Add Apache JServ 1.3 dissector, from Christopher K. St. John.

svn path=/trunk/; revision=5782

1 files changed, 887 insertions, 0 deletions

diff --git a/packet-ajp13.c b/packet-ajp13.c
new file mode 100644
index 0000000000..89af2c1620
--- /dev/null
+++ b/packet-ajp13.c
@@ -0,0 +1,887 @@
+/* packet-ajp13.c
+ * Routines for AJP13 dissection
+ * Copyright 2002, Christopher K. St. John <cks@distributopia.com>
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+# include <netinet/in.h>
+#endif
+
+#include <glib.h>
+
+#ifdef NEED_SNPRINTF_H
+# include "snprintf.h"
+#endif
+
+#include <epan/packet.h>
+#include "packet-ajp13.h"
+#include "plugins/plugin_api.h"
+
+
+
+/* IMPORTANT IMPLEMENTATION NOTES
+ *
+ * You need to be looking at: jk/doc/AJP13.html in the
+ * jakarta-tomcat-connectors repository.
+ *
+ * If you're an ethereal dissector guru, then you can skip the rest of
+ * this. I'm writing it all down because I've written 3 dissectors so
+ * far and every time I've forgotten it all and had to re-learn it
+ * from scratch. Not this time, damnit.
+ *
+ * Dissector routines get called in two phases:
+ *
+ * The first phase is an in-order traversal of every incoming
+ * frame. Since we know it's in-order, we can set up a "conversational
+ * state" that records context-sensitive stuff like "was there a
+ * content-length in the previous request". During this first pass
+ * through the data, the "tree" parameter might be null, or not. For
+ * the regular gui-based ethereal, it's null, which means we don't
+ * actually display the dissected data in the gui quite yet. For the
+ * text based interface, we might do the parsing and display both in
+ * this first pass.
+ *
+ * The second phase happens when the data is actually displayed. In
+ * this pase the "tree" param is non-null, so you've got a hook to
+ * hang the parsed-out display data on. Since there might be gigabytes
+ * worth of capture data, the display code only calls the dissector
+ * for the stuff the user actually clicks on. So you have to assume
+ * the dissector is getting called on random frames, you can't depend
+ * on ordering anymore.
+ *
+ * But some parts of the AJP13 capture stream are context sensitive.
+ * That's no big deal during the first in-order pass, but the second
+ * phase requires us to display any random frame correctly. So during
+ * the first in-order phase we create a per-frame user data structure
+ * and attach it to the frame using p_add_proto_data.
+ *
+ * Since AJP13 is a TCP/IP based protocol, writing a dissector for it
+ * requires addressing several other issues:
+ * 
+ * 1) TCP/IP segments can get retransmitted or be sent out of
+ * order. Users don't normally care, because the low-level kernel
+ * networking code takes care of reassembling them properly. But we're
+ * looking at raw network packets, aren't we? The stuff on the
+ * wire. Ethereal has been getting better and better at helping
+ * dissectors with this. I'm a little fuzzy on the details, but my
+ * uderstanding is that ethereal now contains a fairly substantial
+ * user-space TCP/IP stack so it can re-assemble the data. But I might
+ * be wrong. Since AJP13 is going to be used either on the loopback
+ * interface or on a LAN, it isn't likely to be a big issues anyway.
+ *
+ * 2) AJP13 packets (PDU's or protocol data unit's in
+ * networking-speak) don't necessarily line up with TCP segments. That
+ * is, one TCP segment can have more than one AJP13 PDU, or one AJP13
+ * PDU can stretch across multiple TCP segments. Assembling them is
+ * obviously possible, but a royal pain. During the "phase one"
+ * in-order pass you have to keep track of a bunch of offsets and
+ * store which PDU goes with which TCP segment. Luckly, recent
+ * (0.9.4+) versions of ethereal provide the "tcp_dissect_pdus()"
+ * function that takes care of much of the work. See the comments in
+ * packet-tcp.c, the example code in packet-dns.c, or check the
+ * ethereal-dev archives for details.
