Ethereal-dev: Re: [ethereal-dev] AH protocol, newbie questions
From: Johan Sultan <johans@xxxxxxxxxx>
Date: Mon, 15 Feb 1999 13:03:24 +0100 (CET)
On Thu, 11 Feb 1999, Brian Craft wrote: > hey -- I was just hacking ethereal so I could browse AH > packets (rfc2502). > > I don't really know what I'm doing, but I'm including a patch which > sorta works (in transport mode) & a capture of a few pings over AH. > Seems like you missed my previous posting, I have a working implementation of both ESP and AH. It has just been finished (I tested your dump too), and it seems to be working. I have the patch down here, you can continue on my code, or merge them or do whatever you want, just let me know if you make any more progress, since I will be using IPSec in the near future and need to be able to capture those packets. What i think works: AH and ESP in both tunnel and transport mode What does not work: You cannot "follow TCP stream" with ah-signed packets. I noticed some small differences in our implementations, most notably the names that are used for the fields (I used the names from the RFCs), but other than that it seems we did it the same way. /Johan Sultan johan.sultan@xxxxxxxxxxx

diff -uNr ethereal-0.5.1/Makefile.am myeth/Makefile.am
--- ethereal-0.5.1/Makefile.am Mon Jan 4 02:13:01 1999
+++ myeth/Makefile.am Mon Feb 15 12:59:40 1999
@@ -29,6 +29,7 @@
 packet-ip.c \
 packet-ipv6.c \
 packet-ipx.c \
+ packet-ipsec.c \
 packet-nbipx.c \
 packet-nbns.c \
 packet-ncp.c \
@@ -61,6 +62,7 @@
 packet-dns.h \
 packet-ipv6.h \
 packet-ipx.h \
+ packet-ipsec.h \
 packet-ncp.h \
 packet-ospf.h \
 packet-rip.h \
diff -uNr ethereal-0.5.1/packet-ip.c myeth/packet-ip.c
--- ethereal-0.5.1/packet-ip.c Tue Dec 29 05:08:20 1998
+++ myeth/packet-ip.c Sun Jan 31 15:27:05 1999
@@ -390,6 +390,8 @@
 {IP_PROTO_IGMP, "IGMP"},
 {IP_PROTO_TCP, "TCP" },
 {IP_PROTO_UDP, "UDP" },
+ {IP_PROTO_ESP, "ESP" },
+ {IP_PROTO_AH, "AH" },
 {IP_PROTO_OSPF, "OSPF"},
 {0, NULL } };
 static const value_string precedence_vals[] = {
@@ -418,6 +420,8 @@
 case IP_PROTO_IGMP:
 case IP_PROTO_TCP:
 case IP_PROTO_UDP:
+ case IP_PROTO_ESP:
+ case IP_PROTO_AH:
 case IP_PROTO_OSPF:
 /* Names are set in the associated dissect_* routines */
 break;
@@ -550,6 +554,12 @@
 break;
 case IP_PROTO_UDP:
 dissect_udp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_ESP:
+ dissect_esp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_AH:
+ dissect_ah(pd, offset, fd, tree);
 break;
 case IP_PROTO_OSPF:
 dissect_ospf(pd, offset, fd, tree);
diff -uNr ethereal-0.5.1/packet-ipsec.c myeth/packet-ipsec.c
--- ethereal-0.5.1/packet-ipsec.c Thu Jan 1 01:00:00 1970
+++ myeth/packet-ipsec.c Mon Feb 15 09:47:20 1999
@@ -0,0 +1,144 @@
+/* packet-ipsec.c
+ * Routines for IPSec packet disassembly
+ *
+ * Johan Sultan <johan.sultan@xxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <gtk/gtk.h>
+
+#include <stdio.h>
+
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+# include <netinet/in.h>
+#endif
+
+#include "ethereal.h"
+#include "packet.h"
+#include "packet-ipsec.h"
+#include "resolv.h"
+
+void
+dissect_esp(const u_char *pd, int offset, frame_data *fd, GtkTree *tree) {
+ esp_h eh;
+ guint32 spi,seq;
+
+ GtkWidget *esp_tree, *ti;
+
+ memcpy(&eh, &pd[offset], sizeof(esp_h));
+ spi = ntohl(eh.spi);
+ seq = ntohl(eh.seq_nr);
+
+ if (check_col(fd, COL_PROTOCOL))
+ col_add_str(fd, COL_PROTOCOL, "ESP");
+ if (check_col(fd, COL_INFO))
+ col_add_fstr(fd, COL_INFO, "SPI: %u SEQ: %u", spi,seq);
+
+ if (tree) {
+ ti = add_item_to_tree(GTK_WIDGET(tree), offset, 8,
+ "Encapsulating Security Payload");
+ esp_tree = gtk_tree_new();
+ add_subtree(ti, esp_tree, ETT_ESP);
+ add_item_to_tree(esp_tree,offset,4, "Security parameters index: %u", spi);
+ add_item_to_tree(esp_tree,offset+4,4, "Sequence number: %u", seq);
+ }
+
+ dissect_data(pd, offset+8, fd, tree);
+}
+
+
+void
+dissect_ah(const u_char *pd, int offset, frame_data *fd, GtkTree *tree) {
+ ah_h ah;
+ guint32 spi,seq;
+ guint8 nh,pl;
+
+ static const value_string proto_vals[] = { {IP_PROTO_ICMP, "ICMP"},
+ {IP_PROTO_IGMP, "IGMP"},
+ {IP_PROTO_TCP, "TCP" },
+ {IP_PROTO_UDP, "UDP" },
+ {IP_PROTO_ESP, "ESP" },
+ {IP_PROTO_AH, "AH" },
+ {IP_PROTO_OSPF, "OSPF"},
+ {0, NULL } };
+
+
+ GtkWidget *ah_tree, *ti;
+
+ memcpy(&ah, &pd[offset], sizeof(ah_h));
+ spi = ntohl(ah.spi);
+ seq = ntohl(ah.seq_nr);
+ nh = ah.next_header;
+ pl = ah.payload_len;
+
+ if (check_col(fd, COL_PROTOCOL))
+ col_add_str(fd, COL_PROTOCOL, "AH");
+ if (check_col(fd, COL_INFO))
+ col_add_fstr(fd, COL_INFO, "SPI: %u SEQ: %u", spi,seq);
+
+ if (tree) {
+ ti = add_item_to_tree(GTK_WIDGET(tree), offset, (pl+2)*4,
+ "Authentication Header");
+ ah_tree = gtk_tree_new();
+ add_subtree(ti, ah_tree, ETT_AH);
+ add_item_to_tree(ah_tree,offset,1, "Next header: %s (%u)",
+ val_to_str(nh, proto_vals, "Unknown (%u)"),nh);
+ add_item_to_tree(ah_tree,offset+1,1, "Payload length: %u", nh);
+ add_item_to_tree(ah_tree,offset+4,4, "Security parameters index: %u", spi);
+ add_item_to_tree(ah_tree,offset+8,4, "Sequence number: %u", seq);
+ add_item_to_tree(ah_tree,offset+12,(pl-1)*4, "Authentication data");
+ }
+
+
+ offset+=12+(pl-1)*4;
+
+ switch (nh) {
+ case IP_PROTO_IP: /* Tunnel mode */
+ dissect_ip(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_ICMP:
+ dissect_icmp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_IGMP:
+ dissect_igmp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_TCP:
+ dissect_tcp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_UDP:
+ dissect_udp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_ESP:
+ dissect_esp(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_AH: /* Is this allowed? */
+ dissect_ah(pd, offset, fd, tree);
+ break;
+ case IP_PROTO_OSPF:
+ dissect_ospf(pd, offset, fd, tree);
+ break;
+ default:
+ dissect_data(pd, offset, fd, tree);
+ }
+}
diff -uNr ethereal-0.5.1/packet-ipsec.h myeth/packet-ipsec.h
--- ethereal-0.5.1/packet-ipsec.h Thu Jan 1 01:00:00 1970
+++ myeth/packet-ipsec.h Mon Feb 15 09:44:13 1999
@@ -0,0 +1,31 @@
+/*
+ * Routines for IPSec packet disassembly
+ * Johan Sultan (johan.sultan@xxxxxxxxxxx)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+typedef struct _ip_esp_h {
+ guint32 spi;
+ guint32 seq_nr;
+ } esp_h;
+
+typedef struct _ip_ah_h {
+ guint8 next_header;
+ guint8 payload_len;
+ guint16 reserved;
+ guint32 spi;
+ guint32 seq_nr;
+ } ah_h;
diff -uNr ethereal-0.5.1/packet.h myeth/packet.h
--- ethereal-0.5.1/packet.h Sat Jan 2 22:22:32 1999
+++ myeth/packet.h Sun Jan 31 17:11:03 1999
@@ -277,8 +277,11 @@
 #define IP_PROTO_ICMP 1
 #define IP_PROTO_IGMP 2
+#define IP_PROTO_IP 4 /* IP in IP encapsulation */
 #define IP_PROTO_TCP 6
 #define IP_PROTO_UDP 17
+#define IP_PROTO_ESP 50 /* Encapsulating security payload (rfc2406) */
+#define IP_PROTO_AH 51 /* Authentication header (rfc2402) */
 #define IP_PROTO_OSPF 89
 /* Null/loopback structs and definitions */
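Review bot: The tree branch of dissect_ah labels the payload-length item with the wrong variable: `add_item_to_tree(ah_tree,offset+1,1, "Payload length: %u", nh);` prints the next-header byte and should read `add_item_to_tree(ah_tree,offset+1,1, "Payload length: %u", pl);`. Neither dissector bounds-checks its header read: `memcpy(&ah, &pd[offset], sizeof(ah_h))` and `memcpy(&eh, &pd[offset], sizeof(esp_h))` copy 12 and 8 bytes without comparing `offset` plus the header size against the frame's captured length, and the packet-supplied AH length `(pl+2)*4` then drives both the tree item and the `offset+=12+(pl-1)*4` advance with no check against the capture either, so a truncated or malformed frame reads past the end of `pd`. A `pl` of 0 additionally makes `(pl-1)*4` negative, because the fixed header alone is 12 bytes (`pl` of 1); `if (pl < 1) { dissect_data(pd, offset, fd, tree); return; }` before the tree branch keeps that case on the generic data path. The `proto_vals` table in dissect_ah duplicates the one packet-ip.c carries for the same protocol numbers, so one shared table would keep them from drifting. The `case IP_PROTO_AH: /* Is this allowed? */` recursion is only safe once the length checks above stop it on truncated data, since each nested level trusts its own `pl` afresh.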
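Review bot: packet-ipsec.h has no include guard, so a second inclusion redefines `esp_h` and `ah_h`; wrapping the typedefs in `#ifndef PACKET_IPSEC_H` / `#define PACKET_IPSEC_H` … `#endif` avoids that. The structs also deserve a comment stating that they mirror the wire layout, with `ah_h` 12 bytes (1+1+2+4+4, naturally aligned, so no padding) and `esp_h` 8 bytes, because packet-ipsec.c hard-codes those 12 and 8 rather than using `sizeof`; a one-line `/* wire layout of the AH fixed header, 12 bytes; fields are network byte order */` on each struct makes that dependency visible. The header uses `guint8`/`guint16`/`guint32` without including anything, so it compiles only after a glib header; noting that in the header comment would spare the next includer a surprise.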
@@ -401,6 +404,8 @@
 ETT_IP_OPTION_TIMESTAMP,
 ETT_IP_TOS,
 ETT_IP_OFF,
+ ETT_ESP,
+ ETT_AH,
 ETT_UDP,
 ETT_TCP,
 ETT_TCP_OPTIONS,
@@ -541,12 +546,14 @@
 * They should never modify the packet data.
 */
 void dissect_aarp(const u_char *, int, frame_data *, GtkTree *);
+void dissect_ah(const u_char *, int, frame_data *, GtkTree *);
 void dissect_arp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_bootp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_cdp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_data(const u_char *, int, frame_data *, GtkTree *);
 void dissect_ddp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_dns(const u_char *, int, frame_data *, GtkTree *);
+void dissect_esp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_giop(const u_char *, int, frame_data *, GtkTree *);
 void dissect_icmp(const u_char *, int, frame_data *, GtkTree *);
 void dissect_igmp(const u_char *, int, frame_data *, GtkTree *);