WHOIS is a plain text protocol, why not decode it.

With txtproto_print() this has become trivial. Add a test.

diff --git a/print-tcp.c b/print-tcp.c
index c9b50feedb1570932c55003fec9052e340d660e3..35df59c3906cdcf6474aa45d8c0756a817ae8876 100644 (file)
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -687,6 +687,9 @@ tcp_print(netdissect_options *ndo,
         } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) {
                 ND_PRINT((ndo, ": "));
                 smtp_print(ndo, bp, length);
+        } else if (IS_SRC_OR_DST_PORT(WHOIS_PORT)) {
+                ND_PRINT((ndo, ": "));
+                txtproto_print(ndo, bp, length, "whois", NULL, 0); /* RFC 3912 */
         } else if (IS_SRC_OR_DST_PORT(BGP_PORT))
                 bgp_print(ndo, bp, length);
         else if (IS_SRC_OR_DST_PORT(PPTP_PORT))

diff --git a/tcp.h b/tcp.h
index 912b5e820ca6de542d51b4f5ba0f90086eb40188..d9ffd0df28581fa41bd9dd40ffc8bb2fc3fcd004 100644 (file)
--- a/tcp.h
+++ b/tcp.h
@@ -104,6 +104,9 @@ struct tcphdr {
 #ifndef SMTP_PORT
 #define SMTP_PORT              25
 #endif
+#ifndef WHOIS_PORT
+#define WHOIS_PORT             43
+#endif
 #ifndef NAMESERVER_PORT
 #define NAMESERVER_PORT                53
 #endif

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 2268728f623ba4be6f3134005725ec468ebea7c3..6dfc090963b3f7b5cc17afda7cf87cfafdbc9da2 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -379,6 +379,10 @@ resp_1 resp_1_benchmark.pcap resp_1.out
 resp_2 resp_2_inline.pcap    resp_2.out
 resp_3 resp_3_malicious.pcap resp_3.out
 
+# WHOIS tests
+whois                  whois.pcap              whois.out
+whois-v                whois.pcap              whois-v.out     -v
+
 # HNCP tests
 hncp hncp.pcap hncp.out -vvv
 

diff --git a/tests/whois-v.out b/tests/whois-v.out
new file mode 100644 (file)
index 0000000..757656d
--- /dev/null
+++ b/tests/whois-v.out
@@ -0,0 +1,34 @@
+IP (tos 0x0, ttl 64, id 32393, offset 0, flags [DF], proto TCP (6), length 60)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [S], cksum 0xfb78 (incorrect -> 0xcc94), seq 2239453442, win 29200, options [mss 1460,sackOK,TS val 2943013729 ecr 0,nop,wscale 6], length 0
+IP (tos 0x0, ttl 64, id 18525, offset 0, flags [none], proto TCP (6), length 44)
+    192.0.47.59.43 > 10.0.2.15.44188: Flags [S.], cksum 0xb2ed (correct), seq 9920001, ack 2239453443, win 65535, options [mss 1460], length 0
+IP (tos 0x0, ttl 64, id 32394, offset 0, flags [DF], proto TCP (6), length 40)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x589a), ack 1, win 29200, length 0
+IP (tos 0x0, ttl 64, id 32395, offset 0, flags [DF], proto TCP (6), length 53)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [P.], cksum 0xfb71 (incorrect -> 0xe187), seq 1:14, ack 1, win 29200, length 13: WHOIS, length: 13
+       example.com
+IP (tos 0x0, ttl 64, id 18526, offset 0, flags [none], proto TCP (6), length 40)
+    192.0.47.59.43 > 10.0.2.15.44188: Flags [.], cksum 0xca9d (correct), ack 14, win 65535, length 0
+IP (tos 0x0, ttl 64, id 18527, offset 0, flags [none], proto TCP (6), length 273)
+    192.0.47.59.43 > 10.0.2.15.44188: Flags [P.], cksum 0x4a0c (correct), seq 1:234, ack 14, win 65535, length 233: WHOIS, length: 233
+       % IANA WHOIS server
+       % for more information on IANA, visit http://www.iana.org
+       % This query returned 1 object
+       
+       domain:       EXAMPLE.COM
+       
+       organisation: Internet Assigned Numbers Authority
+       
+       created:      1992-01-01
+       source:       IANA
+       
+IP (tos 0x0, ttl 64, id 32396, offset 0, flags [DF], proto TCP (6), length 40)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x5474), ack 234, win 30016, length 0
+IP (tos 0x0, ttl 64, id 18528, offset 0, flags [none], proto TCP (6), length 40)
+    192.0.47.59.43 > 10.0.2.15.44188: Flags [F.], cksum 0xc9b3 (correct), seq 234, ack 14, win 65535, length 0
+IP (tos 0x0, ttl 64, id 32397, offset 0, flags [DF], proto TCP (6), length 40)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x5473), ack 235, win 30016, length 0
+IP (tos 0x0, ttl 64, id 32398, offset 0, flags [DF], proto TCP (6), length 40)
+    10.0.2.15.44188 > 192.0.47.59.43: Flags [F.], cksum 0xfb64 (incorrect -> 0x5472), seq 14, ack 235, win 30016, length 0
+IP (tos 0x0, ttl 64, id 18529, offset 0, flags [none], proto TCP (6), length 40)
+    192.0.47.59.43 > 10.0.2.15.44188: Flags [.], cksum 0xc9b2 (correct), ack 15, win 65535, length 0

diff --git a/tests/whois.out b/tests/whois.out
new file mode 100644 (file)
index 0000000..d2e8acb
--- /dev/null
+++ b/tests/whois.out
@@ -0,0 +1,11 @@
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [S], seq 2239453442, win 29200, options [mss 1460,sackOK,TS val 2943013729 ecr 0,nop,wscale 6], length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [S.], seq 9920001, ack 2239453443, win 65535, options [mss 1460], length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 1, win 29200, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [P.], seq 1:14, ack 1, win 29200, length 13: WHOIS: example.com
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], ack 14, win 65535, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [P.], seq 1:234, ack 14, win 65535, length 233: WHOIS: % IANA WHOIS server
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 234, win 30016, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [F.], seq 234, ack 14, win 65535, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 235, win 30016, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [F.], seq 14, ack 235, win 30016, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], ack 15, win 65535, length 0

diff --git a/tests/whois.pcap b/tests/whois.pcap
new file mode 100644 (file)
index 0000000..76a003b
Binary files /dev/null and b/tests/whois.pcap differ