From: Denis Ovsienko
Date: Sat, 7 Oct 2017 17:41:42 +0000 (+0100)
Subject: WHOIS is a plain text protocol, why not decode it.
X-Git-Tag: tcpdump-4.99-bp~1810
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/185b7ce04b182d2d7e490f23a3f0c7b9ea5916e4

WHOIS is a plain text protocol, why not decode it.

With txtproto_print() this has become trivial. Add a test.
---
diff --git a/print-tcp.c b/print-tcp.c
index c9b50fee..35df59c3 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -687,6 +687,9 @@ tcp_print(netdissect_options *ndo,
 } else if (IS_SRC_OR_DST_PORT(SMTP_PORT)) {
 ND_PRINT((ndo, ": "));
 smtp_print(ndo, bp, length);
+ } else if (IS_SRC_OR_DST_PORT(WHOIS_PORT)) {
+ ND_PRINT((ndo, ": "));
+ txtproto_print(ndo, bp, length, "whois", NULL, 0); /* RFC 3912 */
 } else if (IS_SRC_OR_DST_PORT(BGP_PORT))
 bgp_print(ndo, bp, length);
 else if (IS_SRC_OR_DST_PORT(PPTP_PORT))
diff --git a/tcp.h b/tcp.h
index 912b5e82..d9ffd0df 100644
--- a/tcp.h
+++ b/tcp.h
@@ -104,6 +104,9 @@ struct tcphdr {
 #ifndef SMTP_PORT
 #define SMTP_PORT 25
 #endif
+#ifndef WHOIS_PORT
+#define WHOIS_PORT 43
+#endif
 #ifndef NAMESERVER_PORT
 #define NAMESERVER_PORT 53
 #endif
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 2268728f..6dfc0909 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -379,6 +379,10 @@ resp_1 resp_1_benchmark.pcap resp_1.out
 resp_2 resp_2_inline.pcap resp_2.out
 resp_3 resp_3_malicious.pcap resp_3.out
+# WHOIS tests
+whois whois.pcap whois.out
+whois-v whois.pcap whois-v.out -v
+
 # HNCP tests
 hncp hncp.pcap hncp.out -vvv
diff --git a/tests/whois-v.out b/tests/whois-v.out
new file mode 100644
index 00000000..757656da
--- /dev/null
+++ b/tests/whois-v.out
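Review bot: The new print-tcp.c branch passes `NULL, 0` to txtproto_print with nothing but `/* RFC 3912 */` to explain the choice, while the SMTP branch directly above goes through a dedicated smtp_print; a reader has to open util-print.c to learn why WHOIS needs no command table. I would put a comment on the line before the call: `/* WHOIS (RFC 3912) has no command vocabulary: the client sends one query line and the server answers with free-form text, so no command table is needed and every segment is printed as text. */`. Note also that classification is by port alone (IS_SRC_OR_DST_PORT), and if I read txtproto_print correctly a NULL command table makes it treat every payload on port 43 as printable request/response text; the added whois.pcap only exercises a clean IANA exchange, so a truncated or non-ASCII port-43 payload case (the neighbouring resp_3_malicious TESTLIST entry is the precedent) would pin the decoder's behaviour on hostile input. The enclosing tcp_print body starts and ends outside this hunk.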
@@ -0,0 +1,34 @@
+IP (tos 0x0, ttl 64, id 32393, offset 0, flags [DF], proto TCP (6), length 60)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [S], cksum 0xfb78 (incorrect -> 0xcc94), seq 2239453442, win 29200, options [mss 1460,sackOK,TS val 2943013729 ecr 0,nop,wscale 6], length 0
+IP (tos 0x0, ttl 64, id 18525, offset 0, flags [none], proto TCP (6), length 44)
+ 192.0.47.59.43 > 10.0.2.15.44188: Flags [S.], cksum 0xb2ed (correct), seq 9920001, ack 2239453443, win 65535, options [mss 1460], length 0
+IP (tos 0x0, ttl 64, id 32394, offset 0, flags [DF], proto TCP (6), length 40)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x589a), ack 1, win 29200, length 0
+IP (tos 0x0, ttl 64, id 32395, offset 0, flags [DF], proto TCP (6), length 53)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [P.], cksum 0xfb71 (incorrect -> 0xe187), seq 1:14, ack 1, win 29200, length 13: WHOIS, length: 13
+ example.com
+IP (tos 0x0, ttl 64, id 18526, offset 0, flags [none], proto TCP (6), length 40)
+ 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], cksum 0xca9d (correct), ack 14, win 65535, length 0
+IP (tos 0x0, ttl 64, id 18527, offset 0, flags [none], proto TCP (6), length 273)
+ 192.0.47.59.43 > 10.0.2.15.44188: Flags [P.], cksum 0x4a0c (correct), seq 1:234, ack 14, win 65535, length 233: WHOIS, length: 233
+ % IANA WHOIS server
+ % for more information on IANA, visit http://www.iana.org
+ % This query returned 1 object
+ 
+ domain: EXAMPLE.COM
+ 
+ organisation: Internet Assigned Numbers Authority
+ 
+ created: 1992-01-01
+ source: IANA
+ 
+IP (tos 0x0, ttl 64, id 32396, offset 0, flags [DF], proto TCP (6), length 40)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x5474), ack 234, win 30016, length 0
+IP (tos 0x0, ttl 64, id 18528, offset 0, flags [none], proto TCP (6), length 40)
+ 192.0.47.59.43 > 10.0.2.15.44188: Flags [F.], cksum 0xc9b3 (correct), seq 234, ack 14, win 65535, length 0
+IP (tos 0x0, ttl 64, id 32397, offset 0, flags [DF], proto TCP (6), length 40)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], cksum 0xfb64 (incorrect -> 0x5473), ack 235, win 30016, length 0
+IP (tos 0x0, ttl 64, id 32398, offset 0, flags [DF], proto TCP (6), length 40)
+ 10.0.2.15.44188 > 192.0.47.59.43: Flags [F.], cksum 0xfb64 (incorrect -> 0x5472), seq 14, ack 235, win 30016, length 0
+IP (tos 0x0, ttl 64, id 18529, offset 0, flags [none], proto TCP (6), length 40)
+ 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], cksum 0xc9b2 (correct), ack 15, win 65535, length 0
diff --git a/tests/whois.out b/tests/whois.out
new file mode 100644
index 00000000..d2e8acbb
--- /dev/null
+++ b/tests/whois.out
@@ -0,0 +1,11 @@
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [S], seq 2239453442, win 29200, options [mss 1460,sackOK,TS val 2943013729 ecr 0,nop,wscale 6], length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [S.], seq 9920001, ack 2239453443, win 65535, options [mss 1460], length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 1, win 29200, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [P.], seq 1:14, ack 1, win 29200, length 13: WHOIS: example.com
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], ack 14, win 65535, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [P.], seq 1:234, ack 14, win 65535, length 233: WHOIS: % IANA WHOIS server
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 234, win 30016, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [F.], seq 234, ack 14, win 65535, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [.], ack 235, win 30016, length 0
+IP 10.0.2.15.44188 > 192.0.47.59.43: Flags [F.], seq 14, ack 235, win 30016, length 0
+IP 192.0.47.59.43 > 10.0.2.15.44188: Flags [.], ack 15, win 65535, length 0
diff --git a/tests/whois.pcap b/tests/whois.pcap
new file mode 100644
index 00000000..76a003b3
Binary files /dev/null and b/tests/whois.pcap differ