/* packet-sll.c * Routines for disassembly of packets from Linux "cooked mode" captures * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * SPDX-License-Identifier: GPL-2.0-or-later */ #include "config.h" #include #include #include #include #include #include "packet-sll.h" #include "packet-ipx.h" #include "packet-llc.h" #include "packet-eth.h" #include "packet-ppp.h" #include "packet-gre.h" #include "packet-arp.h" #include #include #include #include #include void proto_register_sll(void); void proto_reg_handoff_sll(void); typedef struct sll_tap_data { address src_address; } sll_tap_data; /* * A LINKTYPE_LINUX_SLL fake link-layer header. */ #define SLL_HEADER_SIZE 16 /* total header length */ /* * A LINKTYPE_LINUX_SLL fake link-layer header. */ #define SLL2_HEADER_SIZE 20 /* total header length */ #define SLL_ADDRLEN 8 /* length of address field */ /* * The LINUX_SLL_ values for "sll_pkttype". */ #define LINUX_SLL_HOST 0 #define LINUX_SLL_BROADCAST 1 #define LINUX_SLL_MULTICAST 2 #define LINUX_SLL_OTHERHOST 3 #define LINUX_SLL_OUTGOING 4 static const value_string packet_type_vals[] = { { LINUX_SLL_HOST, "Unicast to us" }, { LINUX_SLL_BROADCAST, "Broadcast" }, { LINUX_SLL_MULTICAST, "Multicast" }, { LINUX_SLL_OTHERHOST, "Unicast to another host" }, { LINUX_SLL_OUTGOING, "Sent by us" }, { 0, NULL } }; static const value_string ltype_vals[] = { { LINUX_SLL_P_802_3, "Raw 802.3" }, { LINUX_SLL_P_ETHERNET, "Ethernet" }, { LINUX_SLL_P_802_2, "802.2 LLC" }, { LINUX_SLL_P_PPPHDLC, "PPP (HDLC)" }, { LINUX_SLL_P_CAN, "CAN" }, { LINUX_SLL_P_CANFD, "CAN FD" }, { LINUX_SLL_P_IRDA_LAP, "IrDA LAP" }, { LINUX_SLL_P_ISI, "ISI" }, { LINUX_SLL_P_IEEE802154, "IEEE 802.15.4" }, { LINUX_SLL_P_MCTP, "MCTP" }, { 0, NULL } }; static dissector_handle_t sll_handle; static dissector_handle_t sll2_handle; static dissector_handle_t ethertype_handle; static dissector_handle_t netlink_handle; static int proto_sll; static int sll_tap = -1; static int hf_sll_etype = -1; static int hf_sll_gretype = -1; static int hf_sll_halen = -1; static int hf_sll_hatype = -1; static int hf_sll_ifindex = -1; static int hf_sll_ltype = -1; static int hf_sll_pkttype = -1; static int hf_sll_src_eth = -1; static int hf_sll_src_ipv4 = -1; static int hf_sll_src_other = -1; static int hf_sll_trailer = -1; static int hf_sll_unused = -1; static gint ett_sll = -1; static dissector_table_t sll_hatype_dissector_table; static dissector_table_t sll_ltype_dissector_table; static dissector_table_t gre_dissector_table; static void sll_prompt(packet_info *pinfo, gchar* result) { snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "SLL protocol type 0x%04x as", GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_sll, 0))); } static gpointer sll_value(packet_info *pinfo) { return p_get_proto_data(pinfo->pool, pinfo, proto_sll, 0); } static const char* sll_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter) { if ((filter == CONV_FT_SRC_ADDRESS) && (conv->src_address.type == AT_ETHER)) return "sll.src.eth"; if ((filter == CONV_FT_ANY_ADDRESS) && (conv->src_address.type == AT_ETHER)) return "sll.src.eth"; if ((filter == CONV_FT_SRC_ADDRESS) && (conv->src_address.type == AT_IPv4)) return "sll.src.ipv4"; if ((filter == CONV_FT_ANY_ADDRESS) && (conv->src_address.type == AT_IPv4)) return "sll.src.ipv4"; return CONV_FILTER_INVALID; } static ct_dissector_info_t sll_ct_dissector_info = {&sll_conv_get_filter_type}; static address no_dst = {AT_NONE, 0, NULL, NULL}; static tap_packet_status