diff options
author | Guy Harris <guy@alum.mit.edu> | 2002-05-24 03:03:49 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2002-05-24 03:03:49 +0000 |
commit | a8ef1340a54152ead11765c0101d2c706bfad8e5 (patch) | |
tree | a98100dcae8921ae252e1029bc6796f6b85e89d8 /packet-ncp.c | |
parent | 9f6d18d4ec0f9d657765dc827e82ae53a7208396 (diff) |
The 0x80000000 bit in the NCP-over-TCP length field, in requests,
appears to be a flag indicating that there's an 8-byte signature after
the NCP-over-IP header but before the NCP packet.
svn path=/trunk/; revision=5538
Diffstat (limited to 'packet-ncp.c')
-rw-r--r-- | packet-ncp.c | 36 |
1 files changed, 31 insertions, 5 deletions
diff --git a/packet-ncp.c b/packet-ncp.c index d451d4502a..340079f712 100644 --- a/packet-ncp.c +++ b/packet-ncp.c @@ -3,7 +3,7 @@ * Gilbert Ramirez <gram@alumni.rice.edu> * Modified to allow NCP over TCP/IP decodes by James Coe <jammer@cin.net> * - * $Id: packet-ncp.c,v 1.61 2002/05/16 09:59:52 guy Exp $ + * $Id: packet-ncp.c,v 1.62 2002/05/24 03:03:49 guy Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@ethereal.com> @@ -49,6 +49,7 @@ static int hf_ncp_ip_ver = -1; static int hf_ncp_ip_length = -1; static int hf_ncp_ip_rplybufsize = -1; static int hf_ncp_ip_sig = -1; +static int hf_ncp_ip_packetsig = -1; static int hf_ncp_type = -1; static int hf_ncp_seq = -1; static int hf_ncp_connection = -1; @@ -167,6 +168,7 @@ dissect_ncp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) proto_item *ti; struct ncp_ip_header ncpiph; struct ncp_ip_rqhdr ncpiphrq; + gboolean is_signed = FALSE; struct ncp_common_header header; guint16 nw_connection; guint16 flags = 0; @@ -195,8 +197,26 @@ dissect_ncp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) hdr_offset += 4; ncpiphrq.rplybufsize = tvb_get_ntohl(tvb, hdr_offset); hdr_offset += 4; - }; - }; + } + if (ncpiph.length & 0x80000000) { + /* + * This appears to indicate that this packet + * is signed; the signature is 8 bytes long. + * + * XXX - that bit does *not* appear to be set + * in signed replies, and we can't dissect the + * reply enough to find the matching request + * without knowing whether the reply is + * signed. + * + * XXX - what about NCP-over-IPX signed + * messages? + */ + is_signed = TRUE; + hdr_offset += 8; + ncpiph.length &= 0x7fffffff; + } + } /* Record the offset where the NCP common header starts */ commhdr = hdr_offset; @@ -225,6 +245,8 @@ dissect_ncp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) proto_tree_add_uint(ncp_tree, hf_ncp_ip_ver, tvb, 8, 4, ncpiphrq.version); proto_tree_add_uint(ncp_tree, hf_ncp_ip_rplybufsize, tvb, 12, 4, ncpiphrq.rplybufsize); } + if (is_signed) + proto_tree_add_item(ncp_tree, hf_ncp_ip_packetsig, tvb, 16, 8, FALSE); } proto_tree_add_uint(ncp_tree, hf_ncp_type, tvb, commhdr + 0, 2, header.type); } @@ -441,12 +463,12 @@ proto_register_ncp(void) static hf_register_info hf[] = { { &hf_ncp_ip_sig, - { "NCP over IP signature", "ncp.ip.signature", + { "NCP over IP signature", "ncp.ip.signature", FT_UINT32, BASE_HEX, VALS(ncp_ip_signature), 0x0, "", HFILL }}, { &hf_ncp_ip_length, { "NCP over IP length", "ncp.ip.length", - FT_UINT32, BASE_HEX, NULL, 0x0, + FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_ncp_ip_ver, { "NCP over IP Version", "ncp.ip.version", @@ -456,6 +478,10 @@ proto_register_ncp(void) { "NCP over IP Reply Buffer Size", "ncp.ip.replybufsize", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ncp_ip_packetsig, + { "NCP over IP Packet Signature", "ncp.ip.packetsig", + FT_BYTES, BASE_NONE, NULL, 0x0, + "", HFILL }}, { &hf_ncp_type, { "Type", "ncp.type", FT_UINT16, BASE_HEX, VALS(ncp_type_vals), 0x0, |