author | Gilbert Ramirez <gram@alumni.rice.edu> | 2004-07-18 18:06:47 +0000 |
---|---|---|
committer | Gilbert Ramirez <gram@alumni.rice.edu> | 2004-07-18 18:06:47 +0000 |
commit | 669db206cb1f270046ad400fff7655e20c63e723 (patch) | |
tree | 4eff24a2e16c8963e497e1fc575f35e6af59bd26 /epan/dissectors/packet-eth.c | |
parent | ae46c27a38700af669ef907491081f09df6f6b2c (diff) |
Move dissectors to epan/dissectors directory.
Also move ncp222.py, x11-fields, process-x11-fields.pl,
make-reg-dotc, and make-reg-dotc.py.
Adjust #include lines in files that include packet-*.h
files.
svn path=/trunk/; revision=11410
Diffstat (limited to 'epan/dissectors/packet-eth.c')
-rw-r--r-- | epan/dissectors/packet-eth.c | 471 |
1 files changed, 471 insertions, 0 deletions
diff --git a/epan/dissectors/packet-eth.c b/epan/dissectors/packet-eth.c
new file mode 100644
index 0000000000..89b49b6d30
--- /dev/null
+++ b/epan/dissectors/packet-eth.c
@@ -0,0 +1,471 @@
+/* packet-eth.c
+ * Routines for ethernet packet disassembly
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+#include <epan/packet.h>
+#include "prefs.h"
+#include "etypes.h"
+#include <epan/resolv.h>
+#include "packet-eth.h"
+#include "packet-ieee8023.h"
+#include "packet-ipx.h"
+#include "packet-isl.h"
+#include "packet-llc.h"
+#include "crc32.h"
+#include "tap.h"
+
+/* Interpret capture file as FW1 monitor file */
+static gboolean eth_interpret_as_fw1_monitor = FALSE;
+
+/* protocols and header fields */
+static int proto_eth = -1;
+static int hf_eth_dst = -1;
+static int hf_eth_src = -1;
+static int hf_eth_len = -1;
+static int hf_eth_type = -1;
+static int hf_eth_addr = -1;
+static int hf_eth_trailer = -1;
+
+static gint ett_ieee8023 = -1;
+static gint ett_ether2 = -1;
+
+static dissector_handle_t isl_handle;
+static dissector_handle_t fw1_handle;
+static heur_dissector_list_t heur_subdissector_list;
+
+static int eth_tap = -1;
+
+#define ETH_HEADER_SIZE 14
+
+/* These are the Netware-ish names for the different Ethernet frame types.
+ EthernetII: The ethernet with a Type field instead of a length field
+ Ethernet802.2: An 802.3 header followed by an 802.2 header
+ Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
+ There's no 802.2 hdr in this.
+ EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
+ there's no difference between 802.2 and 802.2SNAP, since we just
+ pass it down to the LLC dissector. -- Gilbert
+*/
+#define ETHERNET_II 0
+#define ETHERNET_802_2 1
+#define ETHERNET_802_3 2
+#define ETHERNET_SNAP 3
+
+void
+capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
+{
+ guint16 etype, length;
+ int ethhdr_type; /* the type of ethernet frame */
+
+ if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
+ ld->other++;
+ return;
+ }
+
+ etype = pntohs(&pd[offset+12]);
+
+ /*
+ * If the type/length field is <= the maximum 802.3 length,
+ * and is not zero, this is an 802.3 frame, and it's a length
+ * field; it might be an Novell "raw 802.3" frame, with no
+ * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+ * header.
+ *
+ * If the type/length field is > the maximum 802.3 length,
+ * this is an Ethernet II frame, and it's a type field.
+ *
+ * If the type/length field is zero (ETHERTYPE_UNK), this is
+ * a frame used internally by the Cisco MDS switch to contain
+ * Fibre Channel ("Vegas"). We treat that as an Ethernet II
+ * frame; the dissector for those frames registers itself with
+ * an ethernet type of ETHERTYPE_UNK.
+ */
+ if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
+ length = etype;
+
+ /* Is there an 802.2 layer? I can tell by looking at the first 2
+ bytes after the 802.3 header. If they are 0xffff, then what
+ follows the 802.3 header is an IPX payload, meaning no 802.2.
+ (IPX/SPX is they only thing that can be contained inside a
+ straight 802.3 packet). A non-0xffff value means that there's an
+ 802.2 layer inside the 802.3 layer */
+ if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
+ ethhdr_type = ETHERNET_802_3;
+ }
+ else {
+ ethhdr_type = ETHERNET_802_2;
+ }
+
+ /* Oh, yuck. Cisco ISL frames require special interpretation of the
+ destination address field; fortunately, they can be recognized by
+ checking the first 5 octets of the destination address, which are
+ 01-00-0C-00-00 for ISL frames. */
+ if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
+ && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
+ capture_isl(pd, offset, len, ld);
+ return;
+ }
+
+ /* Convert the LLC length from the 802.3 header to a total
+ frame length, by adding in the size of any data that preceded
+ the Ethernet header, and adding in the Ethernet header size,
+ and set the payload and captured-payload lengths to the minima
+ of the total length and the frame lengths. */
+ length += offset + ETH_HEADER_SIZE;
+ if (len > length)
+ len = length;
+ } else {
+ ethhdr_type = ETHERNET_II;
+ }
+ offset += ETH_HEADER_SIZE;
+
+ switch (ethhdr_type) {
+ case ETHERNET_802_3:
+ capture_ipx(ld);
+ break;
+ case ETHERNET_802_2:
+ capture_llc(pd, offset, len, ld);
+ break;
+ case ETHERNET_II:
+ capture_ethertype(etype, pd, offset, len, ld);
+ break;
+ }
+}
+
+static void
+dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ int fcs_len)
+{
+ proto_item *ti;
+ eth_hdr *ehdr;
+ volatile gboolean is_802_2;
+ proto_tree *volatile fh_tree = NULL;
+ const char *src_addr, *dst_addr;
+ static eth_hdr ehdrs[4];
+ static int ehdr_num=0;
+
+ ehdr_num++;
+ if(ehdr_num>=4){
+ ehdr_num=0;
+ }
+ ehdr=&ehdrs[ehdr_num];
+
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
+
+ src_addr=tvb_get_ptr(tvb, 6, 6);
+ SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
+ SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
+ SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
+ dst_addr=tvb_get_ptr(tvb, 0, 6);
+ SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
+ SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
+ SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
+
+ ehdr->type = tvb_get_ntohs(tvb, 12);
+
+ /*
+ * In case the packet is a non-Ethernet packet inside
+ * Ethernet framing, allow heuristic dissectors to take
+ * a first look before we assume that it's actually an
+ * Ethernet packet.
+ */
+ if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, tree))
+ goto end_of_eth;
+
+ /*
+ * If the type/length field is <= the maximum 802.3 length,
+ * and is not zero, this is an 802.3 frame, and it's a length
+ * field; it might be an Novell "raw 802.3" frame, with no
+ * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+ * header.
+ *
+ * If the type/length field is > the maximum 802.3 length,
+ * this is an Ethernet II frame, and it's a type field.
+ *
+ * If the type/length field is zero (ETHERTYPE_UNK), this is
+ * a frame used internally by the Cisco MDS switch to contain
+ * Fibre Channel ("Vegas"). We treat that as an Ethernet II
+ * frame; the dissector for those frames registers itself with
+ * an ethernet type of ETHERTYPE_UNK.
+ */
+ if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
+ /* Oh, yuck. Cisco ISL frames require special interpretation of the
+ destination address field; fortunately, they can be recognized by
+ checking the first 5 octets of the destination address, which are
+ 01-00-0C-00-00 for ISL frames. */
+ if ( tvb_get_guint8(tvb, 0) == 0x01 &&
+ tvb_get_guint8(tvb, 1) == 0x00 &&
+ tvb_get_guint8(tvb, 2) == 0x0C &&
+ tvb_get_guint8(tvb, 3) == 0x00 &&
+ tvb_get_guint8(tvb, 4) == 0x00 ) {
+ call_dissector(isl_handle, tvb, pinfo, tree);
+ goto end_of_eth;
+ }
+
+ /* Is there an 802.2 layer? I can tell by looking at the first 2
+ bytes after the 802.3 header. If they are 0xffff, then what
+ follows the 802.3 header is an IPX payload, meaning no 802.2.
+ (IPX/SPX is they only thing that can be contained inside a
+ straight 802.3 packet). A non-0xffff value means that there's an
+ 802.2 layer inside the 802.3 layer */
+ is_802_2 = TRUE;
+ TRY {
+ if (tvb_get_ntohs(tvb, 14) == 0xffff) {
+ is_802_2 = FALSE;
+ }
+ }
+ CATCH2(BoundsError, ReportedBoundsError) {
+ ; /* do nothing */
+
+ }
+ ENDTRY;
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
+ (is_802_2 ? "" : "Raw "));
+ }
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
+
+ fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
+ }
+
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+
+/* add items for eth.addr filter */
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+ dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
+ hf_eth_len, hf_eth_trailer, fcs_len);
+ } else {
+ if (eth_interpret_as_fw1_monitor) {
+ call_dissector(fw1_handle, tvb, pinfo, tree);
+ goto end_of_eth;
+ }
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "Ethernet II, Src: %s, Dst: %s",
+ ether_to_str(src_addr), ether_to_str(dst_addr));
+
+ fh_tree = proto_item_add_subtree(ti, ett_ether2);
+ }
+
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+/* add items for eth.addr filter */
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+ ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
+ hf_eth_trailer, fcs_len);
+ }
+
+end_of_eth:
+ tap_queue_packet(eth_tap, pinfo, ehdr);
+ return;
+}
+
+/*
+ * Add an Ethernet trailer - which, for some captures, might be the FCS
+ * rather than a pad-to-60-bytes trailer.
+ *
+ * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
+ * it has an FCS; if it's anything else (such as -1, which means "maybe
+ * it does, maybe it doesn't"), we try to infer whether it has an FCS.
+ */
+void
+add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
+ tvbuff_t *trailer_tvb, int fcs_len)
+{
+ /* If there're some bytes left over, show those bytes as a trailer.
+
+ However, if the Ethernet frame was claimed to have had 64 or more
+ bytes - i.e., it was at least an FCS worth of data longer than
+ the minimum payload size - assume the last 4 bytes of the trailer
+ are an FCS. */
+ if (trailer_tvb && fh_tree) {
+ guint trailer_length, trailer_reported_length;
+ gboolean has_fcs = FALSE;
+
+ trailer_length = tvb_length(trailer_tvb);
+ trailer_reported_length = tvb_reported_length(trailer_tvb);
+ if (fcs_len != 0) {
+ /* If fcs_len is 4, we assume we definitely have an FCS.
+ Otherwise, then, if the frame is big enough that, if we
+ have a trailer, it probably inclues an FCS, and we have
+ enough space in the trailer for the FCS, we assume we
+ have an FCS.
+
+ "Big enough" means 64 bytes or more; any frame that big
+ needs no trailer, as there's no need to pad an Ethernet
+ packet past 60 bytes.
+
+ The trailer must be at least 4 bytes long to have enough
+ space for an FCS. */
+
+ if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
+ trailer_reported_length >= 4)) {
+ /* Either we know we have an FCS, or we believe we have an FCS. */
+ if (trailer_length < trailer_reported_length) {
+ /* The packet is claimed to have enough data for a 4-byte FCS,
+ but we didn't capture all of the packet.
+ Slice off the 4-byte FCS from the reported length, and
+ trim the captured length so it's no more than the reported
+ length; that will slice off what of the FCS, if any, is
+ in the captured packet. */
+ trailer_reported_length -= 4;
+ if (trailer_length > trailer_reported_length)
+ trailer_length = trailer_reported_length;
+ has_fcs = TRUE;
+ } else {
+ /* We captured all of the packet, including what appears to
+ be a 4-byte FCS. Slice it off. */
+ trailer_length -= 4;
+ trailer_reported_length -= 4;
+ has_fcs = TRUE;
+ }
+ }
+ }
+ if (trailer_length != 0) {
+ proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
+ trailer_length, FALSE);
+ }
+ if (has_fcs) {
+ guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
+ guint32 fcs = crc32_802_tvb(tvb, tvb_length(tvb) - 4);
+ if (fcs == sent_fcs) {
+ proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+ "Frame check sequence: 0x%08x (correct)",
+ sent_fcs);
+ } else {
+ proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+ "Frame check sequence: 0x%08x (incorrect, should be 0x%08x)",
+ sent_fcs, fcs);
+ }
+ }
+ }
+}
+
+/* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
+ reported to us. */
+static void
+dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ dissect_eth_common(tvb, pinfo, tree, pinfo->pseudo_header->eth.fcs_len);
+}
+
+/* Called by other dissectors - for now, we assume Ethernet encapsulated
+ inside other protocols doesn't include the FCS. */
+static void
+dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ dissect_eth_common(tvb, pinfo, tree, 0);
+}
+
+void
+proto_register_eth(void)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_eth_dst,
+ { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Destination Hardware Address", HFILL }},
+
+ { &hf_eth_src,
+ { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Source Hardware Address", HFILL }},
+
+ { &hf_eth_len,
+ { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
+ "", HFILL }},
+
+ /* registered here but handled in ethertype.c */
+ { &hf_eth_type,
+ { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+ "", HFILL }},
+ { &hf_eth_addr,
+ { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Source or Destination Hardware Address", HFILL }},
+
+ { &hf_eth_trailer,
+ { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
+ "Ethernet Trailer or Checksum", HFILL }},
+
+ };
+ static gint *ett[] = {
+ &ett_ieee8023,
+ &ett_ether2,
+ };
+ module_t *eth_module;
+
+ proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
+ proto_register_field_array(proto_eth, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ /* subdissector code */
+ register_heur_dissector_list("eth", &heur_subdissector_list);
+
+ /* Register configuration preferences */
+ eth_module = prefs_register_protocol(proto_eth, NULL);
+ prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
+ "Interpret as FireWall-1 monitor file",
+"Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
+ ð_interpret_as_fw1_monitor);
+
+ register_dissector("eth", dissect_eth, proto_eth);
+ eth_tap = register_tap("eth");
+}
+
+void
+proto_reg_handoff_eth(void)
+{
+ dissector_handle_t eth_handle, eth_maybefcs_handle;
+
+ /*
+ * Get a handle for the ISL dissector.
+ */
+ isl_handle = find_dissector("isl");
+ fw1_handle = find_dissector("fw1");
+
+ eth_maybefcs_handle = create_dissector_handle(dissect_eth_maybefcs,
+ proto_eth);
+ dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
+
+ eth_handle = find_dissector("eth");
+ dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);
+} |
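Review bot: In capture_eth the IPX peek `pd[offset+14] == 0xff && pd[offset+15] == 0xff` indexes two bytes past the Ethernet header, while the only check before it is `BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)`, which by its arguments appears to cover just the 14 header bytes, so a frame captured with only the header (or one payload byte) is read beyond `len`. dissect_eth_common guards the same peek with TRY/CATCH2 and falls back to 802.2 on a bounds error; the capture path can match that with `if (BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE + 2) && pd[offset+14] == 0xff && pd[offset+15] == 0xff) {`. Separately, in add_ethernet_trailer `fcs_len == 4` short-circuits the `trailer_reported_length >= 4` test, so the else branch's `trailer_length -= 4` can wrap the guint when the trailer is shorter than four bytes; an explicit `trailer_length >= 4` check before slicing would close that. Both were presumably carried over unchanged by the move, but the file lands here as new code and they are worth fixing in place.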