Jason Masker:

- Add decoding of direction bit for version 2 (type III) erspan.

Me:
- Decode the original direction bit as unknown in case of version 2.
- The original unknown3 value seems to indicate whether the packet
  was too long to fit into a single mtu (trunkated).
- "Timestamp(s)" -> "Timestamp"



git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@34221 f5534014-38df-0310-8fa8-9805f1628bb7

1 files changed, 56 insertions, 17 deletions

diff --git a/epan/dissectors/packet-cisco-erspan.c b/epan/dissectors/packet-cisco-erspan.c
index 3871550ec0..177dd76a14 100644
--- a/epan/dissectors/packet-cisco-erspan.c
+++ b/epan/dissectors/packet-cisco-erspan.c
@@ -33,11 +33,14 @@
  *	No real specs exist. Some general description can be found at:
  *	http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069952a.html
  *
- *	Some information on ERSPAN type III (version 2) can be found at:
+ *	Some information on ERSPAN type III can be found at:
  *	http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/system_management/configuration/guide/n1000v_system_9span.html
  *
  *	For ERSPAN packets, the "protocol type" field value in the GRE header
- *	is 0x88BE or 0x22EB.
+ *	is 0x88BE (version 1) or 0x22EB (version 2).
+ *
+ *	ERSPAN type II is version 1
+ *	ERSPAN type III is version 2
  *
  * 0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000 <-- pcap header
  * 0000010: ffff 0000
@@ -72,12 +75,16 @@ static int hf_erspan_priority = -1;
 static int hf_erspan_unknown2 = -1;
 static int hf_erspan_direction = -1;
 static int hf_erspan_unknown3 = -1;
+static int hf_erspan_trunkated = -1;
 static int hf_erspan_spanid = -1;
 static int hf_erspan_timestamp = -1;
 static int hf_erspan_unknown4 = -1;
+static int hf_erspan_direction2 = -1;
+static int hf_erspan_unknown5 = -1;
+static int hf_erspan_unknown6 = -1;
 
 #define PROTO_SHORT_NAME "ERSPAN"
-#define PROTO_LONG_NAME "ER Switch Packet Analysis"
+#define PROTO_LONG_NAME "Encapsulated Remote Switch Packet ANalysis"
 
 #define ERSPAN_DIRECTION_INCOMING 0
 #define ERSPAN_DIRECTION_OUTGOING 1
@@ -87,6 +94,12 @@ static const value_string erspan_direction_vals[] = {
 	{0, NULL},
 };
 
+static const value_string erspan_trunkated_vals[] = {
+	{0, "Not trunkated"},
+	{1, "Trunkated"},
+	{0, NULL},
+};
+
 static dissector_handle_t ethnofcs_handle;
 
 static void
@@ -113,41 +126,51 @@ dissect_erspan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 		erspan_tree = proto_item_add_subtree(ti, ett_erspan);
 
 		version = tvb_get_ntohs(tvb, offset) >> 12;
+		/* FIXME: we only know how to handle versions 1 and 2. Check for this */
 		proto_tree_add_item(erspan_tree, hf_erspan_version, tvb, offset, 2,
 			FALSE);
-
 		proto_tree_add_item(erspan_tree, hf_erspan_vlan, tvb, offset, 2,
 			FALSE);
 		offset += 2;
 
 		proto_tree_add_item(erspan_tree, hf_erspan_priority, tvb, offset, 2,
 			FALSE);
-
 		proto_tree_add_item(erspan_tree, hf_erspan_unknown2, tvb, offset, 2,
 			FALSE);
-
-		proto_tree_add_item(erspan_tree, hf_erspan_direction, tvb, offset, 2,
-			FALSE);
-
-		proto_tree_add_item(erspan_tree, hf_erspan_unknown3, tvb, offset, 2,
+		if (version == 1)
+			proto_tree_add_item(erspan_tree, hf_erspan_direction, tvb,
+				offset, 2, FALSE);
+		else /* version = 2 */
+			proto_tree_add_item(erspan_tree, hf_erspan_unknown3, tvb,
+				offset, 2, FALSE);
+		proto_tree_add_item(erspan_tree, hf_erspan_trunkated, tvb, offset, 2,
 			FALSE);
-
 		proto_tree_add_item(erspan_tree, hf_erspan_spanid, tvb, offset, 2,
 			FALSE);
 		offset += 2;
 
-		if (version < 2) {
+		if (version == 1) {
 			proto_tree_add_item(erspan_tree, hf_erspan_unknown4, tvb,
 				offset, 4, FALSE);
 			offset += 4;
-		} else if (version == 2) {
+		} else { /* version = 2 */
 			proto_tree_add_item(erspan_tree, hf_erspan_timestamp, tvb,
 				offset, 4, FALSE);
 			offset += 4;
 
 			proto_tree_add_item(erspan_tree, hf_erspan_unknown4, tvb,
-				offset, 12, FALSE);
-			offset += 12;
+				offset, 2, FALSE);
+			offset += 2;
+
+			proto_tree_add_item(erspan_tree, hf_erspan_direction2, tvb,
+				offset, 2, FALSE);
+			proto_tree_add_item(erspan_tree, hf_erspan_unknown5, tvb,
+				offset, 2, FALSE);
+			offset += 2;
+
+			proto_tree_add_item(erspan_tree, hf_erspan_unknown6, tvb,
+				offset, 8, FALSE);
+			offset += 8;
 		}
 	}
 	else {
@@ -187,20 +210,36 @@ proto_register_erspan(void)
 
 		{ &hf_erspan_unknown3,
 		{ "Unknown3",	"erspan.unknown3", FT_UINT16, BASE_DEC, NULL,
-			0x0400, NULL, HFILL }},
+			0x0800, NULL, HFILL }},
+
+		{ &hf_erspan_trunkated,
+		{ "Trunkated",	"erspan.trunkated", FT_UINT16, BASE_DEC, VALS(erspan_trunkated_vals),
+			0x0400, "ERSPAN packet exceeded the MTU size", HFILL }},
 
 		{ &hf_erspan_spanid,
 		{ "SpanID",	"erspan.spanid", FT_UINT16, BASE_DEC, NULL,
 			0x03ff, NULL, HFILL }},
 
 		{ &hf_erspan_timestamp,
-		{ "Timestamp(s)",       "erspan.timestamp", FT_UINT32, BASE_CUSTOM, erspan_fmt_timestamp,
+		{ "Timestamp",	"erspan.timestamp", FT_UINT32, BASE_CUSTOM, erspan_fmt_timestamp,
 			0, NULL, HFILL }},
 
 		{ &hf_erspan_unknown4,
 		{ "Unknown4",	"erspan.unknown4", FT_BYTES, BASE_NONE, NULL,
 			0, NULL, HFILL }},
 
+		{ &hf_erspan_direction2,
+		{ "Direction2",	"erspan.direction2", FT_UINT16, BASE_DEC, VALS(erspan_direction_vals),
+			0x0008, NULL, HFILL }},
+
+		{ &hf_erspan_unknown5,
+		{ "Unknown5",	"erspan.unknown5", FT_UINT16, BASE_HEX, NULL,
+			0xfff7, NULL, HFILL }},
+
+		{ &hf_erspan_unknown6,
+		{ "Unknown6",	"erspan.unknown6", FT_BYTES, BASE_NONE, NULL,
+			0, NULL, HFILL }},
+
         };
 	static gint *ett[] = {
 		&ett_erspan,