/* packet-collectd.c * Routines for collectd (http://collectd.org/) network plugin dissection * * Copyright 2008 Bruno Premont * Copyright 2009-2013 Florian Forster * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * SPDX-License-Identifier: GPL-2.0-or-later */ #include "config.h" #include #include #include #include #include #define STR_NONNULL(str) ((str) ? ((const char*)str) : "(null)") #define TYPE_HOST 0x0000 #define TYPE_TIME 0x0001 #define TYPE_TIME_HR 0x0008 #define TYPE_PLUGIN 0x0002 #define TYPE_PLUGIN_INSTANCE 0x0003 #define TYPE_TYPE 0x0004 #define TYPE_TYPE_INSTANCE 0x0005 #define TYPE_VALUES 0x0006 #define TYPE_INTERVAL 0x0007 #define TYPE_INTERVAL_HR 0x0009 #define TYPE_MESSAGE 0x0100 #define TYPE_SEVERITY 0x0101 #define TYPE_SIGN_SHA256 0x0200 #define TYPE_ENCR_AES256 0x0210 void proto_register_collectd(void); static dissector_handle_t collectd_handle; typedef struct value_data_s { const uint8_t *host; int host_off; int host_len; uint64_t time_value; int time_off; uint64_t interval; int interval_off; const uint8_t *plugin; int plugin_off; int plugin_len; const uint8_t *plugin_instance; int plugin_instance_off; int plugin_instance_len; const uint8_t *type; int type_off; int type_len; const uint8_t *type_instance; int type_instance_off; int type_instance_len; } value_data_t; typedef struct notify_data_s { const uint8_t *host; int host_off; int host_len; uint64_t time_value; int time_off; uint64_t severity; int severity_off; const uint8_t *message; int message_off; int message_len; } notify_data_t; struct string_counter_s; typedef struct string_counter_s string_counter_t; struct string_counter_s { const char *string; int count; string_counter_t *next; }; typedef struct tap_data_s { int values_num; string_counter_t *hosts; string_counter_t *plugins; string_counter_t *types; } tap_data_t; static const value_string part_names[] = { { TYPE_VALUES, "VALUES" }, { TYPE_TIME, "TIME" }, { TYPE_TIME_HR, "TIME_HR" }, { TYPE_INTERVAL, "INTERVAL" }, { TYPE_INTERVAL_HR, "INTERVAL_HR" }, { TYPE_HOST, "HOST" }, { TYPE_PLUGIN, "PLUGIN" }, { TYPE_PLUGIN_INSTANCE, "PLUGIN_INSTANCE" }, { TYPE_TYPE, "TYPE" }, { TYPE_TYPE_INSTANCE, "TYPE_INSTANCE" }, { TYPE_MESSAGE, "MESSAGE" }, { TYPE_SEVERITY, "SEVERITY" }, { TYPE_SIGN_SHA256, "SIGNATURE" }, { TYPE_ENCR_AES256, "ENCRYPTED_DATA" }, { 0, NULL } }; #define TYPE_VALUE_COUNTER 0x00 #define TYPE_VALUE_GAUGE 0x01 #define TYPE_VALUE_DERIVE 0x02 #define TYPE_VALUE_ABSOLUTE 0x03 static const value_string valuetypenames[] = { { TYPE_VALUE_COUNTER, "COUNTER" }, { TYPE_VALUE_GAUGE, "GAUGE" }, { TYPE_VALUE_DERIVE, "DERIVE" }, { TYPE_VALUE_ABSOLUTE, "ABSOLUTE" }, { 0, NULL } }; #define SEVERITY_FAILURE 0x01 #define SEVERITY_WARNING 0x02 #define SEVERITY_OKAY 0x04 static const val64_string severity_names[] = { { SEVERITY_FAILURE, "FAILURE" }, { SEVERITY_WARNING, "WARNING" }, { SEVERITY_OKAY, "OKAY" }, { 0, NULL } }; #define UDP_PORT_COLLECTD 25826 /* Not IANA registered */ static int proto_collectd; static int tap_collectd = -1; static int hf_collectd_type; static int hf_collectd_length; static int hf_collectd_data; static int hf_collectd_data_host; static int hf_collectd_data_time; static int hf_collectd_data_interval; static int hf_collectd_data_plugin; static int hf_collectd_data_plugin_inst; static int hf_collectd_data_type; static int hf_collectd_data_type_inst; static int hf_collectd_data_valcnt; static int hf_collectd_val_type; static int hf_collectd_val_counter; static int hf_collectd_val_gauge; static int hf_collectd_val_derive; static int hf_collectd_val_absolute; static int hf_collectd_val_unknown; static int hf_collectd_data_severity; static int hf_collectd_data_message; static int hf_collectd_data_sighash; static int hf_collectd_data_initvec; static int hf_collectd_data_username_len; static int hf_collectd_data_username; static int hf_collectd_data_encrypted; static int ett_collectd; static int ett_collectd_string; static int ett_collectd_integer; static int ett_collectd_part_value; static int ett_collectd_value; static int ett_collectd_valinfo; static int ett_collectd_signature; static int ett_collectd_encryption; static int ett_collectd_dispatch; static int ett_collectd_invalid_length; static int ett_collectd_unknown; static int st_collectd_packets = -1; static int st_collectd_values = -1; static int st_collectd_values_hosts = -1; static int st_collectd_values_plugins = -1; static int st_collectd_values_types = -1; static expert_field ei_collectd_type; static expert_field ei_collectd_invalid_length; static expert_field