+ *
+ * 3) Ethereal isn't guaranteed to see all the data. I'm a little
+ * unclear on all the possible failure modes, but it comes down to: a)
+ * Not your fault: it's an imperfect world, we're eavesdroppers, and
+ * stuff happens. We might totally miss packets or get garbled
+ * data. Or b) Totally your fault: you turn on the capture during the
+ * middle of an AJP13 conversation and the capture starts out with
+ * half an AJP13 PDU. This code doesn't currently handle either case
+ * very well, but you can get arbitrarily clever. Like: put in tests
+ * to see if this packet has reasonable field values, and if it
+ * doesn't, walk the offset ahead until we see a matching magic number
+ * field, then re-test. But we don't do that now, and since we're
+ * using tcp_dissect_pdu's, I'm not sure how to do it.
+ *
+ */
+
+
+/*
+ * Request/response header codes. Common headers are stored as ints in
+ * an effort to improve performance. Why can't we just have one big
+ * list?
+ */
+
+static const value_string req_header_codes[] = {
+  { 0x01, "accept" },
+  { 0x02, "accept-charset" },
+  { 0x03, "accept-encoding" },
+  { 0x04, "accept-language" },
+  { 0x05, "authorization" },
+  { 0x06, "connection" },
+  { 0x07, "content-type" },
+  { 0x08, "content-length" },
+  { 0x09, "cookie" },
+  { 0x0A, "cookie2" },
+  { 0x0B, "host" },
+  { 0x0C, "pragma" },
+  { 0x0D, "referer" },
+  { 0x0E, "user-agent" },
+};
+
+
+static const value_string rsp_header_codes[] = {
+  { 0x01, "Content-Type" },
+  { 0x02, "Content-Language" },
+  { 0x03, "Content-Length" },
+  { 0x04, "Date" },
+  { 0x05, "Last-Modified" },
+  { 0x06, "Location" },
+  { 0x07, "Set-Cookie" },
+  { 0x08, "Set-Cookie2" },
+  { 0x09, "Servlet-Engine" },
+  { 0x0A, "Status" },
+  { 0x0B, "WWW-Authenticate" },
+};
+
+
+static const value_string mtype_codes[] = {
+  { 0, "BAD" },
+  { 1, "BAD" },
+  { 2, "FORWARD REQUEST" },
+  { 3, "SEND BODY CHUNK" },
+  { 4, "SEND HEADERS" },
+  { 5, "END RESPONSE" },
+  { 6, "GET BODY CHUNK" },
+  { 7, "SHUTDOWN" },
+};
+
+
+static const value_string http_method_codes[] = {
+  { 1, "OPTIONS" },
+  { 2, "GET" },
+  { 3, "HEAD" },
+  { 4, "POST" },
+  { 5, "PUT" },
+  { 6, "DELETE" },
+  { 7, "TRACE" },
+  { 8, "PROPFIND" },
+  { 9, "PROPPATCH" },
+  { 10, "MKCOL" },
+  { 11, "COPY" },
+  { 12, "MOVE" },
+  { 13, "LOCK" },
+  { 14, "UNLOCK" },
+  { 15, "ACL" },
+  { 16, "REPORT" },
+  { 17, "VERSION-CONTROL" },
+  { 18, "CHECKIN" },
+  { 19, "CHECKOUT" },
+  { 20, "UNCHECKOUT" },
+  { 21, "SEARCH" },
+};
+
+
+
+static int proto_ajp13     = -1;
+static int hf_ajp13_magic  = -1;
+static int hf_ajp13_len    = -1;
+static int hf_ajp13_code   = -1;
+static int hf_ajp13_method = -1;
+static int hf_ajp13_ver    = -1;
+static int hf_ajp13_uri    = -1;
+static int hf_ajp13_raddr  = -1;
+static int hf_ajp13_rhost  = -1;
+static int hf_ajp13_srv    = -1;
+static int hf_ajp13_port   = -1;
+static int hf_ajp13_sslp   = -1;
+static int hf_ajp13_nhdr   = -1;
+static int hf_ajp13_hname  = -1;
+static int hf_ajp13_hval   = -1;
+static int hf_ajp13_rlen   = -1;
+static int hf_ajp13_reusep = -1;
+static int hf_ajp13_rstatus= -1;
+static int hf_ajp13_rsmsg  = -1;
+static int hf_ajp13_data   = -1;
+static gint ett_ajp13 = -1;
+
+
+typedef struct ajp13_conv_data {
+  int content_length;
+  int was_get_body_chunk;
+} ajp13_conv_data;
+
+
+typedef struct ajp13_frame_data {
+  int is_request_body;
+} ajp13_frame_data;
+
+
+
+/* ajp13, in sort of a belt-and-suspenders move, encodes strings with
+ * both a leading length field, and a trailing null. Mostly, see
+ * AJPv13.html. The returned length _includes_ the trailing null, if
+ * there is one.
