, tvb, 2, 2, ENC_BIG_ENDIAN);
+  }
+  else if (short_length == 127) {
+    proto_item_append_text(ti_len, " Extended Payload Length (64 bits)");
+    proto_tree_add_item(ws_tree, hf_ws_payload_length_ext_64, tvb, 2, 8, ENC_BIG_ENDIAN);
+  }
+
+  /* Masking-key */
+  if (mask) {
+    proto_tree_add_item(ws_tree, hf_ws_masking_key, tvb, mask_offset, 4, ENC_NA);
+    masking_key = tvb_get_ptr(tvb, mask_offset, 4);
+  }
+
+  if (payload_length > 0) {
+    /* Always unmask payload data before analysing it. */
+    if (mask) {
+      proto_tree_add_item(ws_tree, hf_ws_masked_payload, tvb, payload_offset, payload_length, ENC_NA);
+      tvb_payload = tvb_unmasked(tvb, pinfo, payload_offset, payload_length, masking_key);
+      add_new_data_source(pinfo, tvb_payload, "Unmasked data");
+    } else {
+      tvb_payload = tvb_new_subset_length(tvb, payload_offset, payload_length);
+    }
+    dissect_websocket_payload(tvb_payload, pinfo, tree, ws_tree, fin, opcode, websocket_conv, tvb_raw_offset(tvb));
+  }
+
+  return tvb_captured_length(tvb);
+}
+
+static guint
+get_websocket_frame_length(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
+{
+  guint         frame_length, payload_length;
+  gboolean      mask;
+
+  frame_length = 2;                 /* flags, opcode and Payload length */
+  mask = tvb_get_guint8(tvb, offset + 1) & MASK_WS_MASK;
+
+  payload_length = tvb_get_guint8(tvb, offset + 1) & MASK_WS_PAYLOAD_LEN;
+  offset += 2; /* Skip flags, opcode and Payload length */
+
+  /* Check for Extended Payload Length. */
+  if (payload_length == 126) {
+    if (tvb_reported_length_remaining(tvb, offset) < 2)
+      return 0; /* Need more data. */
+
+    payload_length = tvb_get_ntohs(tvb, offset);
+    frame_length += 2;              /* Extended payload length */
+  } else if (payload_length == 127) {
+    if (tvb_reported_length_remaining(tvb, offset) < 8)
+      return 0; /* Need more data. */
+
+    payload_length = (guint)tvb_get_ntoh64(tvb, offset);
+    frame_length += 8;              /* Extended payload length */
+  }
+
+  if (mask)
+    frame_length += 4;              /* Masking-key */
+  frame_length += payload_length;   /* Payload data */
+  return frame_length;
+}
+
+static int
+dissect_websocket(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+{
+  /* Need at least two bytes for flags, opcode and Payload length. */
+  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 2,
+                   get_websocket_frame_length, dissect_websocket_frame, data);
+  return tvb_captured_length(tvb);
+}
+
+static gboolean
+test_websocket(packet_info* pinfo _U_, tvbuff_t* tvb, int offset _U_, void* data _U_)
+{
+  guint buffer_length = tvb_captured_length(tvb);
+
+  // At least 2 bytes are required for a websocket header
+  if (buffer_length < 2)
+  {
+    return FALSE;
+  }
+  guint8 first_byte = tvb_get_guint8(tvb, 0);
+  guint8 second_byte = tvb_get_guint8(tvb, 1);
+
+  // Reserved bits RSV1, RSV2 and RSV3 need to be 0
+  if ((first_byte & 0x70) > 0)
+  {
+    return FALSE;
+  }
+
+  guint8 op_code = first_byte & 0x0F;
+
+  // op_code must be one of WS_CONTINUE, WS_TEXT, WS_BINARY, WS_CLOSE, WS_PING or WS_PONG
+  if (!(op_code == WS_CONTINUE || op_code == WS_TEXT || op_code == WS_BINARY || op_code == WS_CLOSE || op_code == WS_PING || op_code == WS_PONG))
+  {
+    return FALSE;
+  }
+
+  // It is necessary to prevent that HTTP connection setups are treated as websocket.
+  // If HTTP catches and it upgrades to websocket then HTTP takes care that websocket dissector gets called for this stream.
+  // If first two byte start with printable characters from the alphabet it's likely that it is part of a HTTP connection setup.
