/* reassemble.h * Declarations of outines for {fragment,segment} reassembly * * $Id: reassemble.h 24642 2008-03-15 20:14:29Z guy $ * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* make sure that all flags that are set in a fragment entry is also set for * the flags field of fd_head !!! */ /* only in fd_head: packet is defragmented */ #define FD_DEFRAGMENTED 0x0001 /* there are overlapping fragments */ #define FD_OVERLAP 0x0002 /* overlapping fragments contain different data */ #define FD_OVERLAPCONFLICT 0x0004 /* more than one fragment which indicates end-of data */ #define FD_MULTIPLETAILS 0x0008 /* fragment contains data past the end of the datagram */ #define FD_TOOLONGFRAGMENT 0x0010 /* fragment data not alloced, fd->data pointing to fd_head->data+fd->offset */ #define FD_NOT_MALLOCED 0x0020 /* this flag is used to request fragment_add to continue the reassembly process */ #define FD_PARTIAL_REASSEMBLY 0x0040 /* fragment offset is indicated by sequence number and not byte offset into the defragmented packet */ #define FD_BLOCKSEQUENCE 0x0100 /* if REASSEMBLE_FLAGS_CHECK_DATA_PRESENT is set, and the first fragment is * incomplete, this flag is set in the flags word on the fd_head returned. * * It's all a fudge to preserve historical behaviour. */ #define FD_DATA_NOT_PRESENT 0x0200 /* This flag is set in the to denote that datalen has ben set to a valid value. * It's implied by FD_DEFRAGMENTED (we must know the total length of the * datagram if we have defragmented it...) */ #define FD_DATALEN_SET 0x0400 typedef struct _fragment_data { struct _fragment_data *next; guint32 frame; guint32 offset; guint32 len; guint32 datalen; /* Only valid in first item of list and when * flags&FD_DATALEN_SET is set; * number of bytes or (if flags&FD_BLOCKSEQUENCE set) * segments in the datagram */ guint32 reassembled_in; /* frame where this PDU was reassembled, only valid in the first item of the list and when FD_DEFRAGMENTED is set*/ guint32 flags; unsigned char *data; } fragment_data; /* * Flags for fragment_add_seq_* */ /* we don't have any sequence numbers - fragments are assumed to appear in * order */ #define REASSEMBLE_FLAGS_NO_FRAG_NUMBER 0x0001 /* a special fudge for the 802.11 dissector */ #define REASSEMBLE_FLAGS_802_11_HACK 0x0002 /* causes fragment_add_seq_key to check that all the fragment data is present * in the tvb, and if not, do something a bit odd. */ #define REASSEMBLE_FLAGS_CHECK_DATA_PRESENT 0x0004 /* a function for copying hash keys */ typedef void *(*fragment_key_copier)(const void *key); /* * Initialize a fragment table. */ extern void fragment_table_init(GHashTable **fragment_table); extern void dcerpc_fragment_table_init(GHashTable **fragment_table); /* * Initialize a reassembled-packet table. */ extern void reassembled_table_init(GHashTable **reassembled_table); /* * Free up all space allocated for fragment keys and data. */ void reassemble_init(void); /* * This function adds a new fragment to the fragment hash table. * If this is the first fragment seen for this datagram, a new entry * is created in the hash table, otherwise this fragment is just added * to the linked list of fragments for this packet. * The list of fragments for a specific datagram is kept sorted for * easier handling. * * Returns a pointer to the head of the fragment data list if we have all the * fragments, NULL otherwise. */ extern fragment_data *fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, guint32 frag_offset, guint32 frag_data_len, gboolean more_frags); extern fragment_data *fragment_add_multiple_ok(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, guint32 frag_offset, guint32 frag_data_len, gboolean more_frags); /* * This routine extends fragment_add to use a "reassembled_table". * * If, after processing this fragment, we have all the fragments, they * remove that from the fragment hash table if necessary and add it * to the table of reassembled fragments, and return a pointer to the * head of the fragment list. */ extern fragment_data *fragment_add_check(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, GHashTable *reassembled_table, guint32 frag_offset, guint32 frag_data_len, gboolean more_frags); /* same as fragment_add() but this one assumes frag_number is a block sequence number. note that frag_number is 0 for the first fragment. */ /* * These functions add a new fragment to the fragment hash table, * assuming that frag_number is a block sequence number (starting from zero for * the first fragment of each datagram). * * If this is the first fragment seen for this datagram, a new * "fragment_data" structure is allocated to refer to the reassembled * packet, and: * * if "more_frags" is false, and either we have no sequence numbers, or * are using the 802.11 hack, it is assumed that this is the only fragment * in the datagram. The structure is not added to the hash * table, and not given any fragments to refer to, but is just returned. * * In this latter case reassembly wasn't done (since there was only one * fragment in the packet); dissectors can check the 'next' pointer on the * returned list to see if this case was hit or not. * * Otherwise, this fragment is just added to the linked list of fragments * for this packet; the fragment_data is also added to the fragment hash if * necessary. * * If this packet completes assembly, these functions return the head of the * fragment data; otherwise, they return null. */ /* "key" should be an arbitrary key used for indexing the fragment hash; * "key_copier" is called to copy the key to a more appropriate store before * inserting a new entry to the hash. */ extern fragment_data * fragment_add_seq_key(tvbuff_t *tvb, int offset, packet_info *pinfo, void *key, fragment_key_copier key_copier, GHashTable *fragment_table, guint32 frag_number, guint32 frag_data_len, gboolean more_frags, guint32 flags); /* a wrapper for fragment_add_seq_key - uses a key of source, dest and frame number */ extern fragment_data *fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, guint32 frag_number, guint32 frag_data_len, gboolean more_frags); /* another wrapper for fragment_add_seq_key - uses a key of source, dest, frame * number and act_id */ extern fragment_data * fragment_add_dcerpc_dg(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, void *act_id, GHashTable *fragment_table, guint32 frag_number, guint32 frag_data_len, gboolean more_frags); /* * These routines extend fragment_add_seq_key to use a "reassembled_table". * * If, after processing this fragment, we have all the fragments, they * remove that from the fragment hash table if necessary and add it * to the table of reassembled fragments, and return a pointer to the * head of the fragment list. */ extern fragment_data * fragment_add_seq_check(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, GHashTable *reassembled_table, guint32 frag_number, guint32 frag_data_len, gboolean more_frags); extern fragment_data * fragment_add_seq_802_11(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, GHashTable *reassembled_table, guint32 frag_number, guint32 frag_data_len, gboolean more_frags); extern fragment_data * fragment_add_seq_next(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id, GHashTable *fragment_table, GHashTable *reassembled_table, guint32 frag_data_len, gboolean more_frags); extern void fragment_start_seq_check(packet_info *pinfo, guint32 id, GHashTable *fragment_table, guint32 tot_len); extern fragment_data * fragment_end_seq_next(packet_info *pinfo, guint32 id, GHashTable *fragment_table, GHashTable *reassembled_table); /* to specify how much to reassemble, for fragmentation where last fragment can not be * identified by flags or such. * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment. * i.e. since the block numbers start at 0, if we specify tot_len==2, that * actually means we want to defragment 3 blocks, block 0, 1 and 2. * */ extern void fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table, guint32 tot_len); /* to resad whatever totlen previously set */ extern guint32 fragment_get_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table); /* * This function will set the partial reassembly flag(FD_PARTIAL_REASSEMBLY) for a fh. * When this function is called, the fh MUST already exist, i.e. * the fh MUST be created by the initial call to fragment_add() before * this function is called. Also note that this function MUST be called to indicate * a fh will be extended (increase the already stored data). After calling this function, * and if FD_DEFRAGMENTED is set, the reassembly process will be continued. */ extern void fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table); /* This function is used to check if there is partial or completed reassembly state * matching this packet. I.e. Are there reassembly going on or not for this packet? */ extern fragment_data * fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table); /* The same for the reassemble table */ /* id *must* be the frame number for this to work! */ extern fragment_data * fragment_get_reassembled(packet_info *pinfo, guint32 id, GHashTable *reassembled_table); extern fragment_data * fragment_get_reassembled_id(packet_info *pinfo, guint32 id, GHashTable *reassembled_table); /* This will free up all resources and delete reassembly state for this PDU. * Except if the PDU is completely reassembled, then it would NOT deallocate the * buffer holding the reassembled data but instead return the pointer to that * buffer. * * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to * g_free() that buffer. */ extern unsigned char * fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table); /* hf_fragment, hf_fragment_error, and hf_reassembled_in should be FT_FRAMENUM, the others should be FT_BOOLEAN */ typedef struct _fragment_items { gint *ett_fragment; gint *ett_fragments; int *hf_fragments; int *hf_fragment; int *hf_fragment_overlap; int *hf_fragment_overlap_conflict; int *hf_fragment_multiple_tails; int *hf_fragment_too_long_fragment; int *hf_fragment_error; int *hf_reassembled_in; const char *tag; } fragment_items; extern tvbuff_t * process_reassembled_data(tvbuff_t *tvb, int offset, packet_info *pinfo, const char *name, fragment_data *fd_head, const fragment_items *fit, gboolean *update_col_infop, proto_tree *tree); extern gboolean show_fragment_tree(fragment_data *ipfd_head, const fragment_items *fit, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi); extern gboolean show_fragment_seq_tree(fragment_data *ipfd_head, const fragment_items *fit, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi);