Move dissectors to epan/dissectors directory.

Also move ncp222.py, x11-fields, process-x11-fields.pl,
make-reg-dotc, and make-reg-dotc.py.

Adjust #include lines in files that include packet-*.h
files.

svn path=/trunk/; revision=11410

1 files changed, 471 insertions, 0 deletions

diff --git a/epan/dissectors/packet-eth.c b/epan/dissectors/packet-eth.c
new file mode 100644
index 0000000000..89b49b6d30
--- /dev/null
+++ b/epan/dissectors/packet-eth.c
@@ -0,0 +1,471 @@
+/* packet-eth.c
+ * Routines for ethernet packet disassembly
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+#include "prefs.h"
+#include "etypes.h"
+#include <epan/resolv.h>
+#include "packet-eth.h"
+#include "packet-ieee8023.h"
+#include "packet-ipx.h"
+#include "packet-isl.h"
+#include "packet-llc.h"
+#include "crc32.h"
+#include "tap.h"
+
+/* Interpret capture file as FW1 monitor file */
+static gboolean eth_interpret_as_fw1_monitor = FALSE;
+
+/* protocols and header fields */
+static int proto_eth = -1;
+static int hf_eth_dst = -1;
+static int hf_eth_src = -1;
+static int hf_eth_len = -1;
+static int hf_eth_type = -1;
+static int hf_eth_addr = -1;
+static int hf_eth_trailer = -1;
+
+static gint ett_ieee8023 = -1;
+static gint ett_ether2 = -1;
+
+static dissector_handle_t isl_handle;
+static dissector_handle_t fw1_handle;
+static heur_dissector_list_t heur_subdissector_list;
+
+static int eth_tap = -1;
+
+#define ETH_HEADER_SIZE	14
+
+/* These are the Netware-ish names for the different Ethernet frame types.
+	EthernetII: The ethernet with a Type field instead of a length field
+	Ethernet802.2: An 802.3 header followed by an 802.2 header
+	Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
+			There's no 802.2 hdr in this.
+	EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
+		there's no difference between 802.2 and 802.2SNAP, since we just
+		pass it down to the LLC dissector. -- Gilbert
+*/
+#define ETHERNET_II 	0
+#define ETHERNET_802_2	1
+#define ETHERNET_802_3	2
+#define ETHERNET_SNAP	3
+
+void
+capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
+{
+  guint16    etype, length;
+  int     ethhdr_type;	/* the type of ethernet frame */
+
+  if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
+    ld->other++;
+    return;
+  }
+
+  etype = pntohs(&pd[offset+12]);
+
+  /*
+   * If the type/length field is <= the maximum 802.3 length,
+   * and is not zero, this is an 802.3 frame, and it's a length
+   * field; it might be an Novell "raw 802.3" frame, with no
+   * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+   * header.
+   *
+   * If the type/length field is > the maximum 802.3 length,
+   * this is an Ethernet II frame, and it's a type field.
+   *
+   * If the type/length field is zero (ETHERTYPE_UNK), this is
+   * a frame used internally by the Cisco MDS switch to contain
+   * Fibre Channel ("Vegas").  We treat that as an Ethernet II
+   * frame; the dissector for those frames registers itself with
+   * an ethernet type of ETHERTYPE_UNK.
+   */
+  if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
+    length = etype;
+
+    /* Is there an 802.2 layer? I can tell by looking at the first 2
+       bytes after the 802.3 header. If they are 0xffff, then what
+       follows the 802.3 header is an IPX payload, meaning no 802.2.