ei_collectd_data_valcnt; static expert_field ei_collectd_garbage; /* Prototype for the handoff function */ void proto_reg_handoff_collectd (void); static nstime_t collectd_time_to_nstime (uint64_t t) { nstime_t nstime = NSTIME_INIT_ZERO; nstime.secs = (time_t) (t / 1073741824); nstime.nsecs = (int) (((double) (t % 1073741824)) / 1.073741824); return (nstime); } static void collectd_stats_tree_init (stats_tree *st) { st_collectd_packets = stats_tree_create_node (st, "Packets", 0, STAT_DT_INT, false); st_collectd_values = stats_tree_create_node (st, "Values", 0, STAT_DT_INT, true); st_collectd_values_hosts = stats_tree_create_pivot (st, "By host", st_collectd_values); st_collectd_values_plugins = stats_tree_create_pivot (st, "By plugin", st_collectd_values); st_collectd_values_types = stats_tree_create_pivot (st, "By type", st_collectd_values); } /* void collectd_stats_tree_init */ static tap_packet_status collectd_stats_tree_packet (stats_tree *st, packet_info *pinfo _U_, epan_dissect_t *edt _U_, const void *user_data, tap_flags_t flags _U_) { const tap_data_t *td; string_counter_t *sc; td = (const tap_data_t *)user_data; if (td == NULL) return (TAP_PACKET_DONT_REDRAW); tick_stat_node (st, "Packets", 0, false); increase_stat_node (st, "Values", 0, true, td->values_num); for (sc = td->hosts; sc != NULL; sc = sc->next) { int i; for (i = 0; i < sc->count; i++) stats_tree_tick_pivot (st, st_collectd_values_hosts, sc->string); } for (sc = td->plugins; sc != NULL; sc = sc->next) { int i; for (i = 0; i < sc->count; i++) stats_tree_tick_pivot (st, st_collectd_values_plugins, sc->string); } for (sc = td->types; sc != NULL; sc = sc->next) { int i; for (i = 0; i < sc->count; i++) stats_tree_tick_pivot (st, st_collectd_values_types, sc->string); } return (TAP_PACKET_REDRAW); } /* int collectd_stats_tree_packet */ static void collectd_stats_tree_register (void) { stats_tree_register ("collectd", "collectd", "Collectd", 0, collectd_stats_tree_packet, collectd_stats_tree_init, NULL); } /* void register_collectd_stat_trees */ static void collectd_proto_tree_add_assembled_metric (tvbuff_t *tvb, int offset, int length, value_data_t const *vdispatch, proto_tree *root) { proto_item *root_item; proto_tree *subtree; nstime_t nstime; subtree = proto_tree_add_subtree(root, tvb, offset + 6, length - 6, ett_collectd_dispatch, &root_item, "Assembled metric"); proto_item_set_generated (root_item); proto_tree_add_string (subtree, hf_collectd_data_host, tvb, vdispatch->host_off, vdispatch->host_len, STR_NONNULL (vdispatch->host)); proto_tree_add_string (subtree, hf_collectd_data_plugin, tvb, vdispatch->plugin_off, vdispatch->plugin_len, STR_NONNULL (vdispatch->plugin)); if (vdispatch->plugin_instance) proto_tree_add_string (subtree, hf_collectd_data_plugin_inst, tvb, vdispatch->plugin_instance_off, vdispatch->plugin_instance_len, vdispatch->plugin_instance); proto_tree_add_string (subtree, hf_collectd_data_type, tvb, vdispatch->type_off, vdispatch->type_len, STR_NONNULL (vdispatch->type)); if (vdispatch->type_instance) proto_tree_add_string (subtree, hf_collectd_data_type_inst, tvb, vdispatch->type_instance_off, vdispatch->type_instance_len, vdispatch->type_instance); nstime = collectd_time_to_nstime (vdispatch->time_value); proto_tree_add_time (subtree, hf_collectd_data_time, tvb, vdispatch->time_off, /* length = */ 8, &nstime); nstime = collectd_time_to_nstime (vdispatch->interval); proto_tree_add_time (subtree, hf_collectd_data_interval, tvb, vdispatch->interval_off, /* length = */ 8, &nstime); } static void collectd_proto_tree_add_assembled_notification (tvbuff_t *tvb, int offset, int length, notify_data_t const *ndispatch, proto_tree *root) { proto_item *root_item; proto_tree *subtree; nstime_t nstime; subtree = proto_tree_add_subtree(root, tvb, offset + 6, length - 6, ett_collectd_dispatch, &root_item, "Assembled notification"); proto_item_set_generated (root_item); proto_tree_add_string (subtree, hf_collectd_data_host, tvb, ndispatch->host_off, ndispatch->host_len, STR_NONNULL (ndispatch->host)); nstime = collectd_time_to_nstime (ndispatch->time_value); proto_tree_add_time (subtree, hf_collectd_data_time, tvb, ndispatch->time_off, /* length = */ 8, &nstime); proto_tree_add_uint64 (subtree, hf_collectd_data_severity, tvb, ndispatch->severity_off, /* length = */ 8, ndispatch->severity); proto_tree_add_string (subtree, hf_collectd_data_message, tvb, ndispatch->message_off, ndispatch->message_len, ndispatch->message); } static int dissect_collectd_string (tvbuff_t *tvb, packet_info *pinfo, int type_hf, int