sll_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags) { conv_hash_t *hash = (conv_hash_t*) pct; hash->flags = flags; const sll_tap_data *tap_data = (const sll_tap_data*)vip; add_conversation_table_data(hash, &tap_data->src_address, &no_dst, 0, 0, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->abs_ts, &sll_ct_dissector_info, CONVERSATION_NONE); return TAP_PACKET_REDRAW; } static const char* sll_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter) { if ((filter == CONV_FT_SRC_ADDRESS) && (endpoint->myaddress.type == AT_ETHER)) return "sll.src.eth"; if ((filter == CONV_FT_ANY_ADDRESS) && (endpoint->myaddress.type == AT_ETHER)) return "sll.src.eth"; if ((filter == CONV_FT_SRC_ADDRESS) && (endpoint->myaddress.type == AT_IPv4)) return "sll.src.ipv4"; if ((filter == CONV_FT_ANY_ADDRESS) && (endpoint->myaddress.type == AT_IPv4)) return "sll.src.ipv4"; return CONV_FILTER_INVALID; } static et_dissector_info_t sll_endpoint_dissector_info = {&sll_endpoint_get_filter_type}; static tap_packet_status sll_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags) { conv_hash_t *hash = (conv_hash_t*) pit; hash->flags = flags; const sll_tap_data *tap_data = (const sll_tap_data*)vip; add_endpoint_table_data(hash, &tap_data->src_address, 0, TRUE, 1, pinfo->fd->pkt_len, &sll_endpoint_dissector_info, ENDPOINT_NONE); return TAP_PACKET_REDRAW; } static gboolean capture_sll(const guchar *pd, int offset _U_, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header _U_) { guint16 hatype; guint16 protocol; if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) return FALSE; protocol = pntoh16(&pd[14]); if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */ /* * "proto" is *not* a length field, it's a Linux internal * protocol type. */ hatype = pntoh16(&pd[2]); if (try_capture_dissector("sll.hatype", hatype, pd, SLL_HEADER_SIZE, len, cpinfo, pseudo_header)) return TRUE; return try_capture_dissector("sll.ltype", protocol, pd, SLL_HEADER_SIZE, len, cpinfo, pseudo_header); } else { return try_capture_dissector("ethertype", protocol, pd, SLL_HEADER_SIZE, len, cpinfo, pseudo_header); } return FALSE; } static gboolean capture_sll2(const guchar *pd, int offset _U_, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header _U_) { guint16 hatype; guint16 protocol; if (!BYTES_ARE_IN_FRAME(0, len, SLL2_HEADER_SIZE)) return FALSE; protocol = pntoh16(&pd[0]); if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */ /* * "proto" is *not* a length field, it's a Linux internal * protocol type. */ hatype = pntoh16(&pd[8]); if (try_capture_dissector("sll.hatype", hatype, pd, SLL2_HEADER_SIZE, len, cpinfo, pseudo_header)) return TRUE; return try_capture_dissector("sll.ltype", protocol, pd, SLL2_HEADER_SIZE, len, cpinfo, pseudo_header); } else { return try_capture_dissector("ethertype", protocol, pd, SLL2_HEADER_SIZE, len, cpinfo, pseudo_header); } return FALSE; } static void add_ll_address(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, int halen_offset, int halen_len, sll_tap_data *tap_data) { guint32 ha_len; int ha_offset = halen_offset + halen_len; /* * XXX - check the link-layer address type value? * For now, we just assume ha_len 4 is IPv4 and ha_len 6 * is Ethernet. */ proto_tree_add_item_ret_uint(tree, hf_sll_halen, tvb, halen_offset, halen_len, ENC_BIG_ENDIAN, &ha_len); switch (ha_len) { case 4: set_address_tvb(&pinfo->dl_src, AT_IPv4, 4, tvb, ha_offset); copy_address_shallow(&pinfo->src, &pinfo->dl_src); copy_address_wmem(wmem_file_scope(), &tap_data->src_address, &pinfo->src); proto_tree_add_item(tree, hf_sll_src_ipv4, tvb, ha_offset, 4, ENC_BIG_ENDIAN); break; case 6: set_address_tvb(&pinfo->dl_src, AT_ETHER, 6, tvb, ha_offset); copy_address_shallow(&pinfo->src, &pinfo->dl_src); copy_address_wmem(wmem_file_scope(), &tap_data->src_address, &pinfo->src); proto_tree_add_item(tree, hf_sll_src_eth, tvb, ha_offset, 6, ENC_NA); break; case 0: break; default: proto_tree_add_item(tree, hf_sll_src_other, tvb, ha_offset, ha_len > 8 ? 