Add support for DLT_ value 99, as used by the Axent Raptor

firewall/Symantec Enterprise Firewall. Thanks, Axent/Symantec, for not asking us for a DLT_ value and not telling us about the link-layer type. svn path=/trunk/; revision=10361
2004-03-11 09:18:33 +00:00 · 2004-03-11 09:18:33 +00:00 · 48cd9f9358
parent 05d106247c
commit 48cd9f9358
5 changed files with 121 additions and 5 deletions
--- a/epan/Makefile.common
+++ b/epan/Makefile.common
@ -3,7 +3,7 @@
 #     a) common to both files and
 #     b) portable between both files
 #
-# $Id: Makefile.common,v 1.5 2004/03/05 10:56:16 guy Exp $
+# $Id: Makefile.common,v 1.6 2004/03/11 09:18:32 guy Exp $
 #
 # Ethereal - Network traffic analyzer
 # By Gerald Combs <gerald@ethereal.com>
@ -400,6 +400,7 @@ DISSECTOR_SRC =	\
 	../packet-stat.c	\
 	../packet-stun.c	\
 	../packet-sua.c	\
+	../packet-symantec.c	\
 	../packet-syslog.c	\
 	../packet-t38.c	\
 	../packet-tacacs.c	\
--- a/packet-symantec.c
+++ b/packet-symantec.c
@ -0,0 +1,103 @@
+/* packet-symantec.c
+ * Routines for dissection of packets from the Axent Raptor firewall/
+ * Symantec Enterprise Firewall
+ *
+ * $Id: packet-symantec.c,v 1.1 2004/03/11 09:18:32 guy Exp $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+
+#include <epan/packet.h>
+
+#include "etypes.h"
+
+static dissector_table_t ethertype_dissector_table;
+
+/* protocols and header fields */
+static int proto_symantec = -1;
+static int hf_symantec_etype = -1;
+
+static gint ett_symantec = -1;
+
+static void
+dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+	proto_item *ti;
+	proto_tree *symantec_tree = NULL;
+	guint16 etype;
+	tvbuff_t *next_tvb;
+
+	/*
+	 * There appears to be 6 bytes of mysterious junk, followed by an
+	 * Ethernet type (or, at least, there's 08 00), followed by 36 bytes
+	 * of 0.
+	 */
+	if (check_col(pinfo->cinfo, COL_PROTOCOL))
+		col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
+	if (check_col(pinfo->cinfo, COL_INFO))
+		col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
+	if (tree) {
+		ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
+		    0, 44, "Symantec firewall");
+		symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+	}
+	etype = tvb_get_ntohs(tvb, 6);
+	if (tree) {
+		proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
+		    6, 2, etype);
+	}
+	next_tvb = tvb_new_subset(tvb, 44, -1, -1);
+	dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
+	    tree);
+}
+
+void
+proto_register_symantec(void)
+{
+	static hf_register_info hf[] = {
+		{ &hf_symantec_etype,
+		    { "Type",	"symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+			"", HFILL }},
+	};
+	static gint *ett[] = {
+		&ett_symantec,
+	};
+
+	proto_symantec = proto_register_protocol("Symantec Enterprise Firewall",
+	    "Symantec", "symantec");
+	proto_register_field_array(proto_symantec, hf, array_length(hf));
+	proto_register_subtree_array(ett, array_length(ett));
+}
+
+void
+proto_reg_handoff_symantec(void)
+{
+	dissector_handle_t symantec_handle;
+
+	ethertype_dissector_table = find_dissector_table("ethertype");
+
+	symantec_handle = create_dissector_handle(dissect_symantec,
+	    proto_symantec);
+	dissector_add("wtap_encap", WTAP_ENCAP_SYMANTEC, symantec_handle);
+}
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
@ -1,6 +1,6 @@
 /* libpcap.c
 *
- * $Id: libpcap.c,v 1.116 2004/03/03 22:24:51 guy Exp $
+ * $Id: libpcap.c,v 1.117 2004/03/11 09:18:32 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@ -227,6 +227,14 @@ static const struct {
 	 */
 	{ 50,		WTAP_ENCAP_PPP },

+	/*
+	 * Apparently used by the Axent Raptor firewall (now Symantec
+	 * Enterprise Firewall).
+	 * Thanks, Axent, for not reserving that type with tcpdump.org
+	 * and not telling anybody about it.
+	 */
+	{ 99,		WTAP_ENCAP_SYMANTEC },
+
 	/*
 	 * These are the values that libpcap 0.5 and later use in
 	 * capture file headers, in an attempt to work around the
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@ -1,6 +1,6 @@
 /* wtap.c
 *
- * $Id: wtap.c,v 1.90 2004/03/03 22:24:53 guy Exp $
+ * $Id: wtap.c,v 1.91 2004/03/11 09:18:33 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@ -241,6 +241,9 @@ static const struct encap_type_info {

 	/* WTAP_ENCAP_USER15 */
 	{ "USER 15", "user15" },
+
+	/* WTAP_ENCAP_SYMANTEC */
+	{ "Symantec Enterprise Firewall", "symantec" },
 };

 /* Name that should be somewhat descriptive. */
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@ -1,6 +1,6 @@
 /* wtap.h
 *
- * $Id: wtap.h,v 1.152 2004/02/11 20:05:16 guy Exp $
+ * $Id: wtap.h,v 1.153 2004/03/11 09:18:33 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@ -150,9 +150,10 @@
 #define WTAP_ENCAP_USER13			58
 #define WTAP_ENCAP_USER14			59
 #define WTAP_ENCAP_USER15			60
+#define WTAP_ENCAP_SYMANTEC			61

 /* last WTAP_ENCAP_ value + 1 */
-#define WTAP_NUM_ENCAP_TYPES			61
+#define WTAP_NUM_ENCAP_TYPES			62

 /* File types that can be read by wiretap.
   We support writing some many of these file types, too, so we