+       (IPX/SPX is they only thing that can be contained inside a
+       straight 802.3 packet). A non-0xffff value means that there's an
+       802.2 layer inside the 802.3 layer */
+    if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
+      ethhdr_type = ETHERNET_802_3;
+    }
+    else {
+      ethhdr_type = ETHERNET_802_2;
+    }
+
+    /* Oh, yuck.  Cisco ISL frames require special interpretation of the
+       destination address field; fortunately, they can be recognized by
+       checking the first 5 octets of the destination address, which are
+       01-00-0C-00-00 for ISL frames. */
+    if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
+	&& pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
+      capture_isl(pd, offset, len, ld);
+      return;
+    }
+
+    /* Convert the LLC length from the 802.3 header to a total
+       frame length, by adding in the size of any data that preceded
+       the Ethernet header, and adding in the Ethernet header size,
+       and set the payload and captured-payload lengths to the minima
+       of the total length and the frame lengths. */
+    length += offset + ETH_HEADER_SIZE;
+    if (len > length)
+      len = length;
+  } else {
+    ethhdr_type = ETHERNET_II;
+  }
+  offset += ETH_HEADER_SIZE;
+
+  switch (ethhdr_type) {
+    case ETHERNET_802_3:
+      capture_ipx(ld);
+      break;
+    case ETHERNET_802_2:
+      capture_llc(pd, offset, len, ld);
+      break;
+    case ETHERNET_II:
+      capture_ethertype(etype, pd, offset, len, ld);
+      break;
+  }
+}
+
+static void
+dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+	int fcs_len)
+{
+  proto_item		*ti;
+  eth_hdr 		*ehdr;
+  volatile gboolean	is_802_2;
+  proto_tree		*volatile fh_tree = NULL;
+  const char		*src_addr, *dst_addr;
+  static eth_hdr 	ehdrs[4];
+  static int		ehdr_num=0;
+
+  ehdr_num++;
+  if(ehdr_num>=4){
+     ehdr_num=0;
+  }
+  ehdr=&ehdrs[ehdr_num];
+
+
+  if (check_col(pinfo->cinfo, COL_PROTOCOL))
+    col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
+
+  src_addr=tvb_get_ptr(tvb, 6, 6);
+  SET_ADDRESS(&pinfo->dl_src,	AT_ETHER, 6, src_addr);
+  SET_ADDRESS(&pinfo->src,	AT_ETHER, 6, src_addr);
+  SET_ADDRESS(&ehdr->src, 	AT_ETHER, 6, src_addr);
+  dst_addr=tvb_get_ptr(tvb, 0, 6);
+  SET_ADDRESS(&pinfo->dl_dst,	AT_ETHER, 6, dst_addr);
+  SET_ADDRESS(&pinfo->dst,	AT_ETHER, 6, dst_addr);
+  SET_ADDRESS(&ehdr->dst, 	AT_ETHER, 6, dst_addr);
+
+  ehdr->type = tvb_get_ntohs(tvb, 12);
+
+  /*
+   * In case the packet is a non-Ethernet packet inside
+   * Ethernet framing, allow heuristic dissectors to take
+   * a first look before we assume that it's actually an
+   * Ethernet packet.
+   */
+  if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, tree))
+    goto end_of_eth;
+
+  /*
+   * If the type/length field is <= the maximum 802.3 length,
+   * and is not zero, this is an 802.3 frame, and it's a length
+   * field; it might be an Novell "raw 802.3" frame, with no
+   * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+   * header.
+   *
+   * If the type/length field is > the maximum 802.3 length,
+   * this is an Ethernet II frame, and it's a type field.
+   *
+   * If the type/length field is zero (ETHERTYPE_UNK), this is
+   * a frame used internally by the Cisco MDS switch to contain
+   * Fibre Channel ("Vegas").  We treat that as an Ethernet II
+   * frame; the dissector for those frames registers itself with
+   * an ethernet type of ETHERTYPE_UNK.