8 : ha_len, ENC_NA); break; } /* Not all bytes of SLL_ADDRLEN have been used. Add remaining as unused */ if (ha_len < SLL_ADDRLEN) proto_tree_add_item(tree, hf_sll_unused, tvb, ha_offset + ha_len, SLL_ADDRLEN - ha_len, ENC_NA); } static guint16 add_protocol_type(proto_tree *fh_tree, tvbuff_t *tvb, int protocol_offset, int hatype) { guint16 protocol; protocol = tvb_get_ntohs(tvb, protocol_offset); if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */ /* * "proto" is *not* a length field, it's a Linux internal * protocol type. * We therefore cannot say how much of the packet will * be trailer data. * XXX - do the same thing we do for packets with Ethertypes? */ proto_tree_add_uint(fh_tree, hf_sll_ltype, tvb, protocol_offset, 2, protocol); } else { switch (hatype) { case ARPHRD_IPGRE: /* * XXX - the link-layer header appears to consist * of an IPv4 header followed by a bunch of stuff * that includes the GRE flags and version, but * cooked captures strip the link-layer header, * so we can't provide the flags and version to * the dissector. */ proto_tree_add_uint(fh_tree, hf_sll_gretype, tvb, protocol_offset, 2, protocol); break; default: proto_tree_add_uint(fh_tree, hf_sll_etype, tvb, protocol_offset, 2, protocol); break; } } return protocol; } static void dissect_payload(proto_tree *tree, packet_info *pinfo, proto_tree *fh_tree, tvbuff_t *tvb, int header_size, int hatype, guint16 protocol) { tvbuff_t *next_tvb; ethertype_data_t ethertype_data; next_tvb = tvb_new_subset_remaining(tvb, header_size); if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */ /* * "proto" is *not* a length field, it's a Linux internal * protocol type. * We therefore cannot say how much of the packet will * be trailer data. * XXX - do the same thing we do for packets with Ethertypes? */ if (!dissector_try_uint(sll_hatype_dissector_table, hatype, next_tvb, pinfo, tree)) { p_add_proto_data(pinfo->pool, pinfo, proto_sll, 0, GUINT_TO_POINTER((guint)protocol)); if (!dissector_try_uint(sll_ltype_dissector_table, protocol, next_tvb, pinfo, tree)) { call_data_dissector(next_tvb, pinfo, tree); } } } else { switch (hatype) { case ARPHRD_IPGRE: /* * XXX - the link-layer header appears to consist * of an IPv4 header followed by a bunch of stuff * that includes the GRE flags and version, but * cooked captures strip the link-layer header, * so we can't provide the flags and version to * the dissector. */ dissector_try_uint(gre_dissector_table, protocol, next_tvb, pinfo, tree); break; default: ethertype_data.etype = protocol; ethertype_data.payload_offset = header_size; ethertype_data.fh_tree = fh_tree; ethertype_data.trailer_id = hf_sll_trailer; ethertype_data.fcs_len = 0; call_dissector_with_data(ethertype_handle, tvb, pinfo, tree, ðertype_data); break; } } } static int dissect_sll_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int encap) { guint16 pkttype; guint16 protocol; guint16 hatype; int header_size; int version; proto_item *ti; proto_tree *fh_tree; sll_tap_data* tap_data; switch (encap) { case