1998-09-16 02:39:15 +00:00
|
|
|
/* packet-eth.c
|
|
|
|
|
* Routines for ethernet packet disassembly
|
|
|
|
|
*
|
2000-01-23 08:55:37 +00:00
|
|
|
* $Id: packet-eth.c,v 1.26 2000/01/23 08:55:32 guy Exp $
|
1998-09-16 03:22:19 +00:00
|
|
|
*
|
1998-09-16 02:39:15 +00:00
|
|
|
* Ethereal - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@zing.org>
|
|
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
# include "config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
1998-10-10 03:32:20 +00:00
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
|
|
|
# include <sys/types.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
1999-03-23 03:14:46 +00:00
|
|
|
#include <glib.h>
|
1998-09-27 22:12:47 +00:00
|
|
|
#include "packet.h"
|
1998-09-16 02:39:15 +00:00
|
|
|
#include "etypes.h"
|
1998-09-25 23:24:07 +00:00
|
|
|
#include "resolv.h"
|
1998-09-16 02:39:15 +00:00
|
|
|
|
1999-07-07 22:52:57 +00:00
|
|
|
extern const value_string etype_vals[];
|
|
|
|
|
|
|
|
|
|
/* protocols and header fields */
|
1999-07-29 05:47:07 +00:00
|
|
|
static int proto_eth = -1;
|
|
|
|
|
static int hf_eth_dst = -1;
|
|
|
|
|
static int hf_eth_src = -1;
|
|
|
|
|
static int hf_eth_len = -1;
|
|
|
|
|
static int hf_eth_type = -1;
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-16 11:44:20 +00:00
|
|
|
static gint ett_ieee8023 = -1;
|
|
|
|
|
static gint ett_ether2 = -1;
|
|
|
|
|
|
1999-08-18 00:57:54 +00:00
|
|
|
#define ETH_HEADER_SIZE 14
|
|
|
|
|
|
1998-09-16 02:39:15 +00:00
|
|
|
/* These are the Netware-ish names for the different Ethernet frame types.
|
|
|
|
|
EthernetII: The ethernet with a Type field instead of a length field
|
|
|
|
|
Ethernet802.2: An 802.3 header followed by an 802.3 header
|
|
|
|
|
Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
|
|
|
|
|
There's not 802.2 hdr in this.
|
|
|
|
|
EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
|
|
|
|
|
there's no difference between 802.2 and 802.2SNAP, since we just
|
|
|
|
|
pass it down to dissect_llc(). -- Gilbert
|
|
|
|
|
*/
|
|
|
|
|
#define ETHERNET_II 0
|
|
|
|
|
#define ETHERNET_802_2 1
|
|
|
|
|
#define ETHERNET_802_3 2
|
|
|
|
|
#define ETHERNET_SNAP 3
|
|
|
|
|
|
1999-02-09 00:35:38 +00:00
|
|
|
void
|
2000-01-23 08:55:37 +00:00
|
|
|
capture_eth(const u_char *pd, int offset, packet_counts *ld)
|
|
|
|
|
{
|
|
|
|
|
guint16 etype, length;
|
1999-08-18 00:57:54 +00:00
|
|
|
int ethhdr_type; /* the type of ethernet frame */
|
1999-09-15 06:26:42 +00:00
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
|
1999-09-15 06:26:42 +00:00
|
|
|
ld->other++;
|
|
|
|
|
return;
|
|
|
|
|
}
|
1999-02-09 00:35:38 +00:00
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
etype = pntohs(&pd[offset+12]);
|
1999-02-09 00:35:38 +00:00
|
|
|
|
|
|
|
|
/* either ethernet802.3 or ethernet802.2 */
|
|
|
|
|
if (etype <= IEEE_802_3_MAX_LEN) {
|
2000-01-23 08:55:37 +00:00
|
|
|
length = etype;
|
1999-02-09 00:35:38 +00:00
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
/* Is there an 802.2 layer? I can tell by looking at the first 2
|
|
|
|
|
bytes after the 802.3 header. If they are 0xffff, then what
|
|
|
|
|
follows the 802.3 header is an IPX payload, meaning no 802.2.