+   */
+  if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
+    /* Oh, yuck.  Cisco ISL frames require special interpretation of the
+       destination address field; fortunately, they can be recognized by
+       checking the first 5 octets of the destination address, which are
+       01-00-0C-00-00 for ISL frames. */
+    if (	tvb_get_guint8(tvb, 0) == 0x01 &&
+		tvb_get_guint8(tvb, 1) == 0x00 &&
+		tvb_get_guint8(tvb, 2) == 0x0C &&
+		tvb_get_guint8(tvb, 3) == 0x00 &&
+		tvb_get_guint8(tvb, 4) == 0x00 ) {
+      call_dissector(isl_handle, tvb, pinfo, tree);
+      goto end_of_eth;
+    }
+
+    /* Is there an 802.2 layer? I can tell by looking at the first 2
+       bytes after the 802.3 header. If they are 0xffff, then what
+       follows the 802.3 header is an IPX payload, meaning no 802.2.
+       (IPX/SPX is they only thing that can be contained inside a
+       straight 802.3 packet). A non-0xffff value means that there's an
+       802.2 layer inside the 802.3 layer */
+    is_802_2 = TRUE;
+    TRY {
+	    if (tvb_get_ntohs(tvb, 14) == 0xffff) {
+	      is_802_2 = FALSE;
+	    }
+    }
+    CATCH2(BoundsError, ReportedBoundsError) {
+	    ; /* do nothing */
+
+    }
+    ENDTRY;
+
+    if (check_col(pinfo->cinfo, COL_INFO)) {
+      col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
+		(is_802_2 ? "" : "Raw "));
+    }
+    if (tree) {
+      ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+		"IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
+
+      fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
+    }
+
+    proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+    proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+
+/* add items for eth.addr filter */
+    proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+    proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+    dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
+		  hf_eth_len, hf_eth_trailer, fcs_len);
+  } else {
+    if (eth_interpret_as_fw1_monitor) {
+      call_dissector(fw1_handle, tvb, pinfo, tree);
+      goto end_of_eth;
+    }
+
+    if (check_col(pinfo->cinfo, COL_INFO))
+      col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
+    if (tree) {
+      ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+		"Ethernet II, Src: %s, Dst: %s",
+		ether_to_str(src_addr), ether_to_str(dst_addr));
+
+      fh_tree = proto_item_add_subtree(ti, ett_ether2);
+    }
+
+    proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+    proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+/* add items for eth.addr filter */
+    proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+    proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+    ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
+          hf_eth_trailer, fcs_len);
+  }
+
+end_of_eth:
+  tap_queue_packet(eth_tap, pinfo, ehdr);
+  return;
+}
+
+/*
+ * Add an Ethernet trailer - which, for some captures, might be the FCS
+ * rather than a pad-to-60-bytes trailer.
+ *
+ * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
+ * it has an FCS; if it's anything else (such as -1, which means "maybe
+ * it does, maybe it doesn't"), we try to infer whether it has an FCS.
+ */
+void
+add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
+		     tvbuff_t *trailer_tvb, int fcs_len)
+{
+  /* If there're some bytes left over, show those bytes as a trailer.
+
+     However, if the Ethernet frame was claimed to have had 64 or more
+     bytes - i.e., it was at least an FCS worth of data longer than
+     the minimum payload size - assume the last 4 bytes of the trailer
+     are an FCS. */
+  if (trailer_tvb && fh_tree) {
+    guint trailer_length, trailer_reported_length;
+    gboolean has_fcs = FALSE;
+
+    trailer_length = tvb_length(trailer_tvb);
+    trailer_reported_length = tvb_reported_length(trailer_tvb);
+    if (fcs_len != 0) {
+      /* If fcs_len is 4, we assume we definitely have an FCS.
+         Otherwise, then, if the frame is big enough that, if we
+         have a trailer, it probably inclues an FCS, and we have
+         enough space in the trailer for the FCS, we assume we
+         have an FCS.
+
+	 "Big enough" means 64 bytes or more; any frame that big
+	 needs no trailer, as there's no need to pad an Ethernet
+	 packet past 60 bytes.
+
+	 The trailer must be at least 4 bytes long to have enough
+	 space for an FCS. */
+
+      if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
+			   trailer_reported_length >= 4)) {
+	/* Either we know we have an FCS, or we believe we have an FCS. */
+	if (trailer_length < trailer_reported_length) {
+	  /* The packet is claimed to have enough data for a 4-byte FCS,
+	     but we didn't capture all of the packet.
