/* packet-raw.c
* Routines for raw packet disassembly
*
* $Id: packet-raw.c,v 1.35 2002/08/28 21:00:29 jmayer Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
*
* This file created and by Mike Hall <mlh@io.com>
* Copyright 1998
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <string.h>
#include <glib.h>
#include <epan/packet.h>
#include "packet-raw.h"
#include "packet-ip.h"
#include "packet-ppp.h"
/* Protocol ID for "Raw packet data"; assigned in proto_register_raw(). */
static int proto_raw = -1;

/* Subtree index for the protocol tree item; its address is handed to
 * proto_register_subtree_array() in proto_register_raw(). */
static gint ett_raw = -1;

/* Ten zero bytes, compared against the start of a frame to recognise the
 * all-zero prefix the Linux ISDN driver emits while the link is down. */
static const char zeroes[10] = { 0 };

/* Handles of the dissectors this file hands frames on to; all four are
 * looked up by name in proto_reg_handoff_raw(). */
static dissector_handle_t ip_handle;
static dissector_handle_t ipv6_handle;
static dissector_handle_t data_handle;
static dissector_handle_t ppp_hdlc_handle;
/*
 * Capture-time classification of a frame that arrived with no link-layer
 * header, so that the right per-protocol counter routine is called.
 *
 * pd  - captured bytes of the frame (contents come off the wire, so every
 *       index below is preceded by a BYTES_ARE_IN_FRAME() length check)
 * len - number of captured bytes in pd
 * ld  - packet counters, passed through to the next capture routine
 *
 * So far, the only time we get raw connection types are with Linux and
 * Irix PPP connections.  We can't tell what type of data is coming down
 * the line, so our safest bet is IP. - GCC
 */
void
capture_raw(const guchar *pd, int len, packet_counts *ld)
{
  /* Currently, the Linux 2.1.xxx PPP driver passes back some of the header
   * sometimes.  This check should be removed when 2.2 is out.
   */
  if (BYTES_ARE_IN_FRAME(0,len,2) && pd[0] == 0xff && pd[1] == 0x03) {
    capture_ppp_hdlc(pd, 0, len, ld);
    return;
  }

  /* The Linux ISDN driver sends a fake MAC address before the PPP header
   * on its ippp interfaces... */
  if (BYTES_ARE_IN_FRAME(0,len,8) && pd[6] == 0xff && pd[7] == 0x03) {
    capture_ppp_hdlc(pd, 6, len, ld);
    return;
  }

  /* ...except when it just puts out one byte before the PPP header... */
  if (BYTES_ARE_IN_FRAME(0,len,3) && pd[1] == 0xff && pd[2] == 0x03) {
    capture_ppp_hdlc(pd, 1, len, ld);
    return;
  }

  /* ...and if the connection is currently down, it sends 10 bytes of zeroes
   * instead of a fake MAC address and PPP header. */
  if (BYTES_ARE_IN_FRAME(0,len,10) && memcmp(pd, zeroes, 10) == 0) {
    capture_ip(pd, 10, len, ld);
    return;
  }

  /* Nothing to look at in an empty frame. */
  if (!BYTES_ARE_IN_FRAME(0,len,1)) {
    return;
  }

  /*
   * OK, is this IPv4 or IPv6?  The high nibble of the first byte is the
   * IP version field.  Anything other than IPv4 is left uncounted here.
   */
  switch (pd[0] & 0xF0) {

  case 0x40:
    /* IPv4 */
    capture_ip(pd, 0, len, ld);
    break;

#if 0
  case 0x60:
    /* IPv6 */
    capture_ipv6(pd, 0, len, ld);
    break;
#endif
  }
}
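/*
 * Dissect a frame that arrived with no link-layer header.
 *
 * tvb   - the frame's bytes; contents are untrusted capture data
 * pinfo - per-packet info; the column fields are filled in here
 * tree  - protocol tree to add to, or NULL when no tree is being built
 *
 * The frame is probed for the PPP-in-HDLC address/control pair (0xff03) at
 * the offsets the Linux PPP and ISDN drivers are known to produce, then for
 * the ten-zero-byte "link down" prefix, and finally for the IP version
 * nibble.  Each probe is preceded by tvb_bytes_exist(), mirroring the
 * BYTES_ARE_IN_FRAME() guards in capture_raw().  Without the guards a frame
 * shorter than the deepest probe (e.g. one cut by a small snapshot length)
 * would make tvb_get_ntohs()/tvb_get_ptr() ask for bytes that are not
 * there; those accessors are expected to abort dissection with a bounds
 * exception in that case, so the frame would never reach the IP, IPv6 or
 * data dissector.
 */
static void
dissect_raw(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  proto_tree	*fh_tree;
  proto_item	*ti;
  tvbuff_t	*next_tvb;

  /* load the top pane info. This should be overwritten by
     the next protocol in the stack */
  if(check_col(pinfo->cinfo, COL_RES_DL_SRC))
    col_set_str(pinfo->cinfo, COL_RES_DL_SRC, "N/A" );
  if(check_col(pinfo->cinfo, COL_RES_DL_DST))
    col_set_str(pinfo->cinfo, COL_RES_DL_DST, "N/A" );
  if(check_col(pinfo->cinfo, COL_PROTOCOL))
    col_set_str(pinfo->cinfo, COL_PROTOCOL, "N/A" );
  if(check_col(pinfo->cinfo, COL_INFO))
    col_set_str(pinfo->cinfo, COL_INFO, "Raw packet data" );

  /* populate a tree in the second pane with the status of the link
     layer (ie none) */
  if (tree) {
    ti = proto_tree_add_item(tree, proto_raw, tvb, 0, 0, FALSE);
    fh_tree = proto_item_add_subtree(ti, ett_raw);
    proto_tree_add_text(fh_tree, tvb, 0, 0, "No link information available");
  }

  /* So far, the only time we get raw connection types are with Linux and
   * Irix PPP connections.  We can't tell what type of data is coming down
   * the line, so our safest bet is IP. - GCC
   */

  /* Currently, the Linux 2.1.xxx PPP driver passes back some of the header
   * sometimes.  This check should be removed when 2.2 is out.
   */
  if (tvb_bytes_exist(tvb, 0, 2) && tvb_get_ntohs(tvb, 0) == 0xff03) {
    call_dissector(ppp_hdlc_handle, tvb, pinfo, tree);
  }
  /* The Linux ISDN driver sends a fake MAC address before the PPP header
   * on its ippp interfaces... */
  else if (tvb_bytes_exist(tvb, 6, 2) && tvb_get_ntohs(tvb, 6) == 0xff03) {
    next_tvb = tvb_new_subset(tvb, 6, -1, -1);
    call_dissector(ppp_hdlc_handle, next_tvb, pinfo, tree);
  }
  /* ...except when it just puts out one byte before the PPP header... */
  else if (tvb_bytes_exist(tvb, 1, 2) && tvb_get_ntohs(tvb, 1) == 0xff03) {
    next_tvb = tvb_new_subset(tvb, 1, -1, -1);
    call_dissector(ppp_hdlc_handle, next_tvb, pinfo, tree);
  }
  /* ...and if the connection is currently down, it sends 10 bytes of zeroes
   * instead of a fake MAC address and PPP header. */
  else if (tvb_bytes_exist(tvb, 0, 10) &&
	   memcmp(tvb_get_ptr(tvb, 0, 10), zeroes, 10) == 0) {
    next_tvb = tvb_new_subset(tvb, 10, -1, -1);
    call_dissector(ip_handle, next_tvb, pinfo, tree);
  }
  else {
    /*
     * OK, is this IPv4 or IPv6?  The high nibble of the first byte is the
     * IP version field.  This read is left unguarded on purpose: an empty
     * frame has nothing to dispatch on, so the accessor's own bounds
     * handling is the right outcome there.
     */
    switch (tvb_get_guint8(tvb, 0) & 0xF0) {

    case 0x40:
      /* IPv4 */
      call_dissector(ip_handle, tvb, pinfo, tree);
      break;

    case 0x60:
      /* IPv6 */
      call_dissector(ipv6_handle, tvb, pinfo, tree);
      break;

    default:
      /* None of the above. */
      call_dissector(data_handle, tvb, pinfo, tree);
      break;
    }
  }
}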
/*
 * Register the "Raw packet data" protocol (short name "Raw", filter name
 * "raw") and the one subtree index this dissector uses.
 */
void
proto_register_raw(void)
{
  /* Addresses of the subtree index variables to be registered. */
  static gint *subtree_indices[] = { &ett_raw };

  proto_raw = proto_register_protocol("Raw packet data", "Raw", "raw");
  proto_register_subtree_array(subtree_indices, array_length(subtree_indices));
}
/*
 * Hand-off registration: look up the dissectors that dissect_raw() calls
 * and attach dissect_raw() to the WTAP_ENCAP_RAW_IP encapsulation type.
 */
void
proto_reg_handoff_raw(void)
{
  /* Handle wrapping dissect_raw() for the "wtap_encap" table below. */
  dissector_handle_t raw_handle = create_dissector_handle(dissect_raw, proto_raw);

  /*
   * Get handles for the IP, IPv6, undissected-data, and
   * PPP-in-HDLC-like-framing dissectors.
   *
   * NOTE(review): none of these lookups is checked, and dissect_raw()
   * passes the handles straight to call_dissector(); confirm that
   * find_dissector() cannot fail for these four names.
   */
  ip_handle = find_dissector("ip");
  ipv6_handle = find_dissector("ipv6");
  data_handle = find_dissector("data");
  ppp_hdlc_handle = find_dissector("ppp_hdlc");

  dissector_add("wtap_encap", WTAP_ENCAP_RAW_IP, raw_handle);
}