Fixed the ERSPAN Cisco marker packet dissector

author: Stéphane Lapie <stephane.lapie@darkbsd.org> 2021-11-29 05:25:42 +0000
committer: Wireshark GitLab Utility <6629907-ws-gitlab-utility@users.noreply.gitlab.com> 2021-11-29 05:25:42 +0000
commit: 2b1c34b24385b64857e9fa425d00042ab8a59e96 (patch)
tree: 87fa214c3c187a871abfab508c3ced380bca49d0 /epan/dissectors/packet-cisco-marker.c
parent: 890555b8bd7391b83f4cda3da06de405e630efb3 (diff)
1 files changed, 22 insertions, 9 deletions
diff --git a/epan/dissectors/packet-cisco-marker.c b/epan/dissectors/packet-cisco-marker.c
index 7ec4d2d178..38a59713b2 100644
--- a/epan/dissectors/packet-cisco-marker.c
+++ b/epan/dissectors/packet-cisco-marker.c
@@ -1,6 +1,7 @@
 /* packet-cisco-marker.c
  * Routines for CISCO's ERSPAN3 Marker Packet
  * See: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-733921.html#_Toc413144488
+ * See: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/system-management/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x_chapter_011110.html
  * Copyright 2015, Peter Membrey
  *
  * Wireshark - Network traffic analyzer
@@ -8,6 +9,8 @@
  * Copyright 1998 Gerald Combs
  *
  * Copied from packet-time.c
+ * Fixed with additional documentation from Cisco and real-life observations
+ * by Stéphane Lapie <stephane.lapie@darkbsd.org>
  *
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
@@ -64,11 +67,18 @@ static header_field_info cisco_erspan_utcoffset CISCO_ERSPAN_MARKER_HFI_INIT =
   FT_UINT16, BASE_DEC, NULL, 0x00ff,
   NULL, HFILL };
 
+/* Timestamp is actually a 48-bit value, packed across 2 32-bit integers
+ * Timestamp_hi : 0000 ffff (high 16-bits)
+ * Timestamp_lo : ffff ffff (low 32-bits) */
 static header_field_info cisco_erspan_timestamp CISCO_ERSPAN_MARKER_HFI_INIT =
-{ "Timestamp", "cisco_erspan_marker.timestamp",
-  FT_UINT32, BASE_DEC, NULL, 0xffffffff,
+{ "ASIC 48-bit Timestamp", "cisco_erspan_marker.timestamp",
+  FT_UINT48, BASE_DEC, NULL, 0xffffffffffff,
   NULL, HFILL };
 
+/* Comparison between the actual packet arrival time and this field
+ * indicated that the Ethernet packet's arrival time was behind
+ * the below field value by the value of the  UTC offset
+ * (37 seconds as of Nov 2021) */
 static header_field_info cisco_erspan_utc_sec CISCO_ERSPAN_MARKER_HFI_INIT =
 { "UTC Seconds", "cisco_erspan_marker.utc_sec",
   FT_UINT32, BASE_DEC, NULL, 0xffffffff,
@@ -85,13 +95,16 @@ static header_field_info cisco_erspan_sequence_number CISCO_ERSPAN_MARKER_HFI_IN
   NULL, HFILL };
 
 static header_field_info cisco_erspan_reserved CISCO_ERSPAN_MARKER_HFI_INIT =
-{ "Reserved", "cisco_erspan_marker.sequence_number",
+{ "Reserved", "cisco_erspan_marker.reserved",
   FT_UINT32, BASE_DEC, NULL, 0xffffffff,
   NULL, HFILL };
 
+/* The 32-bit signature is expected to be 0xA5A5A5A5,
+ * and while the Cisco documentation does not mention packing details,
+ * it does mention padding values to enforce alignment */
 static header_field_info cisco_erspan_tail CISCO_ERSPAN_MARKER_HFI_INIT =
 { "TAIL", "cisco_erspan_marker.tail",
-  FT_UINT32, BASE_DEC, NULL, 0xffffffff,
+  FT_UINT64, BASE_HEX, NULL, 0x00000000ffffffff,
   NULL, HFILL };
 
 
@@ -131,13 +144,13 @@ dissect_marker(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _
     proto_tree_add_item(marker_tree, &cisco_erspan_utcoffset, tvb, offset, 2, ENC_BIG_ENDIAN);
     offset+= 2;
 
-    proto_tree_add_item(marker_tree, &cisco_erspan_timestamp, tvb, offset, 4, ENC_BIG_ENDIAN);
-    offset+=4;
+    proto_tree_add_item(marker_tree, &cisco_erspan_timestamp, tvb, offset, 8, ENC_BIG_ENDIAN);
+    offset+=8;
 
-    proto_tree_add_item(marker_tree, &cisco_erspan_utc_sec, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    proto_tree_add_item(marker_tree, &cisco_erspan_utc_sec, tvb, offset, 4, ENC_BIG_ENDIAN);
     offset+=4;
 
-    proto_tree_add_item(marker_tree, &cisco_erspan_utc_usec, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    proto_tree_add_item(marker_tree, &cisco_erspan_utc_usec, tvb, offset, 4, ENC_BIG_ENDIAN);
     offset+=4;
 
     proto_tree_add_item(marker_tree, &cisco_erspan_sequence_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
@@ -146,7 +159,7 @@ dissect_marker(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _
     proto_tree_add_item(marker_tree, &cisco_erspan_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
     offset+=4;
 
-    proto_tree_add_item(marker_tree, &cisco_erspan_tail, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    proto_tree_add_item(marker_tree, &cisco_erspan_tail, tvb, offset, 8, ENC_BIG_ENDIAN);
   }
   return tvb_captured_length(tvb);
 }
author	Stéphane Lapie <stephane.lapie@darkbsd.org>	2021-11-29 05:25:42 +0000
committer	Wireshark GitLab Utility <6629907-ws-gitlab-utility@users.noreply.gitlab.com>	2021-11-29 05:25:42 +0000
commit	2b1c34b24385b64857e9fa425d00042ab8a59e96 (patch)
tree	87fa214c3c187a871abfab508c3ced380bca49d0 /epan/dissectors/packet-cisco-marker.c
parent	890555b8bd7391b83f4cda3da06de405e630efb3 (diff)