1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
/* packet-oicq.c
* Routines for OICQ - IM software,popular in China - packet dissection
* (c) Copyright Secfire <secfire@gmail.com>
*
* OICQ is an IM software,which is popular in China. And,
* OICQ has more than 10 millions users at present.
* The Protocol showed in this file, is found by investigating OICQ's
* Packets as a black box.
*
* The OICQ client software is always changing,and the protocol of
* communication is also.
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <epan/packet.h>
void proto_register_oicq(void);
void proto_reg_handoff_oicq(void);
static dissector_handle_t oicq_handle;
/*
Protocol Flag: 8bit unsigned
Sender Flag: 16bit unsigned
Command Number: 16bit unsigned
Sequence Number: 16bit unsigned
OICQ Number: 32bit unsigned
Data: Variable Length data
*
*/
/* By default, but can be completely different */
#define UDP_PORT_OICQ 8000 /* Not IANA regisrered */
static int proto_oicq = -1;
static int hf_oicq_flag = -1;
static int hf_oicq_version = -1;
static int hf_oicq_command = -1;
static int hf_oicq_seq = -1;
static int hf_oicq_qqid = -1;
static int hf_oicq_data = -1;
static gint ett_oicq = -1;
static const value_string oicq_flag_vals[] = {
{ 0x02, "Oicq packet" },
{ 0, NULL }
};
static const value_string oicq_command_vals[] = {
{ 0x0001, "Log out" },
{ 0x0002, "Heart Message" },
{ 0x0004, "Update User information" },
{ 0x0005, "Search user" },
{ 0x0006, "Get User informationBroadcast" },
{ 0x0009, "Add friend no auth" },
{ 0x000a, "Delete user" },
{ 0x000b, "Add friend by auth" },
{ 0x000d, "Set status" },
{ 0x0012, "Confirmation of receiving message from server" },
{ 0x0016, "Send message" },
{ 0x0017, "Receive message" },
{ 0x0018, "Retrieve information" },
{ 0x001a, "Reserved " },
{ 0x001c, "Delete Me" },
{ 0x001d, "Request KEY" },
{ 0x0021, "Cell Phone" },
{ 0x0022, "Log in" },
{ 0x0026, "Get friend list" },
{ 0x0027, "Get friend online" },
{ 0x0029, "Cell PHONE" },
{ 0x0030, "Operation on group" },
{ 0x0031, "Log in test" },
{ 0x003c, "Group name operation" },
{ 0x003d, "Upload group friend" },
{ 0x003e, "MEMO Operation" },
{ 0x0058, "Download group friend" },
{ 0x005c, "Get level" },
{ 0x0062, "Request login" },
{ 0x0065, "Request extra information" },
{ 0x0067, "Signature operation" },
{ 0x0080, "Receive system message" },
{ 0x0081, "Get status of friend" },
{ 0x00b5, "Get friend's status of group" },
{ 0x03f7, "Withdraw message" },
{ 0, NULL }
};
/* dissect_oicq - dissects oicq packet data
* tvb - tvbuff for packet data (IN)
* pinfo - packet info
* proto_tree - resolved protocol tree
*/
static int
dissect_oicq(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
proto_tree *oicq_tree;
proto_item *ti;
int offset = 0;
/* Make sure this packet is for us. */
/* heuristic: OICQ iff (([0] == STX) && ([3/4] == <valid_command>) ) */
/* (Supposedly each OICQ message ends with an ETX so a test for */
/* same could also be part of the heuristic). */
if ( (try_val_to_str(tvb_get_guint8(tvb, 0), oicq_flag_vals) == NULL) ||
(try_val_to_str(tvb_get_ntohs(tvb, 3), oicq_command_vals) == NULL) )
return 0;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "OICQ");
col_set_str(pinfo->cinfo, COL_INFO, "OICQ Protocol ");
if (tree) {
ti = proto_tree_add_item(tree, proto_oicq, tvb, 0, -1, ENC_NA);
oicq_tree = proto_item_add_subtree(ti, ett_oicq);
proto_tree_add_item(oicq_tree, hf_oicq_flag, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_item(oicq_tree, hf_oicq_version, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(oicq_tree, hf_oicq_command, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(oicq_tree, hf_oicq_seq, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(oicq_tree, hf_oicq_qqid, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
proto_tree_add_item(oicq_tree, hf_oicq_data, tvb, offset, -1, ENC_ASCII);
}
return tvb_captured_length(tvb);
}
void
proto_register_oicq(void)
{
static hf_register_info hf[] = {
{ &hf_oicq_flag, {
"Flag", "oicq.flag", FT_UINT8, BASE_HEX,
VALS(oicq_flag_vals), 0, "Protocol Flag", HFILL }},
{ &hf_oicq_version, {
"Version", "oicq.version", FT_UINT16, BASE_HEX,
NULL, 0, "Version-zz", HFILL }},
{ &hf_oicq_command, {
"Command", "oicq.command", FT_UINT16, BASE_DEC,
VALS(oicq_command_vals), 0, NULL, HFILL }},
{ &hf_oicq_seq, {
"Sequence", "oicq.seq", FT_UINT16, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_oicq_qqid, {
"Data(OICQ Number,if sender is client)", "oicq.qqid", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_oicq_data, {
"Data", "oicq.data", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
};
static gint *ett[] = {
&ett_oicq,
};
proto_oicq = proto_register_protocol("OICQ - IM software, popular in China", "OICQ", "oicq");
proto_register_field_array(proto_oicq, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
oicq_handle = register_dissector("oicq", dissect_oicq, proto_oicq);
}
void
proto_reg_handoff_oicq(void)
{
dissector_add_uint_with_preference("udp.port", UDP_PORT_OICQ, oicq_handle);
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 8
* tab-width: 8
* indent-tabs-mode: t
* End:
*
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
* :indentSize=8:tabSize=8:noTabs=false:
*/
|