+ */
+static guint16 
+get_nstring(tvbuff_t *tvb, gint offset, guint8* cbuf)
+{
+  guint16 len;
+  guint8* ptr;
+  gint i;
+  /*printf("ajp13:get_nstring()\n");*/
+  len = tvb_get_ntohs(tvb, offset);
+  /*printf("ajp13:get_nstring():len=%d\n", len);*/
+  if (len == 0xffff) {
+    cbuf[0] = '\0';
+    len = 0;
+  } else {
+    ptr = tvb_get_ptr(tvb, offset+2, len);
+    for(i=0; i<len; i++) {
+      /*printf("%d:%c\n", i, ptr[i]);*/
+      cbuf[i] = ptr[i];
+    }
+    cbuf[i] = '\0';
+    len++;
+  }
+  return len;
+}
+
+
+
+/* dissect a response. more work to do here.
+ */
+static void
+display_rsp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ajp13_tree)
+{
+  gchar* msg_code = NULL;
+  int pos = 0;
+  guint8 mcode = 0;
+  char mcode_buf[1024];
+  int i;
+
+  /*printf("ajp13:dissect_ajp13():SC->WS\n");*/
+
+  /* MAGIC
+   */
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
+  pos+=2;
+
+  /* PDU LENGTH
+   */
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_len,   tvb, pos, 2, 0);
+  pos+=2;
+
+  /* MESSAGE TYPE CODE
+   */
+  mcode = tvb_get_guint8(tvb, pos);
+  msg_code = val_to_str(mcode, mtype_codes, "UNKNOWN");
+  sprintf(mcode_buf, "(%d) %s", mcode, msg_code);
+  if (ajp13_tree)
+    proto_tree_add_string(ajp13_tree, hf_ajp13_code, tvb, pos, 1, mcode_buf);
+  pos+=1;
+
+  if(check_col(pinfo->cinfo, COL_INFO))
+    col_append_str(pinfo->cinfo, COL_INFO, msg_code);
+
+  if (mcode == 5) {
+
+    guint8 len = tvb_get_guint8(tvb, pos);
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_reusep, tvb, pos, 1, 0);
+    pos+=1;
+
+  } else if (mcode == 4) {
+
+    guint8 rsmsg_bytes[8*1024]; /* DANGER WILL ROBINSON */
+    guint16 rsmsg_len;
+    guint16 nhdr;
+    guint16 rcode_num;
+
+    /* HTTP RESPONSE STATUS CODE
+     */
+    rcode_num = tvb_get_ntohs(tvb, pos);
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_rstatus, tvb, pos, 2, 0);
+    pos+=2;
+    if(check_col(pinfo->cinfo, COL_INFO))
+      col_append_fstr(pinfo->cinfo, COL_INFO, ":%d", rcode_num);
+
+    /* HTTP RESPONSE STATUS MESSAGE
+     */
+    rsmsg_len = get_nstring(tvb, pos, rsmsg_bytes);
+    pos+=2;
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_rsmsg, tvb, pos, rsmsg_len, 0);
+    pos+=rsmsg_len;
+    /* dangerous assumption that we can just %s out raw bytes */
+    if(check_col(pinfo->cinfo, COL_INFO))
+      col_append_fstr(pinfo->cinfo, COL_INFO, " %s", rsmsg_bytes);
+    
+    /* NUMBER OF HEADERS
+     */
+    nhdr = tvb_get_ntohs(tvb, pos);
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_nhdr, tvb, pos, 2, 0);
+    pos+=2;
+
+    /* HEADERS
+     */
+    for(i=0; i<nhdr; i++) {
+
+      guint8 hcd;
+      guint8 hid;
+      char hval[8192];
+      guint16 hval_len;
+      int orig_pos = pos;
+      gchar* hname = NULL;
+      int dp = 0;
+      int cl = 0;
+      guint8 hname_bytes[1024];
+      gchar hname_value[8*1024];
+
+      /* HEADER CODE/NAME
+       */
+      hcd = tvb_get_guint8(tvb, pos);
