2004-03-25 11:21:07 +00:00
|
|
|
/* packet-rlm.c
|
|
|
|
* Routines for RLM dissection
|
|
|
|
* Copyright 2004, Duncan Sargeant <dunc-ethereal@rcpt.to>
|
|
|
|
*
|
2004-07-18 00:24:25 +00:00
|
|
|
* $Id$
|
2004-03-25 11:21:07 +00:00
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
2004-03-25 11:21:07 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* RLM is a proprietary Cisco protocol used for centralling managing
|
|
|
|
* many redundant NASes. I don't know much about the format, but you
|
|
|
|
* can read about the feature here:
|
|
|
|
*
|
2009-01-13 06:54:06 +00:00
|
|
|
* http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/rlm_123.html
|
2004-03-25 11:21:07 +00:00
|
|
|
*
|
|
|
|
* RLM runs on a UDP port (default 3000) between the MGC and the NAS.
|
|
|
|
* On port N+1 (default 3001), a Q.931/LAPD/UDP connection is maintained.
|
|
|
|
* Both sides use the same local port number for the connection, so source
|
|
|
|
* and dest port are always the same.
|
|
|
|
*
|
|
|
|
* In large networks, the links are typically split onto higher ports,
|
|
|
|
* so anything up to 3015 (or higher) could either be RLM or Q.931 traffic,
|
|
|
|
* although always the RLM has the one lower port number for that RLM group.
|
|
|
|
*
|
|
|
|
* Multiple RLM groups are possible on a single NAS.
|
|
|
|
*
|
|
|
|
* I haven't been able to find the protocol documented, so I've
|
|
|
|
* guessed some of the fields based on the output of debug commands on
|
|
|
|
* cisco NASes.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
2006-04-22 20:26:16 +00:00
|
|
|
#include <glib.h>
|
2004-03-25 11:21:07 +00:00
|
|
|
#include <epan/packet.h>
|
2009-01-13 06:54:06 +00:00
|
|
|
#include <epan/xdlc.h>
|
2004-03-25 11:21:07 +00:00
|
|
|
|
|
|
|
/* Initialize the protocol and registered fields */
|
|
|
|
static int proto_rlm = -1;
|
|
|
|
|
|
|
|
static int hf_rlm_version = -1;
|
|
|
|
static int hf_rlm_type = -1;
|
|
|
|
static int hf_rlm_unknown = -1;
|
|
|
|
static int hf_rlm_tid = -1;
|
|
|
|
static int hf_rlm_unknown2 = -1;
|
|
|
|
|
|
|
|
/* Initialize the subtree pointers */
|
|
|
|
static gint ett_rlm = -1;
|
|
|
|
|
|
|
|
|
|
|
|
/* RLM definitions - missing some! */
|
|
|
|
|
|
|
|
#define RLM_START_REQUEST 1
|
|
|
|
#define RLM_START_ACK 2
|
|
|
|
/* #define ??? 3 */
|
|
|
|
/* #define ??? 4 */
|
|
|
|
#define RLM_ECHO_REQUEST 5
|
|
|
|
#define RLM_ECHO_REPLY 6
|
|
|
|
/* #define ??? ?? */
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
Maybe this isn't the best place for it, but RLM goes hand in hand
|
|
|
|
with Q.931 traffic on a higher port.
|
|
|
|
*/
|
2009-01-13 06:54:06 +00:00
|
|
|
static dissector_handle_t lapd_handle;
|
2004-03-25 11:21:07 +00:00
|
|
|
|
|
|
|
static gboolean
|
|
|
|
dissect_udp_lapd(tvbuff_t *tvb, packet_info *pinfo _U_ , proto_tree *tree) {
|
|
|
|
|
|
|
|
if (pinfo->srcport < 3001 || pinfo->srcport > 3015
|
|
|
|
|| pinfo->destport < 3001 || pinfo->destport > 3015
|
|
|
|
|| pinfo->destport != pinfo->srcport)
|
|
|
|
return FALSE;
|
|
|
|
|
2009-01-13 06:54:06 +00:00
|
|
|
/*
|
|
|
|
* XXX - check for a valid LAPD address field.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OK, check whether the control field looks valid.
|
|
|
|
*/
|
|
|
|
if (!check_xdlc_control(tvb, 2, NULL, NULL, FALSE, FALSE))
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Loooks OK - call the LAPD dissector.