offset, int *ret_offset, int *ret_length, const uint8_t **ret_string, proto_tree *tree_root, proto_item **ret_item) { proto_tree *pt; proto_item *pi; int type; int length; int size; size = tvb_reported_length_remaining (tvb, offset); if (size < 4) { /* This should never happen, because `dissect_collectd' checks * for this condition already. */ return (-1); } type = tvb_get_ntohs(tvb, offset); length = tvb_get_ntohs(tvb, offset + 2); pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_string, &pi, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); if (length > size) { proto_item_append_text(pt, "Length = %i ", length); expert_add_info_format(pinfo, pt, &ei_collectd_invalid_length, "String part with invalid part length: " "Part is longer than rest of package."); return (-1); } *ret_offset = offset + 4; *ret_length = length - 4; proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_item_ret_string (pt, type_hf, tvb, *ret_offset, *ret_length, ENC_ASCII|ENC_NA, pinfo->pool, ret_string); proto_item_append_text(pt, "\"%s\"", *ret_string); if (ret_item != NULL) *ret_item = pi; return 0; } /* int dissect_collectd_string */ static int dissect_collectd_integer (tvbuff_t *tvb, packet_info *pinfo, int type_hf, int offset, int *ret_offset, uint64_t *ret_value, proto_tree *tree_root, proto_item **ret_item) { proto_tree *pt; proto_item *pi; int type; int length; int size; size = tvb_reported_length_remaining (tvb, offset); if (size < 4) { /* This should never happen, because `dissect_collectd' checks * for this condition already. */ return (-1); } type = tvb_get_ntohs(tvb, offset); length = tvb_get_ntohs(tvb, offset + 2); if (size < 12) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_integer, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_expert_format(pt, pinfo, &ei_collectd_garbage, tvb, offset + 4, -1, "Garbage at end of packet: Length = %i ", size - 4); return (-1); } if (length != 12) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_integer, &pi, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); pi = proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Invalid length field for an integer part."); return (-1); } *ret_offset = offset + 4; *ret_value = tvb_get_ntoh64 (tvb, offset + 4); /* Convert the version 4.* time format to the version 5.* time format. */ if ((type == TYPE_TIME) || (type == TYPE_INTERVAL)) *ret_value *= 1073741824; /* Create an entry in the protocol tree for this part. The value is * printed depending on the "type" variable: TIME{,_HR} as absolute * time, INTERVAL{,_HR} as relative time, uint64 otherwise. */ if ((type == TYPE_TIME) || (type == TYPE_TIME_HR)) { nstime_t nstime; char *strtime; nstime = collectd_time_to_nstime (*ret_value); strtime = abs_time_to_str (pinfo->pool, &nstime, ABSOLUTE_TIME_LOCAL, /* show_zone = */ true); pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_integer, &pi, "collectd %s segment: %s", val_to_str_const (type, part_names, "UNKNOWN"), STR_NONNULL (strtime)); } else if ((type == TYPE_INTERVAL) || (type == TYPE_INTERVAL_HR)) { nstime_t nstime; char *strtime; nstime = collectd_time_to_nstime (*ret_value); strtime = rel_time_to_str (pinfo->pool, &nstime); pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_integer, &pi, "collectd %s segment: %s", val_to_str_const (type, part_names, "UNKNOWN"), strtime); } else { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_integer, &pi, "collectd %s segment: %"PRIu64, val_to_str_const (type, part_names, "UNKNOWN"), *ret_value); } if (ret_item != NULL) *ret_item = pi; proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); if ((type == TYPE_TIME) || (type == TYPE_INTERVAL) || (type == TYPE_TIME_HR) || (type == TYPE_INTERVAL_HR)) { nstime_t nstime; nstime = collectd_time_to_nstime (*ret_value); proto_tree_add_time (pt, type_hf, tvb, offset + 4, 8, &nstime); } else { proto_tree_add_item (pt, type_hf, tvb, offset + 4, 8, ENC_BIG_ENDIAN); } return 0; } /* int dissect_collectd_integer */ static void dissect_collectd_values(tvbuff_t *tvb, int msg_off, int val_cnt, proto_tree *collectd_tree) { proto_tree *values_tree, *value_tree; int i; values_tree = proto_tree_add_subtree_format(collectd_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_value, NULL, "%d value%s", val_cnt, plurality (val_cnt, "", "s")); for (i = 0; i < val_cnt; i++) { int value_offset; int value_type_offset; uint8_t value_type; /* Calculate the offsets of the type byte and the actual value. */ value_offset = msg_off + 6 + val_cnt /* value types */ + (i * 8); /* previous values */ value_type_offset = msg_off + 6 + i; value_type = tvb_get_uint8 (tvb, value_type_offset); switch (value_type) { case TYPE_VALUE_COUNTER: { uint64_t val64; val64 = tvb_get_ntoh64 (tvb, value_offset); value_tree = proto_tree_add_subtree_format(values_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_valinfo, NULL, "Counter: %"PRIu64, val64); proto_tree_add_item (value_tree, hf_collectd_val_type, tvb, value_type_offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item (value_tree, hf_collectd_val_counter, tvb, value_offset, 8, ENC_BIG_ENDIAN); break; } case TYPE_VALUE_GAUGE: { double val; val = tvb_get_letohieee_double (tvb, value_offset); value_tree = proto_tree_add_subtree_format(values_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_valinfo, NULL, "Gauge: %g", val); proto_tree_add_item (value_tree, hf_collectd_val_type, tvb, value_type_offset, 1, ENC_BIG_ENDIAN); /* Set the `little endian' flag to true here, because * collectd stores doubles in x86 representation. */ proto_tree_add_item (value_tree, hf_collectd_val_gauge, tvb, value_offset, 8, ENC_LITTLE_ENDIAN); break; } case TYPE_VALUE_DERIVE: { int64_t val64; val64 = tvb_get_ntoh64 (tvb, value_offset); value_tree = proto_tree_add_subtree_format(values_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_valinfo, NULL, "Derive: %"PRIi64, val64); proto_tree_add_item (value_tree, hf_collectd_val_type, tvb, value_type_offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item (value_tree, hf_collectd_val_derive, tvb, value_offset, 8, ENC_BIG_ENDIAN); break; } case TYPE_VALUE_ABSOLUTE: { uint64_t val64; val64 = tvb_get_ntoh64 (tvb, value_offset); value_tree = proto_tree_add_subtree_format(values_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_valinfo, NULL, "Absolute: %"PRIu64, val64); proto_tree_add_item (value_tree, hf_collectd_val_type, tvb, value_type_offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item (value_tree, hf_collectd_val_absolute, tvb, value_offset, 8, ENC_BIG_ENDIAN); break; } default: { uint64_t val64; val64 = tvb_get_ntoh64 (tvb, value_offset); value_tree = proto_tree_add_subtree_format(values_tree, tvb, msg_off + 6, val_cnt * 9, ett_collectd_valinfo, NULL, "Unknown: %"PRIx64, val64); proto_tree_add_item (value_tree, hf_collectd_val_type, tvb, value_type_offset, 1, ENC_BIG_ENDIAN); proto_tree_add_item (value_tree, hf_collectd_val_unknown, tvb, value_offset, 8, ENC_BIG_ENDIAN); break; } } /* switch (value_type) */ } /* for (i = 0; i < val_cnt; i++) */ } /* void dissect_collectd_values */ static int dissect_collectd_part_values (tvbuff_t *tvb, packet_info *pinfo, int offset, value_data_t *vdispatch, proto_tree *tree_root) { proto_tree *pt; proto_item *pi; int type; int length; int size; int values_count; int corrected_values_count; size = tvb_reported_length_remaining (tvb, offset); if (size < 4) { /* This should never happen, because `dissect_collectd' checks * for this condition already. */ return (-1); } type = tvb_get_ntohs (tvb, offset); length = tvb_get_ntohs (tvb, offset + 2); if (size < 15) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_part_value, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_expert_format(pt, pinfo, &ei_collectd_garbage, tvb, offset + 4, -1, "Garbage at end of packet: Length = %i ", size - 4); return (-1); } if ((length < 15) || ((length % 9) != 6)) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_part_value, &pi, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); pi = proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Invalid length field for a values part."); return (-1); } values_count = tvb_get_ntohs (tvb, offset + 4); corrected_values_count = (length - 6) / 9; if (values_count != corrected_values_count) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_part_value, NULL, "collectd %s segment: %d (%d) value%s ", val_to_str_const (type, part_names, "UNKNOWN"), values_count, corrected_values_count, plurality(values_count, "", "s")); } else { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_part_value, NULL, "collectd %s segment: %d value%s", val_to_str_const (type, part_names, "UNKNOWN"), values_count, plurality(values_count, "", "s")); } proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); pi = proto_tree_add_item (pt, hf_collectd_data_valcnt, tvb, offset + 4, 2, ENC_BIG_ENDIAN); if (values_count != corrected_values_count) expert_add_info(pinfo, pi, &ei_collectd_data_valcnt); values_count = corrected_values_count; dissect_collectd_values (tvb, offset, values_count, pt); collectd_proto_tree_add_assembled_metric (tvb, offset + 