+      /*printf("ajp13:dissect_ajp13():%d:hcd=%d\n", i, hcd);*/
+      if (hcd == 0xA0) {
+        pos+=1;
+        hid = tvb_get_guint8(tvb, pos);
+        pos+=1;
+        /*printf("ajp13:dissect_ajp13():hid=%d\n", hid);*/
+        hname = val_to_str(hid, rsp_header_codes, "UNKNOWN");
+        /* Content-Length header (encoded by 0x08) is special */
+        if (hid == 0x08)
+          cl = 1;
+      } else {
+        int hname_len = get_nstring(tvb, pos, hname_bytes);
+        /*printf("ajp13:dissect_ajp13():hname_len=%d\n", hname_len);*/
+        pos+=hname_len+2;
+        hname = (gchar*)hname_bytes; /* VERY EVIL */
+      }
+
+      /*printf("ajp13:dissect_ajp13():hname=%s\n", hname);*/
+      dp = pos-orig_pos;
+      /*printf("ajp13:dissect_ajp13():name:dp=%d\n", dp);*/
+
+      /*if (ajp13_tree)
+       * proto_tree_add_string(ajp13_tree, hf_ajp13_hname, tvb, orig_pos, dp, hname);
+       */
+
+      /* HEADER VALUE
+       */
+      orig_pos = pos;
+      hval_len = get_nstring(tvb, pos, hval);
+      /*printf("ajp13:dissect_ajp13():hval_len=%d\n", hval_len);*/
+      pos+=hval_len+2;
+      dp = pos - orig_pos;
+      if (ajp13_tree) {
+        sprintf(hname_value, "%s : %s", hname, hval);
+        proto_tree_add_string(ajp13_tree, hf_ajp13_hval, tvb, orig_pos, dp, hname_value);
+      }
+    }
+
+  } else if (mcode == 6) {
+    guint16 len = tvb_get_ntohs(tvb, pos);
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_rlen, tvb, pos, 2, 0);
+    pos+=2;
+
+  } else {
+    /* MESSAGE DATA (COPOUT)
+     */
+    if (ajp13_tree)
+      proto_tree_add_item(ajp13_tree, hf_ajp13_data,  tvb, pos+2, -1, 0);
+  }
+}
+
+
+
+/* dissect a request body. see AJPv13.html, but the idea is that these
+ * packets, unlike all other packets, have no type field. you just
+ * sort of have to know that they're coming based on the previous
+ * packets.
+ */
+static void
+display_req_body(tvbuff_t *tvb, packet_info *pinfo,
+                 proto_tree *ajp13_tree)
+{
+  /*printf("ajp13:display_req_body()\n");*/
+
+  if (ajp13_tree) {
+
+    guint8 body_bytes[128*1024]; /* DANGER WILL ROBINSON */
+    int pos = 0;
+    guint16 body_len;
+
+    /* MAGIC
+     */
+    proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
+    pos+=2;
+
+    /* PACKET LENGTH
+     */
+    proto_tree_add_item(ajp13_tree, hf_ajp13_len, tvb, pos, 2, 0);
+    pos+=2;
+    
+    /* BODY (AS STRING)
+     */
+    body_len = get_nstring(tvb, pos, body_bytes);
+    proto_tree_add_item(ajp13_tree, hf_ajp13_data, tvb, pos+2, body_len-1, 0);
+  }
+}
+
+
+
+/* note that even if ajp13_tree is null on the first pass, we still
+ * need to dissect the packet in order to determine if there is a
+ * content-length, and thus if there is a subsequent automatic
+ * request-body transmitted in the next request packet. if there is a
+ * content-length, we record the fact in the conversation context.
+ * ref the top of this file for comments explaining the multi-pass
+ * thing.
