Ethereal-dev: Fwd: [Ethereal-dev]Add OICQ dissector :)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: DuBingyao <dubingyao@xxxxxxxxx>
Date: Fri, 30 Dec 2005 00:53:37 +0800
When I sent Email, I get a reply of Symantec. Wow...... As follow.
Why?
Symantec AVF detected that you sent a message with a prohibited attachment name (SYM:41607566581136366991)  

---------- Forwarded message ----------
From: DuBingyao <dubingyao@xxxxxxxxx>
Date: 2005-12-30 上午12:33
Subject: [Ethereal-dev]Add OICQ dissector :)
To: ethereal-dev@xxxxxxxxxxxx

 
Hi list,

I write a dessector for OICQ,which is a popular IM software in China with over 15 millions users.
I hope it will be added in the next version.

This patch is source file and diff.
 
Thanks.
 
 
Enjoy.

 
Du Bingyao
 

/* packet-oicq.c
 * Routines for OICQ - IM software,popular in China - packet dissection
 * (c) Copyright DuBingyao <dubingyao@xxxxxxxxx>
 *
 * $Id$
 *
 * OICQ is an IM software,which is popular in China. And,
 * OICQ has more than 10 millions users at present.
 * The Protocol showed in this file, is found by investigating OICQ's 
 * Packets  as a black box.
 *
 * The OICQ client software is always changing,and the protocol of 
 * communication is also.
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxx>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <stdio.h>

#include <string.h>
#include <time.h>
#include <math.h>
#include <glib.h>

#include <epan/packet.h>
#include <epan/addr_resolv.h>

/*
        Protocol Flag:     8bit unsigned
        Sender Flag:       16bit unsigned
        Command Number:    16bit unsigned
        Data:              Variable Length data
        
 *
 */

/* By default, but can be completely different */
#define UDP_PORT_OICQ	8000

static int proto_oicq = -1;

static int hf_oicq_flag = -1;
static int hf_oicq_sender = -1;
static int hf_oicq_command = -1;
static int hf_oicq_data = -1;


static gint ett_oicq = -1;

static const value_string oicq_flag_vals[] = {
	{ 0x02,	"Oicq packet" },
	{ 0,			NULL }
};
static const value_string oicq_sender_vals[] = {
	{ 0x0100,	"Sender is server" },
	{ 0x0e1b,	"Sender is client" },
	{ 0x0000,	"Initiazation message sent by server" },
	{ 0,			NULL }
};
static const value_string oicq_command_vals[] = {
	{ 0x0001,	"Log out" },
	{ 0x0002,	"Heart Message" },
	{ 0x0004,	"Update User information" },
	{ 0x0005,	"Search user" },
	{ 0x0006,	"Get User informationBroadcast" },
	{ 0x0009,	"Add friend no auth" },
	{ 0x000a,	"Delete user" },
	{ 0x000b,	"Add friend by auth" },
	{ 0x000d,	"Set status" },
	{ 0x0012,	"Confirmation of receiving message from server" },
	{ 0x0016,	"Send message" },
	{ 0x0017,	"Receive message" },
	{ 0x001a,	"Reserved " },
	{ 0x001c,	"Unkonwn command" },
	{ 0x0022,	"Log in" },
	{ 0x0026,	"Get friend list" },
	{ 0x0027,	"Get friend online" },
	{ 0x0030,	"Operation on group" },
	{ 0x0081,	"Get statur of friend" },
	{ 0,			NULL }
};
/* dissect_oicq - dissects oicq packet data
 * tvb - tvbuff for packet data (IN)
 * pinfo - packet info
 * proto_tree - resolved protocol tree
 */
static void
dissect_oicq(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
	proto_tree      *oicq_tree;
	proto_item	*ti;
	int offset = 0;
	int datalen = 0;
	nstime_t ts;
	
	if (check_col(pinfo->cinfo, COL_PROTOCOL))
		col_set_str(pinfo->cinfo, COL_PROTOCOL, "OICQ");

	if (check_col(pinfo->cinfo, COL_INFO))
	{
		col_clear(pinfo->cinfo, COL_INFO);
		col_set_str(pinfo->cinfo, COL_INFO, "OICQ Protocol ");
		
	}


	if (tree) {
		ti = proto_tree_add_item(tree, proto_oicq, tvb, 0, -1, FALSE);
		oicq_tree = proto_item_add_subtree(ti, ett_oicq);

		proto_tree_add_item(oicq_tree, hf_oicq_flag, tvb, offset, 1, FALSE);
		offset += 1;

		proto_tree_add_item(oicq_tree, hf_oicq_sender, tvb, offset, 2, FALSE);
		offset += 2;

		proto_tree_add_item(oicq_tree, hf_oicq_command, tvb, offset, 2, FALSE);
		offset += 2;

		proto_tree_add_item(oicq_tree, hf_oicq_data, tvb, offset, -1, FALSE);
		
		
	}
}

void
proto_register_oicq(void)
{
	static hf_register_info hf[] = {
		{ &hf_oicq_flag, {
			"Flag", "oicq.flag", FT_UINT8, BASE_HEX,
			VALS(oicq_flag_vals), 0, "Protocol Flag", HFILL }},
		{ &hf_oicq_sender, {
			"Sender", "oicq.sender", FT_UINT16, BASE_DEC,
			VALS(oicq_sender_vals), 0, "Sender", HFILL }},
		{ &hf_oicq_command, {
			"Command", "oicq.command", FT_UINT16, BASE_DEC,
			VALS(oicq_command_vals), 0, "Command", HFILL }},
		{ &hf_oicq_data, {
			"Data", "oicq.data", FT_STRING, 0,
			NULL, 0, "Data", HFILL }},
        };
	static gint *ett[] = {
		&ett_oicq,
	};

	proto_oicq = proto_register_protocol("OICQ - IM software, which is popular in China", "OICQ",
	    "oicq");
	proto_register_field_array(proto_oicq, hf, array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));
}

void
proto_reg_handoff_oicq(void)
{
	dissector_handle_t oicq_handle;

	oicq_handle = create_dissector_handle(dissect_oicq, proto_oicq);
	dissector_add("udp.port", UDP_PORT_OICQ, oicq_handle);
}


--- Makefile.common.old	2005-12-29 23:40:34.000000000 +0800
+++ Makefile.common	2005-12-29 23:25:09.000000000 +0800
@@ -466,6 +466,7 @@
 	packet-ntp.c	\
 	packet-null.c	\
 	packet-ocsp.c	\
+	packet-oicq.c	\
 	packet-olsr.c	\
 	packet-osi-options.c	\
 	packet-osi.c	\


--- AUTHORS.old	2005-12-29 23:32:34.000000000 +0800
+++ AUTHORS	2005-12-29 23:32:12.000000000 +0800
@@ -136,6 +136,10 @@
 	Pseudo-real-time capture
 }
 
+Du Bingyao              <dubingyao[AT]gmail.com>  {
+        OICQ
+}
+
 Jeff Jahr               <jjahr[AT]shastanets.com> {
 	PPP over Ethernet (PPPoe)
 }