From David Kennedy via bug 1464:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1464 Support for Symantec SGS v3 files. svn path=/trunk/; revision=21362
This commit is contained in:
parent
c150904c6a
commit
38b1e3f285
4
AUTHORS
4
AUTHORS
|
@ -2616,6 +2616,10 @@ Jon Smirl <jonsmirl [AT] gmail.com> {
|
|||
USB conversations/endpoints list
|
||||
}
|
||||
|
||||
David Kennedy <sgsguy [AT] gmail.com> {
|
||||
Symantec SGS v3 support
|
||||
}
|
||||
|
||||
and by:
|
||||
|
||||
Pavel Roskin <proski [AT] gnu.org>
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
/* packet-symantec.c
|
||||
* Routines for dissection of packets from the Axent Raptor firewall/
|
||||
* Symantec Enterprise Firewall
|
||||
* Symantec Enterprise Firewall/Symantec Gateway Security appliance
|
||||
* v2/Symantec Gateway Security appliance v3.
|
||||
*
|
||||
* $Id$
|
||||
*
|
||||
|
@ -46,33 +47,82 @@ dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
{
|
||||
proto_item *ti;
|
||||
proto_tree *symantec_tree = NULL;
|
||||
guint16 etype;
|
||||
guint16 etypev2, etypev3;
|
||||
tvbuff_t *next_tvb;
|
||||
|
||||
/*
|
||||
* Symantec records come in two variants:
|
||||
*
|
||||
* The older variant, dating from Axent days and continuing until
|
||||
* the SGS v2.0.1 code level, is 44 bytes long.
|
||||
* The first 4 bytes are the IPv4 address of the interface that
|
||||
* captured the data, followed by 2 bytes of 0, then an Ethernet
|
||||
* type, followed by 36 bytes of 0.
|
||||
*
|
||||
* The newer variant, introduced either in SGS v3.0 or v3.0.1
|
||||
* (possibly in concert with VLAN support), is 56 bytes long.
|
||||
* The first 4 bytes are the IPv4 address of the interface that
|
||||
* captured the data, followed by 6 bytes of 0, then an Ethernet
|
||||
* type, followed by 44 bytes of 0.
|
||||
*
|
||||
* Unfortunately, there is no flag to distiguish between the two
|
||||
* flavours. The only indication of which flavour you have is the
|
||||
* offset of the ETHERTYPE field. Fortunately, Symantec didn't
|
||||
* use ETHERTYPE_UNK as a valid value.
|
||||
*/
|
||||
|
||||
etypev2 = tvb_get_ntohs(tvb, 6);
|
||||
etypev3 = tvb_get_ntohs(tvb, 10);
|
||||
|
||||
/* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
|
||||
if ((etypev2 == 0) == (etypev3 == 0))
|
||||
return;
|
||||
|
||||
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
||||
col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
|
||||
if (check_col(pinfo->cinfo, COL_INFO))
|
||||
col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
|
||||
if (tree) {
|
||||
ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
|
||||
0, 44, "Symantec firewall");
|
||||
symantec_tree = proto_item_add_subtree(ti, ett_symantec);
|
||||
|
||||
if (etypev3 == 0) { /* SEF and SGS v2 processing */
|
||||
if (check_col(pinfo->cinfo, COL_INFO))
|
||||
col_add_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
|
||||
if (tree) {
|
||||
ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
|
||||
0, 44, "Symantec firewall");
|
||||
symantec_tree = proto_item_add_subtree(ti, ett_symantec);
|
||||
}
|
||||
if (tree) {
|
||||
proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
|
||||
0, 4, FALSE);
|
||||
proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
|
||||
6, 2, etypev2);
|
||||
}
|
||||
next_tvb = tvb_new_subset(tvb, 44, -1, -1);
|
||||
dissector_try_port(ethertype_dissector_table, etypev2, next_tvb, pinfo,
|
||||
tree);
|
||||
}
|
||||
etype = tvb_get_ntohs(tvb, 6);
|
||||
if (tree) {
|
||||
proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
|
||||
0, 4, FALSE);
|
||||
proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
|
||||
6, 2, etype);
|
||||
|
||||
if (etypev2 == 0) { /* SGS v3 processing */
|
||||
if (check_col(pinfo->cinfo, COL_INFO))
|
||||
col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
|
||||
if (tree) {
|
||||
ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
|
||||
0, 56, "Symantec SGSv3");
|
||||
symantec_tree = proto_item_add_subtree(ti, ett_symantec);
|
||||
}
|
||||
if (tree) {
|
||||
proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
|
||||
0, 4, FALSE);
|
||||
proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
|
||||
10, 2, etypev3);
|
||||
}
|
||||
/*
|
||||
* Dissection of VLAN information will have to wait until
|
||||
* availability of a capture file from an SGSv3 box using VLAN
|
||||
* tagging.
|
||||
*/
|
||||
next_tvb = tvb_new_subset(tvb, 56, -1, -1);
|
||||
dissector_try_port(ethertype_dissector_table, etypev3, next_tvb, pinfo,
|
||||
tree);
|
||||
}
|
||||
next_tvb = tvb_new_subset(tvb, 44, -1, -1);
|
||||
dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
|
||||
tree);
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -80,10 +130,10 @@ proto_register_symantec(void)
|
|||
{
|
||||
static hf_register_info hf[] = {
|
||||
{ &hf_symantec_if,
|
||||
{ "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
|
||||
{ "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
|
||||
"Interface", HFILL }},
|
||||
{ &hf_symantec_etype,
|
||||
{ "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
|
||||
{ "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
|
||||
"", HFILL }},
|
||||
};
|
||||
static gint *ett[] = {
|
||||
|
|
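Review bot: The two variant branches in dissect_symantec (from `if (etypev3 == 0) {` through the end of the `if (etypev2 == 0) {` block) are near-verbatim copies that differ only in the ETHERTYPE offset (6 vs 10), the header length (44 vs 56) and the two display strings, and each branch also carries two adjacent `if (tree) { ... }` blocks that could be a single one; selecting those four values per variant and sharing one tail keeps a single copy of the tree population and subdissector hand-off to maintain. Once the protocol label becomes a variable it should be passed through a literal `"%s"` rather than as the format argument of proto_tree_add_protocol_format. The early `return;` after the heuristic check also leaves a frame matching neither layout with no protocol column and no tree item, so it shows up as an empty frame; moving the `COL_PROTOCOL` assignment above the check, or adding an item that names the unrecognised header shape, would make such frames visible — whether to label them at all depends on how the other encapsulation dissectors in this tree behave, which is not visible here.
```c
	guint16 etype, etypev2, etypev3;
	gint etype_off, hdr_len;
	const char *info, *label;

	/* … unchanged: variant comment, etypev2/etypev3 reads, heuristic return, COL_PROTOCOL … */

	if (etypev3 == 0) {	/* SEF and SGS v2 */
		etype = etypev2;
		etype_off = 6;
		hdr_len = 44;
		info = "Symantec Enterprise Firewall";
		label = "Symantec firewall";
	} else {		/* SGS v3 */
		etype = etypev3;
		etype_off = 10;
		hdr_len = 56;
		info = "Symantec SGS v3";
		label = "Symantec SGSv3";
	}
	if (check_col(pinfo->cinfo, COL_INFO))
		col_add_str(pinfo->cinfo, COL_INFO, info);
	if (tree) {
		ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
		    0, hdr_len, "%s", label);
		symantec_tree = proto_item_add_subtree(ti, ett_symantec);
		proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
		    0, 4, FALSE);
		proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
		    etype_off, 2, etype);
	}
	next_tvb = tvb_new_subset(tvb, hdr_len, -1, -1);
	dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
	    tree);
```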