|
|
|
|
|
(IPX/SPX is they only thing that can be contained inside a
|
|
|
|
|
straight 802.3 packet). A non-0xffff value means that there's an
|
|
|
|
|
802.2 layer inside the 802.3 layer */
|
|
|
|
|
if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
|
1999-02-09 00:35:38 +00:00
|
|
|
ethhdr_type = ETHERNET_802_3;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
ethhdr_type = ETHERNET_802_2;
|
|
|
|
|
}
|
2000-01-23 08:55:37 +00:00
|
|
|
|
|
|
|
|
/* Convert the LLC length from the 802.3 header to a total
|
|
|
|
|
length, by adding in the Ethernet header size, and set
|
|
|
|
|
the payload and captured-payload lengths to the minima
|
|
|
|
|
of the total length and the frame lengths. */
|
|
|
|
|
length += ETH_HEADER_SIZE;
|
|
|
|
|
if (pi.len > length)
|
|
|
|
|
pi.len = length;
|
|
|
|
|
if (pi.captured_len > length)
|
|
|
|
|
pi.captured_len = length;
|
1999-02-09 00:35:38 +00:00
|
|
|
} else {
|
|
|
|
|
ethhdr_type = ETHERNET_II;
|
|
|
|
|
}
|
2000-01-23 08:55:37 +00:00
|
|
|
offset += ETH_HEADER_SIZE;
|
1999-02-09 00:35:38 +00:00
|
|
|
|
|
|
|
|
switch (ethhdr_type) {
|
|
|
|
|
case ETHERNET_802_3:
|
2000-01-23 08:55:37 +00:00
|
|
|
capture_ipx(pd, offset, ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
|
case ETHERNET_802_2:
|
2000-01-23 08:55:37 +00:00
|
|
|
capture_llc(pd, offset, ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
|
case ETHERNET_II:
|
2000-01-23 08:55:37 +00:00
|
|
|
capture_ethertype(etype, offset, pd, ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
1998-09-16 02:39:15 +00:00
|
|
|
void
|
1999-08-20 06:55:20 +00:00
|
|
|
dissect_eth(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
|
1998-09-16 02:39:15 +00:00
|
|
|
guint16 etype, length;
|
1999-03-23 03:14:46 +00:00
|
|
|
proto_tree *fh_tree = NULL;
|
|
|
|
|
proto_item *ti;
|
1999-08-18 00:57:54 +00:00
|
|
|
int ethhdr_type; /* the type of ethernet frame */
|
2000-01-23 08:55:37 +00:00
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
|
1999-09-15 06:26:42 +00:00
|
|
|
dissect_data(pd, offset, fd, tree);
|
|
|
|
|
return;
|
|
|
|
|
}
|
1998-09-16 02:39:15 +00:00
|
|
|
|
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
1999-10-22 07:18:23 +00:00
|
|
|
SET_ADDRESS(&pi.dl_src, AT_ETHER, 6, &pd[offset+6]);
|
|
|
|
|
SET_ADDRESS(&pi.src, AT_ETHER, 6, &pd[offset+6]);
|
|
|
|
|
SET_ADDRESS(&pi.dl_dst, AT_ETHER, 6, &pd[offset+0]);
|
|
|
|
|
SET_ADDRESS(&pi.dst, AT_ETHER, 6, &pd[offset+0]);
|
|
|
|
|
|
1998-11-17 04:29:13 +00:00
|
|
|
if (check_col(fd, COL_PROTOCOL))
|
1999-08-24 06:10:05 +00:00
|
|
|
col_add_str(fd, COL_PROTOCOL, "Ethernet");
|
1998-09-16 02:39:15 +00:00
|
|
|
|
1999-11-19 05:12:50 +00:00
|
|
|
etype = pntohs(&pd[offset+12]);
|
1998-09-16 02:39:15 +00:00
|
|
|
|
|
|
|
|
/* either ethernet802.3 or ethernet802.2 */
|
|
|
|
|
if (etype <= IEEE_802_3_MAX_LEN) {
|
|
|
|
|
length = etype;
|
|
|
|
|
|
1999-08-24 06:10:05 +00:00
|
|
|
/* Is there an 802.2 layer? I can tell by looking at the first 2
|
|
|
|
|
bytes after the 802.3 header. If they are 0xffff, then what
|
|
|
|
|
follows the 802.3 header is an IPX payload, meaning no 802.2.