6, length - 6, vdispatch, pt); return 0; } /* void dissect_collectd_part_values */ static int dissect_collectd_signature (tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tree_root) { proto_item *pi; proto_tree *pt; int type; int length; int size; size = tvb_reported_length_remaining (tvb, offset); if (size < 4) { /* This should never happen, because `dissect_collectd' checks * for this condition already. */ return (-1); } type = tvb_get_ntohs (tvb, offset); length = tvb_get_ntohs (tvb, offset + 2); if (size < 36) /* remaining packet size too small for signature */ { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_signature, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_expert_format(pt, pinfo, &ei_collectd_garbage, tvb, offset + 4, -1, "Garbage at end of packet: Length = %i ", size - 4); return (-1); } if (length < 36) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_signature, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); pi = proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Invalid length field for a signature part."); return (-1); } pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_signature, NULL, "collectd %s segment: HMAC-SHA-256", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_item (pt, hf_collectd_data_sighash, tvb, offset + 4, 32, ENC_NA); proto_tree_add_item (pt, hf_collectd_data_username, tvb, offset + 36, length - 36, ENC_ASCII); return 0; } /* int dissect_collectd_signature */ static int dissect_collectd_encrypted (tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tree_root) { proto_item *pi; proto_tree *pt; int type; int length; int size; int username_length; size = tvb_reported_length_remaining (tvb, offset); if (size < 4) { /* This should never happen, because `dissect_collectd' checks * for this condition already. */ return (-1); } type = tvb_get_ntohs (tvb, offset); length = tvb_get_ntohs (tvb, offset + 2); if (size < 42) /* remaining packet size too small for signature */ { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_encryption, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_expert_format(pt, pinfo, &ei_collectd_garbage, tvb, offset + 4, -1, "Garbage at end of packet: Length = %i ", size - 4); return (-1); } if (length < 42) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_encryption, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); pi = proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Invalid length field for an encryption part."); return (-1); } username_length = tvb_get_ntohs (tvb, offset + 4); if (username_length > (length - 42)) { pt = proto_tree_add_subtree_format(tree_root, tvb, offset, -1, ett_collectd_encryption, NULL, "collectd %s segment: ", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); pi = proto_tree_add_uint (pt, hf_collectd_data_username_len, tvb, offset + 4, 2, length); expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Invalid username length field for an encryption part."); return (-1); } pt = proto_tree_add_subtree_format(tree_root, tvb, offset, length, ett_collectd_encryption, NULL, "collectd %s segment: AES-256", val_to_str_const (type, part_names, "UNKNOWN")); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, length); proto_tree_add_uint (pt, hf_collectd_data_username_len, tvb, offset + 4, 2, username_length); proto_tree_add_item (pt, hf_collectd_data_username, tvb, offset + 6, username_length, ENC_ASCII); proto_tree_add_item (pt, hf_collectd_data_initvec, tvb, offset + (6 + username_length), 16, ENC_NA); proto_tree_add_item (pt, hf_collectd_data_encrypted, tvb, offset + (22 + username_length), length - (22 + username_length), ENC_NA); return 0; } /* int dissect_collectd_encrypted */ static int stats_account_string (wmem_allocator_t *scope, string_counter_t **ret_list, const char *new_value) { string_counter_t *entry; if (ret_list == NULL) return (-1); if (new_value == NULL) new_value = "(null)"; for (entry = *ret_list; entry != NULL; entry = entry->next) if (strcmp (new_value, entry->string) == 0) { entry->count++; return 0; } entry = (string_counter_t *)wmem_alloc0 (scope, sizeof (*entry)); entry->string = wmem_strdup (scope, new_value); entry->count = 1; entry->next = *ret_list; *ret_list = entry; return 0; } static int dissect_collectd (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { static tap_data_t tap_data; int offset; int size; const uint8_t *pkt_host = NULL; int pkt_plugins = 0, pkt_values = 0, pkt_messages = 0, pkt_unknown = 0, pkt_errors = 0; value_data_t vdispatch; notify_data_t ndispatch; int status; proto_item *pi; proto_tree *collectd_tree; proto_tree *pt; memset(&vdispatch, '\0', sizeof(vdispatch)); memset(&ndispatch, '\0', sizeof(ndispatch)); col_set_str(pinfo->cinfo, COL_PROTOCOL, "collectd"); col_clear(pinfo->cinfo, COL_INFO); offset = 0; size = tvb_reported_length(tvb); /* create the collectd protocol tree */ pi = proto_tree_add_item(tree, proto_collectd, tvb, 0, -1, ENC_NA); collectd_tree = proto_item_add_subtree(pi, ett_collectd); memset (&tap_data, 0, sizeof (tap_data)); status = 0; while ((size > 0) && (status == 0)) { int part_type; int part_length; /* Let's handle the easy case first real quick: All we do here * is extract a host name and count the number of values, * plugins and notifications. The payload is not checked at * all, but the same checks are run on the part_length stuff - * it's important to keep an eye on that. */ if (!tree) { /* Check for garbage at end of packet. */ if (size < 4) { pkt_errors++; break; } part_type = tvb_get_ntohs (tvb, offset); part_length = tvb_get_ntohs (tvb, offset+2); /* Check if part_length is in the valid range. */ if ((part_length < 4) || (part_length > size)) { pkt_errors++; break; } switch (part_type) { case TYPE_HOST: vdispatch.host = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, part_length - 4, ENC_ASCII); if (pkt_host == NULL) pkt_host = vdispatch.host; break; case TYPE_TIME: case TYPE_TIME_HR: break; case TYPE_PLUGIN: vdispatch.plugin = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, part_length - 4, ENC_ASCII); pkt_plugins++; break; case TYPE_PLUGIN_INSTANCE: break; case TYPE_TYPE: vdispatch.type = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, part_length - 4, ENC_ASCII); break; case TYPE_TYPE_INSTANCE: break; case TYPE_INTERVAL: case TYPE_INTERVAL_HR: break; case TYPE_VALUES: { pkt_values++; tap_data.values_num++; stats_account_string (pinfo->pool, &tap_data.hosts, vdispatch.host); stats_account_string (pinfo->pool, &tap_data.plugins, vdispatch.plugin); stats_account_string (pinfo->pool, &tap_data.types, vdispatch.type); break; } case TYPE_MESSAGE: pkt_messages++; break; case TYPE_SEVERITY: break; default: pkt_unknown++; } offset += part_length; size -= part_length; continue; } /* if (!tree) */ /* Now we do the same steps again, but much more thoroughly. */ /* Check if there are at least four bytes left first. * Four bytes are used to read the type and the length * of the next part. If there's less, there's some garbage * at the end of the packet. */ if (size < 4) { proto_tree_add_expert_format(pi, pinfo, &ei_collectd_garbage, tvb, offset, -1, "Garbage at end of packet: Length = %i ", size); pkt_errors++; break; } /* dissect a message entry */ part_type = tvb_get_ntohs (tvb, offset); part_length = tvb_get_ntohs (tvb, offset + 2); /* Check if the length of the part is in the valid range. Don't * confuse this with the above: Here we check the information * provided in the packet.. */ if ((part_length < 4) || (part_length > size)) { pt = proto_tree_add_subtree_format(collectd_tree, tvb, offset, part_length, ett_collectd_invalid_length, NULL, "collectd %s segment: Length = %i ", val_to_str_const (part_type, part_names, "UNKNOWN"), part_length); proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, part_type); pi = proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, part_length); if (part_length < 4) expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Bad part length: Is %i, expected at least 4", part_length); else expert_add_info_format(pinfo, pi, &ei_collectd_invalid_length, "Bad part length: Larger than remaining packet size."); pkt_errors++; break; } /* The header information looks okay, let's tend to the actual * payload in this part. */ switch (part_type) { case TYPE_HOST: { status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_host, offset, &vdispatch.host_off, &vdispatch.host_len, &vdispatch.host, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; else { if (pkt_host == NULL) pkt_host = vdispatch.host; ndispatch.host_off = vdispatch.host_off; ndispatch.host_len = vdispatch.host_len; ndispatch.host = vdispatch.host; } break; } case TYPE_PLUGIN: { status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_plugin, offset, &vdispatch.plugin_off, &vdispatch.plugin_len, &vdispatch.plugin, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; else pkt_plugins++; break; } case TYPE_PLUGIN_INSTANCE: { status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_plugin_inst, offset, &vdispatch.plugin_instance_off, &vdispatch.plugin_instance_len, &vdispatch.plugin_instance, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; break; } case