authorJeff Morriss <jeff.morriss@ulticom.com>2007-04-10 07:01:59 +0000
committerJeff Morriss <jeff.morriss@ulticom.com>2007-04-10 07:01:59 +0000
commit38b1e3f2857531183e8b3cbcb4e2652070cde7ec (patch)
treea23692f3fbd5f827de472d0bf2a74f5da9c362f0 /epan/dissectors/packet-symantec.c
parentc150904c6a4495b84b081b3521b194abdca5409b (diff)
From David Kennedy via bug 1464:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1464 Support for Symantec SGS v3 files. svn path=/trunk/; revision=21362
Diffstat (limited to 'epan/dissectors/packet-symantec.c')
-rw-r--r--epan/dissectors/packet-symantec.c88
1 files changed, 69 insertions, 19 deletions
diff --git a/epan/dissectors/packet-symantec.c b/epan/dissectors/packet-symantec.c
index 49206ae914..c2bf929d5a 100644
--- a/epan/dissectors/packet-symantec.c
+++ b/epan/dissectors/packet-symantec.c
@@ -1,6 +1,7 @@
/* packet-symantec.c
* Routines for dissection of packets from the Axent Raptor firewall/
- * Symantec Enterprise Firewall
+ * Symantec Enterprise Firewall/Symantec Gateway Security appliance
+ * v2/Symantec Gateway Security appliance v3.
*
* $Id$
*
@@ -46,33 +47,82 @@ dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_item *ti;
proto_tree *symantec_tree = NULL;
- guint16 etype;
+ guint16 etypev2, etypev3;
tvbuff_t *next_tvb;
/*
+ * Symantec records come in two variants:
+ *
+ * The older variant, dating from Axent days and continuing until
+ * the SGS v2.0.1 code level, is 44 bytes long.
* The first 4 bytes are the IPv4 address of the interface that
* captured the data, followed by 2 bytes of 0, then an Ethernet
* type, followed by 36 bytes of 0.
+ *
+ * The newer variant, introduced either in SGS v3.0 or v3.0.1
+ * (possibly in concert with VLAN support), is 56 bytes long.
+ * The first 4 bytes are the IPv4 address of the interface that
+ * captured the data, followed by 6 bytes of 0, then an Ethernet
+ * type, followed by 44 bytes of 0.
+ *
+ * Unfortunately, there is no flag to distiguish between the two
+ * flavours. The only indication of which flavour you have is the
+ * offset of the ETHERTYPE field. Fortunately, Symantec didn't
+ * use ETHERTYPE_UNK as a valid value.
*/
+
+ etypev2 = tvb_get_ntohs(tvb, 6);
+ etypev3 = tvb_get_ntohs(tvb, 10);
+
+ /* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
+ if ((etypev2 == 0) == (etypev3 == 0))
+ return;
+
if (check_col(pinfo->cinfo, COL_PROTOCOL))
col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
- if (check_col(pinfo->cinfo, COL_INFO))
- col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
- if (tree) {
- ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
- 0, 44, "Symantec firewall");
- symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+
+ if (etypev3 == 0) { /* SEF and SGS v2 processing */
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_add_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+ 0, 44, "Symantec firewall");
+ symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+ }
+ if (tree) {
+ proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+ 0, 4, FALSE);
+ proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+ 6, 2, etypev2);
+ }
+ next_tvb = tvb_new_subset(tvb, 44, -1, -1);
+ dissector_try_port(ethertype_dissector_table, etypev2, next_tvb, pinfo,
+ tree);
}
- etype = tvb_get_ntohs(tvb, 6);
- if (tree) {
- proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
- 0, 4, FALSE);
- proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
- 6, 2, etype);
+
+ if (etypev2 == 0) { /* SGS v3 processing */
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+ 0, 56, "Symantec SGSv3");
+ symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+ }
+ if (tree) {
+ proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+ 0, 4, FALSE);
+ proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+ 10, 2, etypev3);
+ }
+ /*
+ * Dissection of VLAN information will have to wait until
+ * availability of a capture file from an SGSv3 box using VLAN
+ * tagging.
+ */
+ next_tvb = tvb_new_subset(tvb, 56, -1, -1);
+ dissector_try_port(ethertype_dissector_table, etypev3, next_tvb, pinfo,
+ tree);
}
- next_tvb = tvb_new_subset(tvb, 44, -1, -1);
- dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
- tree);
}
void
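Review bot: The early `return` on the layout check (`if ((etypev2 == 0) == (etypev3 == 0)) return;`) drops the frame silently — no protocol column, no tree item, no malformed marker — so a record that matches neither layout, or a header corrupted in the zero-fill region, simply vanishes from the analyst's view, which is the wrong failure mode for a tool whose job is to show what is on the wire. Before returning, label the frame so the mismatch is visible (rewritten lines below), or hand the bytes to a data dissector if this file registers a handle for one (none is visible in the hunk). The two `tvb_get_ntohs` reads at offsets 6 and 10 run before any length check, so a record shorter than 12 bytes surfaces as a bounds exception rather than through this path — acceptable, but worth a one-line comment on the reads. Separately, the constant strings passed to `col_add_str` in the new v2 and v3 branches would conventionally go through `col_set_str`, which avoids the copy; and the comment above the check ends in a stray comma.
```c
	/* a valid packet can't be both v2 and v3 or neither v2 nor v3 */
	if ((etypev2 == 0) == (etypev3 == 0)) {
		/* Label the frame rather than dropping it silently. */
		if (check_col(pinfo->cinfo, COL_PROTOCOL))
			col_set_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
		if (check_col(pinfo->cinfo, COL_INFO))
			col_set_str(pinfo->cinfo, COL_INFO, "Unrecognized Symantec record layout");
		return;
	}
	/* … unchanged: v2 and v3 branches … */
```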
@@ -80,10 +130,10 @@ proto_register_symantec(void)
{
static hf_register_info hf[] = {
{ &hf_symantec_if,
- { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
+ { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
"Interface", HFILL }},
{ &hf_symantec_etype,
- { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+ { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
"", HFILL }},
};
static gint *ett[] = {