WTAP_ENCAP_SLL: pkttype = tvb_get_ntohs(tvb, 0); header_size = SLL_HEADER_SIZE; version = 1; break; case WTAP_ENCAP_SLL2: pkttype = tvb_get_ntohs(tvb, 10); header_size = SLL2_HEADER_SIZE; version = 2; break; default: DISSECTOR_ASSERT_NOT_REACHED(); } /* * Set "pinfo->p2p_dir" if the packet wasn't received * promiscuously. */ switch (pkttype) { case LINUX_SLL_HOST: case LINUX_SLL_BROADCAST: case LINUX_SLL_MULTICAST: pinfo->p2p_dir = P2P_DIR_RECV; break; case LINUX_SLL_OUTGOING: pinfo->p2p_dir = P2P_DIR_SENT; break; } switch (encap) { case WTAP_ENCAP_SLL: hatype = tvb_get_ntohs(tvb, 2); break; case WTAP_ENCAP_SLL2: hatype = tvb_get_ntohs(tvb, 8); break; default: DISSECTOR_ASSERT_NOT_REACHED(); } /* * XXX - special purpose hack. Netlink packets have a hardware * address type of ARPHRD_NETLINK, but the protocol type value * indicates the Netlink message type; we just hand the netlink * dissector our *entire* packet. * * That's different from link-layer types such as 802.11+radiotap, * where the payload follows the complete SLL header, and the * protocol field in the SLL header is irrelevant; for those, * we have the sll.hatype dissector table. */ if (hatype == ARPHRD_NETLINK) { return call_dissector(netlink_handle, tvb, pinfo, tree); } col_set_str(pinfo->cinfo, COL_PROTOCOL, "SLL"); col_clear(pinfo->cinfo, COL_INFO); col_add_str(pinfo->cinfo, COL_INFO, val_to_str(pkttype, packet_type_vals, "Unknown (%u)")); ti = proto_tree_add_protocol_format(tree, proto_sll, tvb, 0, header_size, "Linux cooked capture v%d", version); fh_tree = proto_item_add_subtree(ti, ett_sll); tap_data = wmem_new0(wmem_file_scope(), sll_tap_data); switch (encap) { case WTAP_ENCAP_SLL: proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 0, 2, ENC_BIG_ENDIAN); proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 2, 2, hatype); add_ll_address(fh_tree, pinfo, tvb, 4, 2, tap_data); protocol = add_protocol_type(fh_tree, tvb, 14, hatype); dissect_payload(tree, pinfo, fh_tree, tvb, SLL_HEADER_SIZE, hatype, protocol); break; case WTAP_ENCAP_SLL2: protocol = add_protocol_type(fh_tree, tvb, 0, hatype); proto_tree_add_item(fh_tree, hf_sll_ifindex, tvb, 4, 4, ENC_BIG_ENDIAN); proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 8, 2, hatype); proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 10, 1, ENC_BIG_ENDIAN); add_ll_address(fh_tree, pinfo, tvb, 11, 1, tap_data); dissect_payload(tree, pinfo, fh_tree, tvb, SLL2_HEADER_SIZE, hatype, protocol); break; default: DISSECTOR_ASSERT_NOT_REACHED(); } tap_queue_packet(sll_tap, pinfo, tap_data); return tvb_captured_length(tvb); } static int dissect_sll_v1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { return dissect_sll_common(tvb, pinfo, tree, WTAP_ENCAP_SLL); } static int dissect_sll_v2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { return dissect_sll_common(tvb, pinfo, tree, WTAP_ENCAP_SLL2); } void proto_register_sll(void) { static hf_register_info hf[] = { { &hf_sll_pkttype, { "Packet type", "sll.pkttype", FT_UINT16, BASE_DEC, VALS(packet_type_vals), 0x0, NULL, HFILL } }, { &hf_sll_hatype, { "Link-layer address type", "sll.hatype", FT_UINT16, BASE_DEC, VALS(arp_hrd_vals), 0x0, NULL, HFILL } }, { &hf_sll_halen, { "Link-layer address length", "sll.halen", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_sll_src_eth, { "Source", "sll.src.eth", FT_ETHER, BASE_NONE, NULL, 0x0, "Source link-layer address", HFILL } }, { &hf_sll_src_ipv4, { "Source", "sll.src.ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, "Source link-layer address", HFILL } }, { &hf_sll_src_other, { "Source", "sll.src.other", FT_BYTES, BASE_NONE, NULL, 0x0, "Source link-layer address", HFILL } }, { &hf_sll_unused, { "Unused", "sll.unused", FT_BYTES, BASE_NONE, NULL, 0x0, "Unused bytes", HFILL } }, { &hf_sll_ltype, { "Protocol", "sll.ltype", FT_UINT16, BASE_HEX, VALS(ltype_vals), 0x0, "Linux protocol type", HFILL } }, { &hf_sll_gretype, { "Protocol", "sll.gretype", FT_UINT16, BASE_HEX, VALS(gre_typevals), 0x0, "GRE protocol type", HFILL } }, { &hf_sll_etype, { "Protocol", "sll.etype", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0, "Ethernet protocol type", HFILL } }, { &hf_sll_trailer, { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { &hf_sll_ifindex, { "Interface index", "sll.ifindex", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, }; static gint *ett[] = { &ett_sll }; /* Decode As handling */ static build_valid_func sll_da_build_value[1] = {sll_value}; static decode_as_value_t sll_da_values = {sll_prompt, 1, sll_da_build_value}; static decode_as_t sll_da = {"sll.ltype", "sll.ltype", 1, 0, &sll_da_values, NULL, NULL, decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL}; proto_sll = proto_register_protocol("Linux cooked-mode capture", "SLL", "sll" ); proto_register_field_array(proto_sll, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); sll_handle = register_dissector("sll_v1", dissect_sll_v1, proto_sll); sll2_handle = register_dissector("sll_v2", dissect_sll_v2, proto_sll); sll_tap = register_tap("sll"); /* * Sigh. * * For some packets, the link-layer header *isn't* been stripped * off in a cooked capture; the hardware address type is the * device ARPTYPE, so, for those packets, we should call the * dissector for that value. * * We define a "sll.hatype" dissector table; we try dissecting * with that first, and then try the protocol type if nothing * is found in sll.hatype. */ sll_hatype_dissector_table = register_dissector_table ( "sll.hatype", "Linux SLL ARPHRD_ type", proto_sll, FT_UINT16, BASE_DEC ); register_capture_dissector_table("sll.hatype", "Linux SLL ARPHRD_ type"); sll_ltype_dissector_table = register_dissector_table ( "sll.ltype", "Linux SLL protocol type", proto_sll, FT_UINT16, BASE_HEX ); register_capture_dissector_table("sll.ltype", "Linux SLL protocol"); register_conversation_table(proto_sll, TRUE, sll_conversation_packet, sll_endpoint_packet); register_decode_as(&sll_da); } void proto_reg_handoff_sll(void) { capture_dissector_handle_t sll_cap_handle; capture_dissector_handle_t sll2_cap_handle; /* * Get handles for the IPX and LLC dissectors. */ gre_dissector_table = find_dissector_table("gre.proto"); ethertype_handle = find_dissector_add_dependency("ethertype", proto_sll); netlink_handle = find_dissector_add_dependency("netlink", proto_sll); dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL, sll_handle); dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL2, sll2_handle); sll_cap_handle = create_capture_dissector_handle(capture_sll, proto_sll); capture_dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL, sll_cap_handle); sll2_cap_handle = create_capture_dissector_handle(capture_sll2, proto_sll); capture_dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL2, sll2_cap_handle); } /* * Editor modelines - https://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 8 * tab-width: 8 * indent-tabs-mode: t * End: * * vi: set shiftwidth=8 tabstop=8 noexpandtab: * :indentSize=8:tabSize=8:noTabs=false: */