TYPE_TYPE: { status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_type, offset, &vdispatch.type_off, &vdispatch.type_len, &vdispatch.type, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; break; } case TYPE_TYPE_INSTANCE: { status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_type_inst, offset, &vdispatch.type_instance_off, &vdispatch.type_instance_len, &vdispatch.type_instance, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; break; } case TYPE_TIME: case TYPE_TIME_HR: { pi = NULL; status = dissect_collectd_integer (tvb, pinfo, hf_collectd_data_time, offset, &vdispatch.time_off, &vdispatch.time_value, collectd_tree, &pi); if (status != 0) pkt_errors++; break; } case TYPE_INTERVAL: case TYPE_INTERVAL_HR: { status = dissect_collectd_integer (tvb, pinfo, hf_collectd_data_interval, offset, &vdispatch.interval_off, &vdispatch.interval, collectd_tree, /* item = */ NULL); if (status != 0) pkt_errors++; break; } case TYPE_VALUES: { status = dissect_collectd_part_values (tvb, pinfo, offset, &vdispatch, collectd_tree); if (status != 0) pkt_errors++; else pkt_values++; tap_data.values_num++; stats_account_string (pinfo->pool, &tap_data.hosts, vdispatch.host); stats_account_string (pinfo->pool, &tap_data.plugins, vdispatch.plugin); stats_account_string (pinfo->pool, &tap_data.types, vdispatch.type); break; } case TYPE_MESSAGE: { pi = NULL; status = dissect_collectd_string (tvb, pinfo, hf_collectd_data_message, offset, &ndispatch.message_off, &ndispatch.message_len, &ndispatch.message, collectd_tree, &pi); if (status != 0) { pkt_errors++; break; } pkt_messages++; pt = proto_item_get_subtree (pi); collectd_proto_tree_add_assembled_notification (tvb, offset + 4, part_length - 1, &ndispatch, pt); break; } case TYPE_SEVERITY: { pi = NULL; status = dissect_collectd_integer (tvb, pinfo, hf_collectd_data_severity, offset, &ndispatch.severity_off, &ndispatch.severity, collectd_tree, &pi); if (status != 0) pkt_errors++; else { proto_item_set_text (pi, "collectd SEVERITY segment: " "%s (%"PRIu64")", val64_to_str_const (ndispatch.severity, severity_names, "UNKNOWN"), ndispatch.severity); } break; } case TYPE_SIGN_SHA256: { status = dissect_collectd_signature (tvb, pinfo, offset, collectd_tree); if (status != 0) pkt_errors++; break; } case TYPE_ENCR_AES256: { status = dissect_collectd_encrypted (tvb, pinfo, offset, collectd_tree); if (status != 0) pkt_errors++; break; } default: { pkt_unknown++; pt = proto_tree_add_subtree_format(collectd_tree, tvb, offset, part_length, ett_collectd_unknown, NULL, "collectd %s segment: %i bytes", val_to_str_const(part_type, part_names, "UNKNOWN"), part_length); pi = proto_tree_add_uint (pt, hf_collectd_type, tvb, offset, 2, part_type); proto_tree_add_uint (pt, hf_collectd_length, tvb, offset + 2, 2, part_length); proto_tree_add_item (pt, hf_collectd_data, tvb, offset + 4, part_length - 4, ENC_NA); expert_add_info_format(pinfo, pi, &ei_collectd_type, "Unknown part type %#x. Cannot decode data.", part_type); } } /* switch (part_type) */ offset += part_length; size -= part_length; } /* while ((size > 4) && (status == 0)) */ if (pkt_errors && pkt_unknown) col_add_fstr (pinfo->cinfo, COL_INFO, "Host=%s, %2d value%s for %d plugin%s %d message%s %d unknown, %d error%s", pkt_host, pkt_values, plurality (pkt_values, " ", "s"), pkt_plugins, plurality (pkt_plugins, ", ", "s,"), pkt_messages, plurality (pkt_messages, ", ", "s,"), pkt_unknown, pkt_errors, plurality (pkt_errors, "", "s")); else if (pkt_errors) col_add_fstr (pinfo->cinfo, COL_INFO, "Host=%s, %2d value%s for %d plugin%s %d message%s %d error%s", pkt_host, pkt_values, plurality (pkt_values, " ", "s"), pkt_plugins, plurality (pkt_plugins, ", ", "s,"), pkt_messages, plurality (pkt_messages, ", ", "s,"), pkt_errors, plurality (pkt_errors, "", "s")); else if (pkt_unknown) col_add_fstr (pinfo->cinfo, COL_INFO, "Host=%s, %2d value%s for %d plugin%s %d message%s %d unknown", pkt_host, pkt_values, plurality (pkt_values, " ", "s"), pkt_plugins, plurality (pkt_plugins, ", ", "s,"), pkt_messages, plurality (pkt_messages, ", ", "s,"), pkt_unknown); else col_add_fstr (pinfo->cinfo, COL_INFO, "Host=%s, %2d value%s for %d plugin%s %d message%s", pkt_host, pkt_values, plurality (pkt_values, " ", "s"), pkt_plugins, plurality (pkt_plugins, ", ", "s,"), pkt_messages, plurality (pkt_messages, "", "s")); /* Dispatch tap data. */ tap_queue_packet (tap_collectd, pinfo, &tap_data); return tvb_captured_length(tvb); } /* void dissect_collectd */ void proto_register_collectd(void) { expert_module_t* expert_collectd; /* Setup list of header fields */ static hf_register_info hf[] = { { &hf_collectd_type, { "Type", "collectd.type", FT_UINT16, BASE_HEX, VALS(part_names), 0x0, NULL, HFILL } }, { &hf_collectd_length, { "Length", "collectd.len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data, { "Payload", "collectd.data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_host, { "Host name", "collectd.data.host", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_interval, { "Interval", "collectd.data.interval", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_time, { "Timestamp", "collectd.data.