+*/
+static void
+display_req_forward(tvbuff_t *tvb, packet_info *pinfo,
+                    proto_tree *ajp13_tree,
+                    ajp13_conv_data* cd)
+{
+  int pos = 0;
+  guint8 meth;
+  guint8 cod;
+  guint8 ver[1024];
+  guint16 ver_len;
+  guint8 uri[4096];
+  guint16 uri_len;
+  guint8 raddr[4096];
+  guint16 raddr_len;
+  guint8 rhost[4096];
+  guint16 rhost_len;
+  guint8 srv[4096];
+  guint16 srv_len;
+  guint nhdr;
+  int i;
+
+  /*printf("ajp13:display_req_forward()\n");*/
+
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_magic, tvb, pos, 2, 0);
+  pos+=2;
+
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_len, tvb, pos, 2, 0);
+  pos+=2;
+
+  /* PACKET CODE
+   */
+  cod = tvb_get_guint8(tvb, 4);
+  if (ajp13_tree) {
+    gchar* msg_code = NULL;
+    guint8 mcode = 0;
+    char mcode_buf[1024];
+    msg_code = val_to_str(cod, mtype_codes, "UNKNOWN");
+    sprintf(mcode_buf, "(%d) %s", cod, msg_code);
+    proto_tree_add_string(ajp13_tree, hf_ajp13_code, tvb, pos, 1, mcode_buf);
+  }
+  pos+=1;
+
+  /* HTTP METHOD (ENCODED AS INTEGER)
+   */
+  {
+    gchar* meth_code = NULL;
+    guint8 mcode = 0;
+    meth = tvb_get_guint8(tvb, pos);
+    meth_code = val_to_str(meth, http_method_codes, "UNKNOWN");
+    if (ajp13_tree) {
+      char mcode_buf[1024];
+      sprintf(mcode_buf, "(%d) %s", meth, meth_code);
+      proto_tree_add_string(ajp13_tree, hf_ajp13_method, tvb, pos, 1, mcode_buf);
+    }
+    if(check_col(pinfo->cinfo, COL_INFO))
+      col_append_str(pinfo->cinfo, COL_INFO, meth_code);
+    pos+=1;
+  }
+
+  /* HTTP VERSION STRING
+   */
+  ver_len = get_nstring(tvb, pos, ver);
+  pos+=2; // skip over size 
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_ver, tvb, pos, ver_len, 0);
+  pos=pos+ver_len;  /* skip over chars + trailing null */
+
+  /* URI
+   */
+  uri_len = get_nstring(tvb, pos, uri);
+  pos+=2; // skip over size
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_uri, tvb, pos, uri_len, 0);
+  pos=pos+uri_len;  /* skip over chars + trailing null */
+
+
+  if(check_col(pinfo->cinfo, COL_INFO))
+    col_append_fstr(pinfo->cinfo, COL_INFO, " %s %s", uri, ver);
+
+
+  /* REMOTE ADDRESS
+   */
+  raddr_len = get_nstring(tvb, pos, raddr);
+  pos+=2; // skip over size
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_raddr, tvb, pos, raddr_len, 0);
+  pos=pos+raddr_len;  // skip over chars + trailing null
+
+  /* REMOTE HOST
+   */
+  rhost_len = get_nstring(tvb, pos, rhost);
+  pos+=2; // skip over size
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_rhost, tvb, pos, rhost_len, 0);
+  pos=pos+rhost_len;  // skip over chars + trailing null
+
+  /* SERVER NAME
+   */
+  srv_len = get_nstring(tvb, pos, srv);
+  pos+=2; // skip over size
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_srv, tvb, pos, srv_len, 0);
+  pos=pos+srv_len;  // skip over chars + trailing null
+
+  /* SERVER PORT
+   */
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_port, tvb, pos, 2, 0);
+  pos+=2;
+
+  /* IS SSL?