|
|
|
|
*/
|
|
|
|
call_dissector(lapd_handle, tvb, pinfo, tree);
|
2004-03-25 11:21:07 +00:00
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Code to actually dissect the packets */
|
|
|
|
static gboolean
|
|
|
|
dissect_rlm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
|
|
{
|
|
|
|
proto_item *ti;
|
|
|
|
proto_tree *rlm_tree;
|
|
|
|
guint8 rlm_type, version;
|
2005-07-23 11:41:25 +00:00
|
|
|
const char *type_str = NULL;
|
2004-03-25 11:21:07 +00:00
|
|
|
|
|
|
|
if (pinfo->srcport < 3000 || pinfo->srcport > 3015
|
|
|
|
|| pinfo->destport < 3000 || pinfo->destport > 3015
|
|
|
|
|| pinfo->destport != pinfo->srcport)
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
version = tvb_get_guint8(tvb, 0);
|
|
|
|
rlm_type = tvb_get_guint8(tvb, 1);
|
|
|
|
|
|
|
|
/* we only know about version 2, and I've only seen 8 byte packets */
|
|
|
|
if (tvb_length(tvb) != 8 || version != 2) {
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2009-08-09 06:26:46 +00:00
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "RLM");
|
2004-03-25 11:21:07 +00:00
|
|
|
|
|
|
|
switch (rlm_type) {
|
|
|
|
case RLM_START_REQUEST:
|
|
|
|
type_str = "Start request";
|
|
|
|
break;;
|
|
|
|
|
|
|
|
case RLM_START_ACK:
|
|
|
|
type_str = "Start acknowledgement";
|
|
|
|
break;;
|
|
|
|
|
|
|
|
case RLM_ECHO_REQUEST:
|
|
|
|
type_str = "Echo request";
|
|
|
|
break;;
|
|
|
|
|
|
|
|
case RLM_ECHO_REPLY:
|
|
|
|
type_str = "Echo reply";
|
|
|
|
break;;
|
|
|
|
|
|
|
|
default:
|
|
|
|
type_str = "Unknown type";
|
|
|
|
break;;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (check_col(pinfo->cinfo, COL_INFO))
|
|
|
|
col_set_str(pinfo->cinfo, COL_INFO, type_str);
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
/* proto_tree_add_protocol_format(tree, proto_rlm, tvb, 0,
|
|
|
|
16, "Cisco Session Management"); */
|
|
|
|
ti = proto_tree_add_item(tree, proto_rlm, tvb, 0, 8, FALSE);
|
|
|
|
rlm_tree = proto_item_add_subtree(ti, ett_rlm);
|
|
|
|
ti = proto_tree_add_item(rlm_tree, hf_rlm_version, tvb, 0, 1, FALSE);
|
|
|
|
proto_tree_add_uint_format(rlm_tree, hf_rlm_type, tvb, 1, 1, rlm_type, "Type: %u (%s)", rlm_type, type_str);
|
|
|
|
ti = proto_tree_add_item(rlm_tree, hf_rlm_unknown, tvb, 2, 2, FALSE);
|
|
|
|
ti = proto_tree_add_item(rlm_tree, hf_rlm_tid, tvb, 4, 2, FALSE);
|
|
|
|
ti = proto_tree_add_item(rlm_tree, hf_rlm_unknown2, tvb, 6, 2, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-05-28 16:32:49 +00:00
|
|
|
/* Register the protocol with Wireshark */
|
2004-03-25 11:21:07 +00:00
|
|
|
|
|
|
|
/* this format is require because a script is used to build the C function
|
|
|
|
that calls all the protocol registration.
|
|
|
|
*/
|
|
|
|
|
2004-04-25 11:14:01 +00:00
|
|
|
void
|
2006-04-22 20:26:16 +00:00
|
|
|
proto_reg_handoff_rlm(void)
|
2004-04-25 11:14:01 +00:00
|
|
|
{
|
2009-01-13 06:54:06 +00:00
|
|
|
/*
|
|
|
|
* Find a handle for the LAPD dissector.
|
|
|
|
*/
|
|
|
|
lapd_handle = find_dissector("lapd");
|
|
|
|
|
2004-04-25 11:14:01 +00:00
|
|
|
heur_dissector_add("udp", dissect_rlm, proto_rlm);
|
|
|
|
heur_dissector_add("udp", dissect_udp_lapd, proto_get_id_by_filter_name("lapd"));
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_register_rlm(void)
|
2004-03-25 11:21:07 +00:00
|
|
|
{
|
|
|
|
|
|
|
|
/* Setup list of header fields See Section 1.6.1 for details*/
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
{ &hf_rlm_version,
|
|
|
|
{ "Version", "rlm.version",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, HFILL }
|
2004-03-25 11:21:07 +00:00
|
|
|
},
|
|
|
|
{ &hf_rlm_type,
|
|
|
|
{ "Type", "rlm.type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, HFILL }
|
2004-03-25 11:21:07 +00:00
|
|
|
},
|
|
|
|
{ &hf_rlm_unknown,
|
|
|
|
{ "Unknown", "rlm.unknown",
|
|
|
|
FT_UINT16, BASE_HEX, NULL, 0x0,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, HFILL }
|
2004-03-25 11:21:07 +00:00
|
|
|
},
|
|
|
|
{ &hf_rlm_tid,
|
|
|
|
{ "Transaction ID", "rlm.tid",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, HFILL }
|
2004-03-25 11:21:07 +00:00
|
|
|
},
|
|
|
|
{ &hf_rlm_unknown2,
|
|
|
|
{ "Unknown", "rlm.unknown2",
|
|
|
|
FT_UINT16, BASE_HEX, NULL, 0x0,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, HFILL }
|
2004-03-25 11:21:07 +00:00
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Setup protocol subtree array */
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_rlm,
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Register the protocol name and description */
|
|
|
|
proto_rlm = proto_register_protocol("Redundant Link Management Protocol",
|
|
|
|
"RLM", "rlm");
|
|
|
|
|
|
|
|
/* Required function calls to register the header fields and subtrees used */
|
|
|
|
proto_register_field_array(proto_rlm, hf, array_length(hf));
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
}
|