+	     Slice off the 4-byte FCS from the reported length, and
+	     trim the captured length so it's no more than the reported
+	     length; that will slice off what of the FCS, if any, is
+	     in the captured packet. */
+	  trailer_reported_length -= 4;
+	  if (trailer_length > trailer_reported_length)
+	    trailer_length = trailer_reported_length;
+	  has_fcs = TRUE;
+	} else {
+	  /* We captured all of the packet, including what appears to
+	     be a 4-byte FCS.  Slice it off. */
+	  trailer_length -= 4;
+	  trailer_reported_length -= 4;
+	  has_fcs = TRUE;
+	}
+      }
+    }
+    if (trailer_length != 0) {
+      proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
+			  trailer_length, FALSE);
+    }
+    if (has_fcs) {
+      guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
+      guint32 fcs = crc32_802_tvb(tvb, tvb_length(tvb) - 4);
+      if (fcs == sent_fcs) {
+	proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+			    "Frame check sequence: 0x%08x (correct)",
+			    sent_fcs);
+      } else {
+	proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+			    "Frame check sequence: 0x%08x (incorrect, should be 0x%08x)",
+			    sent_fcs, fcs);
+      }
+    }
+  }
+}
+
+/* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
+   reported to us. */
+static void
+dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+  dissect_eth_common(tvb, pinfo, tree, pinfo->pseudo_header->eth.fcs_len);
+}
+
+/* Called by other dissectors - for now, we assume Ethernet encapsulated
+   inside other protocols doesn't include the FCS. */
+static void
+dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+  dissect_eth_common(tvb, pinfo, tree, 0);
+}
+
+void
+proto_register_eth(void)
+{
+	static hf_register_info hf[] = {
+
+		{ &hf_eth_dst,
+		{ "Destination",	"eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
+			"Destination Hardware Address", HFILL }},
+
+		{ &hf_eth_src,
+		{ "Source",		"eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
+			"Source Hardware Address", HFILL }},
+
+		{ &hf_eth_len,
+		{ "Length",		"eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
+			"", HFILL }},
+
+		/* registered here but handled in ethertype.c */
+		{ &hf_eth_type,
+		{ "Type",		"eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+			"", HFILL }},
+		{ &hf_eth_addr,
+		{ "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
+			"Source or Destination Hardware Address", HFILL }},
+
+                { &hf_eth_trailer,
+		{ "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
+			"Ethernet Trailer or Checksum", HFILL }},
+
+	};
+	static gint *ett[] = {
+		&ett_ieee8023,
+		&ett_ether2,
+	};
+	module_t *eth_module;
+
+	proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
+	proto_register_field_array(proto_eth, hf, array_length(hf));
+	proto_register_subtree_array(ett, array_length(ett));
+
+	/* subdissector code */
+	register_heur_dissector_list("eth", &heur_subdissector_list);
+
+	/* Register configuration preferences */
+	eth_module = prefs_register_protocol(proto_eth, NULL);
+	prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
+            "Interpret as FireWall-1 monitor file",
+"Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
+            &eth_interpret_as_fw1_monitor);
+
+	register_dissector("eth", dissect_eth, proto_eth);
+	eth_tap = register_tap("eth");
+}
+
+void
+proto_reg_handoff_eth(void)
+{
+	dissector_handle_t eth_handle, eth_maybefcs_handle;
+
+	/*
+	 * Get a handle for the ISL dissector.
+	 */
+	isl_handle = find_dissector("isl");
+	fw1_handle = find_dissector("fw1");
+
+	eth_maybefcs_handle = create_dissector_handle(dissect_eth_maybefcs,
+	    proto_eth);
+	dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
+
+	eth_handle = find_dissector("eth");
+	dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
+	dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
+	dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);
+}