+   */
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_sslp, tvb, pos, 1, 0);
+  pos+=1;
+
+  /* NUM HEADERS
+   */
+  nhdr = tvb_get_ntohs(tvb, pos);
+  /*printf("ajp13:dissect_ajp13():nhdr=%d\n", nhdr);*/
+  if (ajp13_tree)
+    proto_tree_add_item(ajp13_tree, hf_ajp13_nhdr, tvb, pos, 2, 0);
+  pos+=2;
+  cd->content_length = 0;
+      
+  /* HEADERS
+   */
+  for(i=0; i<nhdr; i++) {
+
+    guint8 hcd;
+    guint8 hid;
+    char hval[8192];
+    guint16 hval_len;
+    int orig_pos = pos;
+    gchar* hname = NULL;
+    int dp = 0;
+    int cl = 0;
+    guint8 hname_bytes[1024];
+    gchar hname_value[8*1024];
+
+    /* HEADER CODE/NAME
+     */
+    hcd = tvb_get_guint8(tvb, pos);
+    /*printf("ajp13:dissect_ajp13():%d:hcd=%d\n", i, hcd);*/
+    if (hcd == 0xA0) {
+      pos+=1;
+      hid = tvb_get_guint8(tvb, pos);
+      pos+=1;
+      /*printf("ajp13:dissect_ajp13():hid=%d\n", hid);*/
+      hname = val_to_str(hid, req_header_codes, "UNKNOWN");
+      if (hid == 0x08)
+        cl = 1;
+    } else {
+      int hname_len = get_nstring(tvb, pos, hname_bytes);
+      /*printf("ajp13:dissect_ajp13():hname_len=%d\n", hname_len);*/
+      pos+=hname_len+2;
+      hname = (gchar*)hname_bytes; /* VERY EVIL */
+    }
+    /*printf("ajp13:dissect_ajp13():hname=%s\n", hname);*/
+    dp = pos-orig_pos;
+    /*printf("ajp13:dissect_ajp13():name:dp=%d\n", dp);*/
+
+    /*if (ajp13_tree)
+     * proto_tree_add_string(ajp13_tree, hf_ajp13_hname, tvb, orig_pos,
+     * dp, hname);
+     */
+
+    /* HEADER VALUE
+     */
+    orig_pos = pos;
+    hval_len = get_nstring(tvb, pos, hval);
+    /*printf("ajp13:dissect_ajp13():hval_len=%d\n", hval_len);*/
+    pos+=hval_len+2;
+    dp = pos - orig_pos;
+    if (ajp13_tree) {
+      /*sprintf(hname_value, "%s : %s", hname, hval);*/
+      proto_tree_add_string_format(ajp13_tree, hf_ajp13_hval,
+                                   tvb, orig_pos, dp, hname,
+                                   "%s: %s", hname, hval);
+    }
+    if (cl) {
+      cl = atoi(hval);
+      /*printf("ajp13:dissect_ajp13():CONTENT_LENGTH=%d\n", cl);*/
+      cd->content_length = cl;
+    }
+  }
+}
+
+
+
+/* main dissector function. ethereal calls it for segments in both
+ * directions.
+ */
+static void
+dissect_ajp13_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+  guint16 mag;
+  guint16 len;
+  conversation_t *conv = NULL;
+  ajp13_conv_data *cd = NULL;
+  int i = 0;
+  proto_tree *ajp13_tree = NULL;
+  ajp13_frame_data* fd = NULL;
+
+  /*printf("ajp13:dissect_ajp13_common()\n");*/
+
+  /* conversational state really only does us good during the first
+   * in-order traversal
+   */
+  conv = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
+                           pinfo->srcport, pinfo->destport, 0);
+  if (!conv) {
+    /*printf("ajp13:dissect_ajp13():no conv\n");*/
+    conv = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
+                            pinfo->srcport, pinfo->destport, 0);
+    cd = (ajp13_conv_data*)malloc(sizeof(ajp13_conv_data));
+    cd->content_length = 0;
+    cd->was_get_body_chunk = 0;
+    conversation_add_proto_data(conv, proto_ajp13, cd);
+  } else {
+    /*printf("ajp13:dissect_ajp13():found conv\n");*/
+    cd = (ajp13_conv_data*)conversation_get_proto_data(conv, proto_ajp13);
+  }
+  /*printf("ajp13:dissect_ajp13():cd->content_length=%d\n", cd->content_length);*/
+
+
+  /* we use the per segment user data to record the conversational
+   * state for use later on when we're called out of order (see
+   * comments at top of this file)
+   */
+  fd = (ajp13_frame_data*)p_get_proto_data(pinfo->fd, proto_ajp13);
+  if (!fd) {
+    /*printf("ajp13:dissect_ajp13_common():no frame data, adding");*/
+    /* since there's no per-packet user data, this must be the first
+     * time we've see the packet, and it must be the first "in order"
+     * pass through the data.
