From David Kennedy via bug 1464:

http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1464 Support for Symantec SGS v3 files. svn path=/trunk/; revision=21362
2007-04-10 07:01:59 +00:00 · 2007-04-10 07:01:59 +00:00 · 38b1e3f285
parent c150904c6a
commit 38b1e3f285
2 changed files with 73 additions and 19 deletions
--- a/4
+++ b/4
@ -2616,6 +2616,10 @@ Jon Smirl <jonsmirl [AT] gmail.com> {
 	USB conversations/endpoints list
 }

+David Kennedy <sgsguy [AT] gmail.com> {
+	Symantec SGS v3 support
+}
+
 and by:

 Pavel Roskin            <proski [AT] gnu.org>
--- a/epan/dissectors/packet-symantec.c
+++ b/epan/dissectors/packet-symantec.c
@ -1,6 +1,7 @@
 /* packet-symantec.c
 * Routines for dissection of packets from the Axent Raptor firewall/
- * Symantec Enterprise Firewall
+ * Symantec Enterprise Firewall/Symantec Gateway Security appliance
+ * v2/Symantec Gateway Security appliance v3.
 *
 * $Id$
 *
@ -46,33 +47,82 @@ dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 {
 	proto_item *ti;
 	proto_tree *symantec_tree = NULL;
-	guint16 etype;
+	guint16 etypev2, etypev3;
 	tvbuff_t *next_tvb;

 	/*
+	 * Symantec records come in two variants:
+	 *
+	 * The older variant, dating from Axent days and continuing until
+	 * the SGS v2.0.1 code level, is 44 bytes long.
 	 * The first 4 bytes are the IPv4 address of the interface that
 	 * captured the data, followed by 2 bytes of 0, then an Ethernet
 	 * type, followed by 36 bytes of 0.
+	 *
+	 * The newer variant, introduced either in SGS v3.0 or v3.0.1
+	 * (possibly in concert with VLAN support), is 56 bytes long.
+	 * The first 4 bytes are the IPv4 address of the interface that
+	 * captured the data, followed by 6 bytes of 0, then an Ethernet
+	 * type, followed by 44 bytes of 0.
+	 *
+	 * Unfortunately, there is no flag to distiguish between the two
+	 * flavours.  The only indication of which flavour you have is the
+	 * offset of the ETHERTYPE field.  Fortunately, Symantec didn't
+	 * use ETHERTYPE_UNK as a valid value.
 	 */
+
+	etypev2 = tvb_get_ntohs(tvb, 6);
+	etypev3 = tvb_get_ntohs(tvb, 10);
+	
+	/* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
+	if ((etypev2 == 0) == (etypev3 == 0))
+		return;
+		
 	if (check_col(pinfo->cinfo, COL_PROTOCOL))
 		col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
-	if (check_col(pinfo->cinfo, COL_INFO))
-		col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
-	if (tree) {
-		ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
-		    0, 44, "Symantec firewall");
-		symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+		
+	if (etypev3 == 0) {	/* SEF and SGS v2 processing */
+		if (check_col(pinfo->cinfo, COL_INFO))
+			col_add_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
+		if (tree) {
+			ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+				0, 44, "Symantec firewall");
+			symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+		}
+		if (tree) {
+			proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+				0, 4, FALSE);
+			proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+				6, 2, etypev2);
+		}
+		next_tvb = tvb_new_subset(tvb, 44, -1, -1);
+		dissector_try_port(ethertype_dissector_table, etypev2, next_tvb, pinfo,
+			tree);
 	}
-	etype = tvb_get_ntohs(tvb, 6);
-	if (tree) {
-		proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
-		    0, 4, FALSE);
-		proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
-		    6, 2, etype);
+
+	if (etypev2 == 0) {	/* SGS v3 processing */
+		if (check_col(pinfo->cinfo, COL_INFO))
+			col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
+		if (tree) {
+			ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+				0, 56, "Symantec SGSv3");
+			symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+		}
+		if (tree) {
+			proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+				0, 4, FALSE);
+			proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+				10, 2, etypev3);
+		}
+		/*
+		 * Dissection of VLAN information will have to wait until
+		 * availability of a capture file from an SGSv3 box using VLAN
+		 * tagging.
+		 */
+		next_tvb = tvb_new_subset(tvb, 56, -1, -1);
+		dissector_try_port(ethertype_dissector_table, etypev3, next_tvb, pinfo,
+			tree);
 	}
-	next_tvb = tvb_new_subset(tvb, 44, -1, -1);
-	dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
-	    tree);
 }

 void
@ -80,10 +130,10 @@ proto_register_symantec(void)
 {
 	static hf_register_info hf[] = {
 		{ &hf_symantec_if,
-		    { "Interface",      "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
+		    { "Interface", "symantec.if", FT_IPv4,  BASE_NONE, NULL, 0x0,
 			"Interface", HFILL }},
 		{ &hf_symantec_etype,
-		    { "Type",	"symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+		    { "Type",    "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
 			"", HFILL }},
 	};
 	static gint *ett[] = {