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_plugin, { "Plugin", "collectd.data.plugin", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_plugin_inst, { "Plugin instance", "collectd.data.plugin.inst", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_type, { "Type", "collectd.data.type", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_type_inst, { "Type instance", "collectd.data.type.inst", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_valcnt, { "Value count", "collectd.data.valcnt", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_val_type, { "Value type", "collectd.val.type", FT_UINT8, BASE_HEX, VALS(valuetypenames), 0x0, NULL, HFILL } }, { &hf_collectd_val_counter, { "Counter value", "collectd.val.counter", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_val_gauge, { "Gauge value", "collectd.val.gauge", FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_val_derive, { "Derive value", "collectd.val.derive", FT_INT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_val_absolute, { "Absolute value", "collectd.val.absolute", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_val_unknown, { "Value of unknown type", "collectd.val.unknown", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_severity, { "Severity", "collectd.data.severity", FT_UINT64, BASE_HEX | BASE_VAL64_STRING, VALS64(severity_names), 0x0, NULL, HFILL } }, { &hf_collectd_data_message, { "Message", "collectd.data.message", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_sighash, { "Signature", "collectd.data.sighash", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_initvec, { "Init vector", "collectd.data.initvec", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_username_len, { "Username length", "collectd.data.username_length", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_username, { "Username", "collectd.data.username", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_collectd_data_encrypted, { "Encrypted data", "collectd.data.encrypted", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, }; /* Setup protocol subtree array */ static int *ett[] = { &ett_collectd, &ett_collectd_string, &ett_collectd_integer, &ett_collectd_part_value, &ett_collectd_value, &ett_collectd_valinfo, &ett_collectd_signature, &ett_collectd_encryption, &ett_collectd_dispatch, &ett_collectd_invalid_length, &ett_collectd_unknown, }; static ei_register_info ei[] = { { &ei_collectd_invalid_length, { "collectd.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }}, { &ei_collectd_garbage, { "collectd.garbage", PI_MALFORMED, PI_ERROR, "Garbage at end of packet", EXPFILL }}, { &ei_collectd_data_valcnt, { "collectd.data.valcnt.mismatch", PI_MALFORMED, PI_WARN, "Number of values and length of part do not match. Assuming length is correct.", EXPFILL }}, { &ei_collectd_type, { "collectd.type.unknown", PI_UNDECODED, PI_NOTE, "Unknown part type", EXPFILL }}, }; /* Register the protocol name and description */ proto_collectd = proto_register_protocol("collectd network data", "collectd", "collectd"); /* Required function calls to register the header fields and subtrees used */ proto_register_field_array(proto_collectd, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); expert_collectd = expert_register_protocol(proto_collectd); expert_register_field_array(expert_collectd, ei, array_length(ei)); tap_collectd = register_tap ("collectd"); collectd_handle = register_dissector("collectd", dissect_collectd, proto_collectd); } void proto_reg_handoff_collectd (void) { dissector_add_uint_with_preference("udp.port", UDP_PORT_COLLECTD, collectd_handle); collectd_stats_tree_register (); } /* void proto_reg_handoff_collectd */ /* * Editor modelines - https://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 8 * tab-width: 8 * indent-tabs-mode: t * End: * * vi: set shiftwidth=8 tabstop=8 noexpandtab: * :indentSize=8:tabSize=8:noTabs=false: */