+     */
+    fd = (ajp13_frame_data*)malloc(sizeof(ajp13_frame_data));
+    p_add_proto_data(pinfo->fd, proto_ajp13, fd);
+    fd->is_request_body = 0;
+    if (cd->content_length) {
+      /* this is screwy, see AJPv13.html. the idea is that if the
+       * request has a body (as determined by the content-length
+       * header), then there's always an immediate follow-up PDU with
+       * no GET_BODY_CHUNK from the container.
+       */
+      fd->is_request_body = 1;
+      /*printf("ajp13:dissect_ajp13_common():we are a request body");*/
+    }
+  }
+
+  if (check_col(pinfo->cinfo, COL_INFO))
+    col_clear(pinfo->cinfo, COL_INFO);
+  
+  mag = tvb_get_ntohs(tvb, 0);
+  len = tvb_get_ntohs(tvb, 2);
+
+  if (check_col(pinfo->cinfo, COL_PROTOCOL))
+    col_set_str(pinfo->cinfo, COL_PROTOCOL, "AJP13");
+  if (check_col(pinfo->cinfo, COL_INFO))
+    if (mag == 0x1234 && !fd->is_request_body)
+      col_append_fstr(pinfo->cinfo, COL_INFO, "%d:REQ:", conv->index);
+    else if (mag == 0x1234 && fd->is_request_body)
+      col_append_fstr(pinfo->cinfo, COL_INFO, "%d:REQ:Body", conv->index);
+    else if (mag == 0x4142)
+      col_append_fstr(pinfo->cinfo, COL_INFO, "%d:RSP:", conv->index);
+    else 
+      col_set_str(pinfo->cinfo, COL_INFO, "AJP13 Error?");
+
+  if (tree) {
+    proto_item *ti;
+    ti = proto_tree_add_item(tree, proto_ajp13, tvb, 0, tvb_length(tvb), FALSE);
+    ajp13_tree = proto_item_add_subtree(ti, ett_ajp13);
+  }
+
+  if (mag == 0x1234) {
+
+    if (fd->is_request_body)
+      display_req_body(tvb, pinfo, ajp13_tree);
+    else
+      display_req_forward(tvb, pinfo, ajp13_tree, cd);
+
+  } else if (mag == 0x4142) {
+
+    display_rsp(tvb, pinfo, ajp13_tree);
+
+  }
+}
+
+
+
+/* given the first chunk of the AJP13 pdu, extract out and return the
+ * packet length. see comments in packet-tcp.c:tcp_dissect_pdus().
+ */
+static guint
+get_ajp13_pdu_len(tvbuff_t *tvb, int offset)
+{
+  guint16 magic;
+  guint16 plen;
+  magic = tvb_get_ntohs(tvb, offset);
+  plen = tvb_get_ntohs(tvb, offset+2);
+  plen += 4;
+  /*printf("ajp13:get_ajp13_pdu_len():magic=%x\n", magic);*/
+  /*printf("ajp13:get_ajp13_pdu_len()=%d\n", plen);*/
+  return plen;
+}
+
+
+
+/* Code to actually dissect the packets. 
