author | Jeff Morriss <jeff.morriss@ulticom.com> | 2007-04-10 07:01:59 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss@ulticom.com> | 2007-04-10 07:01:59 +0000 |
commit | 38b1e3f2857531183e8b3cbcb4e2652070cde7ec (patch) | |
tree | a23692f3fbd5f827de472d0bf2a74f5da9c362f0 /epan/dissectors/packet-symantec.c | |
parent | c150904c6a4495b84b081b3521b194abdca5409b (diff) |
From David Kennedy via bug 1464:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1464
Support for Symantec SGS v3 files.
svn path=/trunk/; revision=21362
Diffstat (limited to 'epan/dissectors/packet-symantec.c')
-rw-r--r-- | epan/dissectors/packet-symantec.c | 88 |
1 files changed, 69 insertions, 19 deletions
diff --git a/epan/dissectors/packet-symantec.c b/epan/dissectors/packet-symantec.c
index 49206ae914..c2bf929d5a 100644
--- a/epan/dissectors/packet-symantec.c
+++ b/epan/dissectors/packet-symantec.c
@@ -1,6 +1,7 @@
 /* packet-symantec.c
 * Routines for dissection of packets from the Axent Raptor firewall/
- * Symantec Enterprise Firewall
+ * Symantec Enterprise Firewall/Symantec Gateway Security appliance
+ * v2/Symantec Gateway Security appliance v3.
 *
 * $Id$
 *
@@ -46,33 +47,82 @@ dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 {
 proto_item *ti;
 proto_tree *symantec_tree = NULL;
- guint16 etype;
+ guint16 etypev2, etypev3;
 tvbuff_t *next_tvb;
 
 /*
+ * Symantec records come in two variants:
+ *
+ * The older variant, dating from Axent days and continuing until
+ * the SGS v2.0.1 code level, is 44 bytes long.
 * The first 4 bytes are the IPv4 address of the interface that
 * captured the data, followed by 2 bytes of 0, then an Ethernet
 * type, followed by 36 bytes of 0.
+ *
+ * The newer variant, introduced either in SGS v3.0 or v3.0.1
+ * (possibly in concert with VLAN support), is 56 bytes long.
+ * The first 4 bytes are the IPv4 address of the interface that
+ * captured the data, followed by 6 bytes of 0, then an Ethernet
+ * type, followed by 44 bytes of 0.
+ *
+ * Unfortunately, there is no flag to distiguish between the two
+ * flavours. The only indication of which flavour you have is the
+ * offset of the ETHERTYPE field. Fortunately, Symantec didn't
+ * use ETHERTYPE_UNK as a valid value.
 */
+
+ etypev2 = tvb_get_ntohs(tvb, 6);
+ etypev3 = tvb_get_ntohs(tvb, 10);
+
+ /* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
+ if ((etypev2 == 0) == (etypev3 == 0))
+ return;
+
 if (check_col(pinfo->cinfo, COL_PROTOCOL))
 col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
- if (check_col(pinfo->cinfo, COL_INFO))
- col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
- if (tree) {
- ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
- 0, 44, "Symantec firewall");
- symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+
+ if (etypev3 == 0) { /* SEF and SGS v2 processing */
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_add_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+ 0, 44, "Symantec firewall");
+ symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+ }
+ if (tree) {
+ proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+ 0, 4, FALSE);
+ proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+ 6, 2, etypev2);
+ }
+ next_tvb = tvb_new_subset(tvb, 44, -1, -1);
+ dissector_try_port(ethertype_dissector_table, etypev2, next_tvb, pinfo,
+ tree);
 }
- etype = tvb_get_ntohs(tvb, 6);
- if (tree) {
- proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
- 0, 4, FALSE);
- proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
- 6, 2, etype);
+
+ if (etypev2 == 0) { /* SGS v3 processing */
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+ 0, 56, "Symantec SGSv3");
+ symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+ }
+ if (tree) {
+ proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+ 0, 4, FALSE);
+ proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+ 10, 2, etypev3);
+ }
+ /*
+ * Dissection of VLAN information will have to wait until
+ * availability of a capture file from an SGSv3 box using VLAN
+ * tagging.
+ */
+ next_tvb = tvb_new_subset(tvb, 56, -1, -1);
+ dissector_try_port(ethertype_dissector_table, etypev3, next_tvb, pinfo,
+ tree);
 }
- next_tvb = tvb_new_subset(tvb, 44, -1, -1);
- dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
- tree);
 }
 
 void
@@ -80,10 +130,10 @@ proto_register_symantec(void)
 {
 static hf_register_info hf[] = {
 { &hf_symantec_if,
- { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
+ { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
 "Interface", HFILL }},
 { &hf_symantec_etype,
- { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+ { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
 "", HFILL }},
 };
 static gint *ett[] = { |
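Review bot: The `if (etypev3 == 0)` and `if (etypev2 == 0)` blocks repeat the same COL_INFO, protocol-tree and ethertype hand-off code and differ only in the header length (44 vs 56), the ETHERTYPE offset (6 vs 10) and two labels, so the variant test should select those values once and a single body should use them; the two adjacent `if (tree)` blocks inside each branch can be merged at the same time. The early `return` sits before `col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec")`, so a record that matches neither layout (or both) leaves no trace in the packet list; setting the protocol column first and noting the unrecognised layout in COL_INFO keeps such anomalies visible to an analyst instead of dropping them silently. Once the item name is held in a variable, `proto_tree_add_protocol_format` must be given an explicit `"%s"` format rather than the name itself as the format string. The added comments have two typos: `distiguish` should be `distinguish`, and the trailing comma in `/* a valid packet can't be both v2 and v3 or neither v2 nor v3, */` should be a full stop. The function's signature line is visible only in the hunk header.
```c
	/* … unchanged: existing declarations and the variant-layout comment … */
	guint16 etype;
	guint hdr_len, etype_off;
	const char *info, *name;

	etypev2 = tvb_get_ntohs(tvb, 6);
	etypev3 = tvb_get_ntohs(tvb, 10);

	if (check_col(pinfo->cinfo, COL_PROTOCOL))
		col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");

	/* A valid record carries a non-zero ETHERTYPE at exactly one of the two offsets. */
	if ((etypev2 == 0) == (etypev3 == 0)) {
		if (check_col(pinfo->cinfo, COL_INFO))
			col_add_str(pinfo->cinfo, COL_INFO, "Symantec (unrecognised record layout)");
		return;
	}

	if (etypev3 == 0) {	/* SEF and SGS v2: 44-byte header, ETHERTYPE at offset 6 */
		hdr_len = 44; etype_off = 6; etype = etypev2;
		info = "Symantec Enterprise Firewall"; name = "Symantec firewall";
	} else {		/* SGS v3: 56-byte header, ETHERTYPE at offset 10 */
		hdr_len = 56; etype_off = 10; etype = etypev3;
		info = "Symantec SGS v3"; name = "Symantec SGSv3";
	}

	if (check_col(pinfo->cinfo, COL_INFO))
		col_add_str(pinfo->cinfo, COL_INFO, info);
	if (tree) {
		/* name is data, never the format string */
		ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
		    0, hdr_len, "%s", name);
		symantec_tree = proto_item_add_subtree(ti, ett_symantec);
		proto_tree_add_item(symantec_tree, hf_symantec_if, tvb, 0, 4, FALSE);
		proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
		    etype_off, 2, etype);
	}
	/* … unchanged: VLAN comment … */
	next_tvb = tvb_new_subset(tvb, hdr_len, -1, -1);
	dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo, tree);
```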