|
|
|
|
|
(IPX/SPX is they only thing that can be contained inside a
|
|
|
|
|
straight 802.3 packet). A non-0xffff value means that there's an
|
|
|
|
|
802.2 layer inside the 802.3 layer */
|
1999-08-20 06:55:20 +00:00
|
|
|
if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
|
1998-09-27 22:12:47 +00:00
|
|
|
ethhdr_type = ETHERNET_802_3;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
ethhdr_type = ETHERNET_802_2;
|
|
|
|
|
}
|
|
|
|
|
|
1999-08-24 06:10:05 +00:00
|
|
|
if (check_col(fd, COL_INFO)) {
|
|
|
|
|
col_add_fstr(fd, COL_INFO, "IEEE 802.3 %s",
|
|
|
|
|
(ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
|
|
|
|
|
}
|
1998-09-16 02:39:15 +00:00
|
|
|
if (tree) {
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-19 05:12:50 +00:00
|
|
|
ti = proto_tree_add_item_format(tree, proto_eth, offset, ETH_HEADER_SIZE,
|
1999-07-07 22:52:57 +00:00
|
|
|
NULL, "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
|
|
|
|
|
|
1999-11-16 11:44:20 +00:00
|
|
|
fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-19 05:12:50 +00:00
|
|
|
proto_tree_add_item(fh_tree, hf_eth_dst, offset+0, 6, &pd[offset+0]);
|
|
|
|
|
proto_tree_add_item(fh_tree, hf_eth_src, offset+6, 6, &pd[offset+6]);
|
|
|
|
|
proto_tree_add_item(fh_tree, hf_eth_len, offset+12, 2, length);
|
1998-09-16 02:39:15 +00:00
|
|
|
}
|
|
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
/* Convert the LLC length from the 802.3 header to a total
|
|
|
|
|
length, by adding in the Ethernet header size, and set
|
|
|
|
|
the payload and captured-payload lengths to the minima
|
|
|
|
|
of the total length and the frame lengths. */
|
|
|
|
|
length += ETH_HEADER_SIZE;
|
|
|
|
|
if (pi.len > length)
|
|
|
|
|
pi.len = length;
|
|
|
|
|
if (pi.captured_len > length)
|
|
|
|
|
pi.captured_len = length;
|
1998-09-27 22:12:47 +00:00
|
|
|
} else {
|
|
|
|
|
ethhdr_type = ETHERNET_II;
|
1999-08-24 06:10:05 +00:00
|
|
|
if (check_col(fd, COL_INFO))
|
|
|
|
|
col_add_str(fd, COL_INFO, "Ethernet II");
|
1998-09-27 22:12:47 +00:00
|
|
|
if (tree) {
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-19 05:12:50 +00:00
|
|
|
ti = proto_tree_add_item_format(tree, proto_eth, offset, ETH_HEADER_SIZE,
|
1999-08-18 00:57:54 +00:00
|
|
|
NULL, "Ethernet II");
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-16 11:44:20 +00:00
|
|
|
fh_tree = proto_item_add_subtree(ti, ett_ether2);
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-20 03:27:02 +00:00
|
|
|
proto_tree_add_item(fh_tree, hf_eth_dst, offset+0, 6, &pd[offset+0]);
|
|
|
|
|
proto_tree_add_item(fh_tree, hf_eth_src, offset+6, 6, &pd[offset+6]);
|
1998-09-27 22:12:47 +00:00
|
|
|
}
|
1998-09-16 02:39:15 +00:00
|
|
|
}
|
1999-08-20 06:55:20 +00:00
|
|
|
offset += ETH_HEADER_SIZE;
|
1998-09-16 02:39:15 +00:00
|
|
|
|
|
|
|
|
switch (ethhdr_type) {
|
1999-02-09 00:35:38 +00:00
|
|
|
case ETHERNET_802_3:
|
|
|
|
|
dissect_ipx(pd, offset, fd, tree);
|
|
|
|
|
break;
|
|
|
|
|
case ETHERNET_802_2:
|
|
|
|
|
dissect_llc(pd, offset, fd, tree);
|
|
|
|
|
break;
|
|
|
|
|
case ETHERNET_II:
|
1999-07-07 22:52:57 +00:00
|
|
|
ethertype(etype, offset, pd, fd, tree, fh_tree, hf_eth_type);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
1998-09-16 02:39:15 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
1999-07-07 22:52:57 +00:00
|
|
|
void
|
|
|
|
|
proto_register_eth(void)
|
|
|
|
|
{
|
1999-07-15 15:33:52 +00:00
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
|
|
|
|
|
{ &hf_eth_dst,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
|
|
|
|
|
"Destination Hardware Address" }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
|
{ &hf_eth_src,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
|
|
|
|
|
"Source Hardware Address" }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
|
{ &hf_eth_len,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
|
"" }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
|
/* registered here but handled in ethertype.c */
|
|
|
|
|
{ &hf_eth_type,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
|
|
|
|
|
"" }}
|
1999-07-08 03:18:20 +00:00
|
|
|
};
|
1999-11-16 11:44:20 +00:00
|
|
|
static gint *ett[] = {
|
|
|
|
|
&ett_ieee8023,
|
|
|
|
|
&ett_ether2,
|
|
|
|
|
};
|
1999-07-08 03:18:20 +00:00
|
|
|
|
|
|
|
|
proto_eth = proto_register_protocol ("Ethernet", "eth" );
|
|
|
|
|
proto_register_field_array(proto_eth, hf, array_length(hf));
|
1999-11-16 11:44:20 +00:00
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
1999-07-07 22:52:57 +00:00
|
|
|
}
|