+ */
+static void
+dissect_ajp13(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+  /* Set up structures needed to add the protocol subtree and manage it
+   */
+  int offset = 0;
+  guint32 value = 666;
+  ajp13_conv_data *cd = (ajp13_conv_data*)0;
+
+  /*printf("ajp13:dissect_ajp13()\n");*/
+
+  tcp_dissect_pdus(tvb, pinfo, tree,
+                   TRUE,                   /* desegment or not   */
+                   4,                      /* magic + length */
+                   get_ajp13_pdu_len,      /* use first 4, calc data len */
+                   dissect_ajp13_tcp_pdu); /* the naive dissector */
+}
+
+
+
+void
+proto_register_ajp13(void)
+{                 
+  static hf_register_info hf[] = {
+    { &hf_ajp13_magic,
+      { "Magic",  "ajp13.magic", FT_BYTES, BASE_HEX, NULL, 0x0, "Magic Number" }
+    },
+    { &hf_ajp13_len,
+      { "Length",  "ajp13.len", FT_UINT16, BASE_DEC, NULL, 0x0, "Data Length" }
+    },
+    { &hf_ajp13_code,
+      { "Code",  "ajp13.code", FT_STRING, BASE_DEC, NULL, 0x0, "Type Code" }
+    },
+    { &hf_ajp13_method,
+      { "Method",  "ajp13.method", FT_STRING, BASE_DEC, NULL, 0x0, "HTTP Method" }
+    },
+    { &hf_ajp13_ver,
+      { "Version",  "ajp13.ver", FT_STRING, BASE_DEC, NULL, 0x0, "HTTP Version" }
+    },
+    { &hf_ajp13_uri,
+      { "URI",  "ajp13.uri", FT_STRING, BASE_DEC, NULL, 0x0, "HTTP URI" }
+    },
+    { &hf_ajp13_raddr,
+      { "RADDR",  "ajp13.raddr", FT_STRING, BASE_DEC, NULL, 0x0, "Remote Address" }
+    },
+    { &hf_ajp13_rhost,
+      { "RHOST",  "ajp13.rhost", FT_STRING, BASE_DEC, NULL, 0x0, "Remote Host" }
+    },
+    { &hf_ajp13_srv,
+      { "SRV",  "ajp13.srv", FT_STRING, BASE_DEC, NULL, 0x0, "Server" }
+    },
+    { &hf_ajp13_port,
+      { "PORT",  "ajp13.port", FT_UINT16, BASE_DEC, NULL, 0x0, "Port" }
+    },
+    { &hf_ajp13_sslp,
+      { "SSLP",  "ajp13.sslp", FT_UINT8, BASE_DEC, NULL, 0x0, "Is SSL?" }
+    },
+    { &hf_ajp13_nhdr,
+      { "NHDR",  "ajp13.nhdr", FT_UINT16, BASE_DEC, NULL, 0x0, "Num Headers" }
+    },
+    { &hf_ajp13_hname,
+      { "HNAME",  "ajp13.hname", FT_STRING, BASE_DEC, NULL, 0x0, "Header Name" }
+    },
+    { &hf_ajp13_hval,
+      { "HVAL",  "ajp13.hval", FT_STRING, BASE_DEC, NULL, 0x0, "Header Value" }
+    },
+    { &hf_ajp13_rlen,
+      { "RLEN",  "ajp13.rlen", FT_UINT16, BASE_DEC, NULL, 0x0, "Requested Length" }
+    },
+    { &hf_ajp13_reusep,
+      { "REUSEP",  "ajp13.reusep", FT_UINT8, BASE_DEC, NULL, 0x0, "Reuse Connection?" }
+    },
+    { &hf_ajp13_rstatus,
+      { "RSTATUS",  "ajp13.rstatus", FT_UINT16, BASE_DEC, NULL, 0x0, "HTTP Status Code" }
+    },
+    { &hf_ajp13_rsmsg,
+      { "RSMSG",  "ajp13.rmsg", FT_STRING, BASE_DEC, NULL, 0x0, "HTTP Status Message" }
+    },
+    { &hf_ajp13_data,
+      { "Data",  "ajp13.data", FT_STRING, BASE_DEC, NULL, 0x0, "Data" }
+    },
+  };
+
+  static gint *ett[] = {
+    &ett_ajp13,
+  };
+
+  /*printf("ajp13:proto_register_ajp13()\n");*/
+  /*fflush(stdout);*/
+
+  /* Register the protocol name and description
+   */
+  proto_ajp13 = proto_register_protocol("Apache JServ Protocol v1.3", "AJP13", "ajp13");
+
+  proto_register_field_array(proto_ajp13, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+}
+
+
+
+void
+proto_reg_handoff_ajp13(void)
+{
+  dissector_handle_t ajp13_handle;
+  /*printf("ajp13.proto_reg_handoff_ajp13()\n");*/
+  ajp13_handle = create_dissector_handle(dissect_ajp13, proto_ajp13);
+  dissector_add("tcp.port", 8009, ajp13_handle);
+}