+  if (((first_byte >= 'a' && first_byte <= 'z') || (first_byte >= 'A' && first_byte <= 'Z')) &&
+    ((second_byte >= 'a' && second_byte <= 'z') || (second_byte >= 'A' && second_byte <= 'Z')))
+  {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
+static gboolean
+dissect_websocket_heur_tcp(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data)
+{
+  if (!test_websocket(pinfo, tvb, 0, data))
+  {
+    return FALSE;
+  }
+  conversation_t* conversation = find_or_create_conversation(pinfo);
+  conversation_set_dissector(conversation, websocket_handle);
+
+  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 2, get_websocket_frame_length, dissect_websocket_frame, data);
+  return TRUE;
+}
+
+void
+proto_register_websocket(void)
+{
+
+  static hf_register_info hf[] = {
+    { &hf_ws_fin,
+      { "Fin", "websocket.fin",
+      FT_BOOLEAN, 8, NULL, MASK_WS_FIN,
+      "Indicates that this is the final fragment in a message", HFILL }
+    },
+    { &hf_ws_reserved,
+      { "Reserved", "websocket.rsv",
+      FT_UINT8, BASE_HEX, NULL, MASK_WS_RSV,
+      "Must be zero", HFILL }
+    },
+    { &hf_ws_pmc,
+      { "Per-Message Compressed", "websocket.pmc",
+      FT_BOOLEAN, 8, NULL, MASK_WS_RSV1,
+      "Whether a message is compressed or not", HFILL }
+    },
+    { &hf_ws_opcode,
+      { "Opcode", "websocket.opcode",
+      FT_UINT8, BASE_DEC, VALS(ws_opcode_vals), MASK_WS_OPCODE,
+      "Defines the interpretation of the Payload data", HFILL }
+    },
+    { &hf_ws_mask,
+      { "Mask", "websocket.mask",
+      FT_BOOLEAN, 8, NULL, MASK_WS_MASK,
+      "Defines whether the Payload data is masked", HFILL }
+    },
+    { &hf_ws_payload_length,
+      { "Payload length", "websocket.payload_length",
+      FT_UINT8, BASE_DEC, NULL, MASK_WS_PAYLOAD_LEN,
+      "The length of the Payload data", HFILL }
+    },
+    { &hf_ws_payload_length_ext_16,
+      { "Extended Payload length (16 bits)", "websocket.payload_length_ext_16",
+      FT_UINT16, BASE_DEC, NULL, 0x0,
+      "The length (16 bits) of the Payload data", HFILL }
+    },
+    { &hf_ws_payload_length_ext_64,
+      { "Extended Payload length (64 bits)", "websocket.payload_length_ext_64",
+      FT_UINT64, BASE_DEC, NULL, 0x0,
+      "The length (64 bits) of the Payload data", HFILL }
+    },
+    { &hf_ws_masking_key,
+      { "Masking-Key", "websocket.masking_key",
+      FT_BYTES, BASE_NONE, NULL, 0x0,
+      "All frames sent from the client to the server are masked by a 32-bit value that is contained within the frame", HFILL }
+    },
+    { &hf_ws_payload,
+      { "Payload", "websocket.payload",
+      FT_NONE, BASE_NONE, NULL, 0x0,
+      "Payload (after unmasking)", HFILL }
+    },
+    { &hf_ws_masked_payload,
+      { "Masked payload", "websocket.masked_payload",
+      FT_NONE, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_continue,
+      { "Continue", "websocket.payload.continue",
+      FT_BYTES, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_text,
+      { "Text", "websocket.payload.text",
+      FT_STRING, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_close,
+      { "Close", "websocket.payload.close",
+      FT_NONE, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_close_status_code,
+      { "Status code", "websocket.payload.close.status_code",
+      FT_UINT16, BASE_DEC, VALS(ws_close_status_code_vals), 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_close_reason,
+      { "Reason", "websocket.payload.close.reason",
+      FT_STRING, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_ping,
+      { "Ping", "websocket.payload.ping",
+      FT_BYTES, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_pong,
+      { "Pong", "websocket.payload.pong",
+      FT_BYTES, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_payload_unknown,
+      { "Unknown", "websocket.payload.unknown",
+      FT_BYTES, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    /* Reassembly */
+    { &hf_ws_fragments,
+      { "Reassembled websocket Fragments", "websocket.fragments",
+      FT_NONE, BASE_NONE, NULL, 0x0,
+      "Fragments", HFILL }
+    },
+    { &hf_ws_fragment,
+      { "Websocket Fragment", "websocket.fragment",
+      FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_fragment_overlap,
+      { "Fragment overlap", "websocket.fragment.overlap",
+      FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+      "Fragment overlaps with other fragments", HFILL }
+    },
+    { &hf_ws_fragment_overlap_conflict,
+      { "Conflicting data in fragment overlap", "websocket.fragment.overlap.conflict",
+      FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+      "Overlapping fragments contained conflicting data", HFILL }
+    },
+    { &hf_ws_fragment_multiple_tails,
+      { "Multiple tail fragments found", "websocket.fragment.multipletails",
+      FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+      "Several tails were found when defragmenting the packet", HFILL }
+    },
+    { &hf_ws_fragment_too_long_fragment,
+      { "Fragment too long", "websocket.fragment.toolongfragment",
+      FT_BOOLEAN, BASE_NONE, NULL, 0x0,
+      "Fragment contained data past end of packet", HFILL }
+    },
+    { &hf_ws_fragment_error,
+      { "Defragmentation error", "websocket.fragment.error",
+      FT_FRAMENUM, BASE_NONE, NULL, 0x0,
+      "Defragmentation error due to illegal fragments", HFILL }
+    },
+    { &hf_ws_fragment_count,
+      { "Fragment count", "websocket.fragment.count",
+      FT_UINT32, BASE_DEC, NULL, 0x0,
+      NULL, HFILL }
+    },
+    { &hf_ws_reassembled_length,
+      { "Reassembled websocket Payload length", "websocket.reassembled.length",
+      FT_UINT32, BASE_DEC, NULL, 0x0,
+      "The total length of the reassembled payload", HFILL }
+    },
+  };
+
+
+  static gint *ett[] = {
+    &ett_ws,
+    &ett_ws_pl,
+    &ett_ws_mask,
+    &ett_ws_control_close,
+    &ett_ws_fragment,
+    &ett_ws_fragments,
+  };
+
+  static ei_register_info ei[] = {
+    { &ei_ws_payload_unknown, { "websocket.payload.unknown.expert", PI_UNDECODED, PI_NOTE, "Dissector for Websocket Opcode", EXPFILL }},
+    { &ei_ws_decompression_failed, { "websocket.decompression.failed.expert", PI_PROTOCOL, PI_WARN, "Decompression failed", EXPFILL }},
+  };
+
+  static const enum_val_t text_types[] = {
+      {"None",            "No subdissection", WEBSOCKET_NONE},
+      {"Line based text", "Line based text",  WEBSOCKET_TEXT},
+      {"As JSON",         "As json",          WEBSOCKET_JSON},
+      {"As SIP",         "As SIP",          WEBSOCKET_SIP},
+      {NULL, NULL, -1}
+  };
+
+  module_t *websocket_module;
+  expert_module_t* expert_websocket;
+
+  proto_websocket = proto_register_protocol("WebSocket", "WebSocket", "websocket");
+
+  /*
+   * Heuristic dissectors SHOULD register themselves in
+   * this table using the standard heur_dissector_add()
+   * function.
+   */
+  heur_subdissector_list = register_heur_dissector_list("ws", proto_websocket);
+
+  port_subdissector_table = register_dissector_table("ws.port",
+      "TCP port for protocols using WebSocket", proto_websocket, FT_UINT16, BASE_DEC);
+
+  protocol_subdissector_table = register_dissector_table("ws.protocol",
+      "Negotiated WebSocket protocol", proto_websocket, FT_STRING, STRING_CASE_SENSITIVE);
+
+  reassembly_table_register(&ws_reassembly_table, &addresses_reassembly_table_functions);
+
+  websocket_follow_tap = register_tap("websocket_follow"); /* websocket follow tap */
+  register_follow_stream(proto_websocket, "websocket_follow", tcp_follow_conv_filter, tcp_follow_index_filter,
+                         tcp_follow_address_filter,	tcp_port_to_display, follow_tvb_tap_listener,
+                         get_tcp_stream_count, NULL);
+
+  proto_register_field_array(proto_websocket, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+  expert_websocket = expert_register_protocol(proto_websocket);
+  expert_register_field_array(expert_websocket, ei, array_length(ei));
+
+  websocket_handle = register_dissector("websocket", dissect_websocket, proto_websocket);
+
+  websocket_module = prefs_register_protocol(proto_websocket, NULL);
+
+  prefs_register_enum_preference(websocket_module, "text_type",
+        "Dissect websocket text as",
+        "Select dissector for websocket text",
+        &pref_text_type, text_types, WEBSOCKET_NONE);
+
+  prefs_register_bool_preference(websocket_module, "decompress",
+        "Try to decompress permessage-deflate payload", NULL, &pref_decompress);
+}
+
+void
+proto_reg_handoff_websocket(void)
+{
+  dissector_add_string("http.upgrade", "websocket", websocket_handle);
+
+  dissector_add_for_decode_as("tcp.port", websocket_handle);
+
+  heur_dissector_add("tcp", dissect_websocket_heur_tcp, "WebSocket Heuristic", "websocket_tcp", proto_websocket, HEURISTIC_DISABLE);
+
+  text_lines_handle = find_dissector_add_dependency("data-text-lines", proto_websocket);
+  json_handle = find_dissector_add_dependency("json", proto_websocket);
+  sip_handle = find_dissector_add_dependency("sip", proto_websocket);
+
+  proto_http = proto_get_id_by_filter_name("http");
+}
+/*
+ * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 2
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=2 tabstop=8 expandtab:
+ * :indentSize=2:tabSize=8:noTabs=true:
+ */